computerspecialistnj, posted August 23, 2017, ID:1156356

So there is a scheduled task that runs every 3 hours on an old Server 2003 machine. This used to be covered by MB3, and it is still installed, however the newest version of MB3.2 says Server is no longer supported. I am a member of Techbench and the toolset command line will run fine. However, no matter which utility I do get to successfully run, nothing is detecting anything. I've tried MBAR, which detects nothing, and TDSSKiller detects nothing. When all tasks are deleted, somehow another pops up that loads a batch that makes a ton of system changes and reschedules itself back in the scheduler. Have you guys seen LSMOSEE.EXE before?
Aura, posted August 23, 2017, ID:1156358

Hi uturn0427,

Can you upload the file to VirusTotal and post the report URL for it here so we can take a look at it? If possible, can you attach it as well?
computerspecialistnj (Author), posted August 23, 2017, ID:1156386 (edited)

https://www.virustotal.com/#/file/f7816b99d8a117e626714cb81ca47282e38cae578d4dfd074bbcf67253ddb51c/detection

Attachment: Mbam-Reports(Contains Virus).zip

Edited August 23, 2017 by uturn0427
Aura, posted August 23, 2017, ID:1156392

Thank you. Now follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Scan mode

Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.

1. Download the right version of FRST for your system: FRST 32-bit or FRST 64-bit.
   Note: Only the right version will run on your system; the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
2. Move the executable (FRST.exe or FRST64.exe) to your Desktop.
3. Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users).
4. Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry, which should take a few seconds.
5. Make sure the Addition.txt box is checked.
6. Click on the Scan button.
7. On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, and then two Notepad files will open.
8. Copy and paste the content of both FRST.txt and Addition.txt in your next reply.
computerspecialistnj (Author), posted August 23, 2017, ID:1156406

Attachments: Addition.txt, FRST.txt
computerspecialistnj (Author), posted August 23, 2017, ID:1156407

FYI, ESET Online Scanner shows detection of these on VirusTotal, so I'm assuming I can remove it with that, but I am continuing this process because I want to help MB3 detection rates. Is the submitted file enough, or would you like to continue?
Aura, posted August 23, 2017, ID:1156420

cc @miekiemoes, @blender

The 2 Staff I CC'd will be able to collect the sample you attached and examine it.

Where is that file located on the server? And the scheduled task for it? I think this entry is the missing piece (which means you would need to remove it to get rid of the infection):

WMI_ActiveScriptEventConsumer_fuckyoumm2_consumer: <==== ATTENTION

https://www.reddit.com/r/antivirus/comments/6maxrt/tenacious_malware_called_ismolsmo/
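The WMI consumer entry Aura points at above is a permanent WMI event subscription: a filter (the trigger), a consumer (the script or command to run) and a binding that joins them, all stored in the root\subscription namespace, which is why deleting the scheduled task alone lets it come back. The following is an added example, not code from any poster in this thread, of how a defender would enumerate those three pieces plus the scheduled tasks on the affected host; it assumes PowerShell 2.0 or later is installed and is run elevated, and the consumer name in the removal comment is a placeholder.

```powershell
# Added example: triage permanent WMI event subscriptions (the persistence
# mechanism FRST flagged as WMI_ActiveScriptEventConsumer_..._consumer) and
# the scheduled tasks described in the thread. Uses Get-WmiObject rather than
# the CIM cmdlets so it also runs on PowerShell 2.0 (assumption: PS 2.0+ and
# local admin rights on the host).
$ns = 'root\subscription'

Write-Host "== Event filters (what triggers the subscription) =="
Get-WmiObject -Namespace $ns -Class __EventFilter -ErrorAction SilentlyContinue |
    Select-Object Name, EventNamespace, Query | Format-List

Write-Host "== Event consumers (what runs when the filter fires) =="
# ActiveScriptEventConsumer carries inline VBScript/JScript in ScriptText;
# that text is usually the downloader or task re-creator itself.
Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
    Select-Object Name, ScriptingEngine, ScriptFileName, ScriptText | Format-List
# CommandLineEventConsumer is the other common variant: a plain command line.
Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer -ErrorAction SilentlyContinue |
    Select-Object Name, ExecutablePath, CommandLineTemplate | Format-List

Write-Host "== Bindings (which filter feeds which consumer) =="
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    Select-Object Filter, Consumer | Format-List

Write-Host "== Scheduled tasks (name, command, schedule) =="
schtasks /query /fo LIST /v |
    Select-String 'TaskName|Task To Run|Schedule Type|Start Time'

# Once a subscription is confirmed malicious, remove the binding first, then
# the consumer and the filter, so nothing is left that can fire again.
# PLACEHOLDER_CONSUMER_NAME stands for the name seen in the output above.
# Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
#     Where-Object { $_.Consumer -like '*PLACEHOLDER_CONSUMER_NAME*' } | Remove-WmiObject
# Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer |
#     Where-Object { $_.Name -like '*PLACEHOLDER_CONSUMER_NAME*' } | Remove-WmiObject
```

Legitimate software rarely registers subscriptions in root\subscription, so any ActiveScriptEventConsumer with inline script text deserves a close read before it is removed.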
computerspecialistnj (Author), posted August 23, 2017, ID:1156427

44 minutes ago, Aura said:

    cc @miekiemoes, @blender
    The 2 Staff I CC'd will be able to collect the sample you attached and examine it.
    Where is that file located on the server? And the scheduled task for it? I think this entry is the missing piece (which means you would need to remove it to get rid of the infection):
    WMI_ActiveScriptEventConsumer_censoredyoumm2_consumer: <==== ATTENTION
    https://www.reddit.com/r/antivirus/comments/6maxrt/tenacious_malware_called_ismolsmo/

I will check it out now, thank you for the help! Also, the malicious batch file calls out to an FTP server that's at the IP address in the below screenshot. L.A. Thanks!
Aura, posted August 29, 2017, ID:1158288

So, did you manage to remove the infection?
Aura, posted September 1, 2017, ID:1159396

Hi uturn0427,

Are you still with me?
Aura, posted September 4, 2017, ID:1160310

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance, please start your own topic in a new thread.

Thanks!