A few days ago I ran into this problem as well! It's a headache! Running anti-virus software such as NOD32, Rising and McAfee did not help! Only McAfee found two files, EQ and TT, under system32, but after they were cleaned they were regenerated again later! No matter how many times I cleaned them, there was no way to get rid of them completely!
Then I checked the network status with Trojan Killer v5.31 and found that the traffic on port 1433 was very heavy! Isn't 1433 the default port of SQL Server? That meant someone was connecting to my database (the machine has SQL Server 2000 installed for testing). At the same time, an ftp.exe process was connecting to a port on a remote computer, downloading who knows what! Probably nothing good! It looked like I was being watched! What should I do? After I killed the ftp.exe and cmd.exe processes, it was not long before they started up again! But I noticed that the times at which they started were irregular! Sometimes they started again almost at once, sometimes they did not reappear for a long time! It looked like someone was running them by hand! Thinking it over carefully, the problem seemed to lie in SQL Server. I looked up the relevant information on the Internet and finally noticed the stored procedure xp_cmdshell:
xp_cmdshell is an extended stored procedure that hands a given command string to the operating-system command shell, runs it, and returns any output as rows of text. It runs with the privileges of the SQL Server service account, so anyone who can log in as sa (or another member of sysadmin) can start arbitrary programs on the machine; that would explain how ftp.exe and cmd.exe were being launched remotely.
In general, xp_cmdshell is not needed by the administrator, and removing it will not affect the server in any way.
You can remove xp_cmdshell like this:
USE master
EXEC sp_dropextendedproc N'xp_cmdshell'
GO
If you ever need it again, you can restore xp_cmdshell:
USE master
EXEC sp_addextendedproc N'xp_cmdshell', N'xplog70.dll'
GO
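The following T-SQL is an added example, not part of the original post. It assumes a SQL Server 2000-era instance where xp_cmdshell lives in master and is registered through sp_addextendedproc, and it assumes (as the post suggests) that the intruder is coming in over port 1433 with a SQL login. It puts the removal step above into a checkable form and adds the two things a practitioner would want next: a look at who is actually connected, and the caveat that dropping the procedure is useless while the attacker still holds sysadmin, because the restore command above puts it straight back.

```sql
-- Added example, not the original post's code. Assumes SQL Server 2000,
-- where xp_cmdshell is an extended stored procedure registered in master.
USE master;
GO

-- 1. Who is connected right now? The post saw heavy traffic on 1433; listing
--    sessions with login, host and program makes an unexpected remote login
--    (for example 'sa' from an unknown host) stand out.
SELECT spid, loginame, hostname, program_name, net_address, login_time
FROM master..sysprocesses
WHERE spid > 50;          -- spids 1..50 are reserved for system processes on SQL Server 2000
GO

-- 2. Is xp_cmdshell currently registered? If someone with sysadmin keeps
--    re-adding it, it will reappear here after every cleanup.
SELECT name, xtype
FROM master..sysobjects
WHERE name = 'xp_cmdshell' AND xtype = 'X';   -- xtype 'X' = extended stored procedure
GO

-- 3. Remove it (the same operation as in the post, with correct quoting),
--    guarded so the batch does not fail if it is already gone.
IF EXISTS (SELECT 1 FROM master..sysobjects WHERE name = 'xp_cmdshell' AND xtype = 'X')
    EXEC sp_dropextendedproc N'xp_cmdshell';
GO

-- 4. Dropping the procedure is not enough on its own: anyone who still holds
--    sysadmin can put it back with a single sp_addextendedproc call. Close the
--    door they came through as well. Assumption: the intruder is using the sa
--    login, the usual case for a brute-forced port 1433. The password value
--    below is a placeholder, not a real one.
EXEC sp_password NULL, N'<new long random password>', N'sa';
GO

-- 5. Restore, only if some job genuinely needs it (the post's restore step):
-- EXEC sp_addextendedproc N'xp_cmdshell', N'xplog70.dll';
```

Run it as a sysadmin in Query Analyzer after killing the stray processes; if step 2 shows xp_cmdshell back a few hours after step 3 removed it, the attacker still has a working login and step 4 (plus blocking 1433 at the firewall and running the service under a low-privilege account) is the part that actually matters. On SQL Server 2005 and later the procedure is no longer dropped but switched off with `EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;` after enabling 'show advanced options'.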
[Experience]
It is best to remove the xp_cmdshell stored procedure from the server.
Removed it! Haha... Checked the network status with Trojan Killer again! Haha... port 1433 looks normal now, and ftp.exe and cmd.exe have never shown up again! So the problem really was the security settings! I'm posting this experience in the hope that it serves as a reference when you run into the same problem!