drews1f

Members
  • Content Count

    34
About drews1f

  • Rank
    Advanced Member
  • Birthday 01/01/1970

Profile Information

  • Interests
    SUPERANTISPYWARE
  1. drews1f

    C:\RDP

    You should know that the RDP dir was created on the 8th of Feb. I think the whole thing is a hook for Remote Desktop Connection? Although mstsc.exe in System32 is unmodified since 2006.
  2. drews1f

    C:\RDP

    Shall I delete the whole RDP dir?
  3. drews1f

    C:\RDP

    VirusTotal:

    Antivirus          Version         Last Update  Result
    a-squared          4.5.0.50        2010.02.15   -
    AhnLab-V3          5.0.0.2         2010.02.15   -
    AntiVir            7.9.1.170       2010.02.15   -
    Antiy-AVL          2.0.3.7         2010.02.15   -
    Authentium         5.2.0.5         2010.02.15   -
    Avast              4.8.1351.0      2010.02.15   -
    AVG                9.0.0.730       2010.02.15   -
    BitDefender        7.2             2010.02.15   -
    CAT-QuickHeal      10.00           2010.02.15   -
    ClamAV             0.96.0.0-git    2010.02.15   -
    Comodo             3945            2010.02.15   -
    DrWeb              5.0.1.12222     2010.02.15   -
    eSafe              7.0.17.0        2010.02.15   Win32.TrojanHorse
    eTrust-Vet         35.2.7303       2010.02.15   -
    F-Prot             4.5.1.85        2010.02.15   -
    F-Secure           9.0.15370.0     2010.02.15   -
    Fortinet           4.0.14.0        2010.02.15   -
    GData              19              2010.02.15   -
    Ikarus             T3.1.1.80.0     2010.02.15   -
    Jiangmin           13.0.900        2010.02.15   -
    K7AntiVirus        7.10.972        2010.02.12   -
    Kaspersky          7.0.0.125       2010.02.15   -
    McAfee             5892            2010.02.14   -
    McAfee+Artemis     5892            2010.02.14   -
    McAfee-GW-Edition  6.8.5           2010.02.15   Heuristic.LooksLike.Trojan.Dldr.FraudLo.C
    Microsoft          1.5406          2010.02.15   -
    NOD32              4868            2010.02.15   -
    Norman             6.04.08         2010.02.15   -
    nProtect           2009.1.8.0      2010.02.15   -
    Panda              10.0.2.2        2010.02.14   -
    PCTools            7.0.3.5         2010.02.15   -
    Prevx              3.0             2010.02.15   -
    Rising             22.34.01.03     2010.02.11   -
    Sophos             4.50.0          2010.02.15   -
    Sunbelt            5678            2010.02.15   -
    Symantec           20091.2.0.41    2010.02.15   Suspicious.Insight
    TheHacker          6.5.1.4.194     2010.02.15   -
    TrendMicro         9.120.0.1004    2010.02.15   -
    VBA32              3.12.12.2       2010.02.15   -
    ViRobot            2010.2.13.2186  2010.02.13   -
    VirusBuster        5.0.21.0        2010.02.15   -
  4. drews1f

    C:\RDP

    This is definitely dodgy. I can't log in via RDP anymore! When I do, an error comes up saying: "tss-brute.exe - DLL initialization failed". I've uploaded c:/rdp/brute.exe to VirusTotal and got the post below. How can I remove this to ensure my server is safe? :S

    In c:/rdp/working there are files like: mstsc.exe, vbc.exe, scan_ip.bat. Seriously worried now!

    brute.exe
    tss-brute.exe
  5. drews1f

    C:\RDP

    I'm extremely concerned after finding this on my server today. Can anyone take a look and advise me what to do?

    EDIT: I zipped the folder but it's too big to upload. Is there somewhere else I could upload it to?
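A triage script for the situation described in the C:\RDP thread above, written as an added example here; it is not code posted by drews1f or by the forum. It inventories every file under the directory with SHA-256, timestamps and Authenticode status, compares the dropped mstsc.exe against the System32 copy (the poster noted that the System32 one is unmodified), and then looks for Run keys, Winlogon values, AppInit_DLLs, IFEO debuggers, services and scheduled tasks that point into the directory, since an executable such as tss-brute.exe producing an error dialog at RDP logon usually gets launched from one of those. The directory path, the set of persistence keys checked and the scan_ip.bat location are assumptions of the example.

```powershell
# Added triage script (not from the forum thread). Assumes the suspicious
# directory is C:\RDP as in the posts; the -Root parameter and the list of
# persistence keys below are this script's own choices.
param(
    [string]$Root = 'C:\RDP'
)

function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        ([System.BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '')
    } finally {
        $fs.Close()
    }
}

# 1. Inventory: hash, size, timestamps and Authenticode state of every file.
#    Creation times are what tell you when the kit landed (the 8th of Feb here).
Write-Host "== Files under $Root =="
Get-ChildItem -Path $Root -Recurse -Force |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        New-Object PSObject -Property @{
            Path     = $_.FullName
            Bytes    = $_.Length
            Created  = $_.CreationTime
            Modified = $_.LastWriteTime
            Sha256   = Get-Sha256 $_.FullName
            Signed   = $sig.Status
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } | Format-List Path, Bytes, Created, Modified, Sha256, Signed, Signer

# 2. Is the mstsc.exe in the kit a copy of the OS one or a patched build?
$dropped = Join-Path $Root 'working\mstsc.exe'
$system  = Join-Path $env:SystemRoot 'System32\mstsc.exe'
if (Test-Path $dropped) {
    $same = (Get-Sha256 $dropped) -eq (Get-Sha256 $system)
    Write-Host "mstsc.exe under $Root\working identical to System32 copy: $same"
}

# 3. Persistence points that would start something from the kit at logon.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',   # Shell, Userinit
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'     # AppInit_DLLs
)
Write-Host "== Registry values referencing $Root =="
foreach ($k in $keys) {
    if (Test-Path $k) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -like "*$Root*" } |
            ForEach-Object { "$k : $($_.Name) = $($_.Value)" }
    }
}
# An IFEO Debugger entry wraps any executable by name, RDP components included.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath).Debugger
    if ($dbg) { "IFEO $($_.PSChildName): Debugger = $dbg" }
}

# 4. Services and scheduled tasks whose command line points into the directory.
Write-Host "== Services / tasks referencing $Root =="
Get-WmiObject Win32_Service | Where-Object { $_.PathName -like "*$Root*" } |
    ForEach-Object { "Service $($_.Name): $($_.PathName)" }
schtasks /query /fo LIST /v 2>$null | Select-String -SimpleMatch $Root

# 5. The scan list shows which other hosts were being probed from this server.
$bat = Join-Path $Root 'working\scan_ip.bat'
if (Test-Path $bat) {
    Write-Host "== Contents of scan_ip.bat =="
    Get-Content $bat
}
```

Run it from an elevated prompt and keep the output before touching the directory, since deleting C:\RDP (as post 2 asks about) destroys the timestamps and the scan list. Files named brute.exe, tss-brute.exe and scan_ip.bat together are what an RDP brute-forcing kit looks like from the inside, so the open question is not only how to remove it but how the attacker got a session on this server in the first place; the interactive-logon events (logon type 10) in the Security log around the directory's creation date are the place to look for that.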
  6. Hello, a guy from work always looks at porn or something and his PC is absolutely crocked. I'm not sure whether it's even fixable. When you boot the PC it takes 2/3 minutes 'preparing network connections' and then, when you log in, the network connection says it's connected with no errors, but there is no packet transfer. Also there is no information provided for IP, subnet, DNS etc; it's all blank.

    From cmd:
    ping 127.0.0.1 gives: Unable to contact IP driver, error code 2.
    ipconfig gives: An internal error occurred: The request is not supported. Additional information: Unable to query host name.

    I have tried uninstalling the onboard network card and removing the drivers, then reinstalling, but exact same thing. I then tried a PCI network card and the exact same thing happens. I also tried the SAS Repair broken network connection, rebooted, but made no difference! I ran SAS but it found nothing but a few cookies. I have now enclosed a HijackThis report as a last resort. Anyone got any ideas?
----
Logfile of HijackThis v1.99.1
Scan saved at 10:28:53, on 13/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Abbey\Introducer Internet Offline\MSSQL$ABBEYIIOFFLINE\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Documents and Settings\Keith\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6238892914
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MyFinancialServices.local
O17 - HKLM\Software\..\Telephony: DomainName = MyFinancialServices.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D099830-99B5-46A5-83FF-87877EC98A48}: NameServer = 10.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MyFinancialServices.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = MyFinancialServices.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
  7. Don't worry chaps, I managed to fix this myself! Because I didn't use IceSword to kill ndis.sys before I copied the clean version, for some reason my ndis.sys was showing as 0 bytes. I went into repair mode and expanded ndis.sy_ to ndis.sys and this worked a treat! Cheers anyway.
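The fix in the post above restores ndis.sys from its compressed ndis.sy_ in the installation cache. The check below is an added example, not code from the post or the forum: it walks the core network-stack drivers, flags any that are missing or zero-length (the state the post describes, which matches the "Unable to contact IP driver" error), and prints the expand command for each one that needs restoring. The i386 path and the driver list are assumptions of the example. A loaded driver cannot be overwritten on a running system, so the printed command is meant to be typed in the Recovery Console, which is the "repair mode" the poster used.

```powershell
# Added example; not from the forum thread. Assumes the installation cache
# (the CD's i386 folder or C:\WINDOWS\i386) holds the compressed *.sy_ files.
param(
    [string]$I386 = 'C:\WINDOWS\i386'
)

# Drivers the TCP/IP stack cannot come up without (assumed list).
$drivers = 'ndis.sys', 'tcpip.sys', 'afd.sys', 'netbt.sys'
$dir = Join-Path $env:SystemRoot 'System32\drivers'

function Test-NetworkDriver {
    param([string]$Name)
    $path = Join-Path $dir $Name
    if (-not (Test-Path $path))        { return 'MISSING' }
    $len = (Get-Item $path).Length
    if ($len -eq 0)                    { return 'ZERO-LENGTH' }
    # OS drivers are catalog-signed; on older systems Get-AuthenticodeSignature
    # reports NotSigned even for clean files, so show this as information only.
    $sig = Get-AuthenticodeSignature -FilePath $path
    return "present ($len bytes, signature: $($sig.Status))"
}

foreach ($name in $drivers) {
    $state = Test-NetworkDriver $name
    "{0,-10} {1}" -f $name, $state
    if ($state -eq 'MISSING' -or $state -eq 'ZERO-LENGTH') {
        # The cache stores ndis.sys as ndis.sy_ (last character replaced by '_').
        $cab = Join-Path $I386 ($name.Substring(0, $name.Length - 1) + '_')
        if (Test-Path $cab) {
            "    restore from the Recovery Console: expand $cab $(Join-Path $dir $name)"
        } else {
            "    $cab not found; use the i386 folder on the installation CD instead"
        }
    }
}
```

The zero-length file is the symptom to watch for after any manual replacement of a driver that a rootkit scanner such as IceSword had not first unloaded: the copy fails partway, leaving an empty file that the kernel then refuses to load, which is why the network stack reported no IP driver at all rather than a corrupted one.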