Avast threat warning on local IP file

Discussion in 'Computer Software and Operating Systems' started by Pacheko17, Jun 25, 2016.

  1. Pacheko17
    OP

    Pacheko17 かっこい男の子

    Member
    1,272
    1,204
    Jan 31, 2015
    Brazil
    Somewhere in the south
There is this file called wpad.dat that keeps making Avast go crazy. It is running under svchost.exe and comes from the local IP.

    I'm currently connected to my dad's office and I don't think there's much to worry about since it's blocked, but every time I come here and connect to the WiFi, the alert shows up.

Doesn't happen at home or literally anywhere else, so it's quite obvious that it's a server-side infection.

Avast warning: (screenshot)
JS:Banker is apparently a password-stealing trojan. Shit makes me scared as all hell lol.
But everything is fine, I connected to this WiFi for the first time months ago and got this; nothing happened whatsoever, so I guess it really is blocked.

    Dad said he'll warn the operator. But any input on this would be greatly appreciated.
     
    Last edited by Pacheko17, Jun 25, 2016
  2. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    18,710
    9,008
    Oct 27, 2002
    France
    Engine room, learning
Does your dad have a file named "wpad.dat" on his server's root? If he does, he probably knows what this file is.
If that file is not on his local server (or if he doesn't even have a server), maybe he should scan his computer for threats and check why svchost is sending this.

That filename is funny, as "wpad" is used in Wii homebrew for "Wii pad" functions, but not as a .dat file.
     
  3. Pacheko17
    OP

    He doesn't know, he doesn't operate the server. I could go check it out but I don't know the password for the server computer. And yeah, I laughed when that popped up xD


According to Wikipedia, this is what a WPAD file is:
    "The Web Proxy Auto-Discovery Protocol (WPAD) is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL."

I guess it's used to download the configuration files, probably to block websites. Because the weird thing is, his computer couldn't access Facebook, YouTube or other websites that are blocked by the company's firewall, but after he formatted it, installed Avast and connected to the internet, the warning showed up too and now he can use everything normally.
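For readers following the WPAD part of this thread: the client finds the file through DHCP option 252 or the DNS name wpad in its search domain, fetches http://wpad/wpad.dat, and runs it as JavaScript, calling FindProxyForURL(url, host) for every request. That is why an AV can classify a wpad.dat as a "JS" threat: a PAC file that quietly routes selected sites through an outside proxy is a man-in-the-middle vector, while one that only sends blocked sites to the company's own filter is exactly what an office network is expected to serve. The block below is an added example, not code from the thread or from Avast: a small PAC evaluator that runs a script's FindProxyForURL() over a list of hosts and flags any host whose first proxy choice is not on an allow-list. The helper functions implement the standard PAC library subset most scripts use (isPlainHostName, dnsDomainIs, shExpMatch, isInNet); dnsResolve and myIpAddress are omitted. The sample PAC script, host list, trusted proxy and the 203.0.113.10 address (a documentation range) are all constructed for the example.

```javascript
// Added example: evaluate a PAC (wpad.dat) script offline and report which hosts
// it diverts to a proxy that is not on the expected list.

function ipToInt(ip) {
  // Only dotted quads are handled; hostnames are not resolved in this offline evaluator.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// Subset of the standard PAC helper library that scripts expect to find in scope.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  // Shell-style glob: escape regex metacharacters, then map * and ? to regex.
  shExpMatch: (str, pattern) => {
    const escaped = pattern
      .replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*")
      .replace(/\?/g, ".");
    return new RegExp("^" + escaped + "$").test(str);
  },
  isInNet: (ip, net, mask) => {
    const a = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
    if (a === null || n === null || m === null) return false;
    return ((a & m) >>> 0) === ((n & m) >>> 0);
  },
};

// Compile the PAC source with the helpers bound as parameters and return FindProxyForURL.
function loadPac(pacSource) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, `${pacSource}\nreturn FindProxyForURL;`);
  return factory(...names.map((n) => pacHelpers[n]));
}

// Parse "PROXY a:b; SOCKS c:d; DIRECT" into an ordered list of {type, address}.
function parseProxyResult(result) {
  return result
    .split(";")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((entry) => {
      const [type, address] = entry.split(/\s+/);
      return { type: type.toUpperCase(), address: address || null };
    });
}

// Run every host through the script; a host is suspicious when its first choice
// is a proxy whose address is not in trustedProxies.
function auditPac(pacSource, hosts, trustedProxies) {
  const findProxy = loadPac(pacSource);
  const trusted = new Set(trustedProxies);
  return hosts.map((host) => {
    const result = findProxy(`https://${host}/`, host);
    const first = parseProxyResult(result)[0] || { type: "DIRECT", address: null };
    const suspicious = first.type !== "DIRECT" && !trusted.has(first.address);
    return { host, result, suspicious };
  });
}

// Constructed sample: looks like an ordinary office filter PAC, but one rule sends a
// banking domain to an outside address (203.0.113.10 is a documentation-range IP).
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  if (dnsDomainIs(host, "facebook.com") || dnsDomainIs(host, "youtube.com")) return "PROXY 192.168.1.1:3128";
  if (shExpMatch(host, "*.bank.example")) return "PROXY 203.0.113.10:8080; DIRECT";
  return "DIRECT";
}`;

const SAMPLE_HOSTS = ["intranet", "192.168.5.7", "www.facebook.com", "login.bank.example", "www.example.org"];
const TRUSTED_PROXIES = ["192.168.1.1:3128"]; // constructed: the company's own filtering proxy

function runSample() {
  return auditPac(SAMPLE_PAC, SAMPLE_HOSTS, TRUSTED_PROXIES);
}

for (const f of runSample()) {
  console.log(`${f.suspicious ? "SUSPICIOUS" : "ok        "} ${f.host} -> ${f.result}`);
}
```

To use this on a real file, save the wpad.dat the client downloads and pass its text as pacSource together with the hostnames you care about (your bank, webmail, the company's blocked sites) and the proxy the network is known to use; any line marked SUSPICIOUS deserves the network operator's attention. Because the script runs untrusted JavaScript through new Function, do it in a throwaway Node process, not in a browser with credentials.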
     
  4. Joom

    Joom  ❤❤❤

    Member
    4,288
    2,944
    Jan 8, 2016
    United States
    Something is using a RunPE code to inject itself into svchost, and the DAT file is most likely a database of dumped passwords that is decrypted by the malware itself and sent to a remote server. Many stealers and keyloggers do this since storing the dump in plaintext would allow the victim to happen across it and wonder why all their passwords are being stored in a file.
     
    Last edited by Joom, Jun 26, 2016
  5. Pacheko17
    OP

    So does that mean my PC got infected or nope?

    Already ran multiple scans with Avast and MalwareBytes, they caught nothing.
     
  6. Joom

    Don't ever assume your system is clean just because an AV doesn't detect anything. Attackers use what's known as a crypter to encrypt malware in order to bypass detections. Use CCleaner to check your startup entries for anything suspicious, and check AppData as malware is typically dropped there in order to bypass the UAC prompt. Also, your dad's company should do the same for the server you connect to.
     
  7. Pacheko17
    OP

    Dad already warned the system operator, I'll check out AppData and then download CCleaner to have a look. Thanks ^^
     
  8. Pacheko17
    OP

    AppData is fine, nothing out of the ordinary and nothing weird on CCleaner too. Guess I'm good to go.

    Sorry for double post
     
  9. Joom

    That's good. Do you happen to have a firewall installed that prints out detailed network activity? Like, what connections are being made amongst processes? It'd be a good idea to see if svchost is calling home to somewhere weird. If you don't have one, Comodo is decent and free.
     
  10. 0x40

    0x40 GBAtemp Regular

    Member
    234
    65
    Apr 20, 2013
    Malware can hide itself from the filesystem, so not finding anything doesn't necessarily mean it's clean. I would back up everything of value and format/reinstall if I were you.
     
  11. Pacheko17
    OP

Checked. svchost is calling only local IP addresses and my default gateway.