
hijack.autoconfigurl.prxysvrrst Malware as well



Hi folks - don't mean to hijack the thread but I have the same problem and wanted to add what I found if it helps. MBAM was able to detect the entry in the registry, same as with Jurionx. Using the Process Monitor tool in Panda Antivirus, I was able to see that the same file ISUSPM.exe was making a connection to a URL and downloading a text file called proxy.txt. I've attached a screenshot where you can see this URL.

I found this thread while searching for a place to submit this file as a sample to you folks. It seems like it's using a signed file from InstallShield to hide itself. I did full scans with Avast, Defender, Avira and Panda but none were able to detect the source of the problem, and the only indication this happened was because the Google search results page had the old Google logo on it! If you'd like me to send you the file from my computer let me know! Hope this helps.

Screenshot.png


Hi,

Yes the file that was doing this is named ISUSPM.exe from C:\Program Files (x86)\Common Files\InstallShield\updateservice
I think my infection was pretty much the same one as OP's from the other thread, and I think I've been able to fix it. But this malicious file is disguising itself as InstallShield and isn't being detected by any antivirus or antimalware scan so I hoped my additional report would help in developing a signature or something for MBAM to pick the infected file up in scans. From my experience, only the malicious proxy in the registry and the scheduled task were detected, but the source (i.e. ISUSPM.exe) escaped detection. Hope you can look into that!

Thanks!


  • Root Admin

That file is actually not malicious and is a valid good file. Unfortunately the malware writers have learned a new trick of using a scheduled task with a valid good file but also running bad things with it. So we're looking to find the exact details on the triggering so that it can be prevented as well. At this time none of the antivirus products detect it either as it is a valid file and process, just pointed to a bad final result.

If you're certain you're okay I'll go ahead and close your topic but if you'd like us to check your system further let me know.

Cheers and thanks for the feedback

Ron
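
A read-only triage check for the pattern described in the post above (a scheduled task that launches a validly signed binary, alongside a hijacked proxy auto-config setting). This is an added example, not code from the posters or from Malwarebytes. It assumes the proxy entry is the `AutoConfigURL` value under the Internet Settings key, as the detection name suggests, and that the task launches ISUSPM.exe directly.

```powershell
# Added example: lists findings only, changes nothing on the system.
$binaryName = 'ISUSPM.exe'   # file named in this thread

# 1. Proxy auto-config URL, per-user and machine-wide.
$keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = foreach ($key in $keys) {
    $val = (Get-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
    if ($val) { [pscustomobject]@{ Key = $key; AutoConfigURL = $val } }
}

# 2. Scheduled tasks whose action runs the named binary.
$tasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only exec actions carry Execute/Arguments; COM handler actions do not.
        if ($action.Execute -and $action.Execute -like "*$binaryName*") {
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $sig = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -LiteralPath $exe).Status
            } else { 'FileNotFound' }
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Execute   = $exe
                Arguments = $action.Arguments   # review this, not the signature
                Signature = $sig
            }
        }
    }
}

'--- AutoConfigURL values ---'
if ($proxy) { $proxy | Format-List } else { 'none set' }
"--- Scheduled tasks launching $binaryName ---"
if ($tasks) { $tasks | Format-List } else { 'none found' }
```

A `Valid` signature in the output does not clear a task: the arguments and the task's origin are what need review when the binary itself is legitimate.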


1 minute ago, AdvancedSetup said:

Unfortunately the malware writers have learned a new trick of using a scheduled task with a valid good file but also running bad things with it.

Ah that's unsettling. Hope you can detect the source of this infection then! Yes my system is clean as far as I'm aware, the problem hasn't come back for a couple of days so please close my topic, if I'm in need of assistance I will be back for help! :) 


This topic is now closed to further replies.