Windows 10: SppExtComObj.Exe

Hi There,
My Malwarebytes (recently installed) has been blocking an outbound connection to a website 94.242.206.249 using the process SppExtComObj.Exe.
I have searched and it seems that this file is a valid process.
The file version is dated 30.10.15, 10.0.10586.10.
Is this something I should be worried about?
Thanks for any help
Paul

:)

 

SppExtComObj.exe -Embedding

Can anyone solved this problem?

Log Name: System

Source: Microsoft-Windows-DistributedCOM

Date: 4/7/2017 10:24:10 PM

Event ID: 10000

Task Category: None

Level: Error

Keywords: Classic

User: NETWORK SERVICE

Computer: dell-pc

Description:

Unable to start a DCOM Server: {3C296D07-90AE-4FAC-86F9-65EAA8B82D22}. The error:

"2"

Happened while starting this command:

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />

<EventID Qualifiers="0">10000</EventID>

<Version>0</Version>

<Level>2</Level>

<Task>0</Task>

<Opcode>0</Opcode>

<Keywords>0x8080000000000000</Keywords>

<TimeCreated SystemTime="2017-04-07T14:24:10.618164200Z" />

<EventRecordID>22050</EventRecordID>

<Correlation />

<Execution ProcessID="936" ThreadID="8788" />

<Channel>System</Channel>

<Computer>dell-pc</Computer>

<Security UserID="S-1-5-20" />

</System>

<EventData>

<Data Name="param1">C:\WINDOWS\system32\SppExtComObj.exe -Embedding</Data>

<Data Name="param2">2</Data>

<Data Name="param3">{3C296D07-90AE-4FAC-86F9-65EAA8B82D22}</Data>

</EventData>

</Event>

System

- Provider

[ Name] Microsoft-Windows-DistributedCOM

[ Guid] {1B562E86-B7AA-4131-BADC-B6F3A001407E}

[ EventSourceName] DCOM

- EventID 10000

[ Qualifiers] 0

Version 0

Level 2

Task 0

Opcode 0

Keywords 0x8080000000000000

- TimeCreated

[ SystemTime] 2017-04-07T14:24:10.618164200Z

EventRecordID 22050

Correlation

- Execution

[ ProcessID] 936

[ ThreadID] 8788

Channel System

Computer dell-pc

- Security

[ UserID] S-1-5-20

- EventData

param1 C:\WINDOWS\system32\SppExtComObj.exe -Embedding

param2 2

param3 {3C296D07-90AE-4FAC-86F9-65EAA8B82D22}

 

SppExtComObj.exe -Embedding

Hello,

The issue that you are facing is more complex than what is typically answered in the Microsoft Answers forums. We suggest posting your query in our
TechNet Forum, where we have support professionals who are well equipped with the knowledge on such issues.

Let us know if you have other concerns.

 

Hi Paul,
SppExtComObj.Exe is a KMS Connection Broker (Key Management Services by MS).

It's trying to connect to a non-MS server:

MBAM is correct to block this. If you are using illegal software, I suggest you remove it, then run a custom full scan with MBAM.

 

Thank you for your quick response and I hope nothing is illegal on my machine! I will do a full check with MBAM to make sure all is well and will permanently block this site.
Thanks!

 

Sounds good. Let us know if it finds anything. *Smile

 

I'm a bit paranoid due to getting a Crypto locker a few months back (I clicked on a bad email drrr and the backup was connected double drrr and it cost me plenty to get the files back that I lost), so ran the following:
- MBAM
- Spybot
- Sophus
- ESET
- SFC /scannow
- Panda
- CCleaner

Ok some things were found but all seemed to be low risk stuff, missing links, cookies etc but, the website block now doesn't come up so maybe I got it.

I have a feeling that I really should rebuild this computer from scratch, painful as that will be.

Paul

 

Oh dear - I am sorry to hear that. Those are all good programs to run (although I would use SuperAntiSpyware Free over Spybot). I assume now you have only ONE active anti-virus running on the machine?

You might want to add these:
RKILL

TDSSKiller (Kaspersky-onetime run for rootkits)
Make sure to tick all the boxes and let the computer reboot so it can run the scan fully.

RKILL (again) Because everything RKILL does is undone by a reboot.

ADWCleaner (will reboot to clean)
Feel free to post the log after you run it and I'll have a looksee for what's leftover. Usually these crypto malware are easy to clean or even remove themselves after they've delivered their payload.

RKILL again

JRT

Note: RKILL will put a log on your desktop called rkill.txt, and will overwrite it each time you run the scan, so if you want to keep them, rename them rkill01.txt, rkill02.txt, etc.

For future protection against these encryption nasties (and a lot of others), I would make the following recommendations:

One good active anti-virus (ESET is excellent, if you can afford it - usually on sale at Newegg on a regular basis)
MBAM (free or pro)
MBAE (free)
CryptoPrevent Free
SuperAntiSpyware Free

A file backup system which uses "versioning".
Alternating backups: 2 drives, one disconnected at all times, and rotate them on a regular basis.

