Multiple COM Surrogate processes.


This topic is locked. 24 replies to this topic.

#1 Robi_ (Members, 14 posts)

Posted 06 September 2015 - 06:37 AM

Hello. Since yesterday, whenever I open Task Manager, for 2 seconds I see two "COM Surrogate" processes.
They just disappear right away. From what I read, I learned that there is a virus which looks similar and is said to eat a lot of CPU (not in my case, I guess).
I came here for help since I've never seen it there before (I suppose). I started seeing it since yesterday, and I always get suspicious of random/new processes in my Task Manager.

I am using an original Win 8.1.

Please, further info/help with my case would be much appreciated!
Thanks!

Edit: I scanned with the Windows Defender tool / Malwarebytes / AdwCleaner / RogueKiller / TDSSKiller - found nothing. But I am still cautious. Thanks for a quick response. :)


Edited by Robi_, 06 September 2015 - 06:50 AM.
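
The symptom in this post (dllhost.exe, shown as "COM Surrogate", appearing for a moment and vanishing) is normal when Windows hosts an out-of-process COM server such as a thumbnail handler, and it is also the name malware likes to borrow. The following is an added example, not code from the thread or from any of the tools named in it: it polls for dllhost.exe instances, checks the image path and Authenticode signer, records the parent process, and resolves the /Processid:{CLSID} argument through HKCR\CLSID to the DLL the surrogate is really running. It assumes an elevated PowerShell prompt on Windows 8.1 or later; the 30-second polling window is an arbitrary choice.

```powershell
# Added example (not from the thread): enumerate running COM Surrogate
# (dllhost.exe) instances and show what each one is actually hosting.
# Assumption: run from an elevated PowerShell prompt on Windows 8.1 or later.
function Get-ComSurrogateInfo {
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'"
    foreach ($p in $procs) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

        # Legitimate surrogates live in System32 (or SysWOW64 for 32-bit) and
        # carry a valid Microsoft Windows Authenticode signature.
        $sig = $null
        if ($p.ExecutablePath) { $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath }

        # DcomLaunch starts the surrogate with /Processid:{CLSID}; the CLSID's
        # InprocServer32 value names the DLL that really runs inside it.
        $hosted = '(no /Processid on command line)'
        if ($p.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]{36}\})') {
            $clsid  = $Matches[1]
            $key    = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name   = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            $dll    = (Get-ItemProperty -Path "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $hosted = '{0} {1} -> {2}' -f $clsid, $name, $dll
        }

        [pscustomobject]@{
            PID     = $p.ProcessId
            Started = $p.CreationDate
            Image   = $p.ExecutablePath
            Signer  = if ($sig) { '{0} / {1}' -f $sig.Status, $sig.SignerCertificate.Subject } else { '(no image path)' }
            Parent  = '{0} ({1})' -f $parent.Name, $p.ParentProcessId
            Hosting = $hosted
        }
    }
}

# The instances in the thread only live for a couple of seconds, so poll for
# a while instead of taking one snapshot; each PID is reported once.
$seen  = @{}
$until = (Get-Date).AddSeconds(30)
while ((Get-Date) -lt $until) {
    foreach ($info in Get-ComSurrogateInfo) {
        if (-not $seen.ContainsKey($info.PID)) {
            $seen[$info.PID] = $true
            $info | Format-List
        }
    }
    Start-Sleep -Milliseconds 250
}
```

Start the script, then open Task Manager or browse a folder of images so the short-lived surrogates appear while it is polling. A benign instance shows Image under C:\Windows\System32 (or SysWOW64), a Valid signature whose subject is Microsoft Windows, svchost.exe as the parent (the DcomLaunch service), and a hosted DLL that belongs to Windows or to a product you installed. A dllhost.exe outside those directories, an unsigned or invalid signature, or a hosted DLL under AppData, Temp or ProgramData is what deserves a closer look.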



#2 nasdaq (Malware Response Team, 39,909 posts, Montreal, QC, Canada)

Posted 06 September 2015 - 10:19 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system:
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===


Wait for further instructions.

#3 Robi_ (Topic Starter)

Posted 06 September 2015 - 10:41 AM

Hello and thank you very much for your response!
I will try and cooperate with you, and do as you ask of me to solve my problem. :)

I am attaching FRST and addition.txt as you asked of me.

Could not copy the whole text because it would be too long for the message.
Please forgive me, I am using this forum for the first time.

Attached Files



#4 Robi_ (Topic Starter)

Posted 06 September 2015 - 12:55 PM

bump.
I'd like to continue with solving my problem and I am afraid noone will answer :I



#5 nasdaq

Posted 06 September 2015 - 01:43 PM

Do you recognize this IP address in the Netherlands?

Tcpip\..\Interfaces\{015058DA-D2E0-4E15-B373-56C21FCEF7D4}: [DhcpNameServer] 213.46.172.37 213.46.172.36
http://whatismyipaddress.com/ip/213.46.172.37

===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK button.
Please copy the entire contents of the code box below into the new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:


ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} =>  No File
ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} =>  No File
ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} =>  No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} =>  No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} =>  No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} =>  No File
FF Plugin HKU\S-1-5-21-2338250142-3511113990-3783751715-1001: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll No File
CHR HKU\S-1-5-21-2338250142-3511113990-3783751715-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bknbnapaddjdnbilpmlacdkjdkjmbjhd] - http://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bknbnapaddjdnbilpmlacdkjdkjmbjhd] - http://clients2.google.com/service/update2/crx

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?

#6 Robi_ (Topic Starter)

Posted 06 September 2015 - 01:58 PM

Thank you for your response again!

I have no idea what that IP is or what it has to do with me. I moved into a new home just a few days ago. The internet provider is UPC. (I am sorry, I am only giving whatever info I can give you.)

Well, about my PC: the boot was not as smooth as before. And as for those 2 COM Surrogate processes, they still show up for 2 seconds whenever I open Task Manager and then just disappear.

Here is the log you requested.

Ask me for any info I will give it right away. I hope I am not infected though!

Edit: the ip you asked me about earlier is the ip of my internet provider.

Attached Files


Edited by Robi_, 06 September 2015 - 05:03 PM.


#7 Robi_ (Topic Starter)

Posted 07 September 2015 - 02:11 AM

bump



#8 nasdaq

Posted 07 September 2015 - 07:02 AM

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on Export TXT button save the file as RogueReport.txt
  • The file RogueReport.txt will be saved in the desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.
<<<>>>

#9 Robi_ (Topic Starter)

Posted 07 September 2015 - 07:26 AM

Hello, and thank you for the response.
I've finished scanning.
During the scan, a message popped up that some file, I think bootstrap.tmp, is unknown and should be uploaded.
Since it was not stated in your previous message, I clicked No and continued the scan.
Here are the results.

 

Attached Files



#10 nasdaq

Posted 07 September 2015 - 07:35 AM


Nothing has been reported by the RogueKiller tool. These could be just remnant items in the registry.
The fix will reset the registry if needed.


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK button.
Please copy the entire contents of the code box below into the new file.


start

CreateRestorePoint:
CloseProcesses:

Tcpip\Parameters: [DhcpNameServer] 213.46.172.37 213.46.172.36
Tcpip\..\Interfaces\{015058DA-D2E0-4E15-B373-56C21FCEF7D4}: [DhcpNameServer] 213.46.172.37 213.46.172.36
Tcpip\..\Interfaces\{1AD0AAAF-28FA-4E04-A4AC-383134D54E2D}: [DhcpNameServer] 213.46.172.37 213.46.172.36
cmd: ipconfig /flushdns

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please run the Farbar tool and post a fresh FRST log for my review.

How is the computer running now?
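
The DhcpNameServer question in post #5 and the fixlist above that resets it are the same check: are the resolvers this machine actually uses the ones the ISP hands out, or has something substituted its own? The following is an added example, not code from the thread or from FRST: it reads the same Tcpip\Parameters\Interfaces values FRST reports, shows whether each address came from DHCP or from a static NameServer override (the override wins, and an unexplained static one is the classic DNS-hijack sign), and does a reverse lookup on each so an unfamiliar address can be compared with the ISP's. The two expected addresses are taken from the FRST log quoted in this thread; that they belong to UPC is the poster's statement, not something the script verifies.

```powershell
# Added example (not from the thread): show which DNS servers each adapter is
# using, where that setting came from, and what the addresses resolve back to.
# Assumption: $expected is the list the user believes the ISP hands out.
$expected = @('213.46.172.37', '213.46.172.36')   # addresses from the FRST log above

function Get-DnsServerReport {
    $ifaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($k in Get-ChildItem $ifaces) {
        $v = Get-ItemProperty $k.PSPath
        # DhcpNameServer is what DHCP handed out; NameServer is a static
        # override that takes precedence. A static NameServer nobody
        # configured is what a DNS changer leaves behind.
        $static = [string]$v.NameServer
        $dhcp   = [string]$v.DhcpNameServer
        if (-not $static -and -not $dhcp) { continue }
        $active = if ($static) { $static } else { $dhcp }

        foreach ($srv in ($active -split '[ ,]+' | Where-Object { $_ })) {
            # Reverse lookup so the owner of an unknown resolver can be checked.
            $ptr = try { (Resolve-DnsName -Name $srv -Type PTR -ErrorAction Stop).NameHost } catch { '(no PTR)' }
            [pscustomobject]@{
                Interface = $k.PSChildName
                Source    = if ($static) { 'static NameServer' } else { 'DhcpNameServer' }
                Server    = $srv
                Expected  = $expected -contains $srv
                PTR       = $ptr
            }
        }
    }
}

Get-DnsServerReport | Format-Table -AutoSize
```

Every row should read Source = DhcpNameServer and Expected = True on a home machine that takes its DNS from the router; the global Tcpip\Parameters key that the fixlist also resets can be read the same way with Get-ItemProperty. A row with a static NameServer, or an address whose PTR points somewhere other than the ISP, is the case in which the fix above does real work rather than just rewriting the same values.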

#11 Robi_ (Topic Starter)

Posted 07 September 2015 - 07:53 AM

It looks fine. Boot is smooth.
I still don't know whether my PC is OK or not (those two COM Surrogate processes show up and disappear just like before, but I don't know if it is a threat). I'm sure you have more important cases than this, but I am really grateful for your help.
If there are still some things you would like me to look into, I will.
Waiting for response. :)

Attached Files



#12 nasdaq

Posted 07 September 2015 - 09:47 AM


Check to make sure that you have all the latest security updates from Microsoft.

Then:

Run an online scan with ESET (easiest with Internet Explorer): http://www.eset.com/onlinescan/
To shorten the scanning time disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

Deselect Remove found threats.

Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology


Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.
<<<>>>

#13 Robi_ (Topic Starter)

Posted 07 September 2015 - 10:46 AM

It found no threats, so there's no list I could view/post.
Could there be anything else, any other scan you want me to run? :)


Edited by Robi_, 07 September 2015 - 10:49 AM.


#14 nasdaq

Posted 07 September 2015 - 01:32 PM

Please Download and run the ComboFix tool.

How to use ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions on the page.

Post the content of the C:\ComboFix.txt file for my review.

p.s.
When all is well you can remove the tool by following the Uninstall instructions on the same page.

====

#15 Robi_ (Topic Starter)

Posted 07 September 2015 - 01:42 PM

"Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer."

I am sorry, but after reading this sentence, I got worried.
Is it really safe to use this tool? What are the risks of using this tool?

Edit: Also, I'd like to ask you what you think about my case so far. Is there a threat possibility? I mean, is it really necessary to run this program? I read on forums that it can screw up my PC really badly if NOT USED properly... (yet it only has 2 buttons) and is a last resort. If you really think it is necessary to run this tool, then so be it.


Edited by Robi_, 07 September 2015 - 02:04 PM.




