
Reinfecting Adware and Possibly Packed & Autorun Malware


This topic is locked
1 reply to this topic

#1 Caramello222

  • Members
  • 148 posts

Posted 02 December 2015 - 09:10 PM

I was advised to repost my malware topic "Win32/Virtumonde & Reinfecting Friends" here by a fellow staffer, to receive assistance from someone with the same OS as me, Windows 8.1. The source of the reinfecting malicious ads and tracking cookies in my appdata, banner ads in flashplayer, and audio pop-ups by ad doubleclick net and stalker banner ads on some websites couldn't be found. I've added MVPS's hosts file list to my hosts file but some of it is being bypassed and the very first entry on the hosts list "fr a2dfp net" is always listening. The information below came from the Process Explorer properties TCP/IP tab; all the empty spaces in the web addresses and IPs are dots, I left out the dots to try to prevent hyperlinks.

        System:4

Protocol   Local Address                      Remote Address      State       Service
TCP        cornbread cfl rr com:netbios-ssn   fr a2dfp net:0      LISTENING
TCP        fr a2dfp net:microsoft-ds          fr a2dfp net:0      LISTENING
TCP        fr a2dfp net:8092                  fr a2dfp net:0      LISTENING
UDP        cornbread cfl rr com:netbios-ns    *:*
UDP        cornbread cfl rr com:netbios-dgm   *:*
TCPV6      cornbread:445                      cornbread:0         LISTENING
TCPV6      cornbread:8092                     cornbread:0         LISTENING

That website is also in mDNSResponder.exe:1472 (Bonjour service), CLMSServerpDVD12.exe:114544 & 212872 (CyberLink PowerDVD12 Media Server Service), lass.exe:612, services.exe:604, spoolsv.exe:1276, svchost.exe:760 (RPCSS service), svchost.exe:928 (Local Service Network Restricted, Event Log service), svchost.exe:929 (Dhcp service), svchost.exe:976 (Netsvcs, Schedule service), svchost.exe:1072 (Network Service, Dnscache service). svchost.exe:2720 (Local Service And No Impersonation) has a local address 0.0.0.0:1900 communicating with a remote address *:* using the SSDPSRV service, fr a2dfp net is in wininit.exe:552, and iexplorer has 5 established connections with 'ec2-52-19-170-37 eu-west-1 compute amazonaws com', 2 connections with 'server-54-192-48-122 jfk5 r cloudfront net', 1 connection with 'server-54-230-82-121 mia50 r cloudfront net', 4 connections with an IP '72 21 91 127' and 2 connections with IP '72 21 91 96', also 'yv-in-f100 1e100 net' and '104 20 92 192', and more will pile on the longer I stay connected to the internet. I think this malware is using DLL app extensions because I see a lot of them have an unknown source that uses them. I also have lagging issues with graphics and sound; the problem only starts when I have my computer running for about 2 hours, then the cursor, graphics, and sound become choppy. The problem happens faster if, about 4-6 times, a scheduled task starts after 4 minutes of idle time or 2 sleep modes, which causes apps that were open to crash. I've tried to stop Task Scheduler from starting every 4 idle minutes by disabling idle tasks but it's always enabled again after every restart or shut down. The images on my icons are slowly disappearing from my taskbar, my favorites list in Internet Explorer 11, and the apps and pinned sites in the lower half of the start screen.
Oddly I can see them when I boot into safe mode and when I boot normally after safe mode, but again after my computer has been running for a while they disappear again. I'm also having moments of "is it me or malware" because I can't prove it and I'm not 100% sure. But I don't remember seeing so many blue-lettered folders and files (the names are in blue instead of black, and is that a sign of packed or compressed?), odd-named folders and files, lower-case letters used for the names of files and folders, info missing from details tabs on files, especially missing copyrights, folders and files with a blank sheet of white paper as their icon, and processes in Task Manager that pop in and out fast. If you know of an article I can read about files and folders, what is odd but normal and what's malicious, I would truly appreciate it. I know some of the things I listed above can be normal but I learned that slowly by thinking I found malware only to be told no I didn't, that's normal.

     I did get some warnings of malware from VirusTotal when I recently used Process Explorer and Autoruns.

File Name                                                                  AV company   AV Detection
"SOMAW81.dll"                                                              Bkav         W64.HfsAutoA.ADC0
"Microsoft.Live.dll"                                                       Bkav         W64.HfsAutoA.3918
"SystemPropertiesPerformance.exe 967cc606b1d3040bc5d6b5b45072aa0.tmp"     Bkav         HW64.packed.CA7C
"LocationNotifications.exe 0826471bf829234aa02f3c8358d6a3ca.temp"         Bkav         HW64.packed.698C
dnsapi.dll                                                                 Antiy-AVL    Trojan/Win32.BTS Generic

If more information is needed please let me know, I'll be more than happy to give it. Thank you for your time.
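An added illustration, not part of the post above, of why the first MVPS entry can appear as the "remote address" of sockets that are merely LISTENING: tools like Process Explorer reverse-resolve each endpoint, the hosts file is consulted first, and the wildcard address 0.0.0.0 resolves to the first hosts line that names it. The hosts fragment and socket list below are constructed samples; the only real value reused is the amazonaws IP quoted in the post.

```python
"""Added example (not code from the original post): why a hosts-file name shows
up as the "remote address" of a LISTENING socket. Tools such as Process Explorer
reverse-resolve every endpoint, Windows answers from the hosts file first, and
the wildcard address 0.0.0.0 maps back to the FIRST hosts line that names it.
The MVPS list starts with "0.0.0.0 fr.a2dfp.net", so that name is printed for
every wildcard listener although no traffic to that site is involved."""
from typing import Dict, List, Tuple

# Constructed hosts fragment in MVPS style; the first 0.0.0.0 line wins.
SAMPLE_HOSTS = """
# MVPS HOSTS sample (constructed for this example)
127.0.0.1  localhost
0.0.0.0  fr.a2dfp.net
0.0.0.0  ad.doubleclick.net
"""

# Constructed sockets in the shape of the post's table:
# (protocol, local ip, local port, remote ip, remote port, state)
Socket = Tuple[str, str, int, str, int, str]
SAMPLE_SOCKETS: List[Socket] = [
    ("TCP", "0.0.0.0", 445, "0.0.0.0", 0, "LISTENING"),
    ("TCP", "0.0.0.0", 8092, "0.0.0.0", 0, "LISTENING"),
    ("TCP", "192.168.1.10", 49731, "52.19.170.37", 443, "ESTABLISHED"),
]

WILDCARDS = ("0.0.0.0", "127.0.0.1", "::", "*")


def parse_hosts(text: str) -> Dict[str, str]:
    """Map ip -> first hostname listed for it, as a reverse lookup would."""
    first: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenise
        if len(fields) >= 2 and fields[0] not in first:
            first[fields[0]] = fields[1]
    return first


def render(sockets: List[Socket], hosts_text: str) -> List[Tuple[str, str, str, str]]:
    """Rows of (protocol, local, remote, state) as a resolving tool prints them."""
    names = parse_hosts(hosts_text)
    return [(proto, f"{names.get(li, li)}:{lp}", f"{names.get(ri, ri)}:{rp}", state)
            for proto, li, lp, ri, rp, state in sockets]


def real_peers(sockets: List[Socket]) -> List[str]:
    """Remote IPs that are actual peers (established, not wildcard/loopback);
    these are worth checking, the 'listening' fr.a2dfp.net rows are not."""
    return sorted({ri for _, _, _, ri, _, state in sockets
                   if state == "ESTABLISHED" and ri not in WILDCARDS})
```

The two wildcard listeners render exactly like the post's "fr a2dfp net:0" rows, while only the established connection survives the real_peers filter.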


#2 Chris Cosgrove

  • Moderator
  • 7,207 posts
  • Location:Scotland

Posted 06 December 2015 - 05:40 PM

As it seems that Nasdaq has not finished with your topic in AII -

http://www.bleepingcomputer.com/forums/t/594644/win32virtumonde-reinfecting-friends/

I have decided to lock this topic for the time being since having two topics on the same problem open at one time just leads to confusion. I have sent Nasdaq a PM and I am waiting for a reply which should clarify things. If he is finished, or if he feels reasonably sure that malware is not at the root of your problems then I will re-open this and put a post in this topic to say so.

Chris Cosgrove
