Strange .exe files appearing under c:\windows\temp\ when logging in via Terminal Services

Posted on 2008-10-19
Last Modified: 2013-11-22
The server which is used as domain controller/file server has had a major infection of viruses & trojans and I seem to have become overly suspicious after the whole ordeal... Two weeks ago we seemed to have gotten rid of all the nasty bits of software.
Anyways the other day when I was looking in the c:\windows\temp\ folder I saw perhaps 20 .exe files all having 4 digits in their name e.g. 1388.exe and being for kb big. I decided to delete them and then F-Secure prompted stating that this and that file contains a trojan. About five of the files where infected and I don't know whether they were recently infected or leftovers from when the server had various infections.
I noticed that a new .exe file is created each time you log into the server using Terminal Services. Repeated logins after that only modifies the file's modification attribute. I opened the 3 files that were there today using Textpad in binary mode and they all contained what seemed like an IP number and port. I don't have the specific number right now but it was something like I think it started with 54 but the others I don't remember.

What is this, anyone have any idea?
Question by:jerra
  • 6
  • 2
  • 2
LVL 25

Assisted Solution

by:Ron Malmstead
Ron Malmstead earned 150 total points
ID: 22753337
sounds like trojan viruses, ...  They are probably re-propogating from the profiles of terminal server users.

I would reboot this server into safe mode, and run a full system scan.
I would use both anti-spyware software, like spybot,... and a good virus scanner, like Trend Micro or McAfee.

After you get it cleaned up...  think about maybe disabling internet access from the terminal server sessions.

Author Comment

ID: 22755381
OK, regarding safemode and executing software. We have F-Secure AV and Adware, Spybot S&D and I have also downloaded the MS Malicious Software Removal Tool.
Of all these I have only been able to run Spybot in safemode. The MS Removal tool I haven't tried yet. Do Trend Micro, McAfee work in safemode?

Author Comment

ID: 22755391
One more thing, all problems started this July when the ISP made a migration to new hardware and they left the firewall open on port 80. Firewall is located at ISP and managed by the ISP.
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

LVL 23

Accepted Solution

Admin3k earned 350 total points
ID: 22756808
Submit the file to  for an online scan using several AV engines, once you have identified the nature of the executable, please post a Hijack this log along with the malware name.


Author Comment

ID: 22759604
OK will do. I'll be at the office in a few days.
LVL 25

Expert Comment

by:Ron Malmstead
ID: 22759654
AVG can scan in command line from safe mode...

Author Comment

ID: 22767181
OK, files analysed using virustotal.
Of three existing files one got a hit (1384.exe):
Prevx1       V2       2008.10.18       Malicious Software

Files 1380.exe & 1388.exe contains following information in binary -->

Directory listing of the suspicious files:
17.10.2008  15:06                14 1380.exe
20.10.2008  13:45             1 308 1384.exe
16.10.2008  23:29                14 1388.exe
HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:48:25, on 21.10.2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Adaptec\Adaptec RAID Services\StorServ.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\HP\HP Storage Manager\StorServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [XeroxRegistation] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2\Xerox\EReg\opbreg.exe" /Startup
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2329229114-3049913970-3677540923-1132\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'fsms_TARJA')
O4 - HKUS\S-1-5-21-2329229114-3049913970-3677540923-1132\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'fsms_TARJA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone: http://*
O15 - ESC Trusted Zone: http://* (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CCS\Services\Tcpip\..\{5491FD7D-17AB-44C2-99DF-EDE3265F0ADA}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain =
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adaptec Storage Manager Agent (AdaptecStorageManagerAgent) - Adaptec Incorporated - C:\Program Files\Adaptec\Adaptec RAID Services\StorServ.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Automatic Update Server (FSAUS) - BackWeb - C:\Program Files\F-Secure\FSAUS.PM\bin\server.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: F-Secure Policy Manager Server (fsms) - Unknown owner - C:\Program Files\F-Secure\Management Server 5\apache.exe
O23 - Service: F-Secure Policy Manager Web Reporting (fspmwr) - Unknown owner - C:\Program Files\F-Secure\Management Server 5\Web Reporting\bin\fspmwrservice.exe
O23 - Service: HP Storage Manager Agent (HPStorageManagerAgent) - Adaptec Incorporated - C:\Program Files\HP\HP Storage Manager\StorServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

End of file - 8024 bytes
LVL 23

Expert Comment

ID: 22786125
I can not spot any active infection in this log, not that I have noticed anyway.
I would suggest at this stage an online scan on Kaspersky website, mostly because the engine is almost 100% accurate , regardless of the fact it is not going to clean the infection, it will certainly pinpoint any existing infections for further actions.

Author Comment

ID: 22802168
Todays scan with the online virustotal service of files found in c:\windows\temp\3664.exe found something bad. F-Secure doesn't find anything, has been set to do scheduled scanning but it seems only to fill the hydra.log until there are no disc space. Doing a "right-click" scan of the temp folder F-Secure sure reports trojans but what good is that. I'll close this now and start reinstalling this server. Too much time has already been spent on various things to get it clean. Thanks all!

