
How to remove Dllhost.exe *32 COM Surrogate Virus



Can you help me remove this virus? I have Windows 10 64-bit. Malwarebytes instructions were difficult to carry out so I have switched to ESET for my primary antivirus. Thanks.


  • Administrators

Please post a screen shot of how ESET detects the malware. Also providing relevant details from the Detected threats log would help.


If you are infected with Poweliks as noted in the Malwarebytes removal article:

Quote

Trojan.Poweliks is known to use dllhost.exe *32 COM Surrogate as a process when it has infected a computer. If you are seeing a very large number of dllhost.exe *32 COM Surrogate processes using a lot of CPU and RAM, then this trojan might be on your machine.

https://malwaretips.com/blogs/dllhost-exe-32-com-surrogate-removal/

I believe it will still be required to run the stand-alone ESET Poweliks Remover: http://download.eset.com/special/ESETPoweliksCleaner.exe as noted in the removal article.

Or alternatively, you can run ESET's "Specialized Cleaner" directly from the ESET GUI itself. It also is supposed to remove Poweliks. Instructions on how to run it are here: https://support.eset.com/kb3322/?locale=en_US&viewlocale=en_US

Edited by itman

  • Administrators

For cleaning Powershell malware that is either not recognized or not possible to clean by a product for whatever reason, we have a standalone tool that can be used with the assistance of customer care. The malware cleaning service is provided to users with a paid license.


  • Administrators

To start off, how do you know that your computer is infected? After you've installed ESET and modules were updated to the latest version, did ESET detect some malware but was unable to clean it?


I discovered the infection from instructions online but don't remember exactly how. COM Surrogate keeps appearing and disappearing in my Task Manager and something is interfering with my Google searches. Nothing I've done with ESET has detected the virus.


For reference, the OP started a session in the Malwarebytes Forum malware assistance section here: https://forums.malwarebytes.com/topic/232551-how-to-remove-dllhostexe-32-com-surrogate-virus/ . The session didn't go very well for him, with their suggestions being above the level the OP is able to perform, per his statements there.


Here's the FRST fix MBAM wanted the OP to run:

Quote

IFEO\SppExtComObj.exe: [Debugger] SppExtComObjPatcher.exe

@Marcos, it appears the "culprit" is SppExtComObjPatcher.exe. Don't know if ESET detects it as a hacktool as some other AVs do. Perhaps ESET detects it as a PUA?

Ref.: https://www.tenforums.com/general-support/61432-sppextcomobj-exe.html

Edited by itman

  • Administrators

ELC generates a zip file so you don't have to zip it again. If it's too big, upload it to OneDrive, DropBox, etc. and provide a download link.


A comment about SppExtComObjPatcher.exe. Its presence on a device is usually a strong indication that a Microsoft software "cracker" was employed to get around valid licensing requirements; usually for MS Office.


On 7/9/2018 at 1:08 AM, Marcos said:

For cleaning Powershell malware that is either not recognized or not possible to clean by a product for whatever reason, we have a standalone tool that can be used with the assistance of customer care. The malware cleaning service is provided to users with a paid license.

So I paid for your service with the promise that you had a tool to solve my problem, but you don't. Then you accuse me of having a virus that is the result of trying to get around some licensing requirements BEFORE you even see any of my logs. WOW. 


  • Administrators

1. The cleaning service is paid. If you contact customer care via the web form (https://www.eset.com/int/support/contact/), US support would arrange a remote session with you.
2. I've checked your logs but didn't find any signs of malware infection. I would say that the computer is clean. PowerShell is not running and is not registered in the system to run automatically either. Maybe you could tell a customer care representative during a remote session what you deem suspicious; he or she would explain to you why it is normal and that there's no reason to be concerned.

In cases when there is malware infection and we are unable to help, it's possible to request a refund within 30 days after the purchase.


I will also suggest this to rule out my suspicions you may have a "cracked" version of Microsoft's license validator installed.

1. Open Windows Explorer and navigate to the C:\Windows directory.

2. Enter the following - "SppExtComObjPatcher.exe" - less the quote marks into the Search box. When the search completes, note the C:\Windows sub-directory it is located in.

3. Go to the VirusTotal web site here: https://www.virustotal.com/#/home/upload . Navigate to the C:\Windows sub-directory where SppExtComObjPatcher.exe is located and submit it for a scan.

When the VirusTotal scan is completed it will show all AV solutions that detected something malicious with the file. Post what the detection rate score was, e.g. 16/64. Also post whether NOD32 detected anything.
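The two checks raised in this thread, the IFEO Debugger entry from the FRST log above and the "find SppExtComObjPatcher.exe under C:\Windows and get it scanned" procedure just described, can be done from one PowerShell session instead of by hand. The script below is an added example written for this page; it is not ESET's, Malwarebytes' or the thread's own code. It assumes a Windows 10 host with Windows PowerShell 5.1, the standard registry and system paths, and an elevated prompt (HKLM IFEO keys are readable without elevation, but the recursive search of C:\Windows is quieter with it). The VirusTotal link it prints is the public hash-lookup URL, so the file itself need not be uploaded if someone has already submitted an identical copy.

```powershell
# Added example (not from the original thread). Lists every Image File Execution
# Options "Debugger" redirection on the box, flags the one the FRST fix targeted
# (SppExtComObj.exe), then locates SppExtComObjPatcher.exe under %SystemRoot%
# and prints its SHA-256, Authenticode status and a VirusTotal hash-lookup URL.
# Assumes Windows PowerShell 5.1 on Windows 10; paths are the standard ones.

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# 1. A "Debugger" value under IFEO\<image>.exe makes Windows start that debugger
#    (with the real image path as its argument) instead of the image itself.
#    Outside developer machines this is almost never legitimate, so every entry
#    is worth a look; the SppExtComObj.exe one is the activator's hook.
$debuggers = foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Image      = $_.PSChildName
                Debugger   = $dbg
                Suspicious = ($_.PSChildName -ieq 'SppExtComObj.exe')   # the entry seen in the FRST log
                Key        = $_.Name
            }
        }
    }
}
if ($debuggers) { $debuggers | Format-Table -AutoSize } else { 'No IFEO Debugger entries found.' }

# 2. Find the patcher binary anywhere under %SystemRoot% (the thread only says it
#    lives in some C:\Windows sub-directory) and hash it for a VirusTotal lookup.
$hits = Get-ChildItem -Path $env:SystemRoot -Filter 'SppExtComObjPatcher.exe' -Recurse -File -ErrorAction SilentlyContinue
foreach ($f in $hits) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName   # a Microsoft-signed file here would be unexpected
    "{0}`n  SHA256    : {1}`n  Signature : {2}`n  VirusTotal: https://www.virustotal.com/gui/file/{1}" -f $f.FullName, $hash, $sig.Status
}
if (-not $hits) { "SppExtComObjPatcher.exe not found under $env:SystemRoot" }
```

If the hash has never been seen by VirusTotal the lookup page will say so, and the upload form from the post above is the fallback. Note that the IFEO listing only shows a redirection that is still configured; if the activator was already removed or never touched the registry on this particular install, the first table is empty even though the patcher file may still sit on disk, which is consistent with the file showing up in the FRST log but not in the ESET log of running and autorun items.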


  • Administrators

Strange, SppExtComObjPatcher.exe was not listed in the ESI log so it's not running and is not registered in autorun locations either.


1 hour ago, Marcos said:

SppExtComObjPatcher.exe was not listed in the ESI log

Like I stated previously, it showed up in the Farbar Recovery Scan Tool log that the OP posted on the Malwarebytes forum. My understanding of what is going on in this hack is that the legit process, SppExtComObj.exe, which actually connects to Microsoft servers for license validation, gets hijacked and redirected to the attacker's C&C server(s). Unless one was monitoring outbound connections for this process, it would go unnoticed. It appears MBAM detects this hijacking, possibly by C&C server IP blacklisting. There is also a .dll hook set in the processing.

Anyway, GitHub has the thing listed as a "research" POC here: https://github.com/CHEF-KOCH/KMS-activator . Also, just to do "a look see" at the code involved, the old version will provide that here: https://github.com/CHEF-KOCH/KMS-activator/blob/master/old/1-SppExtComObjPatcher.cmd . Note the registry entries involved. Also it appears that running KMS Activator with the bugger installed will actually give you an option to uninstall it…

Edited by itman
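The post above says the redirect of SppExtComObj.exe "would go unnoticed" unless someone was watching that process's outbound connections. The snippet below is an added example of doing exactly that check, written for this page and not taken from the thread, ESET or the KMS-activator repository. It assumes Windows 10 with Windows PowerShell 5.1 (Get-NetTCPConnection needs Windows 8 or later) and that the process is running at the moment the script is executed; SppExtComObj.exe is started on demand by the Software Protection service, so the check may need to be repeated or wrapped in a loop.

```powershell
# Added example (not from the original thread). Shows which remote endpoints the
# Software Protection COM surrogate, SppExtComObj.exe, is talking to right now.
# Under the hijack described in the thread the connection would be to something
# other than Microsoft's activation infrastructure. Assumes Windows 10 / WPS 5.1.

$procs = Get-Process -Name 'SppExtComObj' -ErrorAction SilentlyContinue
if (-not $procs) {
    'SppExtComObj.exe is not running right now; it is started on demand, so re-run when activation/validation is triggered.'
    return
}

foreach ($p in $procs) {
    # Where did the running image actually come from? A Debugger redirect would
    # typically leave a different path or a missing/invalid signature here.
    $path = $p.Path
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'unknown' }
    "PID {0}: {1} (signature: {2})" -f $p.Id, $path, $sig

    # Live TCP connections owned by this PID. Listening sockets are skipped;
    # only connections it initiated or that are established are interesting.
    Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
        Where-Object { $_.State -in 'Established', 'SynSent' } |
        ForEach-Object {
            # Reverse lookup is best-effort; many activation hosts resolve back to
            # a Microsoft-owned name, a local KMS emulator usually resolves to nothing.
            $rdns = try { [System.Net.Dns]::GetHostEntry($_.RemoteAddress).HostName } catch { '(no PTR)' }
            [pscustomobject]@{
                PID        = $p.Id
                Local      = "{0}:{1}" -f $_.LocalAddress, $_.LocalPort
                Remote     = "{0}:{1}" -f $_.RemoteAddress, $_.RemotePort
                RemoteName = $rdns
                State      = $_.State
            }
        } | Format-Table -AutoSize
}
```

A remote address on a loopback or LAN range (the usual KMS-emulator setup) or a host that does not resolve to a Microsoft-owned name is the thing to look for; the reverse lookup is only a hint, so confirm any odd endpoint against whois or the firewall log rather than trusting the PTR record.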
