
Laptop infected with RAT Trojan COM Surrogate and other malware



Hello there! My laptop has been infected with a really nasty RAT virus COM Surrogate and it has crashed my first laptop's hard drive beyond it being recognized by any BIOS and it cannot install any Windows OS on it. My second laptop was partially erased but the BIOS can still recognize it. I have re-installed Win 10 on it, but the RAT virus is still on it. I am currently on the laptop that was wiped partially. I have the premium version of Malwarebytes but every time I run it, it does not detect anything wrong. I know I have more than one RAT Trojan running on my laptop, not just the main one, COM Surrogate.

 

Here are some of the things that happen to me while I am on my laptop:

 

  • Internet Explorer redirects to pages that are NOT what I clicked on. (happens about 4 to 5 times before I can get through)
  • Slow Boot up to Windows 10
  • Constant Windows Updates
  • Buttons losing functions or sticking when pressed (takes me constantly clicking on my mouse button to get it to function)
  • Personal Files being erased without my permission
  • Windows Defender and Windows Security being disabled whenever I get into safe mode
  • Programs being opened without me touching my laptop
  • Internet Connection speed either being delayed or severely slowed down
  • Program Execution being delayed when shortcuts are clicked on
  • Laptop Battery being constantly drained, cannot hold a charge for more than 60 mins at a time
  • Slow Login to Win 10 (My user account to laptop)
  • System Freezes where I have to Hard Reset just to get to a single program
  • Wireless Connection no longer connects to the internet
  • System Restore constantly being modified to current dates instead of having dates back to around factory settings

My Laptop specs:

 

Windows 10 Home Edition

Processor: Intel Pentium CPU 2020 @ 2.40GHz

Installed Memory (RAM): 6.00 GB (5.88 GB usable)

System Type: 64-bit Operating System, x64-based processor

 


Hello silver_fox_revival and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system; continue as follows please:

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security software alerts on FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...
 
  • Double-click to run it. When the tool opens click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach those logs to your reply.


Let me see those logs in your reply...

Thank you,

Kevin...

Thanks for those logs, continue as follows:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.

Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Please download Junkware Removal Tool to your desktop.
 
  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


Next,

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/
 
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista,Windows 7/8/8.1/10, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement)
  • Click Scan to scan the system.
  • When the scan completes select "Report", in the next window select "Export txt"; the log will open as a text file. Post that log... Also save it to your Desktop for reference.
  • Close the program > Don't Fix anything!


Let me see those logs, also let me know if there are any remaining issues or concerns...

Thank you,

Kevin

Fixlist.txt


Thanks for the update, the logs produced up to now are not showing any obvious malware or infection... Run the following in-depth scan:

Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.

Click there Run ESET Online Scanner.

If using Internet Explorer:
 
  • Accept the Terms of Use and click Start.
  • Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:
  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.


To perform the scan:
 
  • Select "Enable detection of potentially unwanted applications"
  • Make sure that Remove found threats is unchecked.
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Under “Enable Stealth Technology” select “Change” and select any extra drives in that window.
  • Click Start
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.


Please include this logfile in your next reply.

Don't forget to re-enable protection software!

Thank you,

Kevin....

 


I am sorry but the hacker that installed the virus on my laptop, is actively running the virus and is running hang time on the online scanner. However, I do have some interesting news. I have multiple rat viruses running. There is one named google installer, scvhost, Microsoft Skype to name the ones I found. I do not have Google Chrome installed at all but there is a folder inside the Programs (x86) named "Google" and it has all of the virus' programs including dlls and so on. I also will show you what my laptop is doing when the rat virus is running so that you can see for yourself exactly what is going on. I tried to delete the "Google" folder and the deletion goes through the motions of being deleted, but, never is deleted. That is what happens when I try to delete any foreign files off of my laptop. I also would like to show you my Task Manager and how it looks when everything is running (Viruses) so that you can see that the hacker is choosing to run them. That is probably why nothing can be found. I also do not have Skype installed and whenever I try to stop or end the task in the task manager, nothing happens. I will produce a video showing all of what is taking place.


Quote

There is one named google installer, scvhost, Microsoft Skype

Google Chrome does show as installed on your system, as does its update helper,

Quote
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 49.0.2623.112 - Google Inc.)
Google Update Helper (x32 Version: 1.3.29.5 - Google Inc.) Hidden

scvhost is not a Windows file, svchost is; did you make a typo maybe?

Microsoft Skype is an app that will be on your system, although not necessarily active. If you open regedit, select > edit > find > type skype into the "find what" box, tap enter you should see Skype listed as per attached image...

Next,

Regarding the re-direct issue, navigate to and delete the contents of the following folder:

C:\Users\{your username}\AppData\Local\Steam\htmlcache

AppData is usually a hidden folder; if so, you will need to change the folder settings to show it.... Instructions at the following link if required..

http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

reboot when complete, see if the redirect issue clears...

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan, and when done post the new logs....

Thanks,

Kevin...

 

skype.PNG

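The reply above turns on a naming detail (scvhost versus svchost) that is easy to misread in Task Manager. A practical way to settle it from the defender's side is to list the running processes whose name resembles svchost and check, for each one, where its executable actually lives and whether it carries a valid Microsoft signature. The script below is an added example written for this thread; it is not kevinf80's tool, not part of FRST or Malwarebytes, and the regex and the "suspicious" flag are my own choice. Run it from an elevated PowerShell prompt so the image paths of system services can be read.

```powershell
# Added example, not part of the forum thread or any Malwarebytes tooling.
# The genuine Windows Service Host is svchost.exe and is loaded from
# C:\Windows\System32 (or SysWOW64 for 32-bit hosts) and is signed by Microsoft.
# Anything that merely looks like it (for example "scvhost") or runs from
# another folder is worth a closer look.

$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

# Regex chosen for this example: matches svchost, scvhost, svhost, schost, ...
$lookalikePattern = '^s[cv]{1,2}host$'

function Get-SvchostLookalikes {
    Get-Process | Where-Object { $_.ProcessName -match $lookalikePattern } |
        ForEach-Object {
            $proc   = $_
            $path   = $proc.Path      # $null when access is denied (run elevated) or for protected processes
            $inSys  = $false
            $status = 'Unknown'
            $signer = 'Unknown'

            if ($path) {
                $dir   = Split-Path -Path $path -Parent
                $inSys = $systemDirs -contains $dir          # -contains compares strings case-insensitively
                $sig   = Get-AuthenticodeSignature -FilePath $path
                $status = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            [PSCustomObject]@{
                PID         = $proc.Id
                Name        = $proc.ProcessName
                Path        = $path
                InSystemDir = $inSys
                SigStatus   = $status
                Signer      = $signer
                # Flag anything that is not a correctly named, correctly located, validly signed svchost.
                Suspicious  = ($proc.ProcessName -ne 'svchost') -or (-not $inSys) -or ($status -ne 'Valid')
            }
        }
}

# Usage: show every match, suspicious entries first.
Get-SvchostLookalikes | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

A row with `Suspicious` set to `False` is a normal Service Host. A `True` row is not proof of infection on its own: a `$null` path usually means the prompt was not elevated, and an empty result for a name such as scvhost simply means no such process is running, which is the point kevinf80 is making. The same path-and-signature check can be applied with `Get-AuthenticodeSignature` to files in an unexpected folder, such as the "Google" directory mentioned earlier in the thread.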

Scan with ZOEK

Please download ZOEK by Smeenk from here: http://hijackthis.nl/smeenk/ and save it to your desktop (preferred version is the *.exe one)

*.exe Mirror http://smeenk.247fixes.com/Tools/zoek.exe

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here or here

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console will appear, it may take a minute or two.
  • In the main box please paste in the following script:

	createsrpoint;
	autoclean;
	emptyalltemp;
	ipconfig /flushdns >>"%temp%\log.txt";


  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Please include its content in your next reply. Don't forget to re-enable security software!


2 weeks later...

Root Admin:

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
