Jump to content

Recommended Posts

Posted

I recently started seeing multiple Com Surrogate entries when I bring up my Task Manager.  

My research tells me this is a potential problem and to run my antivirus program to determine what is causing the issue.  My ESET is not detecting any issues.  

Questions:

1.  Can I assume my system is safe if ESET is not finding anything?

2. Is there a way to eliminating the problem so I can be sure?

3. If the solution is to reload my OP System, do I download a new version or can I trust the back that is on my system?

Any input you can lend would be appreciated.

 

  • Administrators
Posted

Are you experiencing any issues? COM Surrogate is a dllhost.exe process running on malware-free systems too.

image.png

Posted

Unfortunately yes,  At the same time I started started seeing multiple COM Surrogates running, my security service advised me that my identity had been stolen.  Multiple issues with new credit have occurred.   I have that under control but don't want to go through the effort of resetting every thing is someone has a data logger or keyboard capture running in the background.

I reloaded my OP System once already on a clean/new drive.  The issue reoccurred a couple of weeks later.

Again, any insights you can lend would be appreciated.

Posted (edited)
11 hours ago, RBoon said:

I reloaded my OP System once already on a clean/new drive.  The issue reoccurred a couple of weeks later.

One likely source of reinfection is your router/gateway is hacked or misconfigured.

Here's an example of COM based malware: https://codewhitesec.blogspot.com/2018/07/lethalhta.html . Detection of this can be had using the following YARA based behavioral rule:

Quote

sequence with maxspan=1m [process where event.type in ("start",
"process_started") and process.name : "mshta.exe" and
process.args : "-Embedding" ] by host.id, process.entity_id
[network where event.type == "start" and process.name : "mshta.exe"
and network.direction : ("incoming", "ingress") and
network.transport == "tcp" and source.port > 49151 and
destination.port > 49151 and source.ip != "127.0.0.1" and source.ip !=
"::1" ] by host.id, process.entity_id

https://www.elastic.co/guide/en/security/current/incoming-dcom-lateral-movement-via-mshta.html

The YARA rule in essence is monitoring mshta.exe start up execution. In this malware instance, svchost.exe starting it. Other monitoring activity is the use of a hidden localhost proxy server.

COM and DCOM malware is very difficult to detect once it gets installed. Your best bet in removal of whatever malware you have would be to contact Eset North America for malware removal assistance.

Edited by itman
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...