
Many, Many Instances of COM Surrogate (32-bit)


7 replies to this topic

#1 JMG01


Posted 22 September 2014 - 05:33 PM

I am running Windows 8.1.

First noticed the issue about a week or two ago because of two things.

First, the computer started slowing down. Poking around to figure out why, in Task Manager, I saw I had 20 or so instances of COM Surrogate (32-bit) running.

Second, around the same time, I tried downloading a file from work. It wouldn't let me. I saw my Internet Explorer security settings had been changed.

I ended the instances of COM Surrogate via Task Manager. They keep coming back, though not always right away.

I changed the internet settings. They magically changed themselves back to the Custom level (and oddly slightly more secure). This has happened multiple times.

In an effort to clean up the machine, I downloaded Malwarebytes. It found a few things and cleaned them, but it didn't stop either issue.

When Malwarebytes is on, it is near constantly popping up with a warning Malicious Website Blocked. Something is trying to reach out to the web behind the scenes.

Any help with this dllhost.exe (the source of the COM Surrogate) would be greatly appreciated.

Looking through the forums, I've seen similar issues resolved, but they've usually needed a lot of jobs and logs created and run and the solution was well beyond my skill set.

Thank you in advance!




#2 LiquidTension (Malware Response Team)

Posted 22 September 2014 - 07:42 PM

Hello,

This sounds like Poweliks.

Let's check.

RKill

  • Please download RKill and save the file to your Desktop.
  • Right-click RKill.exe and select Run as administrator to run the programme.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • Important: Please do NOT reboot your computer until you have carried out the steps below.
  • A log (C:\rkill.log) will open once the scan has completed. Copy the contents of the log and paste in your next reply.

Note: If the programme fails to run, or encounters an error, please delete RKill.exe and download the following file. Repeat the steps using the newly downloaded iExplore.exe.



#3 JMG01

Posted 23 September 2014 - 06:48 AM

Thank you very much for the assistance.

The results of the log:

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/23/2014 07:44:36 AM in x64 mode.
Windows Version: Windows 8.1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\windows\system32\ptumlcmsvc64.exe (PID: 1504) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * System Restore Disabled

   [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   "DisableSR" = dword:00000001

Checking Windows Service Integrity:

 * MsKeyboardFilter [Missing Service]
 * CSC [Missing Service]
 * E1G60 [Missing Service]
 * HdAudAddService [Missing Service]
 * kbldfltr [Missing Service]
 * storvsp [Missing Service]
 * Vid [Missing Service]
 * vmbusr [Missing Service]
 * vpcivsp [Missing Service]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 09/23/2014 07:46:23 AM
Execution time: 0 hours(s), 1 minute(s), and 47 seconds(s)



#4 LiquidTension (Malware Response Team)

Posted 23 September 2014 - 11:12 AM

Hello,

Did you disable your System Restore? If not, we can address this later.

Let's run some general scans and see what turns up. We may well find the use of more advanced tools not permitted in this section are required; in which case, I will direct you to a different forum section.

For now, please do the following.

STEP 1
Temporary File Clean (TFC)

  • Please download TFC and save the file to your Desktop.
  • Close any open windows.
  • Double-click TFC.exe to run the programme.
  • Click Start.
  • Allow TFC to run uninterrupted.
  • Upon completion, your computer will reboot automatically. If this does not happen, please manually reboot.

STEP 2
TDSSKiller Scan

  • Please download TDSSKiller and save the file to your Desktop.
  • Right-click TDSSKiller.exe and select Run as administrator to run the programme.
  • Click Change parameters. Place a checkmark next to:
    • Loaded Modules
    • Detect TDLFS file system
  • Note: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.
  • Click Start Scan. Do not use the computer during the scan.
  • If objects are found, change the action to skip.
  • Click Continue and close the window.
  • A log will be created and saved to the root directory (usually C:\). Copy the contents of the log and paste in your next reply.

STEP 3
Malwarebytes Anti-Rootkit (MBAR)

  • Please download Malwarebytes Anti-Rootkit and save the file to your Desktop.
  • Double-click MBAR.exe to run the installer.
  • Select a convenient location to extract the contents and click OK. Navigate to the location you selected.
  • Right-click MBAR.exe and select Run as administrator to run the programme.
  • Follow the prompts to update the programme and scan your computer.
  • Upon completion, click Cleanup and reboot your computer.
  • After the reboot, rerun the programme to verify no threats remain. If threats are still detected, click the Cleanup button once more.
  • Upon completion, two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder.

STEP 4
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme.
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Hide advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click List of found threats.... If no threats were found, skip the next two bullet points.
  • Click Export to text file... and save the file to your Desktop, naming it something unique such as MyEsetScan.
  • Push the Back button.
  • Place a checkmark next to Uninstall Application on Close and click Finish.
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.

STEP 5
MiniToolBox

  • Please download MiniToolBox and save the file to your Desktop.
  • Close any open windows.
  • Right-click MiniToolBox.exe and select Run as administrator to run the programme.
  • Check the following items (the list of checkboxes was shown as images in the original post).
  • Click GO.
  • A log (Result.txt) will be created on your Desktop. Copy the contents of the log and paste in your next reply.

======================================================

STEP 6
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • TDSSKiller log
  • mbar log
  • system log
  • ESET log
  • Result.txt


#5 JMG01

Posted 23 September 2014 - 08:44 PM

I have bad news after the first step above. I downloaded TFC and kicked it off. It ran for at least an hour. I'm not sure exactly when, but sometime when I was out coaching soccer, the system must have crashed or shut down. I tried to boot it up and it wouldn't start. I hit ESC and tried to boot that way and it told me the drive was locked when I tried to refresh the Windows 8.1 files but save my documents.



#6 LiquidTension (Malware Response Team)

Posted 23 September 2014 - 08:53 PM

I'm very sorry to hear that.

Whilst this may have been caused by running TFC, it is also possible this has been caused by the infection(s) already present on your machine.

Please create a new topic in the Virus and Malware Removal section. Describe the original issue at hand, and state that after running TFC your computer doesn't seem to boot. You may wish to take a photo using a camera or mobile to better assist your description.

Best of luck, and I hope this is resolved quickly.



#7 JMG01

Posted 23 September 2014 - 09:02 PM

I'll try to get my hands on a boot disk, grab the personal stuff off the hard drive, and just reformat. I suppose that's one way to get rid of the virus.

I appreciate the help.



#8 LiquidTension (Malware Response Team)

Posted 23 September 2014 - 09:18 PM

OK, whilst that is one option, there are others which do not require a reformat. These options cannot be used here, but can in the Malware Removal section linked in my previous post.

However, if you're still interested in going down the route of backing up and reformatting, here are instructions on how you can back up your data by booting into a Puppy Linux environment.

These instructions come courtesy of phillpower2 from Geeks To Go, and modified by LiquidTension.

===================

Required Hardware

  • CD Burner (CDRW) Drive
  • Blank CD
  • Extra Storage Device (USB Flash Drive, External Hard Drive)

===================

1. Burn Puppy Linux Live CD Using Clean PC

  • Using your clean PC:
  • Open BurnCDCC.
  • Extract All files to a convenient location.
  • Double-click BurnCDCC.
  • Click Browse and navigate to the Puppy Linux ISO file you downloaded earlier.
  • Double-click the file.
  • Important: Adjust the speed bar to CD: 4x DVD: 1x.
  • Click Start.
  • Your CD Burner Tray will automatically open.
  • Insert a blank CD and close the tray.
  • Click OK.
  • Your Puppy Linux Live CD will now be created.

2. Change BIOS Boot Priority

  • Restart the infected PC.
  • Read the following instructions (scroll down for Dell).
  • Open your CD ROM drive and insert your Puppy Linux Live CD.
  • Press F10 to save and exit.
  • Press Y to continue.
  • Your computer will restart and boot from your Puppy Linux Live CD.

3. Recover Your Data
Once Puppy Linux has loaded, it will run in your computer's memory (RAM). You will see a fully functioning Graphical User Interface similar to what you consider your "normal computer". Internet access may or may not be available depending on your machine, so it is recommended you print the following instructions or ensure you have access using a different device.

Note: Double-clicking is unnecessary in Puppy Linux. To expand, or open folders/icons, a single click is all that is required.

3a. Mount Drives

  • Click the Mount icon located at the top left corner of your Desktop.
  • A Window will open. By default, the "drive" tab will be forward/highlighted. Click on Mount for your hard drive.
  • Assuming you only have one hard drive and/or partition, there may only be one selection to mount.
  • USB Flash Drives usually automatically mount upon boot, but click the "usbdrv" tab and make sure it is mounted.
  • If using an external hard drive for the data recovery, do this under the "drive" tab. Mount it now.

3b. Transfer Files

  • At the bottom left corner of your Desktop, a list of all hard drives/partitions, USB Drives, and Optical Drives is shown with a familiar looking hard drive icon.
  • Open your hard drive i.e. sda1
  • Next, open your USB Flash Drive or External Drive. i.e. sdc or sdb1
  • If you open the wrong drive, simply X out at the top right corner of the window that opens (just like in Windows)
  • From your hard drive, drag and drop whatever files/folders you wish to transfer to your USB Drive's Window.

Remember, you need only click once! No double clicking! Once you drag and drop your first folder, you will notice a small menu appear giving you the option to move or copy. Choose COPY each time you drag and drop.

The safest practice is not to back up any executable (.exe), screensaver (.scr), dynamic link library (.dll), autorun (.ini) or script (.php, .asp, .htm, .html, .xml) files because they may be infected by malware. You should also avoid backing up compressed (.zip, .cab, .rar) files that have executables inside, as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may disguise themselves by hiding a file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension, so be sure you look closely at the full file name.

  • Backing up documents, images, music and videos is fine.
  • To repeat, do not back up files with the following extensions:
    .exe, .scr, .bat, .com, .cmd, .msi, .pif, .ini, .htm, .html, .hta, .php, .asp, .xml, .zip, .rar, .cab

You are now done! Click Menu > Mouse Over Shutdown > Reboot/Turn Off Computer. Be sure to plug your USB Drive into another working windows machine to verify all data is there and transferred without corruption.


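As an added example (not code from the thread or from either poster), a small Python filter that applies the extension block list from the post above and handles the two tricks it warns about: double extensions such as "holiday.jpg.scr" and padding spaces that push the real extension out of view. The archive check, which opens a zip read-only with the standard zipfile module and refuses it if any member carries a blocked extension, goes a step beyond the post, which only says to avoid archives with executables inside; the sample zip contents are constructed.

```python
from __future__ import annotations

import io
import zipfile
from pathlib import PurePosixPath

# Extensions the post says not to copy, plus .dll which its prose names.
BLOCKED = {".exe", ".scr", ".bat", ".com", ".cmd", ".msi", ".pif", ".ini",
           ".htm", ".html", ".hta", ".php", ".asp", ".xml", ".dll"}
ARCHIVES = {".zip", ".rar", ".cab"}


def extensions(name: str) -> list[str]:
    """All dotted suffixes of a file name, lower-cased, with whitespace
    removed first so "invoice.pdf      .exe" yields ['.pdf', '.exe']."""
    compact = "".join(name.split()).lower()
    return PurePosixPath(compact).suffixes


def is_safe_name(name: str) -> bool:
    """Reject if ANY suffix is blocked, which catches "holiday.jpg.scr"."""
    return not any(s in BLOCKED for s in extensions(name))


def archive_is_safe(data: bytes) -> bool:
    """Open zip bytes read-only and apply the name check to every member."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return all(is_safe_name(member) for member in zf.namelist())


def is_safe_to_backup(name: str, data: bytes | None = None) -> bool:
    """Combined decision: archives pass only after inspection, and only
    zip can be inspected here, so .rar and .cab are refused outright."""
    suffixes = extensions(name)
    if not is_safe_name(name):
        return False
    if any(s in ARCHIVES for s in suffixes):
        return (data is not None and suffixes[-1] == ".zip"
                and archive_is_safe(data))
    return True


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Constructed sample archive for the checks below (not real data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, body in members.items():
            zf.writestr(member, body)
    return buf.getvalue()
```

Run it over a directory listing of the mounted drive before dragging files to the USB stick, and copy only the names it reports as safe.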