Note: MBAM have an anti-encryption BETA right now, which will eventually be rolled into their paid version of MBAM Pro.

Of course, nothing beats common sense. *Wink But, if you were using, say, gmail, and collecting your emails online using your browser (and not an email client), a lot of this stuff would never even reach your inbox, and if it did, it would likely be flagged. (Not to plug gmail, but they have pretty aggressive email scanning, and ferret out quite a bit, and warn you with other stuff.)

Depending on the infection you had (if you know the name, or can provide all scan logs), I could research it to see if it warrants a clean install.

 

Thanks again and you are being a big help. The cryptolocker cost me US$1200 in ransom and computer expert help and a full week of down time. I didn't know anything about Bitcoin, I do now!
I have paid for ESET and also run MBAM free and their BETA anti encryption program.
i will give the other suggested programs a go too although it might take a few days to do it all.
i have been using Second Copy 8 for backup. I like it because it's simple and saves the files in their normal format so that I can get at them easily. Since the cyptolocker, I have 3 backups, 2 daily that I rotate and a master weekend one which backups both my data disk and an OS image. I work from home BTW. I have been having problems with this program recently as well as other weird things. Do you know another good easy to use backup software which saves files as they are. I have a lot of very big Outlook files and even if I don't open them, they get backed up anyway because outlook loads them and this is seen as a changed file by SC8.
My current thought is to uninstall SC8 and some other troublesome programs, then do a Windows 10 repai install, run all the scans, then reload the problem programs. I expect that it hasn't helped messing with the registry lol.
Your thoughts please?
thanks again!

 

Ouch! You're lucky you got your files back - some of these creeps take the money and run.

Great. When they roll that into their paid version, it may be worth looking at a subscription.

No problem. Actually, they all run pretty quickly. But, no rush.

That sounds like a good setup. *Smile

Hmmm... I am not familiar with Second Copy 8 - have never used it. I do know that Macrium Reflect Free allows you to mount the images and even extract specific files from the images (just did this on a system I was working on that wouldn't boot). I personally have 2 backup schemes in addition to my Operating System backup, (for which I use Macrium): CrashPlan and Robocopy. CrashPlan compresses and provides versioning, while Robocopy is basically a copy function (so data is in original state). But, you really could do everything with Macrium, and backups would be smaller since they're compressed, and can be verified as they're made. Really, since you can extract files from the images, it makes things quite nice. You can also set it up for incremental and differential images, although I don't do that - I always make full images (makes life easier if I have to restore).

Here's some info on it:
Solved Tell your backup software, win Macrium Reflect Home license! - Windows 10 Forums

To get started with system imaging, see these tutorials:

• System Image - Create in Windows 10 - Windows 10 Forums
• Macrium Reflect - Backup Restore - Windows 10 Forums

 

Was it really Cryptolocker that you had? or Torrentlocker? or something else? Because Cryptolocker was taken down, and a possible decryption scheme was released (for free). Torrentlocker made copies of your data, encrypted it, and then deleted the original, so many people got their data back by using recovery software or ShadowExplorer. Just curious - not that it makes any difference now...*Sad

 

I already use macrium for the weekly OS disk image although I use SC8 for backing up the weekly data disk. In fact I restored the operating system 2 weeks ago from a macrium image and that worked well. As for the data file backup, I just like to see the actual files are there. I'll have a look at robocopy and see what that's all about thanks.

 

It cerainly said it was cryptolocker and looked like it. Australia where I am has been targeted with this malware this year with lots being affected. This is where I got mine from in May:

Thousands targeted by 'ransomware' email scam which copies AGL Energy bills

Fortunately it didn't jump to the second machine in the network as we didn't have the share as a drive letter and I managed to stop the process with spyhunter (which I don't use now) when I saw it happening. The encryption started at A and did my account files first and was half way through my archive files when I stopped it. It deleted all restore points first and as I had the backup connected it infected that at exactly the same time. This is how I learnt the hard way re a single permanently connected backup drive. Happy with my backup setup now (will ditch SC8 if it doesn't start behaving properly and support doesn't get back to me) but my machine has had a few problems in the last couple of weeks, hence why I am here in the first place, probably nothing to do with the cryptolocker but like I said, I'm paranoid now lol.
Ok I will let you know how I go.

 

Just checked out Robocopy and not sure that's for me or my misses. For daily backup with SC8 you can set it up to backup each time you shut down and it will switch the computer off after the backup is complete. It's a simple single click on the program icon.

 

Okay, try this: Open Macrium, in the Restore Tab, navigate to one of your backups, select Browse Image, select partition C, notice the drive letter it will assign when it mounts it as a virtual drive. Go to file explorer and have a look at that virtual drive - you'll see all your files in their "natural state", which could then be copied from there to someplace you want at any time.

Okay I just read that article link and I noticed:

You said you had a professional IT person working on your system, so they made sure it was clean right? Or, did they completely reinstall the operating system? What are the problems you're having with the system?
Just for the record: Spyhunter has a less-than-stellar reputation in the industry.

Yes, Robocopy...I believe it can be setup to run using Task Scheduler (I haven't gotten around to that yet myself).