drews1f
Posted February 14, 2010

I'm extremely concerned after finding this on my server today. Can anyone take a look and advise me what to do?

EDIT: I zipped the folder but it's too big to upload. Is there somewhere else I could upload it to?

danny09411
Posted February 14, 2010

> I'm extremely concerned after finding this on my server today. Can anyone take a look and advise me what to do?
>
> EDIT: I zipped the folder but it's too big to upload. Is there somewhere else I could upload it to?

It means Remote Desktop Protocol. If you are still unsure, upload it to http://www.virustotal.com/

drews1f
Posted February 15, 2010

This is definitely dodgy. I can't log in via RDP anymore! When I do, an error comes up saying:

tss-brute.exe - DLL initialization failed.

I've uploaded c:/rdp/brute.exe to VirusTotal and got the post below. How can I remove this to ensure my server is safe? :S

In c:/rdp/working there are files like:

mstsc.exe
vbc.exe
scan_ip.bat

Seriously worried now!

brute.exe
tss-brute.exe

drews1f
Posted February 15, 2010

VirusTotal:

Antivirus          Version         Last Update  Result
a-squared          4.5.0.50        2010.02.15   -
AhnLab-V3          5.0.0.2         2010.02.15   -
AntiVir            7.9.1.170       2010.02.15   -
Antiy-AVL          2.0.3.7         2010.02.15   -
Authentium         5.2.0.5         2010.02.15   -
Avast              4.8.1351.0      2010.02.15   -
AVG                9.0.0.730       2010.02.15   -
BitDefender        7.2             2010.02.15   -
CAT-QuickHeal      10.00           2010.02.15   -
ClamAV             0.96.0.0-git    2010.02.15   -
Comodo             3945            2010.02.15   -
DrWeb              5.0.1.12222     2010.02.15   -
eSafe              7.0.17.0        2010.02.15   Win32.TrojanHorse
eTrust-Vet         35.2.7303       2010.02.15   -
F-Prot             4.5.1.85        2010.02.15   -
F-Secure           9.0.15370.0     2010.02.15   -
Fortinet           4.0.14.0        2010.02.15   -
GData              19              2010.02.15   -
Ikarus             T3.1.1.80.0     2010.02.15   -
Jiangmin           13.0.900        2010.02.15   -
K7AntiVirus        7.10.972        2010.02.12   -
Kaspersky          7.0.0.125       2010.02.15   -
McAfee             5892            2010.02.14   -
McAfee+Artemis     5892            2010.02.14   -
McAfee-GW-Edition  6.8.5           2010.02.15   Heuristic.LooksLike.Trojan.Dldr.FraudLo.C
Microsoft          1.5406          2010.02.15   -
NOD32              4868            2010.02.15   -
Norman             6.04.08         2010.02.15   -
nProtect           2009.1.8.0      2010.02.15   -
Panda              10.0.2.2        2010.02.14   -
PCTools            7.0.3.5         2010.02.15   -
Prevx              3.0             2010.02.15   -
Rising             22.34.01.03     2010.02.11   -
Sophos             4.50.0          2010.02.15   -
Sunbelt            5678            2010.02.15   -
Symantec           20091.2.0.41    2010.02.15   Suspicious.Insight
TheHacker          6.5.1.4.194     2010.02.15   -
TrendMicro         9.120.0.1004    2010.02.15   -
VBA32              3.12.12.2       2010.02.15   -
ViRobot            2010.2.13.2186  2010.02.13   -
VirusBuster        5.0.21.0        2010.02.15   -

danny09411
Posted February 15, 2010

> This is definitely dodgy. I can't log in via RDP anymore! When I do, an error comes up saying:
>
> tss-brute.exe - DLL initialization failed.
>
> I've uploaded c:/rdp/brute.exe to VirusTotal and got the post below. How can I remove this to ensure my server is safe? :S
>
> In c:/rdp/working there are files like:
>
> mstsc.exe
> vbc.exe
> scan_ip.bat
>
> Seriously worried now!

Run this: http://www.malwarebytes.org/fileassassin.php

Find the 2 files and delete them, then it should be OK. Let me know if it works.

drews1f
Posted February 15, 2010

Shall I delete the whole RDP dir?

danny09411
Posted February 15, 2010

> Shall I delete the whole RDP dir?

No, just those 2 files, and then see.

drews1f
Posted February 15, 2010

You should know that the RDP dir was created on the 8th of Feb. I think the whole thing is a hook for Remote Desktop Connection? Although mstsc.exe in system32 is unmodified since 2006.

danny09411
Posted February 15, 2010

> You should know that the RDP dir was created on the 8th of Feb. I think the whole thing is a hook for Remote Desktop Connection? Although mstsc.exe in system32 is unmodified since 2006.

OK, I didn't know that.
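
An added example, not part of the thread and not written by either poster: a read-only PowerShell inventory of the folder described above. It records creation times, SHA-256 hashes and signature status before anything is deleted, and compares any file that shares a name with a System32 binary (such as mstsc.exe) by hash. The parameter names and the report path are assumptions.

```powershell
# Added example: read-only triage of the folder described in the thread.
# C:\rdp comes from the posts; parameter names and the report path are assumptions.
# Requires PowerShell 4.0 or later (Get-FileHash).
param(
    [string]$SuspectDir = 'C:\rdp',
    [string]$SystemDir  = "$env:SystemRoot\System32",
    [string]$ReportPath = "$env:TEMP\rdp-triage.csv"   # hypothetical output location
)

$report = Get-ChildItem -LiteralPath $SuspectDir -Recurse -File -Force |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName

        # A file that shares its name with a System32 binary (e.g. mstsc.exe)
        # is compared by hash, not by name or timestamp.
        $sysCopy = Join-Path $SystemDir $_.Name
        $match = if (Test-Path -LiteralPath $sysCopy -PathType Leaf) {
            $hash -eq (Get-FileHash -LiteralPath $sysCopy -Algorithm SHA256).Hash
        } else {
            $null   # no file of that name in System32
        }

        [pscustomobject]@{
            Path            = $_.FullName
            Size            = $_.Length
            CreatedUtc      = $_.CreationTimeUtc
            ModifiedUtc     = $_.LastWriteTimeUtc
            SHA256          = $hash
            Signature       = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
            MatchesSystem32 = $match
        }
    }

# Keep the full inventory, oldest file first, as a record of what was found.
$report | Sort-Object CreatedUtc |
    Export-Csv -LiteralPath $ReportPath -NoTypeInformation

# Show files that reuse a System32 name but are not byte-identical to it.
$report | Where-Object { $_.MatchesSystem32 -eq $false } |
    Format-Table Path, Signature, SHA256 -AutoSize
```

The CSV keeps a record of what was in the folder after the files are removed, and the SHA-256 values can be searched on VirusTotal without uploading the files again.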