dontdrama (posted July 8, 2018):
Can you help me remove this virus? I have Windows 10 64-bit. Malwarebytes' instructions were difficult to carry out, so I have switched to ESET for my primary antivirus. Thanks.

Marcos, Administrator (posted July 8, 2018):
Please post a screenshot of how ESET detects the malware. Also, providing relevant details from the Detected threats log would help.
itman (posted July 8, 2018, edited July 8, 2018 by itman):
If you are infected with Poweliks as noted in the Malwarebytes removal article:

Quote: "Trojan.Poweliks is known to use dllhost.exe *32 COM Surrogate as a process when it has infected a computer. If you are seeing a very large number of dllhost.exe *32 COM Surrogate processes using a lot of CPU and RAM, then this trojan might be on your machine." https://malwaretips.com/blogs/dllhost-exe-32-com-surrogate-removal/

I believe it will still be required to run the stand-alone ESET Poweliks Remover: http://download.eset.com/special/ESETPoweliksCleaner.exe as noted in the removal article. Or alternatively, you can run ESET's "Specialized Cleaner" directly from the ESET GUI itself. It also is supposed to remove Poweliks. Instructions on how to run it are here: https://support.eset.com/kb3322/?locale=en_US&viewlocale=en_US
Marcos, Administrator (posted July 9, 2018):
For cleaning PowerShell malware that is either not recognized or not possible to clean by a product for whatever reason, we have a standalone tool that can be used with the assistance of customer care. The malware cleaning service is provided to users with a paid license.

dontdrama, Author (posted July 9, 2018):
I purchased the license. How do I remove the virus?

Marcos, Administrator (posted July 9, 2018):
To start off, how do you know that your computer is infected? After you installed ESET and the modules were updated to the latest version, did ESET detect some malware but was unable to clean it?

dontdrama, Author (posted July 9, 2018):
I discovered the infection from instructions online but don't remember exactly how. COM Surrogate keeps appearing and disappearing in my Task Manager, and something is interfering with my Google searches. Nothing I've done with ESET has detected the virus.
itman (posted July 9, 2018):
For reference, the OP started a session in the Malwarebytes forum's malware assistance section here: https://forums.malwarebytes.com/topic/232551-how-to-remove-dllhostexe-32-com-surrogate-virus/ . The session didn't go very well for him, with their suggestions being above the level the OP is able to perform, per his statements there.

dontdrama, Author (posted July 9, 2018):
What exactly does that mean for the process of getting the virus removed? English, please.
itman (posted July 9, 2018, edited July 9, 2018 by itman):
Here's the FRST fix MBAM wanted the OP to run:

Quote: IFEO\SppExtComObj.exe: [Debugger] SppExtComObjPatcher.exe

@Marcos, it appears the "culprit" is SppExtComObjPatcher.exe. Don't know if ESET detects it as a hacktool as some other AVs do. Perhaps ESET detects it as a PUA? Ref.: https://www.tenforums.com/general-support/61432-sppextcomobj-exe.html
dontdrama, Author (posted July 9, 2018):
What exactly does that mean for the process of getting the virus removed?

Marcos, Administrator (posted July 9, 2018):
@dontdrama Please gather logs with ELC and provide the generated zip archive.

dontdrama, Author (posted July 9, 2018):
I'm getting an error message when I try to send you the logs: "you're only allowed to send 10 MB"?

dontdrama, Author (posted July 9, 2018):
...and when I try to zip the file, I get an error message saying "it can't be zipped. It may be in use".

Marcos, Administrator (posted July 9, 2018):
ELC generates a zip file, so you don't have to zip it again. If it's too big, upload it to OneDrive, Dropbox, etc. and provide a download link.

dontdrama, Author (posted July 9, 2018):
Can I email them to you?

dontdrama, Author (posted July 9, 2018):
Attachment: essp.logs.zipped.zip
itman (posted July 9, 2018):
A comment about SppExtComObjPatcher.exe: its presence on a device is usually a strong indication that a Microsoft software "cracker" was employed to get around valid licensing requirements, usually for MS Office.

dontdrama, Author (posted July 9, 2018):
I have no idea what any of that means and what that has to do with me.

dontdrama, Author (posted July 9, 2018):
I managed to download the file to Dropbox and create a link here: https://www.dropbox.com/s/zl44oa97ac3v2xy/essp_logs.zip?dl=0

dontdrama, Author (posted July 10, 2018):
On 7/9/2018 at 1:08 AM, Marcos said:
Quote: "For cleaning PowerShell malware that is either not recognized or not possible to clean by a product for whatever reason, we have a standalone tool that can be used with the assistance of customer care. The malware cleaning service is provided to users with a paid license."

So I paid for your service with the promise that you had a tool to solve my problem, but you don't. Then you accuse me of having a virus that is the result of trying to get around some licensing requirements BEFORE you even see any of my logs. WOW.
Marcos, Administrator (posted July 10, 2018):
1. The cleaning service is paid. If you contact customer care via the web form (https://www.eset.com/int/support/contact/), US support would arrange a remote session with you.
2. I've checked your logs but didn't find any signs of malware infection. I would say that the computer is clean. PowerShell is not running and is not registered in the system to run automatically either. Maybe you could tell a customer care representative during a remote session what you deem suspicious; he or she would explain to you why it is normal and that there's no reason to be concerned. In cases where there is a malware infection and we are unable to help, it's possible to request a refund within 30 days after the purchase.
itman (posted July 10, 2018):
I will also suggest this to rule out my suspicion that you may have a "cracked" version of Microsoft's license validator installed.
1. Open Windows Explorer and navigate to the C:\Windows directory.
2. Enter the following - "SppExtComObjPatcher.exe" - less the quote marks into the Search box. When the search completes, note the C:\Windows sub-directory it is located in.
3. Go to the VirusTotal web site here: https://www.virustotal.com/#/home/upload . Navigate to the C:\Windows sub-directory where SppExtComObjPatcher.exe is located and submit it for a scan. When the VirusTotal scan is completed it will show all AV solutions that detected something malicious with the file. Post what the detection rate score was, e.g. 16/64. Also post if NOD32 detected anything.
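The two indicators raised in this thread, the IFEO Debugger entry from the FRST fix and the SppExtComObjPatcher.exe file search itman describes, can be checked in one read-only pass from an elevated PowerShell prompt. The script below is an added example for readers of this thread; it is not an ESET tool and not code from any poster. It assumes the standard Image File Execution Options registry location (native and WOW64 views) and that the patcher, if present, sits somewhere under C:\Windows. It changes nothing on the system; it only reports what it finds and prints a SHA-256 so the file can be looked up on VirusTotal by hash rather than uploaded.

```powershell
# Added example (not from the thread, not an ESET tool): read-only check for the
# two indicators discussed above. Assumes the standard IFEO registry location and
# that the patcher, if present, lives somewhere under C:\Windows.
function Get-SppPatcherIndicators {
    [CmdletBinding()]
    param(
        [string]$Target  = 'SppExtComObj.exe',
        [string]$Patcher = 'SppExtComObjPatcher.exe',
        [string]$Root    = 'C:\Windows'
    )

    $findings = @()

    # On 64-bit Windows IFEO exists in both the native and the WOW64 registry view.
    $ifeoPaths = @(
        "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$Target",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$Target"
    )

    # A Debugger value under this key makes Windows start the named program in
    # place of $Target every time $Target is launched; that is what the FRST line
    # "IFEO\SppExtComObj.exe: [Debugger] SppExtComObjPatcher.exe" describes.
    foreach ($path in $ifeoPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Debugger']) {
            $findings += [pscustomobject]@{
                Indicator = 'IFEO Debugger value'
                Location  = $path
                Detail    = $props.Debugger
            }
        }
    }

    # Same search itman describes in Explorer, plus a SHA-256 so the file can be
    # looked up on VirusTotal by hash without uploading it.
    $files = Get-ChildItem -LiteralPath $Root -Filter $Patcher -Recurse -File -Force -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = 'File on disk'
            Location  = $file.FullName
            Detail    = "SHA256=$hash size=$($file.Length) modified=$($file.LastWriteTime)"
        }
    }

    return $findings
}

$result = Get-SppPatcherIndicators
if (-not $result) {
    Write-Output 'No IFEO Debugger entry for SppExtComObj.exe and no SppExtComObjPatcher.exe under C:\Windows.'
} else {
    $result | Format-List
    Write-Output 'Look up the SHA-256 on https://www.virustotal.com/ to get the detection count (e.g. 16/64) without uploading the file.'
}
```

A stock Windows install does not set a Debugger value for SppExtComObj.exe, so any value there is worth explaining, and the script reports it whether or not the patcher file is still on disk. Marcos' point above still stands: an ELC/ESI log only lists running processes and autorun locations, so a file that is neither running nor registered to start can be present on disk and absent from that log.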
Marcos, Administrator (posted July 10, 2018):
Strange, SppExtComObjPatcher.exe was not listed in the ESI log, so it's not running and is not registered in autorun locations either.

itman (posted July 10, 2018, edited July 10, 2018 by itman):
1 hour ago, Marcos said:
Quote: "SppExtComObjPatcher.exe was not listed in the ESI log"

Like I stated previously, it showed up in the Farbar Recovery Scan Tool log that the OP posted on the Malwarebytes forum. My understanding of what is going on in this hack is that the legit process, SppExtComObj.exe, which actually connects to Microsoft servers for license validation, gets hijacked and redirected to the attacker's C&C server(s). Unless one was monitoring outbound connections for this process, it would go unnoticed. It appears MBAM detects this hijacking, possibly by C&C server IP blacklisting. There is also a .dll hook set in the processing. Anyway, GitHub has the thing listed as a "research" POC here: https://github.com/CHEF-KOCH/KMS-activator . Also, just to do "a look-see" at the code involved, the old version will provide that here: https://github.com/CHEF-KOCH/KMS-activator/blob/master/old/1-SppExtComObjPatcher.cmd . Note the registry entries involved. Also, it appears that running KMS Activator with the bugger installed will actually give you an option to uninstall it...