Link to home
Start Free TrialLog in
Avatar of jerra
jerra

asked on

Strange .exe files appearing under c:\windows\temp\ when logging in via Terminal Services

The server which is used as domain controller/file server has had a major infection of viruses & trojans and I seem to have become overly suspicious after the whole ordeal... Two weeks ago we seemed to have gotten rid of all the nasty bits of software.
Anyways the other day when I was looking in the c:\windows\temp\ folder I saw perhaps 20 .exe files all having 4 digits in their name e.g. 1388.exe and being for kb big. I decided to delete them and then F-Secure prompted stating that this and that file contains a trojan. About five of the files where infected and I don't know whether they were recently infected or leftovers from when the server had various infections.
I noticed that a new .exe file is created each time you log into the server using Terminal Services. Repeated logins after that only modifies the file's modification attribute. I opened the 3 files that were there today using Textpad in binary mode and they all contained what seemed like an IP number and port. I don't have the specific number right now but it was something like 54.xxx.xxx.xxx:339. I think it started with 54 but the others I don't remember.

What is this, anyone have any idea?
SOLUTION
Avatar of Ron Malmstead
Ron Malmstead
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of jerra
jerra

ASKER

OK, regarding safemode and executing software. We have F-Secure AV and Adware, Spybot S&D and I have also downloaded the MS Malicious Software Removal Tool.
Of all these I have only been able to run Spybot in safemode. The MS Removal tool I haven't tried yet. Do Trend Micro, McAfee work in safemode?
Avatar of jerra
jerra

ASKER

One more thing, all problems started this July when the ISP made a migration to new hardware and they left the firewall open on port 80. Firewall is located at ISP and managed by the ISP.
ASKER CERTIFIED SOLUTION
Avatar of Mohamed Osama
Mohamed Osama
Flag of Egypt image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of jerra
jerra

ASKER

OK will do. I'll be at the office in a few days.
Avatar of Ron Malmstead
Ron Malmstead
Flag of United States of America image
AVG can scan in command line from safe mode...
Avatar of jerra
jerra

ASKER

OK, files analysed using virustotal.
Of three existing files one got a hit (1384.exe):
Prevx1       V2       2008.10.18       Malicious Software

Files 1380.exe & 1388.exe contains following information in binary --> 58.63.40.3:316

Directory listing of the suspicious files:
17.10.2008  15:06                14 1380.exe
20.10.2008  13:45             1 308 1384.exe
16.10.2008  23:29                14 1388.exe
---------------------------------------------------------------------------
HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:48:25, on 21.10.2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adaptec\Adaptec RAID Services\StorServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\HP\HP Storage Manager\StorServ.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\sfmprint.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [XeroxRegistation] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2\Xerox\EReg\opbreg.exe" /Startup
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2329229114-3049913970-3677540923-1132\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'fsms_TARJA')
O4 - HKUS\S-1-5-21-2329229114-3049913970-3677540923-1132\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'fsms_TARJA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://ftp.sunet.se
O15 - ESC Trusted Zone: http://entsearch.symantec.com
O15 - ESC Trusted Zone: http://seer.entsupport.symantec.com
O15 - ESC Trusted Zone: http://www.symantec.com
O15 - ESC Trusted Zone: http://www4.symantec.com
O15 - ESC Trusted Zone: http://ftp.support.veritas.com
O15 - ESC Trusted Zone: http://softwareupdate.veritas.com
O15 - ESC Trusted Zone: http://download.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131707945779
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hallimestarinkatu.teollisuustyokalut.fi
O17 - HKLM\Software\..\Telephony: DomainName = hallimestarinkatu.teollisuustyokalut.fi
O17 - HKLM\System\CCS\Services\Tcpip\..\{5491FD7D-17AB-44C2-99DF-EDE3265F0ADA}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hallimestarinkatu.teollisuustyokalut.fi
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hallimestarinkatu.teollisuustyokalut.fi
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hallimestarinkatu.teollisuustyokalut.fi
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adaptec Storage Manager Agent (AdaptecStorageManagerAgent) - Adaptec Incorporated - C:\Program Files\Adaptec\Adaptec RAID Services\StorServ.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Automatic Update Server (FSAUS) - BackWeb - C:\Program Files\F-Secure\FSAUS.PM\bin\server.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: F-Secure Policy Manager Server (fsms) - Unknown owner - C:\Program Files\F-Secure\Management Server 5\apache.exe
O23 - Service: F-Secure Policy Manager Web Reporting (fspmwr) - Unknown owner - C:\Program Files\F-Secure\Management Server 5\Web Reporting\bin\fspmwrservice.exe
O23 - Service: HP Storage Manager Agent (HPStorageManagerAgent) - Adaptec Incorporated - C:\Program Files\HP\HP Storage Manager\StorServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 8024 bytes
Avatar of Mohamed Osama
Mohamed Osama
Flag of Egypt image
I can not spot any active infection in this log, not that I have noticed anyway.
I would suggest at this stage an online scan on Kaspersky website, mostly because the engine is almost 100% accurate , regardless of the fact it is not going to clean the infection, it will certainly pinpoint any existing infections for further actions.

