  1.    28 Dec 2015 #71
    Join Date : Dec 2015
    Posts : 2
    Windows 10

    Hi guys, I also registered to tell that I finally found the source of my infection, in an AnyDVD update scheduled task:

    This was triggered 3 times a week at 18:00
    Code:
    C:\WINDOWS\system32\wscript.exe //nologo //B //E:jscript "C:\Users\(me)\AppData\Roaming\AnyDVD HD\settings.ini"
    The malicious code is hidden in the ini file, as described in page 4.

    Kudos to people that hinted to check scheduled tasks, this thing was driving me crazy!

    PC-SÉBASTIEN-29_12_2015__83417,50.zip
    Last edited by sgauge; 29 Dec 2015 at 02:56.
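    The task action quoted above is worth a closer look from a defender's side: wscript.exe is told, via //E:jscript, to treat a file named settings.ini as JScript, and the file sits in a per-user AppData directory. Neither trait is normal for a vendor updater. The following is an added example, not code from the thread or from AnyDVD, that scans "Task To Run" command lines for exactly those two traits. The sample command lines are constructed for the example (the first is the one from this post, with the "(me)" placeholder kept; the fourth mirrors the ConvertXtoDVD path reported later in the thread); on a real machine the list would come from the "Task To Run" column of `schtasks /query /fo CSV /v`.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Windows Script Host executables and the file extensions they normally run.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# Constructed sample "Task To Run" command lines (see lead-in): the first is the
# action reported in this post, the others are made-up benign look-alikes plus
# the ConvertXtoDVD variant reported in post #74.
SAMPLE_ACTIONS = [
    r'C:\WINDOWS\system32\wscript.exe //nologo //B //E:jscript "C:\Users\(me)\AppData\Roaming\AnyDVD HD\settings.ini"',
    r'C:\Windows\System32\wscript.exe //B "C:\Program Files\Vendor\cleanup.vbs"',
    r'"C:\Program Files\Vendor\Updater.exe" /silent',
    r'C:\Windows\System32\cscript.exe //nologo //E:jscript C:\Users\username\AppData\Roaming\ConvertXtoDVD\settings.ini',
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmd):
    """Split a Windows command line into arguments, keeping double-quoted paths whole."""
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmd)]


@dataclass
class Finding:
    action: str
    script: str
    reasons: list = field(default_factory=list)


def assess_action(cmd):
    """Return a Finding for a suspicious WSH invocation, or None if nothing stands out."""
    tokens = tokenize(cmd)
    if not tokens:
        return None
    host = ntpath.basename(tokens[0]).lower()
    if host not in SCRIPT_HOSTS:
        return None  # not a script-host launch; outside the scope of this check

    engine = None
    script = None
    for tok in tokens[1:]:
        if tok.lower().startswith("//e:"):
            engine = tok[4:].lower()  # //E:jscript style engine override
        elif not tok.startswith("//"):
            script = tok              # first non-host option is the script path
            break

    reasons = []
    if script is None:
        reasons.append("script host launched without a script path")
    else:
        ext = ntpath.splitext(script)[1].lower()
        if engine and ext not in SCRIPT_EXTS:
            reasons.append(f"//E:{engine} forces a script engine on a '{ext or '(no extension)'}' file")
        if "\\appdata\\" in script.lower():
            reasons.append("script lives in a user-profile AppData directory")
    return Finding(cmd, script or "", reasons) if reasons else None


def scan(actions):
    """Assess a list of task actions and return only the suspicious ones."""
    return [f for f in (assess_action(a) for a in actions) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_ACTIONS):
        print(finding.action)
        for reason in finding.reasons:
            print("   -", reason)
```

    A benign WSH task (a .vbs under Program Files, no engine override) produces no finding, so the check stays quiet on ordinary vendor maintenance tasks; the two settings.ini actions are each flagged for both the engine override and the AppData location.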
  2.    28 Dec 2015 #72
    Join Date : Apr 2015
    Posts : 12,952
    W10Prox64

    Quote Originally Posted by sgauge:
    Hi guys, I also registered to tell that I finally found the source of my infection, in an AnyDVD update scheduled task:

    This was triggered 3 times a week at 18:00
    Code:
    C:\WINDOWS\system32\wscript.exe //nologo //B //E:jscript "C:\Users\(me)\AppData\Roaming\AnyDVD HD\settings.ini"
    The malicious code is hidden in the ini file, as described in page 4.

    Kudos to people that hinted to check scheduled tasks, this thing was driving me crazy!
    Hi sgauge and welcome to Tenforums.
    Thanks for posting your information - every little bit helps.
    I wonder if you might help us further detect how this is happening, so we can get some tangible information to send out to Bleeping Computer and the AVs? If you would, please run the BSOD posting instructions found in this thread; even though this infection is not causing BSODs, we may be able to figure out the infection method of this thing, to block it in the future. Thanks.
  3.    28 Dec 2015 #73
    Join Date : Oct 2013
    NW Florida
    Posts : 9,670
    Windows 10 Pro and Windows 10 Pro Insider

    @sgauge Please upload the BSOD Posting Instructions (link: BSOD - Posting Instructions - Windows 10 Forums). Upload them here; this will tell you how: Screenshots and Files - Upload and Post in Ten Forums - Windows 10 Forums.
  4.    28 Dec 2015 #74
    Join Date : Dec 2015
    Posts : 2
    Windows 10

    Found mine under C:\Users\username\AppData\Roaming\ConvertXtoDVD\settings.ini
  5.    28 Dec 2015 #75
    Join Date : Apr 2015
    Posts : 12,952
    W10Prox64

    Quote Originally Posted by Maintown:
    Found mine under C:\Users\username\AppData\Roaming\ConvertXtoDVD\settings.ini
    Thanks for letting us know. Would you mind uploading the info in post #73, so we can try to find the source of this infection? Thanks.
  6.    29 Dec 2015 #76
    Join Date : Dec 2015
    Posts : 2
    Windows 10

    Quote Originally Posted by essenbe:
    @sgauge Please upload the BSOD Posting Instructions (link: BSOD - Posting Instructions - Windows 10 Forums). Upload them here; this will tell you how: Screenshots and Files - Upload and Post in Ten Forums - Windows 10 Forums.
    Hi there, I updated post #71 with the requested zip file.
  7.    29 Dec 2015 #77
    Join Date : Apr 2015
    Posts : 12,952
    W10Prox64

    Quote Originally Posted by sgauge:
    Hi there, I updated post #71 with the requested zip file.
    Thanks!
  8.    01 Jan 2016 #78
    Join Date : Dec 2015
    Posts : 5
    WIN 7

    I was infected too. But only by its "localhost.world" script part.
    Looking at the latter part of post #39 (by moraleja39), the one contributed by the "mtmyoq.se" part of this Malware, decoding its base64-encoded string:
    ==========
    ZnVuY3Rpb24gRmluZFByb3h5Rm9yVVJMKHVybCwgaG9zdCkgeyBpZiAoc2hFeHBNYXRjaChob3N0LCAid3d3Lmdvb2dsZS4qIikpIHJldHVybiAiUFJPWFkgMTI3LjAuMC4xOjgwODAiOyAgcmV0dXJuICJESVJFQ1QiO30
    ==========

    Leads to:
    ==========
    function FindProxyForURL(url, host) { if (shExpMatch(host, "www.google.*")) return "PROXY 127.0.0.1:8080"; return "DIRECT";}
    ==========

    Which seems (I presume - not an expert on "localhost" ports) that another flavor of this Malware hijacks any access to Google sites to a NOT used port (unless you have some server responding at port 8080 - like your own WEB server running).

    So it seems that this Malware has 2 parts: the "localhost.world" script, and the "mtmyoq.se" part.
    And that folks are infected by only 1 of them. Not by both at the same time.
    Strange.
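    The base64 string in this post decodes to a proxy auto-config (PAC) function, and the rule it contains tells the browser to send every www.google.* request to a proxy at 127.0.0.1:8080 with no DIRECT fallback. If nothing listens on that port, Google simply stops loading; if something does listen there, that local listener sees the traffic. The following is an added example, not code from the thread, that decodes a PAC string copied from a post (stripping wrapping whitespace and restoring the missing "=" padding, which is why a plain base64 decode of the string above fails) and then lists every rule that hands a host pattern to a loopback proxy. Only the base64 string is taken from the post; the regexes and the second, clean PAC used for comparison are this example's own.

```python
import base64
import re

# The base64 string quoted in post #78, with the line-wrapping space removed.
# Everything else in this file is constructed for the example.
PAC_B64 = (
    "ZnVuY3Rpb24gRmluZFByb3h5Rm9yVVJMKHVybCwgaG9zdCkgeyBpZiAoc2hFeHBNYXRjaChob3N0LCAid3d3Lmdvb2dsZS4qIikp"
    "IHJldHVybiAiUFJPWFkgMTI3LjAuMC4xOjgwODAiOyAgcmV0dXJuICJESVJFQ1QiO30"
)


def decode_b64_lenient(text):
    """Decode base64 copied from a forum post: drop whitespace and restore '=' padding."""
    cleaned = re.sub(r"\s+", "", text)
    cleaned += "=" * (-len(cleaned) % 4)  # the posted string lacks its trailing '='
    return base64.b64decode(cleaned).decode("utf-8", errors="replace")


# A return that hands traffic to a proxy, e.g.  return "PROXY 127.0.0.1:8080";
RETURN_RE = re.compile(r'return\s+"\s*(PROXY|SOCKS[45]?|HTTPS?)\s+([^"\s;]+)', re.I)
# A host test that can precede it, e.g.  shExpMatch(host, "www.google.*")
COND_RE = re.compile(r'(shExpMatch|dnsDomainIs|localHostOrDomainIs)\s*\(\s*host\s*,\s*"([^"]+)"', re.I)
# Loopback endpoints: 127.x.x.x, localhost, or [::1]
LOOPBACK_RE = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost|\[?::1\]?)$", re.I)


def find_hijack_rules(pac_text):
    """List PAC rules that send matching hosts to a loopback proxy endpoint."""
    findings = []
    for ret in RETURN_RE.finditer(pac_text):
        endpoint = ret.group(2)
        host_part = endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint
        if not LOOPBACK_RE.match(host_part):
            continue
        # Attach the last host condition that appears before this return statement.
        conds = list(COND_RE.finditer(pac_text, 0, ret.start()))
        findings.append({
            "condition": conds[-1].group(2) if conds else "(unconditional)",
            "proxy_type": ret.group(1).upper(),
            "endpoint": endpoint,
        })
    return findings


if __name__ == "__main__":
    pac = decode_b64_lenient(PAC_B64)
    print(pac)
    for rule in find_hijack_rules(pac):
        print(f"hosts matching {rule['condition']!r} -> {rule['proxy_type']} {rule['endpoint']}")
```

    On the decoded PAC from this post the scan reports one rule (www.google.* to PROXY 127.0.0.1:8080); a PAC that only returns DIRECT reports nothing. On an affected machine the complementary check is whether a process is actually listening on the named loopback port, which is what turns a "Google won't load" symptom into an interception.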
  9.    01 Jan 2016 #79
    Join Date : Apr 2015
    Posts : 12,952
    W10Prox64

    Quote Originally Posted by rolibark:
    I was infected too. But only by its "localhost.world" script part.
    Looking at the latter part of post #39 (by moraleja39), the one contributed by the "mtmyoq.se" part of this Malware, decoding its base64-encoded string:
    ==========
    ZnVuY3Rpb24gRmluZFByb3h5Rm9yVVJMKHVybCwgaG9zdCkgeyBpZiAoc2hFeHBNYXRjaChob3N0LCAid3d3Lmdvb2dsZS4qIikpIHJldHVybiAiUFJPWFkgMTI3LjAuMC4xOjgwODAiOyAgcmV0dXJuICJESVJFQ1QiO30
    ==========

    Leads to:
    ==========
    function FindProxyForURL(url, host) { if (shExpMatch(host, "www.google.*")) return "PROXY 127.0.0.1:8080"; return "DIRECT";}
    ==========

    Which seems (I presume - not an expert on "localhost" ports) that another flavor of this Malware hijacks any access to Google sites to a NOT used port (unless you have some server responding at port 8080 - like your own WEB server running).

    So it seems that this Malware has 2 parts: the "localhost.world" script, and the "mtmyoq.se" part.
    And that folks are infected by only 1 of them. Not by both at the same time.
    Strange.
    Hi rolibark and welcome to Tenforums.

    Thanks very much for posting this info. Every little bit helps! Would you mind uploading the info in post #73, so we can try to find the source of this infection? Thanks!
  10.    02 Jan 2016 #80
    Join Date : Dec 2015
    Posts : 5
    WIN 7

    Hi,
    As I said - I was infected only by its "localhost.world" script part (not by its "mtmyoq.se" part).
    And I had the same cause for this Malware (the Adobe Updater) as "moraleja39" had.
    So (I guess) there's no need for my system info.