Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

New Malware or Ransomware Hitting MS-Web Servers


  • Please log in to reply
2 replies to this topic

#1 Anan-Zitawi

Anan-Zitawi

  • Members
  • 2 posts
  • OFFLINE
  •  

Posted 10 March 2018 - 11:33 AM

Dear All 

 

this is my first post here , so please forgive me if it is posted by someone else before 

 

since 20 days I published one of My VMs (win 2008 + IIS + SQL) on the web , and since the first minute of publishing my Main Firewall started logging all attempts of attack to get into the server (port scan , telnet , password guessing , ... etc  )

 

today I found there is two suspicious services named (zzxx , xxzz) are listed in the services.msc console and are set to run manually !!!???

 

Services were run with the following commands 

 

 
 
can any one tell me what is this ???? and how to recover 
 
Pictures attached can explain more

 

 29025788_10214682728994613_5331378792596

 

 

 

 

 

 

 

29027391_10214682728914611_7336083167850

 

 

 

28698815_10214682728394598_4689156453729

Attached Files


Edited by hamluis, 10 March 2018 - 01:35 PM.
Moved from MRL to Am I Infected - Hamluis.


BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:35 AM

Posted 10 March 2018 - 01:41 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


:step1:
Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

:step2:
Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

:step3:
Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Wait for further instructions.
==============================

#3 Anan-Zitawi

Anan-Zitawi
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  

Posted 10 March 2018 - 03:03 PM

attachlogs.png

 

I can't find these options 

 

any way , log files are attached through my G-DRIVE 

 

https://drive.google.com/file/d/1r8DLLR-bQENnWOTMI9eQi9-UruWxCqJJ/view?usp=sharing

 

 






1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users