http://www.kaspersky.com/virusscanner
Avatar of jerra
jerra

ASKER

Todays scan with the online virustotal service of files found in c:\windows\temp\3664.exe found something bad. F-Secure doesn't find anything, has been set to do scheduled scanning but it seems only to fill the hydra.log until there are no disc space. Doing a "right-click" scan of the temp folder F-Secure sure reports trojans but what good is that. I'll close this now and start reinstalling this server. Too much time has already been spent on various things to get it clean. Thanks all!

One more thing, the infected files all have the same icon:
Antivirus        Version        Last Update        Result
AhnLab-V3      2008.10.24.3      2008.10.24      -
AntiVir      7.9.0.9      2008.10.24      TR/Crypt.NSPI.Gen
Authentium      5.1.0.4      2008.10.24      -
Avast      4.8.1248.0      2008.10.25      Win32:TCPScan
AVG      8.0.0.161      2008.10.25      HackTool.EZA
BitDefender      7.2      2008.10.25      MemScan:Application.Portscan.D
CAT-QuickHeal      9.50      2008.10.24      -
ClamAV      0.93.1      2008.10.25      PUA.Packed.NPack-2
DrWeb      4.44.0.09170      2008.10.25      Tool.TcpScan
eSafe      7.0.17.0      2008.10.23      -
eTrust-Vet      31.6.6168      2008.10.25      -
Ewido      4.0      2008.10.24      -
F-Prot      4.4.4.56      2008.10.24      -
F-Secure      8.0.14332.0      2008.10.25      W32/Packed_Nspack.A.dropper
Fortinet      3.113.0.0      2008.10.25      -
GData      19      2008.10.25      MemScan:Application.Portscan.D
Ikarus      T3.1.1.44.0      2008.10.25      -
K7AntiVirus      7.10.506      2008.10.24      -
Kaspersky      7.0.0.125      2008.10.25      not-a-virus:NetTool.Win32.TCPScan.a
McAfee      5415      2008.10.25      potentially unwanted program HTool-SymScan
Microsoft      1.4005      2008.10.25      -
NOD32      3555      2008.10.25      Win32/NetTool.TCPScan.B
Norman      5.80.02      2008.10.24      W32/Packed_Nspack.A.dropper
Panda      9.0.0.4      2008.10.25      -
PCTools      4.4.2.0      2008.10.24      Packed/NSPack
Prevx1      V2      2008.10.25      -
Rising      21.00.51.00      2008.10.25      Hack.Win32.Scanner.f
SecureWeb-Gateway      6.7.6      2008.10.24      Trojan.Crypt.NSPI.Gen
Sophos      4.35.0      2008.10.25      PortScan
Sunbelt      3.1.1753.1      2008.10.25      -
Symantec      10      2008.10.25      -
TheHacker      6.3.1.0.126      2008.10.25      -
TrendMicro      8.700.0.1004      2008.10.24      PAK_Generic.005
VBA32      3.12.8.8      2008.10.25      suspected of Embedded.Riskware.Win32.TCPS
ViRobot      2008.10.24.1436      2008.10.24      -
VirusBuster      4.5.11.0      2008.10.24      Packed/NSPack
Additional information
File size: 254976 bytes
MD5...: cb9316e6fd2ec501fc59bdee1e551d9d
SHA1..: 23c066971f39f4b89d036be01e3561a6b3f2df81
SHA256: 4881b56059f03b61df3a081792aacc3455802f0112b2f094a9c057bbef140506
SHA512: 0e8cf2a2904c9dd8f987cbc8a0ec8b4057366a18bf96036a94828db5e98b5e24
1f440c7b46eeebfba369f2c5f36c8dcf70795956343576b77a366a67d0cc38a9
PEiD..: ASPack v2.12
TrID..: File type identification
ASPack compressed Win32 Executable (generic) (90.1%)
Win32 Executable Generic (5.7%)
Win16/32 Executable Delphi generic (1.3%)
Generic Win/DOS Executable (1.3%)
DOS Executable Generic (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x495001
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 10 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x68000 0x2aa00 8.00 27d032ca1c31022d0877df454cd79e1e
DATA 0x69000 0x2000 0xc00 7.82 11b651f44474fe7bb87ab3a2c8705e40
BSS 0x6b000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x6c000 0x3000 0xe00 7.52 3f8d00283da49b336c8b96f701b8f0dc
.tls 0x6f000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x70000 0x1000 0x200 0.19 63d64533d4cf8150c328ee9564d7d709
.reloc 0x71000 0x9000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x7a000 0x1b000 0xa400 7.82 af393b9285ff1b7938422895e282a1af
.aspack 0x95000 0x8000 0x7600 5.01 f3e3bd0b36bbe8658305c8013951abc0
.adata 0x9d000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 11 imports )
> kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
> user32.dll: GetKeyboardType
> advapi32.dll: RegQueryValueExA
> oleaut32.dll: SysFreeString
> advapi32.dll: RegQueryValueExA
> version.dll: VerQueryValueA
> gdi32.dll: UnrealizeObject
> user32.dll: CreateWindowExA
> oleaut32.dll: SafeArrayPtrOfIndex
> comctl32.dll: ImageList_SetIconSize
> shell32.dll: ShellExecuteExA

