Re-accuring multiple COM Surrogates


12 replies to this topic

#1 Z3ddicus


Posted 29 October 2014 - 12:51 AM

*Recurring* multiple Com Surrogates (oops)

I have recently inherited the issue of having multiple COM Surrogates running in my Task Manager, one of which has this line in the command line: 'F9717507-6651-4EDB-BFF7-AE615179BCCF'. I believe it may have been an infection picked up from watching a movie online, as I have backtracked what I have done since this issue arose. I am guessing it is sending information over the internet, as it is mainly persistent only when online. I am on a Windows 7 64-bit system. I would greatly appreciate some help in solving this issue, so much so that I would donate. I have tried using my WinZip System Utilities Suite and my Trend Micro Titanium to try to solve this, to no avail.

EDIT: I had downloaded Malwarebytes Anti-Malware and got this message:

Malicious Website Blocked

Domain: fff5ee.com

IP: 31.184.192.90

Port: 49208

Type: Outbound

Process: C:\Windows\SysWOW64\dllhost.exe


Edited by Z3ddicus, 29 October 2014 - 02:23 AM.
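One way to triage the symptom described in this post (a COM Surrogate whose command line carries a CLSID, and a dllhost.exe making outbound connections) is to resolve the CLSID to the DLL it is actually hosting and list that process's connections. The script below is an added example, not something posted in the thread; it assumes PowerShell 3.0 or later on an elevated prompt and uses only netstat, WMI and the registry so it works on Windows 7.

```powershell
# Added triage script (not from the thread). Assumes PowerShell 3.0+ and an elevated prompt.
# For every dllhost.exe (COM Surrogate) it pulls the /Processid:{CLSID} argument from the
# command line, resolves that CLSID to the registered in-process server DLL in both the
# 64-bit and WOW6432Node registry views, checks the DLL's Authenticode status and lists the
# established TCP connections owned by that dllhost, so you can see what the surrogate is
# really hosting and where it is talking to.

# Parse netstat once; TCP rows look like: TCP  local:port  remote:port  STATE  PID
$tcp = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' } | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    [pscustomobject]@{ Remote = $f[2]; State = $f[3]; OwningPid = [int]$f[4] }
}

function Resolve-ClsidServer([string]$Clsid) {
    # Returns the InprocServer32 default value for the CLSID, or $null if it is not registered
    foreach ($key in "Registry::HKEY_CLASSES_ROOT\CLSID\{$Clsid}\InprocServer32",
                     "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{$Clsid}\InprocServer32") {
        if (Test-Path $key) { return (Get-ItemProperty $key).'(default)' }
    }
    return $null
}

Get-WmiObject Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
    $p = $_
    $clsid = $null; $server = $null; $sig = $null
    if ($p.CommandLine -match '/Processid:\{?([0-9A-Fa-f-]{36})\}?') {
        $clsid  = $Matches[1]
        $server = Resolve-ClsidServer $clsid
        if ($server) {
            $dll = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
            if (Test-Path $dll) { $sig = (Get-AuthenticodeSignature $dll).Status }
            else { $sig = 'DLL missing on disk' }
        }
    }
    $remote = $tcp | Where-Object { $_.OwningPid -eq $p.ProcessId -and $_.State -eq 'ESTABLISHED' } |
              ForEach-Object { $_.Remote }
    [pscustomobject]@{
        PID       = $p.ProcessId
        ParentPID = $p.ParentProcessId
        Path      = $p.ExecutablePath
        CLSID     = $clsid
        ServerDll = $server
        Signature = $sig
        Remote    = ($remote -join ', ')
    }
} | Format-List
```

A legitimate surrogate hosts a Microsoft-signed DLL under System32 or Program Files; a CLSID that resolves to an unsigned DLL in a user-writable path, or to nothing at all while the process still holds outbound connections, is the detail worth handing to whoever assists with the cleanup.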



#2 crisis2k


Posted 29 October 2014 - 03:14 AM

Hi Z3ddicus. First I want to tell you I'm not a professional, but I think it looks like some kind of ZeroAccess. Try both of these programs and post me the response please:

 

RogueKiller 64-bit

 

AVG ZeroAccess


My name is Philip; you can call me Phil.
Thank you. I'll be there anytime you need help.


#3 Z3ddicus


Posted 29 October 2014 - 03:18 AM

Alright, before I do though, there is an update to this problem over the last 30 or so minutes.

Malwarebytes is now blocking C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe from making outbound connections, some to fff5ee.com and some without a domain name.


Edited by Z3ddicus, 29 October 2014 - 03:24 AM.


#4 Z3ddicus


Posted 29 October 2014 - 03:31 AM

If I download those it will take a little while, as I have to download them from another computer; this one no longer allows me to download files.



#5 crisis2k


Posted 29 October 2014 - 03:36 AM

Can't you download both RogueKiller and AVG? And did you install Anti-Malware and the Trend Micro product on the same computer? Open Task Manager, check the CPU usage of coreServiceShell.exe, and kill the coreServiceShell.exe process in Task Manager.

Thank you.




#6 Z3ddicus


Posted 29 October 2014 - 03:46 AM

Well, my computer just shows the desktop now, and it pushed IE explorer to the bottom of Task Manager so it was running at like 47 KB, and I could not see anything but the Malwarebytes popup and my desktop, so I shut it down. It may have been taken over; I'm kinda afraid to start it up again.


Edited by Z3ddicus, 29 October 2014 - 03:50 AM.


#7 crisis2k


Posted 29 October 2014 - 03:53 AM

I guess you are seriously infected; disabled downloads make the cure much harder. Check whether you can boot into Safe Mode (with networking) and reply to me please.




#8 Z3ddicus


Posted 29 October 2014 - 04:13 AM

Restarted in Safe Mode with Networking. I had run Farbar alone before it f'ed up like that too, just because I had seen people asking for that.



#9 crisis2k


Posted 29 October 2014 - 04:45 AM

Sorry, I can't post replies anymore; Orange Blossom warned me for bad grammar. Sorry.


Edited by crisis2k, 29 October 2014 - 04:45 AM.



#10 Z3ddicus


Posted 29 October 2014 - 10:31 PM

I would appreciate some professional help. I tried to get Trend Micro to help, but they have not gotten back to me; they said they needed to look over the HijackThis log. Malwarebytes is still blocking C:\Windows\SysWOW64\dllhost.exe from sending outbound info. When I keep this computer on for a little while, the CPU will run at 100% and RAM at around 80%.



#11 Z3ddicus


Posted 31 October 2014 - 01:34 AM

Thanks for the attempt at help.



#12 crisis2k


Posted 31 October 2014 - 01:51 AM

Z3ddicus, if you need more help with it, then send your request to my e-mail (crisis2k@naver.com). I tried to help you on the forum, but my English sucks and Orange Blossom always warned me for bad grammar; I cannot help you in this forum anymore.




#13 Z3ddicus


Posted 02 November 2014 - 10:31 PM

I thought this would have been a helpful forum; apparently not. Now this virus has taken over 2 computers... so yeah, thanks for the help.
