Quote: Originally Posted by ScP
Another small update...

I've been contacted by two people with infected systems. Both had a variant of Troj/Agent-ACIA sitting in their ProgramData directory.

https://www.sophos.com/en-us/threat-...gent-ACIA.aspx

To check if you're infected, check if there are any AutoIt scripts (*.au3), Visual Basic scripts (*.vbs) or suspicious executables (*.exe) in C:\ProgramData and have a look at running processes.

Here's a list of some files you don't want to find:

Code:
Name         | SHA1 Checksum
<random>.au3 | b648d925d56404c325ae3f328cdd5dcc024b9077
<random>.exe | cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
abc.exe      | 5e6b86477ee431115ad125231606910a7fe83957
mario.vbs    | 7bb1a4beebe6c0f4dce3f6b4734adb64bbfe167b

In addition, if a script kiddie has tried to exploit the vulnerability in your TeamSpeak 3 Client, there's probably a file called ts3.bat in your Autostart directory. If you see this file, delete it immediately before it can unleash its evil magic...

Just some more info: if you were running Malwarebytes when starting your PC and you had ts3.bat, it would prevent the .exe from getting downloaded. You'll then only have the .vbs and .bat to clear. The .exe & .au3 would not be present. It's likely that some other anti-virus software would have prevented this too.
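
The checks described in this thread, collected into one PowerShell script as an added example (not part of either post, and not a TeamSpeak or Sophos tool). It uses the four SHA1 values from the quoted list; it assumes that "Autostart directory" means the per-user and all-users Startup folders and that only the top level of C:\ProgramData needs scanning.

```powershell
# Added example. SHA1 values and file names are the ones listed in the quoted post.
$knownBad = @{
    'b648d925d56404c325ae3f328cdd5dcc024b9077' = '<random>.au3'
    'cae4e8c730de5a01d30aabeb3e5cb2136090ed8d' = '<random>.exe'
    '5e6b86477ee431115ad125231606910a7fe83957' = 'abc.exe'
    '7bb1a4beebe6c0f4dce3f6b4734adb64bbfe167b' = 'mario.vbs'
}
$pd = $env:ProgramData

# 1. .au3 / .vbs / .exe files sitting directly in C:\ProgramData (assumption: top level only)
$fileHits = Get-ChildItem -LiteralPath $pd -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.au3', '.vbs', '.exe' } |
    ForEach-Object {
        $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue
        $sha1 = $null
        if ($h) { $sha1 = $h.Hash.ToLowerInvariant() }   # Get-FileHash returns upper case
        if (-not $sha1) {
            $verdict = 'could not hash (file in use?)'
        } elseif ($knownBad.ContainsKey($sha1)) {
            $verdict = "matches listed hash for $($knownBad[$sha1])"
        } else {
            $verdict = 'not on the list, review manually (variants exist)'
        }
        [pscustomobject]@{ Check = 'ProgramData file'; Path = $_.FullName; SHA1 = $sha1; Verdict = $verdict }
    }

# 2. ts3.bat in a Startup folder (assumption: this is the "Autostart directory")
$startHits = foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if ($dir -and (Test-Path -LiteralPath (Join-Path $dir 'ts3.bat'))) {
        [pscustomobject]@{ Check = 'Startup folder'; Path = (Join-Path $dir 'ts3.bat')
                           SHA1 = $null; Verdict = 'ts3.bat present' }
    }
}

# 3. Running processes whose executable sits directly in C:\ProgramData
$procHits = Get-Process |
    Where-Object { $_.Path -and ((Split-Path $_.Path -Parent) -eq $pd) } |
    ForEach-Object {
        [pscustomobject]@{ Check = 'Running process'; Path = $_.Path
                           SHA1 = $null; Verdict = "PID $($_.Id) runs from ProgramData" }
    }

# Print every finding; no output means none of the three checks fired.
@($fileHits) + @($startHits) + @($procHits) | Where-Object { $_ } | Format-List
```

Run it from an elevated prompt so that processes owned by other users expose their paths; Get-FileHash needs PowerShell 4 or later.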