( 0 exports )
Norman Sandbox: [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File might be compressed.
* Accesses executable file from resource section.
* File length: 254976 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\scan.exe.
* Creates file C:\WINDOWS\syswmi.exe.
* Creates file C:\WINDOWS\ip.txt.

[ Changes to registry ]
* Accesses Registry key \"HKCU\Software\Borland\Locales\".
* Accesses Registry key \"HKLM\Software\Borland\Locales\".
* Accesses Registry key \"HKCU\Software\Borland\Delphi\Locales\".

[ Network services ]
* Connects to \"www.y251.com\" on port 20 (IP).
* Sends data stream (151 bytes) to remote address \"www.y251.com\", port 20.

[ Process/window information ]
* Creates an event called .
* Creates a mutex Fexcep_Auto_2967_scan.
* Attemps to Open scan.exe NULL.
* Creates process \"scan.exe\".

[ Signature Scanning ]
* C:\WINDOWS\scan.exe (15360 bytes) : W32/Packed_Nspack.A.

packers (Avast): ASPack, NsPack
packers (F-Prot): Aspack
packers (Kaspersky): ASPack, NSPack

<a href="http://img444.imageshack.us/my.php?image=virusicondd6.jpg" target="_blank"><img src="http://img444.imageshack.us/img444/5292/virusicondd6.th.jpg" border="0" alt="Free Image Hosting at www.ImageShack.us" /></a><br /><br /><a href="http://img604.imageshack.us/content.php?page=blogpost&files=img444/5292/virusicondd6.jpg" title="QuickPost"><img src="http://imageshack.us/img/butansn.png" alt="QuickPost" border="0"></a> Quickpost this image to Myspace, Digg, Facebook, and others!