
Multiple dll.exe COM processes running in the background, very slow progress


  • This topic is locked
30 replies to this topic

#1 virtualx

virtualx

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:48 PM

Posted 09 October 2014 - 02:37 PM

I simply cannot get rid of this virus. I've run multiple scans with various engines (e.g. Windows Malicious Tool, Malwarebytes, Norton, etc.) and cannot kill this process or get rid of it. There are about 15 processes running in the background with the description COM SURROGATE. They take up so much memory and CPU, and redirect all of my web traffic. My computer is basically useless at this point. I've viewed other posts regarding this issue, but each removal process seems to differ a little here and there. Please help!




 


#2 virtualx


Posted 09 October 2014 - 08:35 PM

I've read that multiple users were directed to run FRST and save the logs.  I'm attaching them to help initiate the process a little faster, thanks.




#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:48 PM

Posted 11 October 2014 - 07:49 PM

Download attached fixlist.txt file and save it to the Desktop.

Attached File  FixList.txt   4.21KB   4 downloads

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 virtualx


Posted 11 October 2014 - 08:27 PM

Thank you sooooooo much for your quick response.  I'm using a second computer here to respond, as my other computer is too slow to use.  But, I did run the FRST report on it.  I've attached the FIXLOG, but I'm not sure if it worked right--you'll have to let me know.  The application produced a log, but as of now is still cycling, saying 'fixing is in progress,' but nothing is actually happening.  I'll let it run overnight to see if more happens.  Please let me know if this is successful.  Thanks!!!!




#5 CatByte


Posted 11 October 2014 - 08:38 PM

Reboot the computer and try the fix again; it doesn't appear to have completed yet.



#6 virtualx


Posted 11 October 2014 - 08:50 PM

Do I press SCAN first or just FIX?



#7 CatByte


Posted 11 October 2014 - 08:56 PM

Just press FIX.



#8 virtualx


Posted 11 October 2014 - 09:12 PM

It's been running for a while.  There's a green progress bar that slides from left to right repeatedly, but that's the only sign I can see something is working.  I'm going to head to bed and leave it on overnight.  Hopefully, I have something to send you tomorrow.  Thanks again for your continued support!



#9 CatByte


Posted 11 October 2014 - 09:40 PM

If it doesn't complete again, then please run the following:

Please download Malwarebytes Anti-Rootkit (MBAR) from here http://www.malwarebytes.org/products/mbar/ and save it to your desktop.
Direct link to the file: http://downloads.malwarebytes.org/file/mbar
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
  • Double-click on the MBAR file you downloaded.
  • Approve the UAC prompt in Vista and newer operating systems.
  • Click OK on the next screen, to allow the package to extract the contents of the file to its own folder, mbar.
  • By default, this will be on your desktop, though you can choose another location if you wish. We advise using the default location for simplicity.
  • mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
  • After reading the Introduction, click 'Next' if you agree.
  • On the Update Database screen, click on the 'Update' button.
  • Once you see 'Success: Database was successfully updated' click on 'Next'.
  • Click the 'Scan' button.
    A. With some infections, you may see two message boxes.
       1. 'Could not load protection driver'. Click 'OK'.
       2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found, press the Cleanup button when the scan completes.

~~~~~~~~~~~~~~~~~~~~~~~
Note: <<<< this is an important step >>>>
fixdamage - repair damaged services

If no detections occurred during the MBAR scan, and/or if the issue with Website Blocking remains, please do this next:
Open the Malwarebytes Anti-Rootkit folder.
Locate fixdamage.exe within the \mbar\Plugins folder and double click on it. In Windows Vista and Windows 7, approve the UAC prompt.
fixdamage.exe will open a command window.
You will be asked if you want to continue. Type y if you do.
A reboot request may be made after the fix. Type y in the command prompt, and allow the computer to be rebooted.
Even if a reboot request was not made after running FixDamage.exe please restart the computer.

Once back in Windows, please send the following logs as attachments to your reply. These logs are located in the Malwarebytes Anti-Rootkit folder.

mbar-log-2014-xx-xx(xx-xx-xx).txt (where xx-xx(xx-xx-xx) is the date and time of the scan)
system-log.txt



#10 virtualx


Posted 12 October 2014 - 06:22 AM

It finished some time during the night.  I had to reboot, and here is the FIXLOG.  Please let me know how to proceed...




#11 CatByte


Posted 12 October 2014 - 09:26 AM

Please run MBAR from the instructions above.

Then run the following:

Refer to the ComboFix User's Guide
  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.



#12 virtualx


Posted 12 October 2014 - 11:24 AM

Here are the MBAR files.  Combo fix to follow...




#13 virtualx


Posted 12 October 2014 - 12:31 PM

Here's the ComboFix log...




#14 CatByte


Posted 12 October 2014 - 01:40 PM

That looks a lot better now.

Please run the following:

Please download Junkware Removal Tool to your desktop.
  • Shut down your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • If items are found, please select the Clean button
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply
Please advise how the computer is running now and if there are any outstanding issues.



#15 virtualx


Posted 12 October 2014 - 06:24 PM

Here are the final two reports.  I do feel like the computer is running much better.  I can actually get on the web and not be redirected all over the place.  I'll trust in your expertise, however, to tell me what you see on the reports.  Actually, as I write that, I'm getting a tab in Chrome that will open (http://tech-support-local.com/support....  It warns me that I have adware/spyware and threatens financial risk.  So...not totally clean yet.