One more thing, the infected files all have the same icon:
Antivirus        Version        Last Update        Result
AhnLab-V3      2008.10.24.3      2008.10.24      -
AntiVir      2008.10.24      TR/Crypt.NSPI.Gen
Authentium      2008.10.24      -
Avast      4.8.1248.0      2008.10.25      Win32:TCPScan
AVG      2008.10.25      HackTool.EZA
BitDefender      7.2      2008.10.25      MemScan:Application.Portscan.D
CAT-QuickHeal      9.50      2008.10.24      -
ClamAV      0.93.1      2008.10.25      PUA.Packed.NPack-2
DrWeb      2008.10.25      Tool.TcpScan
eSafe      2008.10.23      -
eTrust-Vet      31.6.6168      2008.10.25      -
Ewido      4.0      2008.10.24      -
F-Prot      2008.10.24      -
F-Secure      8.0.14332.0      2008.10.25      W32/Packed_Nspack.A.dropper
Fortinet      2008.10.25      -
GData      19      2008.10.25      MemScan:Application.Portscan.D
Ikarus      T3.      2008.10.25      -
K7AntiVirus      7.10.506      2008.10.24      -
Kaspersky      2008.10.25      not-a-virus:NetTool.Win32.TCPScan.a
McAfee      5415      2008.10.25      potentially unwanted program HTool-SymScan
Microsoft      1.4005      2008.10.25      -
NOD32      3555      2008.10.25      Win32/NetTool.TCPScan.B
Norman      5.80.02      2008.10.24      W32/Packed_Nspack.A.dropper
Panda      2008.10.25      -
PCTools      2008.10.24      Packed/NSPack
Prevx1      V2      2008.10.25      -
Rising      2008.10.25      Hack.Win32.Scanner.f
SecureWeb-Gateway      6.7.6      2008.10.24      Trojan.Crypt.NSPI.Gen
Sophos      4.35.0      2008.10.25      PortScan
Sunbelt      3.1.1753.1      2008.10.25      -
Symantec      10      2008.10.25      -
TheHacker      2008.10.25      -
TrendMicro      8.700.0.1004      2008.10.24      PAK_Generic.005
VBA32      2008.10.25      suspected of Embedded.Riskware.Win32.TCPS
ViRobot      2008.10.24.1436      2008.10.24      -
VirusBuster      2008.10.24      Packed/NSPack
Additional information
File size: 254976 bytes
MD5...: cb9316e6fd2ec501fc59bdee1e551d9d
SHA1..: 23c066971f39f4b89d036be01e3561a6b3f2df81
SHA256: 4881b56059f03b61df3a081792aacc3455802f0112b2f094a9c057bbef140506
SHA512: 0e8cf2a2904c9dd8f987cbc8a0ec8b4057366a18bf96036a94828db5e98b5e24
PEiD..: ASPack v2.12
TrID..: File type identification
ASPack compressed Win32 Executable (generic) (90.1%)
Win32 Executable Generic (5.7%)
Win16/32 Executable Delphi generic (1.3%)
Generic Win/DOS Executable (1.3%)
DOS Executable Generic (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x495001
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 10 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x68000 0x2aa00 8.00 27d032ca1c31022d0877df454cd79e1e
DATA 0x69000 0x2000 0xc00 7.82 11b651f44474fe7bb87ab3a2c8705e40
BSS 0x6b000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x6c000 0x3000 0xe00 7.52 3f8d00283da49b336c8b96f701b8f0dc
.tls 0x6f000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x70000 0x1000 0x200 0.19 63d64533d4cf8150c328ee9564d7d709
.reloc 0x71000 0x9000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x7a000 0x1b000 0xa400 7.82 af393b9285ff1b7938422895e282a1af
.aspack 0x95000 0x8000 0x7600 5.01 f3e3bd0b36bbe8658305c8013951abc0
.adata 0x9d000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 11 imports )
> kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
> user32.dll: GetKeyboardType
> advapi32.dll: RegQueryValueExA
> oleaut32.dll: SysFreeString
> advapi32.dll: RegQueryValueExA
> version.dll: VerQueryValueA
> gdi32.dll: UnrealizeObject
> user32.dll: CreateWindowExA
> oleaut32.dll: SafeArrayPtrOfIndex
> comctl32.dll: ImageList_SetIconSize
> shell32.dll: ShellExecuteExA

( 0 exports )
Norman Sandbox: [ General information ]
* File might be compressed.
* Accesses executable file from resource section.
* File length: 254976 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\scan.exe.
* Creates file C:\WINDOWS\syswmi.exe.
* Creates file C:\WINDOWS\ip.txt.

[ Changes to registry ]
* Accesses Registry key \"HKCU\Software\Borland\Locales\".
* Accesses Registry key \"HKLM\Software\Borland\Locales\".
* Accesses Registry key \"HKCU\Software\Borland\Delphi\Locales\".

[ Network services ]
* Connects to \"\" on port 20 (IP).
* Sends data stream (151 bytes) to remote address \"\", port 20.

[ Process/window information ]
* Creates an event called .
* Creates a mutex Fexcep_Auto_2967_scan.
* Attemps to Open scan.exe NULL.
* Creates process \"scan.exe\".

[ Signature Scanning ]
* C:\WINDOWS\scan.exe (15360 bytes) : W32/Packed_Nspack.A.

packers (Avast): ASPack, NsPack
packers (F-Prot): Aspack
packers (Kaspersky): ASPack, NSPack

<a href="" target="_blank"><img src="" border="0" alt="Free Image Hosting at" /></a><br /><br /><a href="" title="QuickPost"><img src="" alt="QuickPost" border="0"></a> Quickpost this image to Myspace, Digg, Facebook, and others!

Author Comment

ID: 22802170

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The related questions "How do I recover the passwords for my Q-See DVR" and "How can I reset my Q-See DVR to eliminate a password" are seen several times a week.  Here we discuss the grim reality of the situation.
Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
Sending a Secure fax is easy with eFax Corporate ( First, just open a new email message. In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question