Solved Probable infection. Computer slowdown and multiple COM surrogate instances

[Jamex]

Hello,

I think i got infected after after a P2P download (uTorrent now removed). My system, protected by AVG Free, suddenly slowed down, in Task Manager I was seeing dozens of cmd & other processes (using up to 5GB memory) and my processor at 99%.

I downloaded Spybot S&D and purchased AVG Pro, did multiple scans of my computer and my Network drive, which has helped immeasurably, but I'm still seeing a few suspect processes and getting many Fake Flash player exploit notices from AVG. My computer is also definitely not running as fast as pre infection.

Numerous searches for a cure brought me here, I have to say, kudos to you folks for sorting out so many peoples systems!

Thanks for looking,

Jamex

 

[TwinHeadedEagle]

Hello,

Scan with MGADiag

Need to check one more thing.

• Please download MGADiag by Microsoft and save it to your desktop.
• Double-click on
  
  icon to start the tool.
• PressContinuewhen prompted.
• When it has finished, press Copy.
• Press the
  
  + R on your keyboard at the same time. Type Notepad and click OK.
• Paste (Ctrl+V) this into notepad and save to your desktop.

Include that report in your reply.

 

[Jamex]

Thanks,

here you go...

 

[TwinHeadedEagle]

Before we continue, I would like to ask one question.

Is this home/personal PC or work/company PC?

 

[Jamex]

it's my home PC.

 

[TwinHeadedEagle]

Let's see if this fixes your issues:

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

​

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

 

[Jamex]

When I clicked FIX, it almost immediately closed all programs and required a reboot. Here's the log...

 

[TwinHeadedEagle]

How is your PC behaving now?

 

[Jamex]

Seems pretty good, but there are still a few instances of COM surrogate running - I don't really know if thats normal or not, but I hadn't noticed them pre infection. Haven't had any fake flash notices. I'll monitor it over the evening and let you know if something crops up.

Thanks so much for your help!

J

 

[Jamex]

As I was writing, one of the COM surrogate instances has jumped from using 14MB to 185MB...

 

[TwinHeadedEagle]

Let's perform one more scan:

Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

• Install the progam and select update.
• Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
• Click the Scan tab, choose Threat Scan is checked and click Scan Now.
• If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
• Upon completion of the scan (or after the reboot), click the History tab.
• Click Application Logs and double-click the Scan Log.
• At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

 

[Jamex]

Just had my 1st fake flash player popup warning from avg... posting screenshots, will perform next scan after dinner

 

[TwinHeadedEagle]

This was blocked, so do not worry.

 

[Jamex]

OK - I'm just concerned that there's something on my computer trying to direct me to download more malware, because it keeps blocking that fake flash player so often. This is what my Task Manager looks like btw, i only have 4 tabs open in chrome, yet there's a lot of chrome instances, and that COM surrogate up there at 132MB...

 

[TwinHeadedEagle]

Chrome is fine, do not worry. Run MalwareBytes scan.

 

[Jamex]

Hello,

Apologies for the delay - just ran the scan and it found a few things...

 

[TwinHeadedEagle]

Very good. How is your PC behaving now?

 

[Jamex]

Back to it's speedy old self

Also, just got a letter from my ISP saying it detected I had been infected by Conficker on 3rd July.

Did the scans performed also check my other internal drives and my NAS? Is there any danger that the malware lives on elsewhere in my system?

What would you recommend with regards to my passwords etc? Time to make new ones for everything?

Thanks so much for helping.

Jamex

 

[TwinHeadedEagle]

I think it is a fake email. No, we only checked system partition, there is no real need to check other partitions.

For passwords, you can change them if you wish.


Glad I could help. We will delete all used tools and I'll give you some tips to harden your security and learn how to protect yourself

Recommended reading:
​

MUST READ - security tips:

• Computer Security - a short guide to staying safer online.
• Simple and easy ways to keep your computer safe and secure on the Internet

MUST READ - general maintenance:

• What to do if your Computer is running slowly?

The Importance of Software Updating:
​

In order to stay protected it is very important that you regularly update all of your software. Cybercriminals depend on the apathy of users around software updates to keep their malicious endeavor running.​

Operating systems, such as Windows, and applications, such as Adobe Reader or JAVA, are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals. Downloading updates and installing them can sometimes be tedious, but the advantages you get from the updates are certainly worth it.

• How to configure and use Automatic Updates in Windows
• How to update Java
• How to update Adobe Reader

Recommended additional software:
​

CCleaner - to clean unneeded temporary files.

Malwarebytes' Anti-Malware - to scan your system from time to time in search for malware.

Malwarebytes' Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.

McShield - to prevent infections spread by removable media.

Unchecky - to prevent from installing additional foistware, implemented in legitimate installations.

Adblock - to surf the web without annoying ads!

Post-cleanup procedures:​

Download DelFix by Xplode and save it to your desktop.

• Run the tool by right click on the
  
  icon and Run as administrator option.
• Make sure that these ones are checked:
  • Remove disinfection tools
  • Purge system restore
  • Reset system settings
• Push Run and wait until the tool completes his work.
• All tools we used should be gone. Tool will create an report for you (C:\DelFix.txt)

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

My help is free for everybody.
If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation:
Thank you!​

Stay safe,
TwinHeadedEagle

 

[Jamex]

Hi,

it's definitely not a fake email it's a snail mail letter from my ISP on headed paper - see scan. I guess that I got rid of the main infection (as per my original post) by using Spybot & AVG Pro, and just had some residual infections left over, that's why you didn't see Conficker evidence.

However, I'm still concerned about my other internal drives, my Network Attached Storage and, to a lesser extent (Conficker is Windows only, right?) my wife's Macbook. Should I do extra scanning of my internal drives and NAS before deleting the tools?