How to remove Dllhost.exe *32 COM Surrogate Virus


@Marcos, I forgot to also mention that there are legit versions/uses of SppExtComObjPatcher.exe. For example, it is present on most OEM PCs where the OS is preinstalled at the factory.

That's why diagnosis of its malicious use as a HackTool is difficult.

-EDIT- My take on this is if the following reg. keys exist, then the HackTool has been installed:

:CreateIFEOEntry
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%~1" /f /v "Debugger" /t REG_SZ /d "SppExtComObjPatcher.exe" >nul 2>&1
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%~1" /f /v "KMS_Emulation" /t REG_DWORD /d %KMS_Emulation% >nul 2>&1
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%~1" /f /v "KMS_ActivationInterval" /t REG_DWORD /d %KMS_ActivationInterval% >nul 2>&1
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%~1" /f /v "KMS_RenewalInterval" /t REG_DWORD /d %KMS
Edited by itman

Also of note and suspicious is this reg. key shown in the OP's FRST log:

Quote

HKU\S-1-5-21-2002098159-2731206880-1568780985-1002\...\Run: [DellSystemDetect] => C:\Users\dontdrama\AppData\Local\Apps\2.0\6J84N4V5.KOJ\O8W0VDWR.A4J\dell..tion_831211ca63b981c5_0008.0005_9a48d74816d64e41\DellSystemDetect.exe [313264 2017-07-26] (Dell)
IFEO\SppExtComObj.exe: [Debugger] SppExtComObjPatcher.exe


There is a "huge" thread on My Digital Life in regards to folks using KMS Activator to get around Microsoft licensing restrictions: https://forums.mydigitallife.net/threads/kms-activate-windows-8-1-en-pro-and-office-2013.49686/ . Given its "popularity," it does not surprise me that the "techniques" it uses would be used maliciously as in this Hybrid-Analysis sample: https://www.hybrid-analysis.com/sample/35aab857af5e679cb5b71b3e93c6dd45e2f2448e2d081095e954833fdf06f1e4?environmentId=100

Edited by itman

@Marcos, did you notice how the malicious KMS sample at Hybrid-Analysis got around Windows Defender's detection of it? It simply added exclusions to it for the malicious components:

Quote

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v %WINDIR%\system32\SppExtComObjPatcher.exe /d 0 /t "REG_DWORD"

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v %WINDIR%\system32\SppExtComObjHook.dll /d 0 /t "REG_DWORD"

Love it!

Edited by itman

I contacted support. They wanted me to explain my issue but I can't because I don't understand what my issue is. I asked them to read the forum discussion to see what my issue is but they said they "aren't able to go to the forum and read it". Are these the same people who are going to fix my computer, but can't go online and read this discussion?


3 hours ago, dontdrama said:

I asked them to read the forum discussion to see what my issue is but they said they "aren't able to go to the forum and read it". Are these the same people who are going to fix my computer, but can't go online and read this discussion?

That is weird. Anyone with Internet access can read Eset Forum postings. E-mail them this link: https://forum.eset.com/topic/16014-how-to-remove-dllhostexe-32-com-surrogate-virus/


Also believe it is time to summarize.

  1. The existence of this code, SppExtComObj.exe: [Debugger] SppExtComObjPatcher.exe, in this reg. key, Image File Execution Options, is a possible indicator of past malware activity. Supporting the assumption is that SppExtComObj.exe no longer exists in the %WINDIR%\system32\ directory. It could have been removed by a prior security solution. If this activity was employed maliciously, it would have allowed the attacker to establish a remote connection. Using this connection, additional malware could have been downloaded. If that malware was a backdoor, it would be almost impossible to detect unless a signature exists for it.
  2. Complicating matters is that KMS Activator, which creates the above reg. entries, can be used intentionally for both legit and nefarious purposes. There are also known malicious variants of KMS Activator.
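The indicators collected in this thread (the IFEO Debugger entry and KMS_* values from the batch fragment, the patcher and hook DLL named in the quoted Defender exclusion commands, and the missing SppExtComObj.exe noted in the summary) can be checked in one read-only pass. The script below is an added example, not code from the thread, from ESET or from the activator; it assumes an elevated PowerShell 5.1 or later session, the key and value names exactly as they appear in the quoted commands, and that SppExtComObj.exe normally lives in %WINDIR%\System32 (true on Windows 8 and later, where it is the KMS client broker). It only reads; it changes nothing.

```powershell
# Added example (not from the thread): read-only check for the KMS patcher indicators
# discussed above. Run from an elevated PowerShell prompt on the suspect machine.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Indicator, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Where = $Where; Detail = $Detail })
}

# 1. Every IFEO subkey that carries a Debugger value. Windows launches the Debugger
#    program in place of the named executable, which is how SppExtComObjPatcher.exe
#    inserts itself in front of SppExtComObj.exe. Legitimate Debugger values are rare
#    (mostly developer tools), so every hit deserves a look; the patcher is flagged by name.
#    The KMS_* value names come from the batch fragment quoted in the thread.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($p.PSObject.Properties['Debugger']) {
        $tag = if ($p.Debugger -match 'SppExtComObjPatcher') { 'IFEO Debugger (KMS patcher)' } else { 'IFEO Debugger' }
        Add-Finding $tag $_.PSChildName $p.Debugger
    }
    foreach ($v in 'KMS_Emulation', 'KMS_ActivationInterval', 'KMS_RenewalInterval') {
        if ($p.PSObject.Properties[$v]) { Add-Finding 'IFEO KMS value' $_.PSChildName "$v=$($p.$v)" }
    }
}

# 2. Files in System32. SppExtComObj.exe is a Windows component and should be present;
#    the patcher and hook DLL (names taken from the exclusion commands quoted above) should not.
$sys32 = Join-Path $env:WINDIR 'System32'
if (-not (Test-Path (Join-Path $sys32 'SppExtComObj.exe'))) {
    Add-Finding 'Missing system file' $sys32 'SppExtComObj.exe not found'
}
foreach ($f in 'SppExtComObjPatcher.exe', 'SppExtComObjHook.dll') {
    $path = Join-Path $sys32 $f
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        Add-Finding 'Patcher file present' $path "Authenticode status: $($sig.Status)"
    }
}

# 3. Defender path exclusions written straight into the registry, as the sample did.
#    Each excluded path is a value *name* under this key; the data (0) carries no meaning.
$excl = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
try {
    $names = (Get-Item -Path $excl -ErrorAction Stop).GetValueNames()
    foreach ($n in $names) {
        $tag = if ($n -match 'SppExtComObj') { 'Defender exclusion (KMS patcher)' } else { 'Defender exclusion' }
        Add-Finding $tag $excl $n
    }
} catch {
    # Newer builds restrict direct reads of this key; Get-MpPreference returns the same list when elevated.
    try { (Get-MpPreference).ExclusionPath | ForEach-Object { Add-Finding 'Defender exclusion' 'Get-MpPreference' $_ } }
    catch { Add-Finding 'Defender exclusions' $excl "could not read: $($_.Exception.Message)" }
}

if ($findings.Count -eq 0) { 'No KMS patcher indicators found.' } else { $findings | Format-Table -AutoSize }
```

A Debugger hit alone is not proof of malice, for the reasons itman gives (OEM images ship the patcher), so read the three groups together: a Debugger value pointing at the patcher, the patcher or hook DLL sitting in System32, and an exclusion covering them is the combination the Hybrid-Analysis sample produces. Any other Debugger value or any exclusion you did not create yourself is worth an explanation regardless of KMS.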
