Solved

Strange .exe files appearing under c:\windows\temp\ when logging in via Terminal Services

Posted on 2008-10-19
10
1,949 Views
Last Modified: 2013-11-22
The server which is used as domain controller/file server has had a major infection of viruses & trojans and I seem to have become overly suspicious after the whole ordeal... Two weeks ago we seemed to have gotten rid of all the nasty bits of software.
Anyways the other day when I was looking in the c:\windows\temp\ folder I saw perhaps 20 .exe files all having 4 digits in their name e.g. 1388.exe and being for kb big. I decided to delete them and then F-Secure prompted stating that this and that file contains a trojan. About five of the files where infected and I don't know whether they were recently infected or leftovers from when the server had various infections.
I noticed that a new .exe file is created each time you log into the server using Terminal Services. Repeated logins after that only modifies the file's modification attribute. I opened the 3 files that were there today using Textpad in binary mode and they all contained what seemed like an IP number and port. I don't have the specific number right now but it was something like 54.xxx.xxx.xxx:339. I think it started with 54 but the others I don't remember.

What is this, anyone have any idea?
0
Comment
Question by:jerra
  • 6
  • 2
  • 2
10 Comments
 
LVL 25

Assisted Solution

by:Ron M
Ron M earned 150 total points
ID: 22753337
sounds like trojan viruses, ...  They are probably re-propogating from the profiles of terminal server users.

I would reboot this server into safe mode, and run a full system scan.
I would use both anti-spyware software, like spybot,... and a good virus scanner, like Trend Micro or McAfee.

After you get it cleaned up...  think about maybe disabling internet access from the terminal server sessions.
0
 

Author Comment

by:jerra
ID: 22755381
OK, regarding safemode and executing software. We have F-Secure AV and Adware, Spybot S&D and I have also downloaded the MS Malicious Software Removal Tool.
Of all these I have only been able to run Spybot in safemode. The MS Removal tool I haven't tried yet. Do Trend Micro, McAfee work in safemode?
0
 

Author Comment

by:jerra
ID: 22755391
One more thing, all problems started this July when the ISP made a migration to new hardware and they left the firewall open on port 80. Firewall is located at ISP and managed by the ISP.
0
 
LVL 23

Accepted Solution

by:
Admin3k earned 350 total points
ID: 22756808
Submit the file to http://www.virustotal.com/  for an online scan using several AV engines, once you have identified the nature of the executable, please post a Hijack this log along with the malware name.

0
 

Author Comment

by:jerra
ID: 22759604
OK will do. I'll be at the office in a few days.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 25

Expert Comment

by:Ron M
ID: 22759654
AVG can scan in command line from safe mode...
0
 

Author Comment

by:jerra
ID: 22767181
OK, files analysed using virustotal.
Of three existing files one got a hit (1384.exe):
Prevx1       V2       2008.10.18       Malicious Software

Files 1380.exe & 1388.exe contains following information in binary --> 58.63.40.3:316

