Detecting WinShellEventLogging malicious tasks with Pooface, Spdc32.exe, and CBInt.exe Malware

There is this annoying malware that I found on a bunch of computers that seemed to be just downloading adware and several malicious programs. Most of the files were not recognized or cleaned automatically by Microsoft Windows Defender. I first noticed this malware when looking in Task Manager and seeing a few executables running that did not belong. There were spdc32.exe, SBCint.exe, and Pooface.exe. Upon killing these processes and hunting for the source of these files, it seemed to start in the Windows\Temp folder. However, this most likely was related to two Task Scheduler tasks that were found in all of the infected computers. These tasks were called WIN Shell EventLogging and WIN Shell EVENT NOTIFICATION. If you have these tasks in your Task Scheduler, disable them immediately and then delete them; all that they do is secretly download more spyware/adware/malware into your temp folders.

If you look in Task Manager or Process Explorer and see spdc32.exe, or SBCint.exe, or pooface.exe, or if you see any folders in the Windows\TEMP directory that look like these pictures, there’s a good chance that you also may have this CRAPware lurking somewhere. The most interesting thing about this set of malware files is that it spread around the network and was only affecting the Windows Server 2012 R2 or Windows 10 Technical Preview machines. It did not seem to infect Windows 7 desktops or Windows 8.1 either. The source of this malware is still being investigated, but I have a feeling it may have been introduced with a torrent ISO download of one of the earlier Windows 10 Technical Preview builds, as this is where it seemed to originate. The good news is that after simply deleting all of these found executables and tasks, the computers seem to be clean, and we are looking at them very thoroughly. However, before deleting these files, I took hashes of them and added Software Restriction Policies forbidding running any of these executables on all of the machines in this network. AppLocker has also been introduced; however, we are still running in audit mode at this time. If you have any questions about this malware, please contact me, because I could not finish the article, as I am now in the hospital for almost 2 months.
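The checks the post walks through (the two scheduled task names, the three process names, look-alike files under Windows\Temp, and hashing the files before deleting them for a Software Restriction Policy rule) as one PowerShell triage script. This is an added example, not the author's own script; the task and process names come from the post (which spells the second process both "CBInt.exe" and "SBCint.exe", so both are checked), and the function name `Find-WinShellIndicators` is an assumption.

```powershell
function Find-WinShellIndicators {
    [CmdletBinding()]
    param(
        # When set, disables any matching scheduled task (the post's first step) before reporting it.
        [switch]$DisableTasks
    )

    # Indicator names exactly as given in the post; both spellings of the second process are kept.
    $TaskNames    = @('WIN Shell EventLogging', 'WIN Shell EVENT NOTIFICATION')
    $ProcessNames = @('spdc32', 'SBCint', 'CBInt', 'pooface')
    $TempDir      = Join-Path $env:SystemRoot 'Temp'

    # 1. Scheduled tasks: report each task's action so the launched path is visible.
    foreach ($name in $TaskNames) {
        Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue | ForEach-Object {
            if ($DisableTasks -and $_.State -ne 'Disabled') {
                Disable-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath | Out-Null
            }
            $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            [PSCustomObject]@{ Type = 'Task'; Name = $_.TaskName; Where = $_.TaskPath; Detail = $action }
        }
    }

    # 2. Running processes: include the image path so the on-disk file can be hashed below.
    Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue | ForEach-Object {
        [PSCustomObject]@{ Type = 'Process'; Name = $_.ProcessName; Where = $_.Id; Detail = $_.Path }
    }

    # 3. Files under Windows\Temp with the same base names: the SHA256 hash is what an SRP
    #    or AppLocker hash rule needs, so it is captured before anything is deleted.
    Get-ChildItem -Path $TempDir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $ProcessNames -contains $_.BaseName } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            [PSCustomObject]@{ Type = 'File'; Name = $_.Name; Where = $_.DirectoryName; Detail = "SHA256=$hash" }
        }
}

# Report only; add -DisableTasks to also disable the two tasks on a confirmed machine.
Find-WinShellIndicators | Format-Table -AutoSize
```

Run it from an elevated PowerShell on each suspect machine; an empty table means none of the post's indicators were found by name, which does not by itself prove the machine is clean.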