

I have found something


  • This topic is locked
1 reply to this topic

#1 pankajgupta

  • Members
  • 5 posts

Posted 08 February 2017 - 09:26 AM

No antivirus, antimalware or other tool could find this malware, but Microsoft Security Essentials did. Here is the image: http://imgur.com/a/SAysT

---------------------------------------------------------

I found a few files in the %system32%/system folder:

 1. cab.exe

 2. msinfo.exe

 3. upslist.txt

upslist.txt consists of:

http://down.mykings.pw:8888/my1.html c:\windows\system\my1.bat
 
----------------------------------------------------------
 
I downloaded and installed tcplogview.exe from NirSoft.
After collecting logs for 5 hours, I could figure out the IP addresses these .exe malwares were and are connected to:
222.186.49.178
60.250.76.52
 
And also, somehow these .exe malwares managed to connect sqlservr.exe, regsvr32.exe and rundll32.exe to the same IPs listed above.
 
I have blocked these IPs in the firewall,
deleted these malicious exe files,
and now it seems my computer is clean.
Though the trigger or originator which was creating these files repeatedly may still be going undetected (I have deleted them many times; they come back again).
 
My computer is actually a server connected to different machines for business purposes.
 
After resolving these IPs, I could find that the locations of these IPs are China and Japan.
svchost used to peak to full RAM usage, slowing down my server transactions.
 
Now, the question is how to remove the originator, which I think is still in my computer?
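As an added example (not the poster's or the forum's own code), a small Python triage script that parses the upslist.txt format quoted above (a download URL followed by a local drop path) and matches connection-log rows against the IPs and the system processes the poster names. The CSV column names `process` and `remote_ip` and the sample rows are constructed assumptions, not TCPLogView's real export format, so map a real export's columns onto them before use.

```python
import csv
import io
from pathlib import PureWindowsPath

# Indicators taken from the post: dropped file names, download host in upslist.txt, remote IPs.
IOC_FILES = {"cab.exe", "msinfo.exe", "upslist.txt", "my1.bat"}
IOC_HOSTS = {"down.mykings.pw"}
IOC_IPS = {"222.186.49.178", "60.250.76.52"}
# Trusted system binaries the poster saw being made to connect to those IPs.
WATCHED_PROCESSES = {"sqlservr.exe", "regsvr32.exe", "rundll32.exe", "svchost.exe"}


def parse_upslist(text):
    """Parse upslist.txt lines '<download URL> <local drop path>' into
    (url, host, drop_path, host_is_ioc) tuples; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or "://" not in parts[0]:
            continue
        url, drop_path = parts
        host = url.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()
        entries.append((url, host, drop_path, host in IOC_HOSTS))
    return entries


def scan_connection_log(csv_text):
    """Return (process_name, remote_ip, is_system_binary) for rows whose remote IP is in IOC_IPS.
    The columns 'process' and 'remote_ip' are an assumed layout, not TCPLogView's real export."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = row["remote_ip"].strip()
        if ip in IOC_IPS:
            proc = PureWindowsPath(row["process"].strip()).name.lower()
            hits.append((proc, ip, proc in WATCHED_PROCESSES))
    return hits


# Constructed sample input shaped like the post's findings (not real captured data).
SAMPLE_UPSLIST = "http://down.mykings.pw:8888/my1.html c:\\windows\\system\\my1.bat\n"
SAMPLE_LOG = (
    "time,process,remote_ip,remote_port\n"
    "2017-02-08 09:00:01,C:\\Windows\\system\\msinfo.exe,222.186.49.178,8888\n"
    "2017-02-08 09:00:05,C:\\Windows\\System32\\rundll32.exe,60.250.76.52,80\n"
    "2017-02-08 09:00:09,C:\\Program Files\\Mozilla Firefox\\firefox.exe,93.184.216.34,443\n"
)

if __name__ == "__main__":
    print(parse_upslist(SAMPLE_UPSLIST))
    print(scan_connection_log(SAMPLE_LOG))
```

A hit where `is_system_binary` is true (rundll32.exe in the sample) is the pattern the poster describes: a trusted Windows binary being driven to the same remote addresses as the dropped executables, which is the persistence mechanism worth hunting rather than the dropped files themselves.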
 
 
 



#2 boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,338 posts
  • Gender: Male
  • Location: NJ USA

Posted 09 February 2017 - 10:01 PM

You have this topic working here...

https://www.bleepingcomputer.com/forums/t/639278/msinfoexe-what-is-this/#ipboard_body

I am closing this.
Please stay with that topic.