Directory listing of the suspicious files:
17.10.2008  15:06                14 1380.exe
20.10.2008  13:45             1 308 1384.exe
16.10.2008  23:29                14 1388.exe
---------------------------------------------------------------------------
HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:48:25, on 21.10.2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adaptec\Adaptec RAID Services\StorServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\HP\HP Storage Manager\StorServ.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\sfmprint.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [XeroxRegistation] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2\Xerox\EReg\opbreg.exe" /Startup
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2329229114-3049913970-3677540923-1132\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'fsms_TARJA')
O4 - HKUS\S-1-5-21-2329229114-3049913970-3677540923-1132\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'fsms_TARJA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://ftp.sunet.se
O15 - ESC Trusted Zone: http://entsearch.symantec.com
O15 - ESC Trusted Zone: http://seer.entsupport.symantec.com
O15 - ESC Trusted Zone: http://www.symantec.com
O15 - ESC Trusted Zone: http://www4.symantec.com
O15 - ESC Trusted Zone: http://ftp.support.veritas.com
O15 - ESC Trusted Zone: http://softwareupdate.veritas.com
O15 - ESC Trusted Zone: http://download.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131707945779
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hallimestarinkatu.teollisuustyokalut.fi
O17 - HKLM\Software\..\Telephony: DomainName = hallimestarinkatu.teollisuustyokalut.fi
O17 - HKLM\System\CCS\Services\Tcpip\..\{5491FD7D-17AB-44C2-99DF-EDE3265F0ADA}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hallimestarinkatu.teollisuustyokalut.fi
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hallimestarinkatu.teollisuustyokalut.fi
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hallimestarinkatu.teollisuustyokalut.fi
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adaptec Storage Manager Agent (AdaptecStorageManagerAgent) - Adaptec Incorporated - C:\Program Files\Adaptec\Adaptec RAID Services\StorServ.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Automatic Update Server (FSAUS) - BackWeb - C:\Program Files\F-Secure\FSAUS.PM\bin\server.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: F-Secure Policy Manager Server (fsms) - Unknown owner - C:\Program Files\F-Secure\Management Server 5\apache.exe
O23 - Service: F-Secure Policy Manager Web Reporting (fspmwr) - Unknown owner - C:\Program Files\F-Secure\Management Server 5\Web Reporting\bin\fspmwrservice.exe
O23 - Service: HP Storage Manager Agent (HPStorageManagerAgent) - Adaptec Incorporated - C:\Program Files\HP\HP Storage Manager\StorServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 8024 bytes
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 22786125
I can not spot any active infection in this log, not that I have noticed anyway.
I would suggest at this stage an online scan on Kaspersky website, mostly because the engine is almost 100% accurate , regardless of the fact it is not going to clean the infection, it will certainly pinpoint any existing infections for further actions.

http://www.kaspersky.com/virusscanner
0
 

Author Comment

by:jerra
ID: 22802168
Todays scan with the online virustotal service of files found in c:\windows\temp\3664.exe found something bad. F-Secure doesn't find anything, has been set to do scheduled scanning but it seems only to fill the hydra.log until there are no disc space. Doing a "right-click" scan of the temp folder F-Secure sure reports trojans but what good is that. I'll close this now and start reinstalling this server. Too much time has already been spent on various things to get it clean. Thanks all!

