Loss of RDP via youngzsoft.com/cn

iMonkey69
Good day all. I have a strange occurrence and am seeking the Experts who know a way to work this out.

Recently a Windows 2003 lost RDP access from external or internal connections.
After some snooping I noticed that a telnet to 3389 produced a strange result:

+++º-²¦+¦+ú¼¦d+d-ú+++f+¦-¬-¦¦¦-= http://www.youngzsoft.com/cn/

CCProxy seems to be associated with the link, which is valid software....If you installed it??  We didn't.

So, scans produced a couple backdoor trojans and were cleaned but the problem persists.
Subsequent scans are clean.

So, I cannot see any programs relating to CCProxy or the like. I'm attaching a Hijack log for review.

Having said all that I DO know that the spoolsv.exe process seems to be the hijacked culprit. A netstat -no produces: <local server IP>:3389 being ESTABLISHED about 20 times with the PID that matches the spoolsv.exe.

However killing the process does not free it and a reboot re-establishes the port being blocked.

Nonetheless....I'm a little at a loss on how to troubleshoot this further.

Warmest regards,
C HJT.txt
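As an added triage example (not part of the original post or of any answer on it): the Python below reproduces, offline, the two checks the poster did by hand, namely which PID holds port 3389 in `netstat -ano` and whether that PID's image is the process that should own the RDP port, and it classifies what a service on 3389 sends back. The `netstat -ano` and `tasklist /svc` text, the PID 1532, the IP addresses and the banner bytes are all constructed for the example; the one real-world assumption is that on Windows 2003 the RDP listener (TermService) runs inside svchost.exe, so any other image on 3389, such as spoolsv.exe here, is the thing to investigate.

```python
import re

# Constructed sample of `netstat -ano` output in the Windows 2003 layout;
# PID 1532 and all addresses are made up for this example.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1532
  TCP    192.0.2.10:3389        198.51.100.7:49201     ESTABLISHED     1532
  TCP    192.0.2.10:3389        198.51.100.9:51133     ESTABLISHED     1532
  TCP    192.0.2.10:445         192.0.2.55:1044        ESTABLISHED     4
"""

# Constructed sample of `tasklist /svc` output (PID -> image and services).
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
spoolsv.exe                   1532 Spooler
svchost.exe                   1040 TermService
"""

# Constructed stand-in for the text the poster saw on connecting to 3389
# (the real reply had non-ASCII bytes in front of the URL).
BANNER_SAMPLE = b"+++ http://www.youngzsoft.com/cn/\r\n"

RDP_PORT = 3389
# On Windows 2003 the RDP listener (TermService) runs inside svchost.exe;
# any other image owning 3389 is worth a close look.
EXPECTED_RDP_IMAGES = {"svchost.exe"}

NETSTAT_TCP_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$")
TASKLIST_RE = re.compile(r"^(?P<image>\S+)\s+(?P<pid>\d+)(?:\s|$)")


def parse_netstat(text):
    """Return one dict per TCP row of `netstat -ano`; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_TCP_RE.match(line)
        if m:
            local = m.group("local")
            rows.append({"local": local,
                         # rsplit handles both 0.0.0.0:3389 and [::]:3389
                         "local_port": int(local.rsplit(":", 1)[1]),
                         "remote": m.group("remote"),
                         "state": m.group("state"),
                         "pid": int(m.group("pid"))})
    return rows


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist /svc` output."""
    pid_to_image = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            pid_to_image[int(m.group("pid"))] = m.group("image")
    return pid_to_image


def find_port_owners(netstat_text, tasklist_text, port=RDP_PORT):
    """Join both outputs: each PID holding `port`, its image, its socket
    states, and whether that image is one that should own the RDP port."""
    pid_to_image = parse_tasklist(tasklist_text)
    owners = {}
    for row in parse_netstat(netstat_text):
        if row["local_port"] != port:
            continue
        entry = owners.setdefault(row["pid"], {
            "pid": row["pid"],
            "image": pid_to_image.get(row["pid"], "<unknown>"),
            "states": []})
        entry["states"].append(row["state"])
    for entry in owners.values():
        entry["suspicious"] = entry["image"].lower() not in EXPECTED_RDP_IMAGES
    return sorted(owners.values(), key=lambda e: e["pid"])


def classify_3389_reply(reply):
    """Classify the first bytes a service on 3389 sends back.

    A real RDP listener is silent until the client sends an X.224 Connection
    Request, and its answer is a TPKT frame whose first byte is 0x03.
    Readable text carrying a URL, as in the post, means some other program
    (here a proxy) has taken the port."""
    if not reply:
        return "silent"
    if reply[:1] == b"\x03":
        return "rdp-tpkt"
    if re.search(rb"https?://", reply):
        return "foreign-banner"
    return "unknown"
```

On a live box, save the output of `netstat -ano` and `tasklist /svc` to files and pass their contents to `find_port_owners`; the join is the same one the poster did by eye, but it also shows whether the suspect PID is merely holding established sessions or is the actual LISTENING socket, which tells you the port was taken at service start rather than after the fact (consistent with the reboot re-establishing the block). The `suspicious` flag is only meaningful for the RDP port because the expected-image set is RDP-specific.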

Author

Commented:
I'll update this as I have resolved the issue....thanks.

Commented:
Did you find the answer?
I managed to resolve the issue. It took many types of utilities, but SpyHunter was the only one to catch it? Not even ComboFix did away with it.

Thanks

Author

Commented:
It was a matter of finding the right tool to detect this virus.
