On startup it was running "cmd.exe /c C:\SysWOW64\del.bat" in the background .. this file was created from the Administrator account. It's content is the following script:
- Code: Select all
@Echo Off cd /d C:\Windows\SysWOW64\ :Start del svchost.exe If Exist svchost.exe Goto Start del %0
It seemed it never reached the last line, in which the script would delete itself. I'm supposing this is a failed attempt to hijack the system svchost. I could not find *anything* on Google.
Scary!
Any ideas on how to investigate this further?