One more thing, the infected files all have the same icon:
Antivirus        Version        Last Update        Result
AhnLab-V3      2008.10.24.3      2008.10.24      -
AntiVir      7.9.0.9      2008.10.24      TR/Crypt.NSPI.Gen
Authentium      5.1.0.4      2008.10.24      -
Avast      4.8.1248.0      2008.10.25      Win32:TCPScan
AVG      8.0.0.161      2008.10.25      HackTool.EZA
BitDefender      7.2      2008.10.25      MemScan:Application.Portscan.D
CAT-QuickHeal      9.50      2008.10.24      -
ClamAV      0.93.1      2008.10.25      PUA.Packed.NPack-2
DrWeb      4.44.0.09170      2008.10.25      Tool.TcpScan
eSafe      7.0.17.0      2008.10.23      -
eTrust-Vet      31.6.6168      2008.10.25      -
Ewido      4.0      2008.10.24      -
F-Prot      4.4.4.56      2008.10.24      -
F-Secure      8.0.14332.0      2008.10.25      W32/Packed_Nspack.A.dropper
Fortinet      3.113.0.0      2008.10.25      -
GData      19      2008.10.25      MemScan:Application.Portscan.D
Ikarus      T3.1.1.44.0      2008.10.25      -
K7AntiVirus      7.10.506      2008.10.24      -
Kaspersky      7.0.0.125      2008.10.25      not-a-virus:NetTool.Win32.TCPScan.a
McAfee      5415      2008.10.25      potentially unwanted program HTool-SymScan
Microsoft      1.4005      2008.10.25      -
NOD32      3555      2008.10.25      Win32/NetTool.TCPScan.B
Norman      5.80.02      2008.10.24      W32/Packed_Nspack.A.dropper
Panda      9.0.0.4      2008.10.25      -
PCTools      4.4.2.0      2008.10.24      Packed/NSPack
Prevx1      V2      2008.10.25      -
Rising      21.00.51.00      2008.10.25      Hack.Win32.Scanner.f
SecureWeb-Gateway      6.7.6      2008.10.24      Trojan.Crypt.NSPI.Gen
Sophos      4.35.0      2008.10.25      PortScan
Sunbelt      3.1.1753.1      2008.10.25      -
Symantec      10      2008.10.25      -
TheHacker      6.3.1.0.126      2008.10.25      -
TrendMicro      8.700.0.1004      2008.10.24      PAK_Generic.005
VBA32      3.12.8.8      2008.10.25      suspected of Embedded.Riskware.Win32.TCPS
ViRobot      2008.10.24.1436      2008.10.24      -
VirusBuster      4.5.11.0      2008.10.24      Packed/NSPack
Additional information
File size: 254976 bytes
MD5...: cb9316e6fd2ec501fc59bdee1e551d9d
SHA1..: 23c066971f39f4b89d036be01e3561a6b3f2df81
SHA256: 4881b56059f03b61df3a081792aacc3455802f0112b2f094a9c057bbef140506
SHA512: 0e8cf2a2904c9dd8f987cbc8a0ec8b4057366a18bf96036a94828db5e98b5e24
1f440c7b46eeebfba369f2c5f36c8dcf70795956343576b77a366a67d0cc38a9
PEiD..: ASPack v2.12
TrID..: File type identification
ASPack compressed Win32 Executable (generic) (90.1%)
Win32 Executable Generic (5.7%)
Win16/32 Executable Delphi generic (1.3%)
Generic Win/DOS Executable (1.3%)
DOS Executable Generic (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x495001
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 10 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x68000 0x2aa00 8.00 27d032ca1c31022d0877df454cd79e1e
DATA 0x69000 0x2000 0xc00 7.82 11b651f44474fe7bb87ab3a2c8705e40
BSS 0x6b000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x6c000 0x3000 0xe00 7.52 3f8d00283da49b336c8b96f701b8f0dc
.tls 0x6f000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x70000 0x1000 0x200 0.19 63d64533d4cf8150c328ee9564d7d709
.reloc 0x71000 0x9000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x7a000 0x1b000 0xa400 7.82 af393b9285ff1b7938422895e282a1af
.aspack 0x95000 0x8000 0x7600 5.01 f3e3bd0b36bbe8658305c8013951abc0
.adata 0x9d000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 11 imports )
> kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
> user32.dll: GetKeyboardType
> advapi32.dll: RegQueryValueExA
> oleaut32.dll: SysFreeString
> advapi32.dll: RegQueryValueExA
> version.dll: VerQueryValueA
> gdi32.dll: UnrealizeObject
> user32.dll: CreateWindowExA
> oleaut32.dll: SafeArrayPtrOfIndex
> comctl32.dll: ImageList_SetIconSize
> shell32.dll: ShellExecuteExA

( 0 exports )
Norman Sandbox: [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File might be compressed.
* Accesses executable file from resource section.
* File length: 254976 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\scan.exe.
* Creates file C:\WINDOWS\syswmi.exe.
* Creates file C:\WINDOWS\ip.txt.

[ Changes to registry ]
* Accesses Registry key \"HKCU\Software\Borland\Locales\".
* Accesses Registry key \"HKLM\Software\Borland\Locales\".
* Accesses Registry key \"HKCU\Software\Borland\Delphi\Locales\".

[ Network services ]
* Connects to \"www.y251.com\" on port 20 (IP).
* Sends data stream (151 bytes) to remote address \"www.y251.com\", port 20.

[ Process/window information ]
* Creates an event called .
* Creates a mutex Fexcep_Auto_2967_scan.
* Attemps to Open scan.exe NULL.
* Creates process \"scan.exe\".

[ Signature Scanning ]
* C:\WINDOWS\scan.exe (15360 bytes) : W32/Packed_Nspack.A.

packers (Avast): ASPack, NsPack
packers (F-Prot): Aspack
packers (Kaspersky): ASPack, NSPack

<a href="http://img444.imageshack.us/my.php?image=virusicondd6.jpg" target="_blank"><img src="http://img444.imageshack.us/img444/5292/virusicondd6.th.jpg" border="0" alt="Free Image Hosting at www.ImageShack.us" /></a><br /><br /><a href="http://img604.imageshack.us/content.php?page=blogpost&files=img444/5292/virusicondd6.jpg" title="QuickPost"><img src="http://imageshack.us/img/butansn.png" alt="QuickPost" border="0"></a> Quickpost this image to Myspace, Digg, Facebook, and others!
0
 

Author Comment

by:jerra
ID: 22802170
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Find out what Office 365 Transport Rules are, how they work and their limitations managing Office 365 signatures.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now