Jump to content

Recommended Posts

I have this same problem that many others seem to be having.  I ran the Malware Bytes software and it didn't catch anything.  I was browsing a common website that I go to everyday and I noticed what looked like a DOS prompt briefly pop up and disappear.  Since then I have noticed weird issues like me being signed out of websites that I usually don't need to sign into each visit.  Over the last few minutes, I noticed that thumbnails wouldn't load, so I did a CRTL+ALT+DEL and noticed a ton of COM Surrogate entries using up a lot of resources.  Like other people here, I close them and they come back.

Link to post
Share on other sites

The issue of me being signed out of sites seems to only be affecting sites I regularly visit in Internet Explorer.  Sites I was already signed into in Fire Fox seem unaffected.  However, the site I was browsing when I noticed the DOS prompt was in Fire Fox.

Link to post
Share on other sites

Welcome to the forum. (Do what you can)

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

 

<====><====><====><====><====><====><====><====>

 

1. Please run a Threat Scan with Malwarebytes (if possible)

Start Malwarebytes 2.0.........

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine all that's found

Post the log (save the log as a .txt file not .xml)

Then......

2. Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button. (make sure the Addition box is checked)
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

Last................

3. Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Wait for the Prescan to finish

Click Scan to scan the system.

When the scan completes > Don't Fix anything! > Click on the Report Button > Copy and paste the Report back here.

Don't run any other options, they're not all bad!!!!!!!

RogueKiller logs will also be located here:

%programdata%/RogueKiller/Logs <-------W7

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM

Link to post
Share on other sites

I could only remember having one bit torrent program installed (Vuze) and I just uninstalled it, but it hadn't been used in ages.

 

Ok, here is the Malwarebytes log:

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/28/2014
Scan Time: 11:26:01 AM
Logfile: Malwarebytes Log.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.10.28.04
Rootkit Database: v2014.10.22.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8
CPU: x86
File System: NTFS
User: Zack

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 468845
Time Elapsed: 13 min, 19 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

 

 

I've been keeping task manager open and as soon as the scan finished and I saved the log, I got another group of COM Surrogate entries in there.

Link to post
Share on other sites

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

bleep-crop.jpg

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

 

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

I tried logging into an extra account I have on this computer and downloading those programs and the downloads were going to work, but then the computer grinded to a halt.  Then I did a hard reset and came back to my primary account and now COM Surrogate is coming back every minute or so after I end the task.

 

I'm thinking I could have my brother download the files and copy them to USB and I could get them that way.  Please tell me if I should do any of this.

Link to post
Share on other sites

Ok.  I did that now and it did fix the original issue, but now it starts the download and then says that the file couldn't be downloaded.  It does this for all of the programs you listed so far.  Before I click to download it, it says something like this file could harm your computer.

 

Would a full system refresh or reinstall take care of this problem?  I've been backing up my data all afternoon.

Link to post
Share on other sites

Please read the following information first.

 

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

I would change all my passwords and keep a close eye on all your sensitive accounts.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

MrC

Link to post
Share on other sites

It has Dell printed on it. It says Reinstallation DVD Windows Vista Home Premium 32BIT. There is a code printed on the sleeve with a barcode. At some point I upgraded to Windows 7, but I don't remember how I did that. When I upgraded to Windows 8, I downloaded directly from Microsoft.

Link to post
Share on other sites

I am reading about the Windows 8 reset options. It says it deletes all files and overwrites them with random data several times and then reinstalls Windows 8. Is this considered to be a good option?

I don't have W8 so I'm not familiar with it but it sounds like a good option.

I would ask in this part of the forum and you should get your answer, if not let me know and I'll get an answer for you.

https://forums.malwarebytes.org/index.php?/forum/6-general-pc-help/

------------------------

The virus should be gone now.....How is the computer running???

MrC

Link to post
Share on other sites

I'll ask my Windows 8 question in that part of the forum.  Thanks for directing me there.

 

Regarding the problem I've been having, it's hard to say.  After reading your last message from my iPad, I restarted the computer and plugged the internet back in and immediately opened up Task Manager and there were briefly 2 COM Surrogate entries in there, but then they disappeared on their own.  One of the symptoms I had been experiencing previously was that every minute or so, the edges of the windows on the screen (notepad, FireFox, etc.) would briefly flicker as if I had clicked on the desktop and then clicked back within the window.  I'm not noticing that at the moment.  Also, before using the fixlist I had to go back into Internet Explorer and enable downloads again.  I just checked that and it has remained enabled.

 

So, I guess what I'm saying is that I'm not currently seeing any symptoms but I'm still really paranoid.

Link to post
Share on other sites

immediately opened up Task Manager and there were briefly 2 COM Surrogate entries in there, but then they disappeared on their own.

That sounds like normal behavior. We'll look though:

Re-scan with FRST and Make sure the Addition Box is checked.

Post or attach the 2 logs FRST(64).txt and Addition.txt

also try to run RogueKiller and scan the system.

MrC

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.