
COM Surrogate Issues


RBoon


I recently started seeing multiple COM Surrogate entries when I bring up my Task Manager.

My research tells me this is a potential problem and to run my antivirus program to determine what is causing the issue. My ESET is not detecting any issues.

Questions:

1.  Can I assume my system is safe if ESET is not finding anything?

2. Is there a way to eliminate the problem so I can be sure?

3. If the solution is to reload my operating system, do I download a new version or can I trust the backup that is on my system?

Any input you can lend would be appreciated.


Unfortunately yes. At the same time I started seeing multiple COM Surrogates running, my security service advised me that my identity had been stolen. Multiple issues with new credit have occurred. I have that under control but don't want to go through the effort of resetting everything if someone has a data logger or keyboard capture running in the background.

I reloaded my operating system once already on a clean/new drive. The issue reoccurred a couple of weeks later.

Again, any insights you can lend would be appreciated.


11 hours ago, RBoon said:

I reloaded my operating system once already on a clean/new drive. The issue reoccurred a couple of weeks later.

One likely source of reinfection is that your router/gateway is hacked or misconfigured.

Here's an example of COM-based malware: https://codewhitesec.blogspot.com/2018/07/lethalhta.html . Detection of this can be had using the following YARA-based behavioral rule:

Quote

    sequence with maxspan=1m
      [process where event.type in ("start", "process_started") and
         process.name : "mshta.exe" and process.args : "-Embedding"
      ] by host.id, process.entity_id
      [network where event.type == "start" and process.name : "mshta.exe" and
         network.direction : ("incoming", "ingress") and network.transport == "tcp" and
         source.port > 49151 and destination.port > 49151 and
         source.ip != "127.0.0.1" and source.ip != "::1"
      ] by host.id, process.entity_id

https://www.elastic.co/guide/en/security/current/incoming-dcom-lateral-movement-via-mshta.html

The YARA rule, in essence, monitors mshta.exe start-up execution; in this malware instance, svchost.exe starts it. Other monitored activity is the use of a hidden localhost proxy server.

COM and DCOM malware is very difficult to detect once it gets installed. Your best bet for removing whatever malware you have would be to contact ESET North America for malware removal assistance.

Edited by itman
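To make the quoted detection logic concrete, here is an added example that is not part of the forum thread and not Elastic's own code: a small Python re-implementation of the two-stage rule, run over a handful of constructed endpoint events. The field names (host_id, entity_id, process_name, ...) are assumptions chosen to mirror the rule's host.id / process.entity_id join keys, and every sample event is made up for illustration.

```python
"""
Added example (not from the forum post and not Elastic's code): a Python
re-implementation of the quoted mshta.exe detection rule, run over
constructed endpoint events. Field names are assumptions mirroring the
rule's join keys; the sample events below are made up.
"""
from datetime import datetime, timedelta

MAX_SPAN = timedelta(minutes=1)      # "maxspan=1m"
EPHEMERAL_PORT_MIN = 49152           # rule: source.port > 49151 and destination.port > 49151
LOOPBACK = ("127.0.0.1", "::1")      # rule excludes exactly these two source addresses


def is_embedding_start(ev):
    """First stage: mshta.exe launched with the DCOM activation flag '-Embedding'."""
    return (ev["category"] == "process"
            and ev["event_type"] in ("start", "process_started")
            and ev["process_name"].lower() == "mshta.exe"
            and any(a.lower() == "-embedding" for a in ev["args"]))


def is_incoming_ephemeral_tcp(ev):
    """Second stage: inbound TCP to mshta.exe on ephemeral ports from a non-loopback peer."""
    return (ev["category"] == "network"
            and ev["event_type"] == "start"
            and ev["process_name"].lower() == "mshta.exe"
            and ev["direction"] in ("incoming", "ingress")
            and ev["transport"] == "tcp"
            and ev["source_port"] >= EPHEMERAL_PORT_MIN
            and ev["destination_port"] >= EPHEMERAL_PORT_MIN
            and ev["source_ip"] not in LOOPBACK)


def detect_dcom_mshta(events):
    """Return (start_event, network_event) pairs where both stages match the same
    host/process entity within MAX_SPAN, like a 'sequence ... by' query."""
    pending = {}   # (host_id, entity_id) -> most recent qualifying start event
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host_id"], ev["entity_id"])
        if is_embedding_start(ev):
            pending[key] = ev
        elif is_incoming_ephemeral_tcp(ev):
            start = pending.get(key)
            if start is not None and ev["ts"] - start["ts"] <= MAX_SPAN:
                hits.append((start, ev))
                del pending[key]          # one alert per launch
    return hits


T0 = datetime(2024, 1, 1, 12, 0, 0)       # constructed timestamp base


def _ev(offset_s, category, event_type, entity_id, **extra):
    """Build one constructed event; unspecified network fields default to empty."""
    ev = {"ts": T0 + timedelta(seconds=offset_s), "host_id": "host-A",
          "entity_id": entity_id, "category": category, "event_type": event_type,
          "process_name": "mshta.exe", "args": [], "direction": "", "transport": "",
          "source_port": 0, "destination_port": 0, "source_ip": ""}
    ev.update(extra)
    return ev


SAMPLE_EVENTS = [
    # 1: -Embedding launch followed 20 s later by inbound TCP from a LAN peer -> alert
    _ev(0, "process", "start", "mshta-1", args=["mshta.exe", "-Embedding"]),
    _ev(20, "network", "start", "mshta-1", direction="incoming", transport="tcp",
        source_ip="192.168.1.50", source_port=52311, destination_port=49670),
    # 2: same, but the peer is loopback -> excluded by the rule
    _ev(100, "process", "start", "mshta-2", args=["mshta.exe", "-Embedding"]),
    _ev(110, "network", "start", "mshta-2", direction="incoming", transport="tcp",
        source_ip="127.0.0.1", source_port=52312, destination_port=49671),
    # 3: user-launched HTA without -Embedding -> first stage never matches
    _ev(200, "process", "start", "mshta-3", args=["mshta.exe", "C:\\tmp\\page.hta"]),
    _ev(210, "network", "start", "mshta-3", direction="incoming", transport="tcp",
        source_ip="192.168.1.50", source_port=52313, destination_port=49672),
    # 4: -Embedding launch whose inbound connection arrives 100 s later -> outside maxspan
    _ev(300, "process", "start", "mshta-4", args=["mshta.exe", "-Embedding"]),
    _ev(400, "network", "start", "mshta-4", direction="incoming", transport="tcp",
        source_ip="192.168.1.50", source_port=52314, destination_port=49673),
]


def run_sample():
    """Entity ids and peer addresses of the alerts raised on SAMPLE_EVENTS."""
    return [(s["entity_id"], n["source_ip"]) for s, n in detect_dcom_mshta(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for entity, peer in run_sample():
        print(f"ALERT: mshta.exe ({entity}) started with -Embedding, then inbound TCP from {peer}")
```

Only the first pair is flagged: the second stage is what separates a remote DCOM activation from ordinary local use of mshta.exe, so a loopback peer, a launch without -Embedding, or a connection that arrives after the one-minute window all fall through. On a real endpoint the same join would be done by the EDR's query engine over its own event schema; this script only mirrors the rule's conditions.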
