About HexaPro

  1. One more thing, they keep making .exe and .xml in "C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5" until your "C:\" partition is full. The first time I noticed it was when the "C:\" drive was full; there were like 30+GB of .exe and .xml in that folder.
  2. Yeah LOL, the one in that "C:\Windows\Fonts\Mysql" is the hardest one to delete. But once you manage to delete the whole folder, the virus would be gone for several hours. If it isn't, it will keep laying its eggs every second in "C:\Windows" and "C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5"
  3. That's all I can catch for now, I'll have to wait for them to re-appear for more files. There was doublepulsar.exe also.
  4. Ok, it's back again, but this time instead of using KNOPPIX I can directly access and erase the "C:\Windows\Fonts\Mysql" folder with a custom shortcut. You can't directly open it from Explorer, but I can trick it with a shortcut: first I create a shortcut to "C:\Windows", then open its properties and change the target to "C:\Windows\Fonts\Mysql", so I only need to click the shortcut to enter the folder and then erase all the files within it. But it's really annoying to have to check the folders every several hours or minutes just to delete all the viruses. No permanent solution yet. I'll try that AMP later man, thanks.
  5. Ok, I think I have found a solution by creating an inbound rule in the firewall for all protocols, ports, IPs and programs, accepting from computers of authenticated users. And also used KNOPPIX to remove the "C:\Windows\Fonts\Mysql" folder and its contents. Uploaded a virus sample from that folder to Microsoft Security Essentials too, and since yesterday the "C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5" folder has no virus in it yet. Hopefully this one is for real.
  6. I have done the safe mode rootkit scan, found nothing. Tried to clean with the rootkit scan last night when no other computers were on; the results were good, it caught lots of malware and the server was fine for several hours. This morning I opened the server again and the malware had already filled in its old spots: got like 200+ malware .exe files hiding in the IE5 folder again, c64.exe and services.exe in "C:\Windows" again, and many .bat, .dll and .exe in "C:\Windows\Fonts\Mysql". I need free active malware protection that can block that malware from getting in.
  7. This server was never used on its own; it's only turned on and left on the logon screen every day and no user logs in since it's just a data center server, yet the virus was still able to get in. A virus is usually only able to enter a computer by the user's own mistake, at least there's a human factor there to assist the virus's entrance; this one seems to enter on its own. I will try tonight if no one in the office is accessing it anymore.
  8. Oh, I'll try it later when nobody is using it. This one seems pretty persistent.
  9. Thanks for the email. I'll give it a shot. And about the Malwarebytes Rootkit, it seemed to work for several hours yesterday, but now it's coming back again. The Rootkit was able to sweep clean C:\Windows\Fonts\MySQL tho. That's why it's been fine for several hours yesterday.
  10. Can you show me the link? I'll upload it right away. Thanks, I'll try it and I'll post the result later. Thanks, I've uploaded it there and here's the result.

      Detected:
      AhnLab-V3: Trojan/Win32.CoinMiner.R261580
      ALYac: Trojan.GenericKD.41182456
      Antiy-AVL: GrayWare/Win32.Generic
      Arcabit: Trojan.Generic.D27464F8
      Avast: Win32:Miner-AY [Trj]
      AVG: Win32:Miner-AY [Trj]
      BitDefender: Trojan.GenericKD.41182456
      ClamAV: Win.Malware.Shadowbrokers-6958490-0
      Comodo: TrojWare.Win32.CoinMiner.BT@82eh14
      Cyren: W32/Malware.C.dam!Eldorado
      DrWeb: Trojan.PWS.Panda.8062
      Emsisoft: Trojan.GenericKD.41182456 (B)
      ESET-NOD32: A Variant Of Win32/CoinMiner.BTO
      F-Prot: W32/Malware.C.dam!Eldorado
      FireEye: Trojan.GenericKD.41182456
      Fortinet: W32/UpackDam.G
      GData: Win32.Application.CoinMiner.BQ
      Ikarus: Trojan.Dropper
      Jiangmin: Trojan.Generic.cwgjj
      K7AntiVirus: Riskware ( 00543ad11 )
      K7GW: Riskware ( 00543ad11 )
      Malwarebytes: Trojan.BitCoinMiner
      MAX: Malware (ai Score=88)
      MaxSecure: Trojan.Malware.0.susgen
      McAfee: CoinMiner-FAN!A538EBA45167
      McAfee-GW-Edition: CoinMiner-FAN!A538EBA45167
      Microsoft: Trojan:Win32/Fuerboos.A!cl
      NANO-Antivirus: Trojan.Win32.CoinMiner.fogvwd
      Rising: Trojan.CoinMiner!1.B84E (RDM+:cmRtazpksEPKxCx6W8nX7nQ/GCox)
      Sophos AV: Mal/EncPk-BW
      Sophos ML: Heuristic
      VBA32: BScope.Trojan.Miner
      VIPRE: LooksLike.Win32.KryptPck!a (v)
      Zillya: Trojan.Generic.Win32.704228

      Undetected: Ad-Aware, AegisLab, Alibaba, Avast-Mobile, Babable, Baidu, CAT-QuickHeal, CMC, Cylance, eScan, F-Secure, Kaspersky, Kingsoft, Panda, Qihoo-360, SUPERAntiSpyware, TACHYON, Tencent, Trustlook, ViRobot, Yandex, ZoneAlarm by Check Point, Zoner

      Timeout: Bkav, Endgame

      Unable to process file type: Acronis, SecureAge APEX, CrowdStrike Falcon, Cybereason, eGambit, Palo Alto Networks, SentinelOne (Static ML), Symantec Mobile Insight, Trapmine, Webroot

      Thank you all, sorry for the late response, I thought I had successfully gotten rid of the virus, but apparently not. It's coming back again.
  11. These .exe keep showing up in (C:\Windows) on Windows Server 2008 R2 Datacenter even after manual deletion. I think it's a miner; it also creates .xml and .exe in (C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5) and also in (C:\Windows\Fonts\Mysql) that I can't access.
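The posts above name three drop folders (C:\Windows, C:\Windows\Fonts\Mysql and the Content.IE5 folder under the system profile) and describe deleting their contents by hand every few hours. The script below is an added example, not the poster's own commands: it sweeps those folders for recently created .exe/.xml/.bat/.dll files, records each one's SHA256 and creation time, and copies one sample per hash to an evidence folder before any cleanup, so the re-infection cadence can be timed and samples kept for submission. It assumes PowerShell 4.0 or later (for Get-FileHash; a stock Server 2008 R2 install ships 2.0, so a newer Windows Management Framework is needed), an elevated prompt, and the placeholder lookback window and evidence path set at the top.

```powershell
# Added example (not from the thread). Inventory and preserve recent drops in the
# folders the poster reported, before deleting anything.
# Assumptions: PowerShell 4.0+, elevated prompt; $Since and $Evidence are placeholders.

$DropPaths = @(
    @{ Path = 'C:\Windows';            Recurse = $false },   # c64.exe / services.exe reported here
    @{ Path = 'C:\Windows\Fonts\Mysql'; Recurse = $true  },   # .bat / .dll / .exe reported here
    @{ Path = 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5'; Recurse = $true }
)
$Extensions = '.exe', '.xml', '.bat', '.dll'
$Since      = (Get-Date).AddHours(-6)     # assumed window: roughly one re-infection cycle
$Evidence   = 'C:\IR\evidence'            # assumed: keep it outside the drop paths

function Get-DropFindings {
    foreach ($Entry in $DropPaths) {
        # -Force lists hidden/system entries (Content.IE5 and the Fonts subfolder are hidden
        # from Explorer). It does not bypass ACLs: an access-denied error here means the
        # folder's ownership/permissions were changed and must be restored first (takeown/icacls).
        Get-ChildItem -LiteralPath $Entry.Path -Force -Recurse:($Entry.Recurse) -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and
                $Extensions -contains $_.Extension.ToLower() -and
                $_.CreationTime -ge $Since
            } |
            ForEach-Object {
                [PSCustomObject]@{
                    Created = $_.CreationTime
                    Bytes   = $_.Length
                    SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    Path    = $_.FullName
                }
            }
    }
}

function Save-Evidence {
    param([Parameter(ValueFromPipeline = $true)] $Finding)
    begin { New-Item -ItemType Directory -Path $Evidence -Force | Out-Null }
    process {
        # Name the copy by hash: 200 dropped .exe files with one payload collapse to one sample.
        $Dest = Join-Path $Evidence ($Finding.SHA256 + '.bin')
        if (-not (Test-Path -LiteralPath $Dest)) {
            Copy-Item -LiteralPath $Finding.Path -Destination $Dest -Force
        }
        $Finding
    }
}

$Findings = Get-DropFindings | Save-Evidence

# Timeline of this run: the earliest CreationTime is when the dropper fired, which is the
# timestamp to correlate with the Security/System event logs and the firewall log.
$Findings | Sort-Object Created | Format-Table Created, Bytes, SHA256, Path -AutoSize
$Findings | Export-Csv -NoTypeInformation -Append -Path (Join-Path $Evidence 'findings.csv')

# Distinct hashes show how many actual payloads are in play versus copies.
$Findings | Group-Object SHA256 | Select-Object Count, Name | Format-Table -AutoSize
```

Run it on each recurrence and append to the same CSV; the gap between runs' earliest Created values is the re-infection interval, and a stable set of hashes across runs tells you the same payloads are being re-dropped rather than new ones arriving. Only after the samples are preserved should the files be removed, otherwise each cleanup destroys the evidence needed to find the persistence mechanism.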