Is Windows 10 spying on users


5 replies to this topic

#1 touchdownjohnson

Posted 29 December 2014 - 08:37 PM

I notice when I go to view Task Manager to see what's running, I see 2 background apps that say "COM Surrogate" and then it disappears. So I restarted the computer and it's there again, and I right-clicked right away to view its properties. It is in C:\Windows\System32\dllhost.exe. The digital signature comes from Microsoft Windows. So, people with Windows 10, can you check whether you have the file in Task Manager? My computer is in ghost mode so nothing can be installed. The only time it's not in ghost mode is to run updates. The only programs installed are products from Adobe and Keyscrambler from qfxsoftware.

 

The Windows 10 came straight from the Microsoft website. According to a web search, COM Surrogate is considered spyware, and in regedit the file is here: AB8902B4-09CA-4bb6-B78D-A8F59079A8D5.

 

Please look into your regedit and let me know if you see AB8902B4-09CA-4bb6-B78D-A8F59079A8D5.





#2 boopme

Posted 29 December 2014 - 10:15 PM

Hello TDJ

This AB8902B4-09CA-4bb6-B78D-A8F59079A8D5 looks like it is the Trojan Poweliks.

I am moving this from WIN 10 to the Am I Infected forum.


Please download Powelikscleaner (by ESET) and save it to your Desktop.

1. Double-click on ESETPoweliksCleaner.exe to start the tool.

2. Read the terms of the End-user license agreement and click Agree.

3. The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.

4. If Poweliks was detected, "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.

The tool will produce a log in the same directory the tool was run from.

Please copy and paste the log in your next reply.

#3 noknojon

Posted 30 December 2014 - 06:01 AM

Sorry, this should be treated as another separate infection. (Sorry for the interruption.) Please follow the above post.


Edited by noknojon, 30 December 2014 - 10:55 PM.


#4 quietman7

Posted 30 December 2014 - 06:18 AM

POWELIKS Levels Up With New Autostart Mechanism

When executed, POWELIKS creates the following registry entry:

[HKEY_CURRENT_USER\Software\Classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32]



#5 boopme

Posted 30 December 2014 - 10:58 AM

So, please run post 2.

#6 quietman7

Posted 30 December 2014 - 01:28 PM

@ touchdownjohnson

In reviewing your comments in Post #1, it appears you may be confusing information you read in regards to Windows 10 Technical Preview spying on you with a keylogger and search information you found in regards to COM Surrogate, often related to Poweliks infection. Poweliks typically affects the ability to browse or download files using Internet Explorer and causes PowerShell error alerts. Task Manager typically shows numerous occurrences of (COM Surrogate) dllhost.exe or dllhst3g.exe. If using a 64-bit version of Windows, then these entries will be listed as dllhost.exe *32 or dllhst3g.exe *32. That is why your search yielded results for the {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} registry key which is indicative of Poweliks.

I cannot determine by your comments if you actually found that key or are just asking other Windows 10 users to check for it.

BTW...dllhost.exe is the COM+ hosting process, a legitimate Windows process used to load needed DLL files that are used by Microsoft Windows and other programs. Therefore, the presence of that file is not always indicative of malware infection...see What does the COM Surrogate do and why does it always stop working?

You should only be concerned if seeing numerous occurrences of (COM Surrogate) dllhost.exe/dllhost.exe *32 or dllhst3g.exe/dllhst3g.exe *32 continuing to spawn as described here.
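A read-only check for the two indicators discussed in posts #4 and #6 (the `{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32` key and repeatedly spawning `dllhost.exe`/`dllhst3g.exe`), as an added example that is not from any poster in this thread or from ESET. The sample count and interval are assumptions, and the script looks in every loaded user hive rather than only HKEY_CURRENT_USER, which goes beyond the single path quoted above.

```powershell
# Added example (not part of the original thread). Read-only: it changes nothing.
$clsid = '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'

# 1. Registry indicator. HKEY_CURRENT_USER is only the hive of the account running
#    this shell, so walk every hive loaded under HKEY_USERS instead.
$hits = foreach ($hive in Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $path = "Registry::$($hive.Name)\Software\Classes\CLSID\$clsid\LocalServer32"
    if (Test-Path -LiteralPath $path -ErrorAction SilentlyContinue) {
        $key = Get-Item -LiteralPath $path
        [pscustomobject]@{
            Hive         = $hive.PSChildName          # SID of the affected account
            Key          = $key.Name
            DefaultValue = [string]$key.GetValue('')  # shown for manual review only
        }
    }
}

# 2. Process indicator. One dllhost.exe is normal; the concern is instances that
#    keep spawning, so sample several times and compare distinct PIDs with the peak.
$names       = 'dllhost', 'dllhst3g'
$sampleCount = 5   # assumption: number of samples
$intervalSec = 2   # assumption: seconds between samples
$seenPids    = @{}

$samples = foreach ($i in 1..$sampleCount) {
    $procs = @(Get-Process -Name $names -ErrorAction SilentlyContinue)
    foreach ($p in $procs) { $seenPids[$p.Id] = $p.ProcessName }
    [pscustomobject]@{ Time = Get-Date -Format 'HH:mm:ss'; Running = $procs.Count }
    Start-Sleep -Seconds $intervalSec
}
$peak = ($samples | Measure-Object -Property Running -Maximum).Maximum

# Report
if ($hits) {
    'Registry key found:'
    $hits | Format-List
} else {
    "CLSID $clsid\LocalServer32 not found in any loaded user hive."
}
$samples | Format-Table -AutoSize
"Distinct dllhost/dllhst3g PIDs seen: $($seenPids.Count); peak running at once: $peak"
```

Hives of accounts that are not logged on are not loaded under HKEY_USERS, so run it while the affected user is signed in. Many more distinct PIDs than the peak count means instances are being started over and over, which is the pattern post #6 says to be concerned about.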



