Suspicious Process Running in FONTS subfolder
5 replies to this topic

#1 A Selene
Posted 02 January 2018 - 05:45 PM

Windows Small Business Server 2003 SP1 with Exchange Server 2003 (ver 6.5 [build 7638.2] SP2).

MXTOOLBOX.com reports no blacklist activity.
It does complain about the SMTP Banner Check (Reverse DNS doesn't match SMTP Banner) and warns that the server doesn't support TLS, but that's it.

 

A process running from C:\WINDOWS\Fonts\jacbncud\svchost.exe is using 50% of CPU (XEON X3323 @ 2.50 GHz).

The subfolder "jacbncud" is not visible unless searched for by name in Windows Explorer.

Process Explorer reveals it.

TREND MICRO WFBS 9.0 doesn't react to it, nor does MALWAREBYTES.

But it seems to me that's a queer place for a process to be running from and it's using an awful lot of CPU time.

I'd be grateful for any constructive suggestions short of replacing the OS. (don't have the resources for that right now)
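The two facts in this post that matter to a responder are the name and the path: svchost.exe is a Windows system binary whose genuine copy lives in %SystemRoot%\system32, and the Fonts folder is a data directory that Explorer presents through a shell namespace extension listing installed fonts, which is why a subdirectory dropped there does not show up in the normal Explorer view (dir /a C:\WINDOWS\Fonts from a command prompt lists it). The check below is an added example, not code from this thread or from any of the tools named in it: it takes a constructed process listing in the shape of a Process Explorer or tasklist export (PID, image name, image path; the jacbncud row mirrors the process reported above, the others are typical SBS 2003 processes) and flags a well-known binary name running from the wrong directory, or any executable running from a data-only folder under %SystemRoot%. SYSTEM_ROOT, the expected-directory table and the data-only folder list are assumptions for a default install.

```python
import ntpath
from typing import List, NamedTuple, Sequence, Tuple

# Constructed sample in the shape of a Process Explorer / tasklist export:
# (PID, image name, full image path). Not captured from a real host.
SAMPLE_PROCESSES: List[Tuple[int, str, str]] = [
    (4, "System", ""),
    (612, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    (1024, "svchost.exe", r"C:\WINDOWS\Fonts\jacbncud\svchost.exe"),
    (1330, "lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
    (1788, "explorer.exe", r"C:\WINDOWS\Explorer.EXE"),
    (2040, "store.exe", r"C:\Program Files\Exchsrvr\bin\store.exe"),
]

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: default install; read %SystemRoot% on a live box

# Where the genuine copy of each well-known Windows binary lives, relative to
# %SystemRoot%. A process using one of these names from anywhere else is a
# masquerade until proven otherwise. (Assumed table, not exhaustive.)
EXPECTED_DIRS = {
    "svchost.exe": ("system32",),
    "lsass.exe": ("system32",),
    "csrss.exe": ("system32",),
    "services.exe": ("system32",),
    "winlogon.exe": ("system32",),
    "explorer.exe": ("",),  # %SystemRoot%\explorer.exe
}

# Data-only folders under %SystemRoot% that should never host a running executable.
NO_EXEC_DIRS = ("Fonts", "Temp", "Help")


class Finding(NamedTuple):
    pid: int
    name: str
    image_path: str
    reasons: Tuple[str, ...]


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path (ntpath works on any host OS)."""
    return ntpath.normpath(path).lower()


def _is_under(path: str, directory: str) -> bool:
    """True if path is inside directory (any depth), compared case-insensitively."""
    return _norm(path).startswith(_norm(directory).rstrip("\\") + "\\")


def audit_process(pid: int, name: str, image_path: str) -> List[str]:
    """Return the reasons this process looks suspicious (empty list = nothing found)."""
    reasons: List[str] = []
    if not image_path:
        return reasons  # kernel pseudo-process, no image on disk to check
    parent = ntpath.dirname(_norm(image_path))
    key = name.lower()
    if key in EXPECTED_DIRS:
        allowed = {_norm(ntpath.join(SYSTEM_ROOT, d)) for d in EXPECTED_DIRS[key]}
        if parent not in allowed:
            where = " or ".join(sorted(allowed))
            reasons.append(f"{name} is running from {image_path}, not from {where}")
    for d in NO_EXEC_DIRS:
        data_dir = ntpath.join(SYSTEM_ROOT, d)
        if _is_under(image_path, data_dir):
            reasons.append(f"executable running from data-only folder {data_dir}")
    return reasons


def find_masquerades(processes: Sequence[Tuple[int, str, str]]) -> List[Finding]:
    """Run audit_process over a listing and keep only the processes with findings."""
    findings: List[Finding] = []
    for pid, name, path in processes:
        reasons = audit_process(pid, name, path)
        if reasons:
            findings.append(Finding(pid, name, path, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_masquerades(SAMPLE_PROCESSES):
        print(f"PID {f.pid} {f.name} ({f.image_path})")
        for r in f.reasons:
            print("   -", r)
```

On the sample listing only PID 1024 is flagged, for both reasons at once; the genuine svchost.exe in system32 and Explorer.EXE in the Windows root pass. The path comparison is deliberately case-insensitive because NTFS is, and because malware routinely relies on mixed case to slip past string matches.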

#2 SleepyDude
Posted 02 January 2018 - 06:02 PM

Hi,

Can you access C:\WINDOWS\Fonts\jacbncud using the command prompt?

See if you can copy the svchost.exe inside the folder to the Desktop and submit the file to VirusTotal, then post the resulting link.


• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem from one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui
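A VirusTotal file link is keyed by the file's SHA-256, so before acting on a verdict it is worth confirming that the report really is for the bytes copied off the server, and checking the hash first lets you look up a file without uploading it. The helper below is an added example, not code from this thread or from VirusTotal: it extracts the hash from a report link (the "#/file/<sha256>/detection" form used in this thread and the newer "gui/file/<sha256>" form), hashes a local file in chunks, and compares the two. The command-line usage and the sample bytes are constructed for the example.

```python
import hashlib
import re
from typing import Optional

# VirusTotal file reports are addressed by the file's SHA-256 (64 hex digits).
# Accepts the older "#/file/<sha256>/detection" link form and the "gui/file/<sha256>" form.
_VT_FILE_URL = re.compile(r"virustotal\.com/(?:#/|gui/)file/([0-9a-f]{64})", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not need to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_hash_from_url(url: str) -> Optional[str]:
    """Extract the SHA-256 a VirusTotal file link refers to, or None if it is not a file link."""
    m = _VT_FILE_URL.search(url)
    return m.group(1).lower() if m else None


def vt_url_for(sha256: str) -> str:
    """Report link for a hash: open it to see whether VT already knows the file
    before deciding whether anything needs to be uploaded."""
    return f"https://www.virustotal.com/gui/file/{sha256.lower()}"


def report_matches(data: bytes, url: str) -> bool:
    """True only if the VirusTotal link is for exactly these bytes."""
    expected = vt_hash_from_url(url)
    return expected is not None and sha256_hex(data) == expected


if __name__ == "__main__":
    import sys

    # Constructed usage: compare a copied file against a report link pasted from a reply.
    if len(sys.argv) != 3:
        sys.exit("usage: vt_check.py <copied file> <virustotal file link>")
    digest = sha256_of_file(sys.argv[1])
    linked = vt_hash_from_url(sys.argv[2])
    print("local SHA-256: ", digest)
    print("report is for: ", linked)
    print("match:", linked == digest)
```

Copy the file with its contents untouched (cmd's copy is fine; do not open it in anything that might normalise or execute it), then run the script against the copy and the link from the reply. A mismatch means the report describes some other file and the verdict should not be trusted for this one.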

 
 


#3 A Selene
Posted 02 January 2018 - 06:47 PM

Hi,

Can you access C:\WINDOWS\Fonts\jacbncud using the command prompt?

See if you can copy the svchost.exe inside the folder to the Desktop and submit the file to VirusTotal, then post the resulting link.

Thanks!
I hope this is the link you wanted:

https://www.virustotal.com/#/file/72bb9cd652724a6a1af51483b033146c23713ec8e839d31a6a386fab129c9f62/detection



#4 SleepyDude
Posted 03 January 2018 - 04:37 AM

Hi,

 

Most likely the server got hacked and they installed a BitCoinMiner! It's possible that not all the components installed are detected as malware...

 

Try to do a scan using Eset On-line Scanner

Make sure that the option Remove found threats is ticked and the Scan Archives option is also ticked.
Click on Advanced Settings, and check that the options:

  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology

are ticked.

Click Scan and then wait for the scan to finish (it will take some time).

When the scan ends press the button LIST OF THREATS FOUND, click Export to Text File, open the text file and Copy & Paste the contents to your reply.
Press the BACK button.
Press Finish
 

 

Is the server accessible from the Internet? If possible it should be put off-line or blocked/restricted using a firewall.


Edited by SleepyDude, 03 January 2018 - 04:40 AM.


#5 A Selene

Posted 08 February 2018 - 02:25 AM

Got it removed after submitting to Trend for analysis.



#6 SleepyDude

Posted 08 February 2018 - 04:16 AM

Hi,

 

Thanks for the update.

