C:\RDP

[drews1f]

Im extremely concerned after finding this on my server today.

Can anyone take a look and advise me what to do?

EDIT: i zipped the folder but its too big to upload. is there somewhere else i could upload it to?

[danny09411]

Im extremely concerned after finding this on my server today.

Can anyone take a look and advise me what to do?

EDIT: i zipped the folder but its too big to upload. is there somewhere else i could upload it to?

it means Remote Desktop Protocol if u are still unsure upload it to http://www.virustotal.com/

[drews1f]

This is definitely dodgey. I cant login via rdp anymore! when i do an error comes up saying:

tss-brute.exe - DLL initialization failed.

Ive uploaded c:/rdp/brute.exe to virustotal and got the post below.

How can i remove this to ensure my server is safe? :S

In c:/rdp/working there are files like:

mstsc.exe

vbc.exe

scan_ip.bat

Seriously worried now!

brute.exe

tss-brute.exe

[drews1f]

virus total:

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.02.15 -

AhnLab-V3 5.0.0.2 2010.02.15 -

AntiVir 7.9.1.170 2010.02.15 -

Antiy-AVL 2.0.3.7 2010.02.15 -

Authentium 5.2.0.5 2010.02.15 -

Avast 4.8.1351.0 2010.02.15 -

AVG 9.0.0.730 2010.02.15 -

BitDefender 7.2 2010.02.15 -

CAT-QuickHeal 10.00 2010.02.15 -

ClamAV 0.96.0.0-git 2010.02.15 -

Comodo 3945 2010.02.15 -

DrWeb 5.0.1.12222 2010.02.15 -

eSafe 7.0.17.0 2010.02.15 Win32.TrojanHorse

eTrust-Vet 35.2.7303 2010.02.15 -

F-Prot 4.5.1.85 2010.02.15 -

F-Secure 9.0.15370.0 2010.02.15 -

Fortinet 4.0.14.0 2010.02.15 -

GData 19 2010.02.15 -

Ikarus T3.1.1.80.0 2010.02.15 -

Jiangmin 13.0.900 2010.02.15 -

K7AntiVirus 7.10.972 2010.02.12 -

Kaspersky 7.0.0.125 2010.02.15 -

McAfee 5892 2010.02.14 -

McAfee+Artemis 5892 2010.02.14 -

McAfee-GW-Edition 6.8.5 2010.02.15 Heuristic.LooksLike.Trojan.Dldr.FraudLo.C

Microsoft 1.5406 2010.02.15 -

NOD32 4868 2010.02.15 -

Norman 6.04.08 2010.02.15 -

nProtect 2009.1.8.0 2010.02.15 -

Panda 10.0.2.2 2010.02.14 -

PCTools 7.0.3.5 2010.02.15 -

Prevx 3.0 2010.02.15 -

Rising 22.34.01.03 2010.02.11 -

Sophos 4.50.0 2010.02.15 -

Sunbelt 5678 2010.02.15 -

Symantec 20091.2.0.41 2010.02.15 Suspicious.Insight

TheHacker 6.5.1.4.194 2010.02.15 -

TrendMicro 9.120.0.1004 2010.02.15 -

VBA32 3.12.12.2 2010.02.15 -

ViRobot 2010.2.13.2186 2010.02.13 -

VirusBuster 5.0.21.0 2010.02.15 -

[danny09411]

This is definitely dodgey. I cant login via rdp anymore! when i do an error comes up saying:

tss-brute.exe - DLL initialization failed.

Ive uploaded c:/rdp/brute.exe to virustotal and got the post below.

How can i remove this to ensure my server is safe? :S

In c:/rdp/working there are files like:

mstsc.exe

vbc.exe

scan_ip.bat

Seriously worried now!

run this http://www.malwarebytes.org/fileassassin.php find the 2 files and delete them then should be ok let me know if it works

[drews1f]

shall i delete the whole RDP dir?

[danny09411]

shall i delete the whole RDP dir?

no just them 2 files and then see

[drews1f]

you should know that RDP dir was created on the 8th of feb. i think the whole thing is a hook for remote desktop connection?

although mstsc.exe in system32 is unmodified since 2006

[danny09411]

you should know that RDP dir was created on the 8th of feb. i think the whole thing is a hook for remote desktop connection?

although mstsc.exe in system32 is unmodified since 2006

ok i diden't know that

[drews1f]

=[