itman 1,748 Posted July 10, 2018
@Marcos, I forgot to also mention that there are legit versions/uses of SppExtComObjPatcher.exe. For example, it is present on most OEM PCs where the OS is preinstalled at the factory. That's why diagnosis of its malicious use as a HackTool is difficult.

-EDIT- My take on this is that if the following reg. keys exist, then the HackTool has been installed:

:CreateIFEOEntry
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%~1" /f /v "Debugger" /t REG_SZ /d "SppExtComObjPatcher.exe" >nul 2>&1
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%~1" /f /v "KMS_Emulation" /t REG_DWORD /d %KMS_Emulation% >nul 2>&1
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%~1" /f /v "KMS_ActivationInterval" /t REG_DWORD /d %KMS_ActivationInterval% >nul 2>&1
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%~1" /f /v "KMS_RenewalInterval" /t REG_DWORD /d %KMS

Edited July 10, 2018 by itman
itman 1,748 Posted July 10, 2018
Also of note and suspicious is this reg. key shown in the OP's FRST log:

Quote
HKU\S-1-5-21-2002098159-2731206880-1568780985-1002\...\Run: [DellSystemDetect] => C:\Users\dontdrama\AppData\Local\Apps\2.0\6J84N4V5.KOJ\O8W0VDWR.A4J\dell..tion_831211ca63b981c5_0008.0005_9a48d74816d64e41\DellSystemDetect.exe [313264 2017-07-26] (Dell)
IFEO\SppExtComObj.exe: [Debugger] SppExtComObjPatcher.exe
itman 1,748 Posted July 10, 2018
There is a "huge" thread on My Digital Life in regards to folks using KMS Activator to get around Microsoft licensing restrictions: https://forums.mydigitallife.net/threads/kms-activate-windows-8-1-en-pro-and-office-2013.49686/ . Given its "popularity," it does not surprise me that the "techniques" it uses would be used maliciously, as in this Hybrid-Analysis sample: https://www.hybrid-analysis.com/sample/35aab857af5e679cb5b71b3e93c6dd45e2f2448e2d081095e954833fdf06f1e4?environmentId=100

Edited July 10, 2018 by itman
itman 1,748 Posted July 11, 2018
@Marcos, did you notice how the malicious KMS sample at Hybrid-Analysis got around Windows Defender's detection of it? It simply added exclusions to it for the malicious components:

Quote
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v %WINDIR%\system32\SppExtComObjPatcher.exe /d 0 /t "REG_DWORD"
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v %WINDIR%\system32\SppExtComObjHook.dll /d 0 /t "REG_DWORD"

Love it!

Edited July 11, 2018 by itman
dontdrama 0 (Author) Posted July 12, 2018
I contacted support. They wanted me to explain my issue but I can't because I don't understand what my issue is. I asked them to read the forum discussion to see what my issue is but they said they "aren't able to go to the forum and read it". Are these the same people who are going to fix my computer, but can't go online and read this discussion?
itman 1,748 Posted July 12, 2018
3 hours ago, dontdrama said:
Quote
I asked them to read the forum discussion to see what my issue is but they said they "aren't able to go to the forum and read it". Are these the same people who are going to fix my computer, but can't go online and read this discussion?

That is weird. Anyone with Internet access can read Eset Forum postings. E-mail them this link: https://forum.eset.com/topic/16014-how-to-remove-dllhostexe-32-com-surrogate-virus/
itman 1,748 Posted July 12, 2018
Also believe it is time to summarize.

The existence of this entry, SppExtComObj.exe: [Debugger] SppExtComObjPatcher.exe, in this reg. key, Image File Execution Options, is a possible indicator of past malware activity. Supporting the assumption is that SppExtComObj.exe no longer exists in the %WINDIR%\system32\ directory. It could have been removed by a prior security solution.

If this activity was employed maliciously, it would have allowed the attacker to establish a remote connection. Using this connection, additional malware could have been downloaded. If that malware was a backdoor, it would be almost impossible to detect unless a signature exists for it.

Complicating matters is that KMS Activator, which creates the above reg. entries, can be used intentionally for both legit and nefarious purposes. There are also known malicious variants of KMS Activator.
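The indicators itman lists across this thread (the IFEO Debugger entry and KMS_* values from the activator's batch file, the Windows Defender path exclusions added by the Hybrid-Analysis sample, and the missing SppExtComObj.exe in System32) can be checked in one pass. The script below is an added example written for this page; it is not code from the forum posts, from ESET, or from the KMS tool, and it only reports what it finds. It assumes the registry paths quoted in the posts and that it is run from an elevated PowerShell prompt; the list of file names it tests for is taken from the posts above.

```powershell
# Added example (not from the thread). Reports the SppExtComObjPatcher-related
# indicators discussed above; it flags, it does not remove anything.
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Image File Execution Options: any Debugger value redirects the named
#    program to another binary. One naming SppExtComObjPatcher.exe is the
#    entry seen in the FRST log; the KMS_* values sit beside it when the
#    activator's :CreateIFEOEntry routine wrote them.
Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $exe   = $_.PSChildName
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($props.Debugger) {
        $tag = if ($props.Debugger -match 'SppExtComObjPatcher') { 'KMS patcher' } else { 'other debugger' }
        $findings.Add("IFEO\$exe  Debugger = $($props.Debugger)  [$tag]")
    }
    foreach ($v in 'KMS_Emulation', 'KMS_ActivationInterval', 'KMS_RenewalInterval') {
        if ($null -ne $props.$v) {
            $findings.Add("IFEO\$exe  $v = $($props.$v)")
        }
    }
}

# 2. Defender path exclusions: the sample excluded the patcher EXE and the
#    hook DLL so Defender would skip them. Each exclusion is a value name.
$exclKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
$excl = Get-Item -Path $exclKey -ErrorAction SilentlyContinue
if ($excl) {
    foreach ($name in $excl.GetValueNames()) {
        if ($name -match 'SppExtComObj(Patcher\.exe|Hook\.dll)$') {
            $findings.Add("Defender exclusion: $name")
        }
    }
}

# 3. Files in System32: the genuine SppExtComObj.exe should be present on a
#    normal install; the patcher and hook DLL should not.
foreach ($f in 'SppExtComObj.exe', 'SppExtComObjPatcher.exe', 'SppExtComObjHook.dll') {
    $p = Join-Path $env:WINDIR "System32\$f"
    $state = if (Test-Path -Path $p) { 'present' } else { 'missing' }
    $findings.Add("$p : $state")
}

if ($findings.Count -eq 0) { 'No SppExtComObjPatcher indicators found.' } else { $findings }
```

The registry check deliberately reads the Exclusions\Paths key directly, because that is where the sample wrote; Get-MpPreference (its ExclusionPath property) shows the same exclusions through the Defender API and is a useful cross-check if the key has since been cleaned. A hit on the IFEO Debugger value alone is not proof of malware, as the thread notes that the same entry is produced by a deliberately installed KMS activator; the file checks and the exclusions together are what make the picture suspicious.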