
I was and may still be affected by remnants of this and other malware. After several scans with Malwarebytes, some in safe mode and one in normal mode, the following symptoms remain.

Windows update cannot be turned on. "Service has stopped, try rebooting your system"

Mozilla Firefox shortcuts disappeared and the exe file to launch it has been renamed firefoxstraddled.exe, but launching this exe file does launch Firefox. When I could not locate the shortcut I tried to launch IE and it won't launch, with the ComSurrogate service not responding.

I've got an unknown process running named Parathion.exe linked to a folder named "Frere" in my Program files x86 folder containing this .exe file.

I have the latest version of Malwarebytes installed. Windows Defender appears to be working now as well but had been turned off earlier by "GPO settings". Resolved the issue using gpedit.msc.

I've attached my current Hijack This Log.

Please let me know what I need to do to get the help I need here.


hijackthis.log


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Did you install this today?
R1 57b3c4021b9fba30; C:\Windows\system32\drivers\57b3c4021b9fba30.sys [30912 2019-06-15] (BlockChain Advances Ltd -> FsFilter Network)

If not add these 2 lines in the Fixlist.txt and save the file before running the script.

R1 57b3c4021b9fba30; C:\Windows\system32\drivers\57b3c4021b9fba30.sys [30912 2019-06-15] (BlockChain Advances Ltd -> FsFilter Network)
C:\Windows\system32\drivers\57b3c4021b9fba30.sys

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

p.s.
If you have issues with Firefox reset it.
Default Browsing settings:
https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings

Restart the computer normally.

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt

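As an added illustration (not from nasdaq's post or from FRST itself), a small Python triage helper that parses FRST-style driver lines like the one quoted above and flags service names that are nothing but a long run of hex digits, which is the trait that makes the 57b3c4021b9fba30 driver stand out. The log header and the second, benign driver line are constructed sample input.

```python
import re
from typing import Optional

# Shape of an FRST R-type driver line as quoted in the thread:
#   R1 name; C:\path\name.sys [size yyyy-mm-dd] (Publisher -> Description)
DRIVER_LINE = re.compile(
    r"^R(?P<start>\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<publisher>.*)\)\s*$"
)

# Heuristic (our own, not an FRST rule): vendors do not name kernel drivers with a
# bare run of hex digits; the driver in this thread, 57b3c4021b9fba30, fits this pattern.
RANDOM_HEX_NAME = re.compile(r"^[0-9a-f]{12,}$", re.IGNORECASE)


def parse_driver_line(line: str) -> Optional[dict]:
    """Return the fields of one R-type driver line, or None if the line is not one."""
    m = DRIVER_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"])
    return entry


def suspicious_drivers(log_text: str) -> list:
    """Parse every driver line in the log and return the ones with random-hex names."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_driver_line(line)
        if entry is None:
            continue
        if RANDOM_HEX_NAME.match(entry["name"]):
            entry["reason"] = "random-hex service name"
            findings.append(entry)
    return findings


# Constructed sample log: a made-up section header, the driver line quoted in the
# thread, and one made-up benign driver with a normal vendor-style name.
SAMPLE_LOG = """\
==================== Drivers (constructed sample) ====================
R1 57b3c4021b9fba30; C:\\Windows\\system32\\drivers\\57b3c4021b9fba30.sys [30912 2019-06-15] (BlockChain Advances Ltd -> FsFilter Network)
R1 examplefilter; C:\\Windows\\system32\\drivers\\examplefilter.sys [12345 2019-01-01] (Example Vendor -> Example Filter Driver)
"""

if __name__ == "__main__":
    for f in suspicious_drivers(SAMPLE_LOG):
        print(f"{f['name']}: {f['path']} ({f['publisher']}) -> {f['reason']}")
```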

I added the line to the fixlist file as you instructed since I have not installed anything called FS FilterNetwork today.

Shortly after running FRST -> Fix from the same directory the tool is located in (the Desktop), the application stopped responding. I left it alone for over 25 minutes but no change. Attempting to "End task" on the application or end the process has had no effect; it still appears in Task Manager 40 minutes later.

I have not yet rebooted my system. I'm attaching the modified fixlist.txt with the line I added, and it seems it did generate a fixlog file as well despite these problems.

I've attached both files.

The firefoxstraddled.exe is now missing from Program Files\Mozilla Firefox so I'm unable to launch it.

Despite the ComSurrogate error I did manage to use IE to download the Firefox installer to my desktop. I have not yet rebooted my system or attempted to uninstall/reinstall Firefox.

Thank you for the prompt replies. Awaiting further instructions :)


fixlist.txt Fixlog.txt


I rebooted my system and it loaded normally. No parathion.exe application running, and running processes appear normal.

I was able to re-install Firefox and it's behaving fine. Set as the default browser.

After rebooting my system I was notified that the fix had been completed when I re-ran FRST to complete another scan.

I re-ran FRST and here are the updated addition and FRST files.

The only symptoms I'm seeing now are COM Surrogate not responding when launching Internet Explorer, general instability in IE, and the Windows Update issue.

The "Windows Update Service" is not even listed in Services (Local); see the enclosed screenshot.


Services.PNG

Addition.txt FRST.txt


Hi,

The fix did not work on this service.
57b3c4021b9fba30 => Unable to stop service.
HKLM\System\CurrentControlSet\Services\57b3c4021b9fba30 => could not remove, key could be protected

Boot in safe mode and run the fixlist.txt attached.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Quoted from the Addition.txt log.
System errors:
=============
Error: (06/15/2019 06:12:34 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.

The fix will reset the Default Hosts file.

You can remove the command Hosts: from the fixlist. It's your call.

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt


I'm actually unable to boot into safe mode now. Using the F8 option doesn't work; I see a quick flash of a black screen with minimal text on it before Windows loads normally.

Using msconfig and selecting safe boot, minimal does the same thing.

I've also noticed since these issues began I'm now seeing a Windows loading yellow progress bar for a few seconds before Windows loads; it looks like something out of Windows 95. I don't recall seeing it before these issues began.

My keyboard is working fine pre-Windows; I'm able to select my boot menu or enter my BIOS. I selected my HDD and tried F8 immediately following that, no difference.


MSConfig.PNG


I was able to enter safe mode by setting the above to Windows Fast Mode and selecting safe boot. I'm not able to set it as default either for some reason (grayed out) now that I'm back into normal mode. I'm guessing that Windows loading progress bar is displayed because it's not in fast mode ? Not really sure what the difference is tbh. F8 still not working either for some reason.

Here is the fixlog.txt file generated.


Fixlog.txt


Noticed I was in selective startup mode for disabling the Lavasoft Web Companion (a software I never willingly installed), but it's been uninstalled and the folder shown as its path is gone.

Is it safe to switch to normal mode at this point?

I've managed to resolve the IE COM Surrogate issue, and the only real problem I have is the F8 option not working to enter safe mode and these msconfig irregularities, which I don't really know are irregular. It's an odd coincidence that I can't enter safe mode unless I choose the fast boot option in msconfig and am now seeing a slightly longer boot-up time with that yellow progress bar I mentioned.

Webcompanion.PNG

msconfig 2.PNG


Hi,

This Safe Boot problem is not my forte.

I suggest you get help in the Windows 7 forum.

An expert with that operating system should be able to help you.

You can check also for other issues that are not malware related.

Windows 7 Forum.
https://www.bleepingcomputer.com/forums/f/167/windows-7/

Hope that helps.


Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

