Avast threat warning on local IP file

Pacheko17

Controversial opinions guy.
OP
Member
Joined
Jan 31, 2015
Messages
1,495
Trophies
1
Location
República Juliana
XP
1,855
Country
Brazil
There is this file called wpad.dat that keeps getting Avast crazy. It is running on svchost.exe and comes from the Local IP.

I'm currently connected to my dad's office and I don't think there's much to worry about since it's blocked, but every time I come here and connect to the WiFi, the alert shows up.

Doesn't happen at home or literally anywhere else, quite obvious that it's a server-side infection.

Avast warning: [screenshot attached to the post]

JS:Banker is apparently a password stealing trojan. Shit makes me scared as all hell lol.
But everything is fine, I connected to this WiFi for the first time months ago and got this, nothing happened whatsoever so I guess it really is blocked.

Dad said he'll warn the operator. But any input on this would be greatly appreciated.
 
Last edited by Pacheko17,

Cyan

GBATemp's lurking knight
Former Staff
Joined
Oct 27, 2002
Messages
23,749
Trophies
4
Age
45
Location
Engine room, learning
XP
15,648
Country
France
Does your dad have a file named "wpad.dat" on his server's root? If he does, he probably knows what this file is.
If that file is not on his local server (or if he doesn't even have a server) maybe he should scan his computer for threats, check why svchost is sending this.

That filename is funny as "wpad" is used in wii homebrew for "Wii pad" functions, but not used as a .dat file.
 

Pacheko17

Controversial opinions guy.
OP
Member
Does your dad have a file named "wpad.dat" on his server's root? If he does, he probably knows what this file is.
If that file is not on his local server (or if he doesn't even have a server) maybe he should scan his computer for threats, check why svchost is sending this.

That filename is funny as "wpad" is used in wii homebrew for "Wii pad" functions, but not used as a .dat file.

He doesn't know, he doesn't operate the server. I could go check it out but I don't know the password for the server computer. And yeah, I laughed when that popped up xD


According to wikipedia, this is a wpad file:
"The Web Proxy Auto-Discovery Protocol (WPAD) is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL."

I guess it's used to download the configuration files, probably to block websites. Because the weird thing is, his computer couldn't access Facebook, Youtube or other websites that are blocked by the company's firewall, but after he formatted it, installed Avast and connected to the internet, the warning showed up too and now he can use stuff normally.
 
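The Wikipedia quote above is the key to this thread: wpad.dat is a PAC (proxy auto-config) file, which is JavaScript that the browser executes to choose a proxy per URL. That is why a "JS:" signature fires on it, and why a PAC served from a LAN is worth reading before trusting: if it routes specific hostnames (banking or webmail, say) through a proxy outside the local network, every client that auto-discovers it will send that traffic there. The script below is an added triage helper written for this page, not code from the thread or from Avast; the PAC text is a constructed sample, and the local-network ranges and the regexes for `PROXY`/`SOCKS` directives and hostname rules are assumptions that cover the common PAC idioms, not every possible script.

```python
"""Triage a WPAD/PAC file: list the proxies it can route through and the
hostname patterns it treats specially, then flag proxies outside the LAN."""
import ipaddress
import re

# Constructed sample PAC file for illustration (not a real capture).
# A PAC file is JavaScript; FindProxyForURL is the function the client calls.
SAMPLE_PAC = r'''
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || isInNet(host, "10.0.0.0", "255.0.0.0"))
        return "DIRECT";
    if (shExpMatch(host, "*.example-bank.test") || dnsDomainIs(host, ".webmail.test"))
        return "PROXY 203.0.113.7:8080; DIRECT";
    return "PROXY 10.0.0.1:3128; DIRECT";
}
'''

# Proxy endpoints appear in return strings as "PROXY host:port", "SOCKS host:port", etc.
PROXY_RE = re.compile(r"\b(?:PROXY|SOCKS5?|SOCKS4|HTTPS?)\s+([^\s;\"']+)", re.IGNORECASE)
# Hostname rules: the PAC helper functions that decide special routing for a host.
HOST_RULE_RE = re.compile(
    r'\b(?:shExpMatch|dnsDomainIs|localHostOrDomainIs)\s*\(\s*host\s*,\s*"([^"]+)"')

# Assumed "local" ranges: RFC 1918 plus loopback and link-local. TEST-NET
# addresses are deliberately NOT treated as local (unlike ipaddress.is_private).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


def extract_proxies(pac_text):
    """Return the unique proxy endpoints (host:port) named in the PAC, in order."""
    seen = []
    for endpoint in PROXY_RE.findall(pac_text):
        if endpoint not in seen:
            seen.append(endpoint)
    return seen


def extract_host_rules(pac_text):
    """Return the hostname patterns that receive special routing."""
    return HOST_RULE_RE.findall(pac_text)


def endpoint_is_local(endpoint):
    """True/False for an IP endpoint; None when the proxy is given as a hostname."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")  # strip port and IPv6 brackets
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return any(addr in net for net in LOCAL_NETS)


def triage_pac(pac_text):
    """Summarise where a PAC file sends traffic and what looks worth a closer look."""
    proxies = extract_proxies(pac_text)
    rules = extract_host_rules(pac_text)
    findings = []
    for endpoint in proxies:
        local = endpoint_is_local(endpoint)
        if local is False:
            findings.append(f"proxy outside local networks: {endpoint}")
        elif local is None:
            findings.append(f"proxy given as hostname, verify manually: {endpoint}")
    for pattern in rules:
        findings.append(f"special routing rule for hosts matching: {pattern}")
    return {"proxies": proxies, "host_rules": rules, "findings": findings}


if __name__ == "__main__":
    for line in triage_pac(SAMPLE_PAC)["findings"]:
        print(line)
```

On a real network the input would be the file fetched from the WPAD URL the DHCP option 252 or the `wpad.<domain>` DNS name points at; feeding it to `triage_pac` shows in one glance whether the proxy is the company's own box (as in the default `10.0.0.1:3128` rule) or something that should be raised with whoever runs the server, which is exactly what the OP's dad went on to do.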

Joom

 ❤❤❤
Member
Joined
Jan 8, 2016
Messages
6,067
Trophies
1
Location
US
Website
mogbox.net
XP
6,076
Country
United States
Something is using a RunPE code to inject itself into svchost, and the DAT file is most likely a database of dumped passwords that is decrypted by the malware itself and sent to a remote server. Many stealers and keyloggers do this since storing the dump in plaintext would allow the victim to happen across it and wonder why all their passwords are being stored in a file.
 
Last edited by Joom,

Pacheko17

Controversial opinions guy.
OP
Member
Something is using a RunPE code to inject itself into svchost, and the DAT file is most likely a database of dumped passwords that is decrypted by the malware itself and sent to a remote server. Many stealers and keyloggers do this since storing the dump in plaintext would allow the victim to happen across it and wonder why all their passwords are being stored in a file.

So does that mean my PC got infected or nope?

Already ran multiple scans with Avast and MalwareBytes, they caught nothing.
 

Joom

 ❤❤❤
Member
So does that mean my PC got infected or nope?

Already ran multiple scans with Avast and MalwareBytes, they caught nothing.
Don't ever assume your system is clean just because an AV doesn't detect anything. Attackers use what's known as a crypter to encrypt malware in order to bypass detections. Use CCleaner to check your startup entries for anything suspicious, and check AppData as malware is typically dropped there in order to bypass the UAC prompt. Also, your dad's company should do the same for the server you connect to.
 

Pacheko17

Controversial opinions guy.
OP
Member
Don't ever assume your system is clean just because an AV doesn't detect anything. Attackers use what's known as a crypter to encrypt malware in order to bypass detections. Use CCleaner to check your startup entries for anything suspicious, and check AppData as malware is typically dropped there in order to bypass the UAC prompt. Also, your dad's company should do the same for the server you connect to.

Dad already warned the system operator, I'll check out AppData and then download CCleaner to have a look. Thanks ^^
 

Pacheko17

Controversial opinions guy.
OP
Member
Don't ever assume your system is clean just because an AV doesn't detect anything. Attackers use what's known as a crypter to encrypt malware in order to bypass detections. Use CCleaner to check your startup entries for anything suspicious, and check AppData as malware is typically dropped there in order to bypass the UAC prompt. Also, your dad's company should do the same for the server you connect to.

AppData is fine, nothing out of the ordinary and nothing weird on CCleaner too. Guess I'm good to go.

Sorry for double post
 

Joom

 ❤❤❤
Member
That's good. Do you happen to have a firewall installed that prints out detailed network activity? Like, what connections are being made amongst processes? It'd be a good idea to see if svchost is calling home to somewhere weird. If you don't have one, Comodo is decent and free.
 

0x40

Well-Known Member
Member
Joined
Apr 20, 2013
Messages
281
Trophies
1
Location
/
XP
807
Country
United States
AppData is fine, nothing out of the ordinary and nothing weird on CCleaner too. Guess I'm good to go.

Sorry for double post
Malware can hide itself from the filesystem, so not finding anything doesn't necessarily mean it's clean. I would back up everything of value and format/reinstall if I were you.
 

Pacheko17

Controversial opinions guy.
OP
Member
That's good. Do you happen to have a firewall installed that prints out detailed network activity? Like, what connections are being made amongst processes? It'd be a good idea to see if svchost is calling home to somewhere weird. If you don't have one, Comodo is decent and free.

Checked. svchost is calling only to local IP addresses and to my default gateway.
 
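The check Joom suggested and the OP reports doing ("svchost is calling only to local IP addresses and to my default gateway") can be done without installing a third-party firewall: `netstat -ano` lists every connection with its owning PID and `tasklist` maps PIDs to image names. The script below is an added example for this page, not the thread's own tool or a Windows utility; it parses saved output of those two commands (the sample text is constructed, not captured from a real machine) and flags svchost.exe connections whose foreign address is neither the gateway nor an RFC 1918/loopback/link-local address. The gateway address and the sample PIDs are assumptions.

```python
"""Flag svchost.exe connections that leave the local network, working from the
text output of `netstat -ano` and `tasklist` so saved output can be reviewed."""
import ipaddress

# Constructed sample `tasklist` output (not from a real machine).
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
svchost.exe                    904 Services                   0     12,340 K
svchost.exe                   1260 Services                   0      9,872 K
chrome.exe                    4412 Console                    1    210,448 K
"""

# Constructed sample `netstat -ano` output. 198.51.100.20 is a documentation
# address standing in for "somewhere on the internet".
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.23:49702     192.168.1.1:80         ESTABLISHED     904
  TCP    192.168.1.23:49710     192.168.1.5:445        ESTABLISHED     904
  TCP    192.168.1.23:49733     198.51.100.20:443      ESTABLISHED     1260
  TCP    192.168.1.23:49800     142.250.74.78:443      ESTABLISHED     4412
  UDP    0.0.0.0:68             *:*                                    1260
"""

# Explicit local ranges rather than ipaddress.is_private, which would also
# treat documentation ranges such as 198.51.100.0/24 as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


def svchost_pids(tasklist_text):
    """Return the set of PIDs whose image name is svchost.exe."""
    pids = set()
    for line in tasklist_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "svchost.exe" and parts[1].isdigit():
            pids.add(int(parts[1]))
    return pids


def parse_netstat(netstat_text):
    """Parse `netstat -ano` rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""  # UDP rows have no state column
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(parts[-1])})
    return rows


def foreign_ip(foreign):
    """Extract the address from 'host:port' (or '[v6]:port'); None for '*:*'."""
    host = foreign.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def flag_external_svchost(netstat_text, tasklist_text, gateway="192.168.1.1"):
    """Return (pid, foreign) pairs where svchost talks to a non-local, non-gateway host."""
    pids = svchost_pids(tasklist_text)
    gw = ipaddress.ip_address(gateway)  # assumed default gateway
    flagged = []
    for row in parse_netstat(netstat_text):
        if row["pid"] not in pids:
            continue
        ip = foreign_ip(row["foreign"])
        if ip is None or ip == gw or any(ip in net for net in LOCAL_NETS):
            continue
        flagged.append((row["pid"], row["foreign"]))
    return flagged


if __name__ == "__main__":
    for pid, foreign in flag_external_svchost(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"svchost PID {pid} -> {foreign}")
```

An empty result matches what the OP saw; a flagged row is not proof of infection on its own, since svchost legitimately hosts Windows Update and other services that reach the internet, but it tells you which PID to look at with `tasklist /svc` to see which services it is hosting.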
