drews1f

C:\RDP


I'm extremely concerned after finding this on my server today.

Can anyone take a look and advise me what to do?

EDIT: I zipped the folder but it's too big to upload. Is there somewhere else I could upload it to?


This is definitely dodgy. I can't log in via RDP anymore! When I do, an error comes up saying:

tss-brute.exe - DLL initialization failed.

I've uploaded c:/rdp/brute.exe to VirusTotal and got the post below.

How can I remove this to ensure my server is safe? :S

In c:/rdp/working there are files like:

mstsc.exe

vbc.exe

scan_ip.bat

Seriously worried now!

brute.exe

tss-brute.exe


VirusTotal:

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | 4.5.0.50 | 2010.02.15 | - |
| AhnLab-V3 | 5.0.0.2 | 2010.02.15 | - |
| AntiVir | 7.9.1.170 | 2010.02.15 | - |
| Antiy-AVL | 2.0.3.7 | 2010.02.15 | - |
| Authentium | 5.2.0.5 | 2010.02.15 | - |
| Avast | 4.8.1351.0 | 2010.02.15 | - |
| AVG | 9.0.0.730 | 2010.02.15 | - |
| BitDefender | 7.2 | 2010.02.15 | - |
| CAT-QuickHeal | 10.00 | 2010.02.15 | - |
| ClamAV | 0.96.0.0-git | 2010.02.15 | - |
| Comodo | 3945 | 2010.02.15 | - |
| DrWeb | 5.0.1.12222 | 2010.02.15 | - |
| eSafe | 7.0.17.0 | 2010.02.15 | Win32.TrojanHorse |
| eTrust-Vet | 35.2.7303 | 2010.02.15 | - |
| F-Prot | 4.5.1.85 | 2010.02.15 | - |
| F-Secure | 9.0.15370.0 | 2010.02.15 | - |
| Fortinet | 4.0.14.0 | 2010.02.15 | - |
| GData | 19 | 2010.02.15 | - |
| Ikarus | T3.1.1.80.0 | 2010.02.15 | - |
| Jiangmin | 13.0.900 | 2010.02.15 | - |
| K7AntiVirus | 7.10.972 | 2010.02.12 | - |
| Kaspersky | 7.0.0.125 | 2010.02.15 | - |
| McAfee | 5892 | 2010.02.14 | - |
| McAfee+Artemis | 5892 | 2010.02.14 | - |
| McAfee-GW-Edition | 6.8.5 | 2010.02.15 | Heuristic.LooksLike.Trojan.Dldr.FraudLo.C |
| Microsoft | 1.5406 | 2010.02.15 | - |
| NOD32 | 4868 | 2010.02.15 | - |
| Norman | 6.04.08 | 2010.02.15 | - |
| nProtect | 2009.1.8.0 | 2010.02.15 | - |
| Panda | 10.0.2.2 | 2010.02.14 | - |
| PCTools | 7.0.3.5 | 2010.02.15 | - |
| Prevx | 3.0 | 2010.02.15 | - |
| Rising | 22.34.01.03 | 2010.02.11 | - |
| Sophos | 4.50.0 | 2010.02.15 | - |
| Sunbelt | 5678 | 2010.02.15 | - |
| Symantec | 20091.2.0.41 | 2010.02.15 | Suspicious.Insight |
| TheHacker | 6.5.1.4.194 | 2010.02.15 | - |
| TrendMicro | 9.120.0.1004 | 2010.02.15 | - |
| VBA32 | 3.12.12.2 | 2010.02.15 | - |
| ViRobot | 2010.2.13.2186 | 2010.02.13 | - |
| VirusBuster | 5.0.21.0 | 2010.02.15 | - |


This is definitely dodgy. I can't log in via RDP anymore! When I do, an error comes up saying:

tss-brute.exe - DLL initialization failed.

I've uploaded c:/rdp/brute.exe to VirusTotal and got the post below.

How can I remove this to ensure my server is safe? :S

In c:/rdp/working there are files like:

mstsc.exe

vbc.exe

scan_ip.bat

Seriously worried now!

Run this (http://www.malwarebytes.org/fileassassin.php), find the 2 files and delete them; then it should be OK. Let me know if it works.


You should know that the RDP dir was created on the 8th of Feb. I think the whole thing is a hook for Remote Desktop Connection?

Although mstsc.exe in system32 is unmodified since 2006.


You should know that the RDP dir was created on the 8th of Feb. I think the whole thing is a hook for Remote Desktop Connection?

Although mstsc.exe in system32 is unmodified since 2006.

OK, I didn't know that.
