Today I was diagnosing why a client's Internet connection was running so slowly. After tracing the traffic I found the cause was a single Windows 7 PC infected with a virus. The following processes were running on the machine, all communicating with various Internet IP addresses:
- conhost.exe
- cmd.exe
- ctfmon.exe
- dllhost.exe
- msiexec.exe
- notepad.exe
- presentationhost.exe
Killing any of these processes achieved nothing; they would simply respawn. The computer was also very slow and sluggish, with web browsers and Windows Explorer constantly hanging and freezing.
These symptoms match Trojan.VawTrak, which the computer turned out to be infected with. Trojan.VawTrak copies itself into C:\ProgramData and spawns these processes carrying its malicious code.
Trojan.VawTrak can be cleaned up with Malwarebytes or manually.
Trojan.VawTrak is a virus you definitely want to get rid of, as it is designed to steal online banking information. Some of the common tasks it performs are:
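As an added triage example (not code from the original post), the PowerShell below automates the check described above: it parses `netstat -ano` for established connections to non-private addresses and flags the owning process when it carries one of the names listed but runs from outside the Windows directory, or when it has a module loaded from C:\ProgramData. The process-name list, the private-range filter and the assumption of an elevated prompt are mine.

```powershell
# Added triage example, not code from the original post. Assumes the process
# names below (taken from the post) and that an elevated PowerShell prompt is
# used so that process paths and modules are readable. Works on PowerShell 2.0.

$suspectNames = 'conhost','cmd','ctfmon','dllhost','msiexec','notepad','presentationhost'

# Parse "netstat -ano": keep ESTABLISHED TCP rows, extract remote endpoint and owning PID.
$connections = netstat -ano | ForEach-Object {
    $f = ($_ -replace '^\s+', '') -split '\s+'
    if ($f[0] -eq 'TCP' -and $f[3] -eq 'ESTABLISHED') {
        New-Object PSObject -Property @{ Remote = $f[2]; OwnerPid = [int]$f[4] }
    }
}

# Ignore loopback and RFC 1918 peers; the symptom in the post is traffic to Internet IPs.
$internet = $connections | Where-Object {
    $ip = $_.Remote -replace ':\d+$', ''
    $ip -notmatch '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|\[::1\])'
}

foreach ($group in ($internet | Group-Object OwnerPid)) {
    $proc = Get-Process -Id ([int]$group.Name) -ErrorAction SilentlyContinue
    if (-not $proc) { continue }
    $path = $null
    try { $path = $proc.Path } catch { }   # access to some processes is denied even when elevated

    # A module loaded from %ProgramData% is where the post says the Trojan copies itself.
    $fromProgramData = $false
    try {
        $fromProgramData = [bool]($proc.Modules | Where-Object { $_.FileName -like "$env:ProgramData\*" })
    } catch { }

    # A system-named process running from outside the Windows directory is the other red flag.
    $nameMatch = $suspectNames -contains $proc.ProcessName
    $oddPath   = $path -and ($path -notlike "$env:windir\*")

    if (($nameMatch -and $oddPath) -or $fromProgramData) {
        $remotes = ($group.Group | ForEach-Object { $_.Remote }) -join ', '
        "SUSPECT pid=$($proc.Id) name=$($proc.ProcessName) path=$path programdata_module=$fromProgramData remotes=$remotes"
    }
}
```

Code injected into a legitimate process without a DLL on disk will not appear in `Modules`, so treat the path check and the connection list as the primary signal and confirm with a scanner before killing anything, since the processes respawn.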
- Disables antivirus protection.
- Communicates with remote C&C servers – executes commands from a remote server, sends stolen information, downloads new versions of itself and web-injection frameworks.
- Hooks standard API functions, injects itself into new processes.
- Steals passwords, digital certificates, browser history, and cookies.
- Logs keystrokes.
- Takes screenshots of desktop or particular windows with highlighted mouse clicks.
- Captures user actions on desktop in an AVI video.
- Opens a VNC (Virtual Network Computing) channel for remote control of the infected machine.
- Creates a SOCKS proxy server for communication through the victim's computer.
- Changes or deletes browser settings (e.g. disables Firefox SPDY) and history. Vawtrak supports three major browsers – Internet Explorer, Firefox, and Chrome – and also steals passwords from other browsers.
- Modifies browser communication with a web server.
- Stores internal settings into encrypted registry keys.
Source for the list above: AVG Technologies, Vawtrak banking Trojan report, http://now.avg.com/wp-content/uploads/2015/03/avg_technologies_vawtrak_banking_trojan_report.pdf