Loss of RDP via youngzsoft.com/cn

iMonkey69
iMonkey69 used Ask the Experts™
on
Good day all.  I have a strange occurance and am seeking the Experts whom know a way to work this out.

Recently a Windows 2003 lost RDP access from external or internal connections.
After some snooping I noticed that a telnet to 3389 produced a strange result:

+++º-²¦+¦+ú¼¦d+d-ú+++f+¦-¬-¦¦¦-= http://www.youngzsoft.com/cn/

CCProxy seems to be associated with the link, which is valid software....If you installed it??  We didn't.

So, scans produced a couple backdoor trojans and were cleaned but the problem persists.
Subsequent scans are clean.

So, I cannot see any programs relating to CCProxy or the like.  I'm  attaching a Hijack log for review.

Having said all that I DO know that the spoolsv.exe process seems to be the hijacked culprit.  A netstat -no produces: <local server IP>:3389 being ESTABLISHED about 20 times with the PID that macthes the spoolsv.exe.

However killing the process does not free it and a reboot re-establishes the port being blocked.

Nonetheless....I'm a little at a loss on how to trouble shoot this further.

Warmest regards,
C HJT.txt
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
View Solution Only
iMonkey69

Author

Commented:
I'll update this as I have resolved the issue....thanks.
Dawaz

Commented:
Did you find the answer?
Commented:
I managed to resolve the issue. It took many types of utilities, but SpyHunter was the only one to catch it?  Not even ComboFix did away with it..

Thanks
iMonkey69

Author

Commented:
It was a matter of finding the right tool to detect this virus.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial