So there is a scheduled task that runs every 3 hours on an old Server 2003 machine. This used to be covered by MB3, which is still installed; however, the newest version, MB3.2, says the server is no longer supported. I am a member of Techbench and the toolset command line will run fine. However, no matter which utility I do get to run successfully, nothing is detecting anything. I've tried MBAR, which detects nothing, and TDSSKiller detects nothing. When all tasks are deleted, somehow another pops up that loads a batch file that makes a ton of system changes and reschedules itself back in the scheduler.

Have you guys seen LSMOSEE.EXE before?


Thank you. Now follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.

  • Download the right version of FRST for your system:
    • FRST 32-bit
    • FRST 64-bit
      Note: Only the right version will run on your system; the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
  • Move the executable (FRST.exe or FRST64.exe) to your Desktop
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry, which should take a few seconds
  • Make sure the Addition.txt box is checked
  • Click on the Scan button
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, and then two Notepad files will open
  • Copy and paste the content of both FRST.txt and Addition.txt in your next reply


cc @miekiemoes, @blender

The 2 Staff I CC'd will be able to collect the sample you attached and examine it.

Where is that file located on the server? And the scheduled task for it? I think this entry is the missing piece (which means you would need to remove it to get rid of the infection):

WMI_ActiveScriptEventConsumer_fuckyoumm2_consumer: <==== ATTENTION

https://www.reddit.com/r/antivirus/comments/6maxrt/tenacious_malware_called_ismolsmo/

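The FRST entry above is a permanent WMI event subscription: an event filter (the trigger), an ActiveScriptEventConsumer (the script it runs) and a binding that joins the two, which is how the scheduled task keeps coming back. The following is an added example, not from this thread or from Malwarebytes, that lists all three pieces and removes the set belonging to a named consumer; it uses Get-WmiObject rather than Get-CimInstance so it also runs on PowerShell 2.0 on older hosts, and the consumer name is a placeholder to replace with the one in your own FRST log.

```powershell
# Added example: enumerate and remove a permanent WMI event subscription.
# Not from the original post; run from an elevated PowerShell prompt.
$ns = 'root\subscription'

function Get-WmiPersistence {
    # All three parts of a subscription: filter (trigger), consumer (payload), binding (link).
    Get-WmiObject -Namespace $ns -Class __EventFilter |
        Select-Object @{n='Type';e={'Filter'}}, Name, Query
    Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer |
        Select-Object @{n='Type';e={'ScriptConsumer'}}, Name, ScriptingEngine, ScriptText
    Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer |
        Select-Object @{n='Type';e={'CmdConsumer'}}, Name, CommandLineTemplate
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Select-Object @{n='Type';e={'Binding'}}, Filter, Consumer
}

function Remove-WmiPersistence {
    # $ConsumerName is a placeholder: pass the consumer name reported in the FRST log.
    param([Parameter(Mandatory=$true)][string]$ConsumerName)

    # Bindings hold reference paths such as ActiveScriptEventConsumer.Name="x";
    # read the bound filter's name out of each matching binding before deleting it,
    # so the trigger is removed along with the consumer and the link.
    $bindings = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Consumer -match ('Name="{0}"' -f [regex]::Escape($ConsumerName)) }
    foreach ($b in $bindings) {
        $filterName = ([regex]'Name="([^"]+)"').Match($b.Filter).Groups[1].Value
        $b.Delete()
        Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$filterName'" |
            ForEach-Object { $_.Delete() }
    }
    # Finally remove the consumer itself, whichever flavour it is.
    foreach ($cls in 'ActiveScriptEventConsumer', 'CommandLineEventConsumer') {
        Get-WmiObject -Namespace $ns -Class $cls -Filter "Name='$ConsumerName'" |
            ForEach-Object { $_.Delete() }
    }
}

# Review what is registered first; a clean host normally shows nothing here.
Get-WmiPersistence | Format-List
# Remove-WmiPersistence -ConsumerName 'NAME_FROM_FRST_LOG'
```

Compare the output with the FRST line before removing anything: a legitimate management agent can register its own subscription, and the ScriptText or CommandLineTemplate shows what each consumer actually executes.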

44 minutes ago, Aura said:

cc @miekiemoes, @blender

The 2 Staff I CC'd will be able to collect the sample you attached and examine it.

Where is that file located on the server? And the scheduled task for it? I think this entry is the missing piece (which means, you would need to remove it to get rid of the infection):

WMI_ActiveScriptEventConsumer_censoredyoumm2_consumer: <==== ATTENTION

https://www.reddit.com/r/antivirus/comments/6maxrt/tenacious_malware_called_ismolsmo/

I will check it out now, thank you for the help!

Also, the malicious batch file calls out to an FTP server that's at the IP address in the screenshot below. L.A.

Thanks!

Attachment: Capture.PNG

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
