DLLhost Surrogate Issue

XpL0d3r

New Member
Thread author
Oct 30, 2014
3
Hey guys,

Seems like this issue is pretty popular recently.

My issue may be slightly tricky to troubleshoot because the user is remote. I can connect to him over VPN, which I have been doing, but will need to be logged in as the user, who does NOT have admin rights. (I can run programs as admin, but cannot log in as one.)

Anyways:
OS: Windows 7 Enterprise x64 on our domain.
AV: Microsoft Endpoint Protection

Found multiple instances of dllhost32.exe running from within syswow64. Malwarebytes is detecting this and blocking hundreds of connections across multiple ports in the 50000 and 60000 range, all leading back to Russian IPs or ie90ff.com (also Russian).

FRST and Addition logs attached. Any help would be appreciated.

Thank you.
 

Attachments

  • FRST.txt
    37.6 KB · Views: 117
  • Addition.txt
    34.3 KB · Views: 259

XpL0d3r

New Member
Thread author
Oct 30, 2014
3
Quick update: user rebooted and no longer has access to the internet. He gets a correct IP from his router, and his settings look good, but no net. Had him reboot into safe mode and it works. Checked his running processes in safe mode (w/ networking), and it's all basic stuff, TeamViewer (using that now to connect to him), and 20+ dllhost.exe's.
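The triage a responder would want at this point in the thread (first post: many dllhost.exe instances under SysWOW64 and blocked connections on ports in the 50000 to 60000 range; second post: 20+ dllhost.exe even in Safe Mode with Networking) is to separate genuine COM Surrogate processes from a host process something has been injected into, and to tie each one to its live network connections. The script below is an added PowerShell example, not code from the thread, from MalwareTips or from the FRST logs. It assumes an elevated PowerShell 2.0 or later prompt on the affected Windows 7 x64 machine (WMI only exposes other users' command lines to administrators), English-language `netstat -ano` output, and that the 50000 to 60000 range refers to remote ports; the function names and the port bounds are this example's own.

```powershell
# Added triage script (example code, not from the thread). Assumptions: elevated
# PowerShell 2.0+ on the affected Windows 7 x64 host, English netstat output, no
# third-party modules. The checks are heuristics, not proof: a genuine COM
# Surrogate is started by the DcomLaunch svchost.exe, runs from System32 or
# SysWOW64 and carries "/Processid:{GUID}" on its command line. An injected host
# process typically fails one or more of these and holds outbound connections.

$SuspectPortMin = 50000   # assumed remote-port range from the thread's Malwarebytes alerts
$SuspectPortMax = 60000

function Get-RemoteConnectionsByPid {
    # Parse 'netstat -ano' into a hashtable: PID -> array of remote 'addr:port' strings.
    $map = @{}
    netstat -ano | ForEach-Object {
        $f = ($_.Trim()) -split '\s+'
        # TCP rows look like: Proto LocalAddr ForeignAddr State PID; skip listeners and UDP.
        if ($f.Count -ge 5 -and $f[0] -eq 'TCP' -and $f[3] -ne 'LISTENING') {
            $owner = [int]$f[4]
            if (-not $map.ContainsKey($owner)) { $map[$owner] = @() }
            $map[$owner] += $f[2]
        }
    }
    return $map
}

function Get-SuspiciousDllhost {
    $legitDirs = @("$env:windir\System32", "$env:windir\SysWOW64")
    $conns = Get-RemoteConnectionsByPid

    # Snapshot every process once so parents can be resolved without extra WMI calls.
    $all = @{}
    Get-WmiObject Win32_Process | ForEach-Object { $all[[int]$_.ProcessId] = $_ }

    foreach ($p in ($all.Values | Where-Object { $_.Name -ieq 'dllhost.exe' })) {
        $parent     = $all[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }   # PID may have been reused
        $dir        = if ($p.ExecutablePath) { Split-Path -Parent $p.ExecutablePath } else { '<no access>' }

        $reasons = @()
        if ($parentName -ine 'svchost.exe')                              { $reasons += "parent=$parentName" }
        if ($legitDirs -notcontains $dir)                                 { $reasons += "path=$dir" }
        if ($p.CommandLine -notmatch '/Processid:\{[0-9A-Fa-f-]{36}\}')  { $reasons += 'no /Processid:{GUID}' }

        # Remote ports in the range the thread reports as blocked, else any outbound TCP at all.
        $remote = @($conns[[int]$p.ProcessId])
        $hot = @($remote | Where-Object {
            $port = [int](($_ -split ':')[-1])          # last field also works for [IPv6]:port
            $port -ge $SuspectPortMin -and $port -le $SuspectPortMax
        })
        if ($hot.Count -gt 0)        { $reasons += "remote-port-in-range=$($hot -join ',')" }
        elseif ($remote.Count -gt 0) { $reasons += "outbound=$($remote -join ',')" }

        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                PID     = $p.ProcessId
                Parent  = "$parentName ($($p.ParentProcessId))"
                Path    = $p.ExecutablePath
                Cmd     = $p.CommandLine
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Usage: list findings in a stable column order, and keep a copy for the log analysts.
Get-SuspiciousDllhost | Select-Object PID, Parent, Path, Cmd, Reasons | Format-List
Get-SuspiciousDllhost | Select-Object PID, Parent, Path, Cmd, Reasons |
    Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\dllhost-triage.csv"
```

A SysWOW64 path on its own is not the signal: DcomLaunch legitimately starts the 32-bit dllhost.exe to host 32-bit COM objects, and those instances pass all three checks. What is worth handing to the FRST analysts is a dllhost.exe with an empty command line, a parent other than svchost.exe, and live outbound connections; when the parent shows as exited, treat the parent check as inconclusive rather than as evidence. Keep the script on the desktop or a USB stick rather than typing it into the affected profile, and run it before any cleanup so the connection list is captured while the processes are still alive.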
 

XpL0d3r

New Member
Thread author
Oct 30, 2014
3
We do not volunteer here to help someone making profit. Hope you understand.

I understand fully, but out of curiosity where is this coming from? I work as a systems administrator, and a user here has this virus. He submitted a helpdesk ticket, I am simply doing my job in an attempt to resolve, and have come to a standstill so I came here for help. I make $ whether this gets resolved properly or not...

Also, just as an FYI for the future, you may want to put "We do not volunteer here to help someone making profit." somewhere in the rules, because it currently does not exist. Not that I broke this "rule" anyways, but it is nowhere to be found. I'm a forum moderator elsewhere, so I read the rules before posting, unlike 99% of others! =)

I guess a legitimate update though: the user had shipped his computer from his home office (we have sales managers all throughout the US who work out of their home) to our office here, so I now have possession of the laptop.

Going to follow COM Surrogate removal guide on here now that I have full control of the laptop. I'll report back.
 
