3 COM surrogate in task manager


7 replies to this topic

#1 Darko13

Darko13

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:04 PM

Posted 06 April 2017 - 08:16 AM

Hi,

 

Today after starting up the PC, I noticed shortly after Windows booted a small window on the desktop; it was only there for less than a second, very hard to see. It looked like something was executed. After that I looked into Task Manager and I noticed I have 3 COM Surrogate processes there; each one disappears 1-3 seconds after I click on it or try to look at its properties. I've had experience before with removing malware/ransomware on my own, so I started searching on the net but didn't find anything specific about what this could be, so I ran scans with antiviruses.

 

I have McAfee Plus installed; full scan - 0 threats found.

I also installed Malwarebytes; also after multiple scans - 0 threats found. [currently it's uninstalled]

I'm also attaching the Addition log from the FRST64 scan. (Attached file: Addition.txt, 42.1KB)

 

Thanks in advance for your help.




#2 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:12:04 PM

Posted 08 April 2017 - 07:08 AM

hi,

 

Trojan.Poweliks malware. This malware displays multiple COM processes in Task Manager and also hogs the CPU resources and will bog a machine down.

Haven't actually seen it in several years. Looking at your logs this isn't what you have. As far as malware goes your logs look OK. Not malware.

In the Addition log there are COM server errors listed. Couldn't say if these are related or what to do about it. All I can say is according to your logs you are malware free.


How Can I Reduce My Risk to Malware?
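The reply above distinguishes the legitimate COM Surrogate host from malware (such as Poweliks) that hides behind it. A practical way to check the instances you actually see in Task Manager is to inspect each dllhost.exe: its image path and Authenticode signature, and the /Processid:{CLSID} argument it was started with, resolved to the registered COM class and the DLL that class loads. The script below is an added example written for this page; it is not part of the thread, of FRST, or of any Microsoft tooling. It polls for a few seconds because, as described in the first post, surrogates can exit within 1-3 seconds. The PathOK and Flag heuristics, the sample count and the interval are this example's own assumptions, not a definitive malware test. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: sample running COM Surrogate (dllhost.exe) instances
# for a few seconds (they can exit within 1-3 s), then check each one: genuine image path,
# Authenticode signature, and the /Processid:{CLSID} it was started with, resolved to the
# registered COM class and the in-process DLL that class loads.
# PathOK and Flag are this example's own heuristics, not a Windows API.
param([int]$Samples = 10, [int]$IntervalMs = 500)

function Get-SurrogateInfo {
    param($Proc)   # a Win32_Process instance for dllhost.exe
    $clsid = if ($Proc.CommandLine -match '/Processid:(\{[0-9A-Fa-f\-]{36}\})') { $Matches[1] } else { $null }
    $className = $null; $dll = $null; $dllSig = 'n/a'
    if ($clsid) {
        # 64-bit classes live under HKCR\CLSID, 32-bit ones under HKCR\WOW6432Node\CLSID.
        foreach ($root in 'HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\WOW6432Node\CLSID') {
            $key = "Registry::$root\$clsid"
            if (-not (Test-Path $key)) { continue }
            $className = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
            $dll = (Get-ItemProperty "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll)
                if (Test-Path $dll) { $dllSig = (Get-AuthenticodeSignature $dll).Status }
            }
            break
        }
    }
    $exeSig = if ($Proc.ExecutablePath) { (Get-AuthenticodeSignature $Proc.ExecutablePath).Status } else { 'unknown' }
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($Proc.ParentProcessId)"
    # The real surrogate is the system binary; a dllhost.exe anywhere else is worth a look.
    $pathOk = $Proc.ExecutablePath -match '^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\dllhost\.exe$'
    # Flag anything that is not the signed system dllhost.exe hosting a registered, signed class.
    $flag = (-not $pathOk) -or ($exeSig -ne 'Valid') -or (-not $clsid) -or (-not $className) -or ($dllSig -notin 'Valid', 'n/a')
    [pscustomobject]@{
        PID       = $Proc.ProcessId
        Parent    = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '<exited>' }
        Path      = $Proc.ExecutablePath
        PathOK    = $pathOk
        ExeSig    = $exeSig
        CLSID     = $clsid
        Class     = $className
        HostedDll = $dll
        DllSig    = $dllSig
        Flag      = $flag
    }
}

# Poll so that short-lived surrogates are caught; each PID is inspected once.
$seen = @{}
for ($i = 0; $i -lt $Samples; $i++) {
    Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" |
        Where-Object { -not $seen.ContainsKey($_.ProcessId) } |
        ForEach-Object { $seen[$_.ProcessId] = Get-SurrogateInfo $_ }
    Start-Sleep -Milliseconds $IntervalMs
}
$seen.Values | Sort-Object PID | Format-Table -AutoSize
```

A surrogate that shows PathOK and a valid signature, a CLSID that resolves to a named class (thumbnail and property handlers are typical), and a signed hosted DLL is what the normal Windows behaviour looks like. A dllhost.exe with no /Processid argument, an unregistered CLSID, or an unsigned DLL does not prove infection, but it is the case where reviewing the FRST logs, as the thread does, is the right next step rather than assuming the process is benign.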


#3 Darko13

Darko13
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:04 PM

Posted 08 April 2017 - 01:17 PM

Yes, those surrogate processes are OK. I installed HitmanPro in the meantime and found fs.dll infected by malware. I removed it with HitmanPro, but then my system became unbootable after restart, so I did a fresh install of Windows. So I think I'm good. Thanks for help anyway. Btw, can you tell me how fs.dll can be infected by malware? I really care about security and always try not to click on links etc. / have an antivirus installed, so I'm wondering where I could have got malware...



#4 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:12:04 PM

Posted 09 April 2017 - 05:19 PM

hi,

 

 

found fs.dll infected by malware

Did Malwarebytes find any malware? Usually there would be more files present, not just a single DLL file. Could have been a false positive. In any case you reinstalled Windows, so you should be good to go.

I have some tips on my web site, link below.




#5 Darko13

Darko13
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:04 PM

Posted 10 April 2017 - 01:57 AM



In the Addition log there are COM server errors listed. Couldn't say if these are related or what to do about it.

 

I ran FRST64 on this fresh install of Windows and I have even more errors than last time. Could you explain what User: NT AUTHORITY means? Should I be worrying about these errors?

Also, if I understand correctly, it's OK if there are 3 COM Surrogates in Task Manager if I don't have malware, right?

(Attached files: FRST.txt, 851.12KB; Addition.txt, 29.16KB)

System errors:
=============
Error: (04/10/2017 08:18:53 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (04/09/2017 06:19:14 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The CldFlt service failed to start due to the following error:
The request is not supported.

Error: (04/09/2017 05:57:44 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The CldFlt service failed to start due to the following error:
The request is not supported.

Error: (04/09/2017 05:55:14 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The CldFlt service failed to start due to the following error:
The request is not supported.

Error: (04/07/2017 01:45:08 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (04/07/2017 09:58:59 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{C2F03A33-21F5-47FA-B4BB-156362A2F239}
 and APPID
{316CDED5-E4AE-4B15-9113-7055D84DCC97}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (04/07/2017 09:58:59 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (04/07/2017 09:58:59 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{C2F03A33-21F5-47FA-B4BB-156362A2F239}
 and APPID
{316CDED5-E4AE-4B15-9113-7055D84DCC97}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (04/07/2017 09:58:59 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (04/07/2017 09:11:26 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The BranchCache service terminated with the following service-specific error:
This program is blocked by group policy. For more information, contact your system administrator.

 



#6 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:12:04 PM

Posted 10 April 2017 - 07:33 PM

User: NT AUTHORITY: that's the local account admin: you.

I see errors listed in just about all FRST logs. I wouldn't be too worried about them unless you seem to be having issues with the machine.

The COM processes you see in Task Manager don't appear to be malware related. They're caused by some other issue.

 

COM Surrogate explained here:

https://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/2-com-surrogate-running-in-task-manager/68f7ffb2-5918-4686-8ed1-28c87f72125b

 


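The DCOM 10016 entries quoted in post #5 name a CLSID, an APPID and the account that was refused Local Activation, but not which component those GUIDs belong to. The script below is an added example for this page, not part of the thread or of FRST: it reads the 10016 events from the System log, parses the message fields shown in the FRST excerpt, and resolves each GUID to the name registered under HKCR\CLSID and HKCR\AppID, so you can see which COM server was being activated and by whom. The User column carries the account string from the message; in the excerpt those are the built-in service accounts NT AUTHORITY\SYSTEM (S-1-5-18) and NT AUTHORITY\LOCAL SERVICE (S-1-5-19). Assumptions: the provider name Microsoft-Windows-DistributedCOM, which is what Event Viewer shows for these events on Windows 10, and the message wording as it appears in the excerpt.

```powershell
# Added example, not from the thread: pull DCOM event 10016 ("Local Activation" denied)
# from the System log and resolve each CLSID/APPID in the message to the component name
# registered under HKCR, so the entry can be judged by what it refers to.
# Assumptions: provider name Microsoft-Windows-DistributedCOM; message text as in the FRST
# excerpt ("... COM Server application with CLSID {..} and APPID {..} to the user X SID (S-..)").

function Resolve-ComName {
    param([ValidateSet('CLSID', 'AppID')][string]$Kind, [string]$Guid)
    # Check the 64-bit hive first, then the 32-bit (WOW6432Node) registrations.
    foreach ($root in "HKEY_CLASSES_ROOT\$Kind", "HKEY_CLASSES_ROOT\WOW6432Node\$Kind") {
        $key = "Registry::$root\$Guid"
        if (Test-Path $key) {
            $name = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
            if ($name) { return $name } else { return '<unnamed, key exists>' }
        }
    }
    '<not registered>'
}

function ConvertFrom-Dcom10016Message {
    param([string]$Message)
    $guid = '(\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})'
    [pscustomobject]@{
        # "application-specific" means the server's own AppID ACL denied it; "machine-default" means
        # the machine-wide DCOM ACL did.
        Scope = if ($Message -match '^The (application-specific|machine-default) permission') { $Matches[1] } else { $null }
        CLSID = if ($Message -match "CLSID\s*$guid") { $Matches[1] } else { $null }
        APPID = if ($Message -match "APPID\s*$guid") { $Matches[1] } else { $null }
        User  = if ($Message -match 'to the user (.+?) SID \((S-[\d\-]+)\)') { $Matches[1] } else { $null }
        SID   = if ($Message -match 'SID \((S-[\d\-]+)\)') { $Matches[1] } else { $null }
    }
}

$filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = ConvertFrom-Dcom10016Message $_.Message
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Scope   = $m.Scope
            User    = $m.User
            SID     = $m.SID
            Class   = if ($m.CLSID) { Resolve-ComName CLSID $m.CLSID }
            AppName = if ($m.APPID) { Resolve-ComName AppID $m.APPID }
            CLSID   = $m.CLSID
            APPID   = $m.APPID
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
```

When every row resolves to a named Windows component and the denied caller is one of the built-in service accounts, the entries are the routine ones this thread describes: Microsoft's own guidance is that 10016 events of this kind are by design and can be ignored, so there is no need to loosen the ACLs in Component Services as the message text suggests. A CLSID or APPID that is not registered at all, or an unfamiliar caller account, is the case worth following up.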


#7 Darko13

Darko13
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:04 PM

Posted 11 April 2017 - 03:55 AM

User: NT AUTHORITY: that's the local account admin: you.

I see errors listed in just about all FRST logs. I wouldn't be too worried about them unless you seem to be having issues with the machine.

The COM processes you see in Task Manager don't appear to be malware related. They're caused by some other issue.

 

COM Surrogate explained here:

https://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/2-com-surrogate-running-in-task-manager/68f7ffb2-5918-4686-8ed1-28c87f72125b

 

The machine is working 100% fine so I'll leave it be. Thank you very much for your help and all the info you provided.



#8 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:12:04 PM

Posted 11 April 2017 - 04:12 PM

OK, great. You're welcome. Happy safe surfing out there.






