Posted on 4th November, 2013
Listed below are my notes from a recent virus infection on a Windows 7 computer.
Reason for service:
1: Computer is extremely sluggish.
2: Multiple instances of “COM Surrogate has stopped working” dialog boxes.
1: All applications unresponsive.
2: Over 36 instances of dllhost.exe running in Services and repeated popups of COM Surrogate message.
3: ntdll.dll is the Fault Module involved.
4: CPU is running at 100% usage.
Manually killed all dllhost.exe processes to free up CPU cycles.
Ran System File Checker to scan for possibly corrupt files.
Note, during all scans it was necessary to keep manually killing dllhost processes. If not, CPU usage would quickly reach 100%.
Result = None found.
Ran msconfig to disable all non-MS processes.
Result = no change
Ran a full AVG virus scan. One Win32/Heur was found mid-scan, but the file disappeared before AVG could quarantine it. I continuously stopped dllhost processes during scan to free up CPU cycles.
Note: AVG, like any other antivirus, must be properly configured for thorough protection and acceptable performance. Do NOT use this product “out of the box” or you are likely to suffer a nasty infection.
No further infection found.
Disabled thumbnail view in System performance, as many instances of this problem had that as a solution.
Result = No change.
Set System Performance to Fastest.
Result = No change.
Ran a full Malwarebytes scan.
Result = No infection found.
I ran Process Explorer and located the folder associated with dllhost.exe. A folder comprised of random letters in the Temp directory is the culprit, indicating an infection.
Note: No legitimate application will ever run from a Temp or Temporary Internet Files directory. Period.
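As an added triage check (my example, not part of the original notes), the PowerShell below lists every dllhost.exe with its image path, parent process and command line, and flags any that does not live under the Windows system directories or that runs from a Temp or Temporary Internet Files path. A genuine COM Surrogate is launched by svchost.exe from System32 or SysWOW64 with a `/Processid:{GUID}` argument; run this from an elevated prompt so that the path of every process is readable.

```powershell
# Added triage script (not from the original post). Assumes an elevated
# PowerShell session on the affected Windows machine.
$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

$procs = Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'"
Write-Host ("dllhost.exe instances running: {0}" -f @($procs).Count)

$report = foreach ($p in $procs) {
    $path = $p.ExecutablePath   # null when the process could not be inspected
    $parent = Get-CimInstance Win32_Process `
        -Filter "ProcessId = $($p.ParentProcessId)" -ErrorAction SilentlyContinue

    # Legitimate: image sits under System32 or SysWOW64
    $inSystemDir = $false
    foreach ($d in $systemDirs) {
        if ($path -and $path.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inSystemDir = $true
        }
    }
    # The pattern seen in this case: image runs from a Temp-style folder
    $inTemp = $path -match '\\Temp\\|\\Temporary Internet Files\\'

    [pscustomobject]@{
        PID         = $p.ProcessId
        Parent      = if ($parent) { $parent.Name } else { '?' }
        Path        = if ($path) { $path } else { '<unreadable>' }
        CommandLine = $p.CommandLine
        Suspicious  = (-not $inSystemDir) -or $inTemp
    }
}

$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Any row marked Suspicious, or an unreadable path, deserves a look with Process Explorer as described above; a large count of dllhost.exe processes that keeps growing after they are killed is itself a sign that something is respawning them.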
I tried numerous mechanisms for taking ownership of this folder so that I could delete it, including:
1: Setting up a new Administrator account to access the folder from outside the user account.
Result = Unsuccessful.
2: Rebooting in Safe Mode + Command Prompt.
Result = Unable to make folder visible.
Once I determined it was definitely a virus and not a system error, I asked the client what she was doing on the computer at 3:42 pm the day before (time stamp on the infected folder). It seems she was browsing the MSN website and had clicked on Wonder Wall at the time. Immediately after going to that site, the popup messages commenced.
The only solution was to take the computer to the lab, remove the hard drive and connect it to my MacBook Pro. Since the Apple OS is not held captive by the Windows “security”, I was able to kill the files and folders this way. I could have accomplished the same thing on one of my Linux machines.
Unfortunately, the computer did not operate correctly when taken out of Safe Mode. More than 50 services were either set to Disabled or Manual and un-started. Resetting each one by hand and manually starting them solved the problem nicely.
If you have another solution to this nasty bug, post it here.