
Multiple rundll32.exe, and iexplore.exe


  • This topic is locked
16 replies to this topic

#1 spazzcotas

  • Members
  • 8 posts
  • Local time: 05:52 AM

Posted 14 September 2014 - 02:39 PM

Hello, I'm hoping someone can help. I saw numerous posts about people having issues with multiple surrogate processes running, so I downloaded the Farbar Recovery Scan Tool and ran the reports. Would someone be able to take a look at the logs and let me know if I need to use any other software to help clean up my computer, or if they can provide a fix file? I've attached the FRST and Addition text files. Thanks in advance, everyone!



#2 aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender: Male
  • Local time: 12:52 PM

Posted 14 September 2014 - 02:51 PM

Hello,

There are quite a few different malware types running on your system.
But before we go after them we need more information:


Step 1

Please download TDSSKiller and save it to your Desktop.
  • Start tdsskiller.exe with administrator privileges.
  • Accept the EULA and the KSN Statement.
  • Click on Change parameters.
  • Make sure that all available options (except "Loaded modules") are checked and click OK.
  • Click on Start scan.
  • If any threats are found don't delete them but choose the Skip option for all of them.
  • Click on Report to open the log file. (It is also saved at C:\TDSSKiller.<version_date_time>_log.txt).
    Copy and paste its contents in your next reply.


Step 2
  • Start FRST with Administrator privileges.
  • Write the following text into the Search: textbox:
    rpcss.dll
  • Click on the Search File(s) button.
  • When finished, a log file (Search.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.


#3 spazzcotas


Posted 14 September 2014 - 04:31 PM

Thank you for such a quick response!! I've attached the TDSSKiller log and the Search.txt file.




#4 aharonov


Posted 14 September 2014 - 04:41 PM

Ok.


Please download Combofix (by sUBs) and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start Combofix.exe and follow its instructions.
  • Do not use the computer while the scan is running. This may cause the program to stall.
  • When finished, a log file will be displayed (that can also be found at C:\Combofix.txt).
    Please copy and paste the contents of this file into your next post.
Note: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." after the scan, just restart the computer.
(You can find more detailed instructions in this guide on using Combofix.)

#5 spazzcotas


Posted 14 September 2014 - 05:53 PM

When I double-clicked on the combofix.exe file after downloading it, I got this error: "Error Opening File for Writing: C:\32788R22FWJFW\pev.3XE"

#6 aharonov


Posted 14 September 2014 - 06:07 PM

Please reboot your computer, download a fresh copy of Combofix and try again.

#7 spazzcotas


Posted 14 September 2014 - 07:08 PM

Ok, that did it! Here is the combofix file.




#8 aharonov


Posted 14 September 2014 - 07:10 PM

Alright. But Combofix wasn't too successful.
Please create a fresh FRST log:


Start FRST with administrator privileges.
  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste this log in your next reply.


#9 spazzcotas


Posted 14 September 2014 - 07:15 PM

New FRST file.

Attached Files

  • Attached File: FRST.txt (48.28KB)


#10 aharonov


Posted 14 September 2014 - 07:30 PM

Ok, let's run this manual fix:


Step 1

Please download the attached file fixlist.txt (3.42KB) and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.


Step 2

Start FRST with administrator privileges.
  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste this log in your next reply.


#11 spazzcotas


Posted 14 September 2014 - 09:57 PM

Here is the fixlog and new FRST. It produced the fixlog pretty quick, but the program still said it was fixing for quite a while and the program even became nonresponsive at one point, but I noticed the task manager is much cleaner and the processes running were at about 40 instead of upwards of 80!




#12 aharonov


Posted 15 September 2014 - 06:11 AM

Ok, next steps:


Step 1

Please download the attached file fixlist.txt (256 bytes) and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button. Allow a reboot if required.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.


Step 2

Please download the ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start esetsmartinstaller_enu.exe with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!



Step 3

Start FRST with administrator privileges.
  • Make sure the option Addition.txt (under Optional Scan) is checked.
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.


#13 spazzcotas


Posted 15 September 2014 - 10:25 AM

Here are the new txt files.




#14 aharonov


Posted 15 September 2014 - 10:54 AM

Ok, just one minor thing to delete.
Can you please test the following: Are there any instances of iexplore.exe running in your task manager when you have no browser windows open?


Please download the attached file fixlist.txt (35 bytes) and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.
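
The Task Manager check asked for in the post above can also be run against saved `tasklist /v /fo csv` output. The following is an added example, not part of the original thread or of any tool mentioned in it; the sample rows are constructed, and the function names and the English-locale "N/A" window title are assumptions.

```python
import csv
import io

# Constructed sample of `tasklist /v /fo csv` output (English locale); not from the thread.
SAMPLE = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"explorer.exe","1820","Console","1","45,120 K","Running","PC\user","0:00:12","N/A"
"iexplore.exe","3004","Console","1","22,004 K","Unknown","PC\user","0:00:03","N/A"
"iexplore.exe","3120","Console","1","31,880 K","Unknown","PC\user","0:00:07","N/A"
"rundll32.exe","2210","Console","1","6,412 K","Unknown","PC\user","0:00:01","N/A"
"rundll32.exe","2388","Console","1","6,100 K","Unknown","PC\user","0:00:01","N/A"
"notepad.exe","4012","Console","1","5,300 K","Running","PC\user","0:00:00","Untitled - Notepad"
'''

# The two image names from the topic title.
WATCHED = ("iexplore.exe", "rundll32.exe")


def parse_tasklist(text):
    """Group watched processes by image name, noting whether each owns a titled window."""
    procs = {image: [] for image in WATCHED}
    for row in csv.DictReader(io.StringIO(text)):
        image = row["Image Name"].lower()
        if image in procs:
            title = row["Window Title"].strip()
            # Assumption: tasklist prints "N/A" when a process has no window title.
            procs[image].append({"pid": int(row["PID"]),
                                 "has_window": title not in ("", "N/A")})
    return procs


def windowless_instances(procs, image="iexplore.exe"):
    """Return the PIDs of `image` when instances exist but none of them owns a window."""
    found = procs.get(image, [])
    if found and not any(p["has_window"] for p in found):
        return sorted(p["pid"] for p in found)
    return []


def instance_counts(procs):
    """Number of running instances per watched image name."""
    return {image: len(found) for image, found in procs.items()}


if __name__ == "__main__":
    procs = parse_tasklist(SAMPLE)
    print("instances:", instance_counts(procs))
    print("iexplore.exe PIDs with no browser window:", windowless_instances(procs))
```

Capture the input from the logged-in user's own session, since window titles of processes in other sessions are reported as "N/A" as well.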


#15 spazzcotas


Posted 15 September 2014 - 11:50 AM

Nope! iexplore is only running now when I have a browser window open. I've attached the fixlog.
