Jump to content

Recommended Posts

I found someone hacked into my machine. I ran Malwarebytes but it didn't detect any problem. I used netstat, and I think I found the rogue process, it was called: srchsot.exe. It had installed itself deep in the Windows\System32 directory (\windows\system32\mui\dispspec\Microsoft\). There was an install.bat file and srchsot.exe file in that folder. The install had installed registry keys to auto start when machine restarts.

I killed process, delete those files, and associated registry keys.

When the process was running it was connected to: h1915849.stratoserver.net:6667 . Below was the suspicious netstat output which helped me track it.

TCP SAM-LAPTOP:3575 h1915849.stratoserver.net:6667 ESTABLISHED 4604

TCP SAM-LAPTOP:3586 v-client-5b.sjc.dropbox.com:https CLOSE_WAIT 5804

TCP SAM-LAPTOP:3588 sjc-not17.sjc.dropbox.com:http ESTABLISHED 812

Can you please update your database with this info?

Link to post
Share on other sites

Yepper, a PamoBot communicating IRC with Velillos2010.no-ip.org (85.214.215.52)

NICK PamoBot|655

USER PamoBot|867 192.168.0.13 Velillos2010.no-ip.org :PamoBot|584

PONG :152AC498

JOIN ##200##

PONG :IRC.Velillos.com

{ Associated with; http://www.minpop.com }

What anti virus software is installed on this computer ?

Link to post
Share on other sites

Greetings :)

In order to add detection for a threat to our database, we need a sample of the file. If you still have a copy of srchsot.exe, then please zip and attach it in a new topic here and our Research team will do an analysis on it and add detection for it if it is a threat.

Thanks :)

I found that I still had a copy in my Recycle bin (oops), and uploaded it to the MB site noted. Hopefully this will help.

Link to post
Share on other sites

I found that I still had a copy in my Recycle bin (oops), and uploaded it to the MB site noted. Hopefully this will help.

Ade got it and he'll recognize this IRC Bot.

I'm sorry that NAV and MBAM didn't catch this but its submission to Virus Total showed no recognition for that Bot.

The thing is, rarely does there exist one singular malware. The EXE dropped 7 DLL files and none of them seemed to be recognized either. You might want to to start a thread in the Malware Removal - HijackThis Logs thread after reading I'm infected - What do I do now? .

Link to post
Share on other sites

Hi all

Just to post to confirm it is an IRCBot and detection will be created for it.

Just for matter of interest it looks like all the AV's @ VirusTotal (0/42) would have been bypassed by this Trojan.

https://www.virustot...44b59/analysis/

@ Dave, the toolkit can not be called malicious and can be readily nuked just by emptying the temp folder.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.