Jump to content

hijack.autoconfigurl.prxysvrrst Malware

Jurionx
 Share

Recommended Posts

  • Replies 68
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Posted Images

  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Well that was an interesting evening of research. WinPatrol does not monitor it in the free version. So I went out looking for other tools that might be able to do it in real time and so far could not find any others that actually work. There are a couple of other tools out there but development stopped on them years ago and they don't seem to work too well on Windows 10 or at least did not provide even close to real time reporting that I was looking for.

If you think you can get the autoconfig entry to load on demand or quickly then you could monitor it in real time using Process Monitor from Microsoft.
https://technet.microsoft.com/en-us/sysinternals/bb896645

This program will save very large files quickly as it monitors everything going on with the system.

Extract the files from the zip into their own folder. Then run Procmon.exe with Admin rights by right clicking over it and choose "Run as administrator"
With it running try to get the autoconfig change to happen if you can. Then click on File Save and save the Process Monitor Log file so some location you can find. Then zip fhat file up and if it's 30MB or less send it to me in a PM.

 

 

 

 

Link to post
Share on other sites
AlexSmith

AlexSmith

Posted
Posted (edited)
41 minutes ago, Jurionx said:

@AdvancedSetup The malware injects itself at 0200 hrs my time, and I had Procmon running and saved the file, however, it's 69MB in size. Here's a Drive link for you to get the file.

 

https://drive.google.com/file/d/0B93uw01hFu8yUG9odWZsTTdBa3c/view?usp=sharing

BINGO!! This is exactly what was needed. The program that is launching nslookup AND creating the registry key is what appears to be a compromised/hijacked version of Install Shield at C:\Program Files (x86)\Common Files\InstallShield\updateservice\ISUSPM.exe. That also happens to be one of your Scheduled Tasks.

AutoProxyURLMalware001.PNG

AutoProxyURLMalware002.PNG

AutoProxyURLMalware003.PNG

Edited by AlexSmith
Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Please delete the scheduled task for this. If you need help or want me to write a script to remove it let me know but you should be able to  manually remove it.

 

Task: {BB5B6B42-5F41-4F73-86AE-40E646634EDC} - System32\Tasks\InstallShield® Update Service Scheduler => C:\Program Files (x86)\Common Files\InstallShield\updateservice\ISUSPM.exe [2016-04-21] (InstallShield®)
C:\Program Files (x86)\Common Files\InstallShield\updateservice

Then restart the computer and let me know if that has taken care of it.

 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

No problem. Please run the following. Then monitor the situation and let me know how things are now.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

 

Thanks

 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted (edited)

Thanks. The file scans clean 0/56 detections from Virus Total

https://www.virustotal.com/en/file/ac8eb654b491c3c321938307893469a1a78067e828981f2269093517cf158a9d/analysis/1463554376/

Reboot the computer a couple times and keep an eye on it and let me know.

 

 

Edited by AdvancedSetup
Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Great, glad to hear it. Where it came from is difficult as one needs to actually be more concerned and spend a significant amount of time in forensic study which we typically don't have time for and thus try to detect and remove it instead.

 

At this time there are no more signs of an infection on your system.
However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if ran at the wrong time.
They are often updated daily so if you went to use them again in the future they would be outdated anyways.

The following procedures will implement some cleanup procedures to remove these tools.
 
bwebb7v.jpgDownload Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot


Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.


 
If there are any other left over Folders, Files, Logs then you can delete them on your own.
 
Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP


As Java seems to get exploited on a regular basis I advise not using Java if possible but to at least disable java in your web browsers
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.


If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.

 

 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.