Yes.. still running XP :-/. Got my new HP box.. but don't have it configured, locked down etc.. Nevertheless...
I noticed dual instances of "iexplorer.exe" starting up despite not using IE. I thought it was firing up when I launched FF. After doing a little digging, I saw a scheduled task which was installed just a few days ago. I saw the sched task pointing to "c:\windows\temp" which.. clearly, any process running from a temp directory is not good.. :-/.
Here is a summary of the scheduled task:
--------------------------------code below was detected in c:\windows\temp directory as lsutlo.dcx
It was being called via a scheduled task with the command line of:
It was scheduled to run under the current user.
Scheduled to run daily at 12:11 AM.
Last run was discovered to be 3:11 PM on the day found
Set to run under: NT AUTHORITY\SYSTEM
=============== (EOS) =========================
Despite spending years in the industry.. doing everything from Windows/AD/Networking and Linux support at the workstation as well as server level... reading code is not my forte. I have a copy of the code "lsutlo.dcx", which clearly is some form of script/code.
If I was to post it, can someone eye-ball it and let me know what in the ba-jezus it's doing? The actual code was just over 7k bytes.
If posting such code here is a violation of acceptable usage, can I send it in text format to someone off-line who might be willing to decode it?
I can tell you.. they used a great deal of cryptic variables, and tracing this is a PITA..
TIA for any assistance from anyone...
Edited by hamluis, 10 July 2014 - 06:22 AM.
Moved from XP to Am I Infected - Hamluis.