Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

taskeng.exe strange install packages and router hacking


  • This topic is locked This topic is locked
3 replies to this topic

#1 quicksolve

quicksolve

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 25 May 2016 - 01:29 PM

to be super brief, there is rediculous svchost activity on several of our machines +50 to 75% activity. selecting svchost it with the resource monitor there are installation packages referenced such as f25ea8f7e140dc26298b535a8f6a53f2 which coincidentailly are referenced in emails that we are getting from strange servers in russia, etc. as well as taskeng.exe running and stopping and connected to these install install packages.

 

these emails, when viewed in HTML have no content and referfence images linked back to servers in russia and easern europe. opening the emails and looking at the contents we see prose referring to restaurants, virus fixing, pay to play lockout services and general threats. these emails constnatly change with specific java script so that they make it through our firwalls that have been breeched and reset many times. IP packet monitoring and Wireshark points to .js scripts and IPV6 code running even thought we have locked down all these ports. clearly there is an issue and my guess is that it is specific keycapture spyware and/or full screen scraping. we noticed bogus certificates in the certificate root  as well. needless to say this is a concerted effort.

 

running al the necessary vius checks, firewall checks, etc., reveals nothing and this has been happening for more than 3yrs. what other options are there? this is gettng a bit out of control to be honest.

 

thanks.



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,962 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:31 AM

Posted 26 May 2016 - 07:51 AM


Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish,so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs.

Let me know what problems persists.

#3 quicksolve

quicksolve
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 30 May 2016 - 08:24 AM

Ok, brief update:

    1) using the resource monitor, I saw continuous traffic to: 224-0-0-252 and found this entry for Vista that also applies to Win7 64 bit, Win 8 and Win 10: http://www.vistaheads.com/forums/microsoft-public-windows-vista-networking-sharing/329050-continuous-data-transfer-ip-224-0-0-252-a.html and so with that, I Turned off Multicast Name Resolution = Enabled in Config and the registry via these details: http://www.computerstepbystep.com/turn-off-multicast-name-resolution.html
    2) the problem here is still the same, at bootup and randomly while computers are in use, svchost.exe CPU usage goes through the roof. For example, going to this page: using google to investigate a184-87-179-64.deploy.static.akamaitechnologies.com  which also was taking up a tremendous amount of CPU usage, I went to this page: https://www.robtex.com/en/advisory/dns/mk/com/microsoft/forums/ and staying on that page for 5 seconds, svchost.exe pins the CPU at 95%
    3) When there is no browser or browser tab is open to any other page than google, all is fine, certain pages however for no reason pin the CPU.
    4) Lastly, there is quite a bit of activity to 239.255.255.250 for no reason and finding this http://www.dslreports.com/forum/r7781197-who-is-239-255-255-250-why-do-they-want-access and disabling it seems to eliminate SOME svchost.exe CPU usage, but not all.

All of the above is fine, but the issue still remains in this post: anon emails with what looks like specific Win update package install ID codes keep coming and the PC is broadcasting data on many strange IP addresses.

Look forward to any extra details that you can see here.



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,962 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:31 AM

Posted 31 May 2016 - 07:01 AM

Please run the tools I suggested.

This is the first step required. I need to clean what will be found as unwanted.

Will take it from there.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users