Malware\Hacking tool on server

I recently took on a client that has 5 workstations and one server. Of course they had no antivirus on their server, and when I logged onto the server using the administrative logon I found a hacking program running on the server. The program was called FRDPB v1.1.2, and the site it showed on the bottom of the program was. I followed the link and it was a Russian site, but I couldn't read Russian. Anyway, I used Malwarebytes to remove the virus\hack tool, but the next day it was back on the server; my mistake, I didn't change the admin password after removal. I now have the password changed, but I want to make sure this "tool" has been removed and to make sure the server is secure.

Unfortunately the server isn't configured as a domain controller, but it does control their workgroup. Also, when I go to log onto the server there are 5 users listed on the startup screen: Station 1, Station 2, Station 3, Guest, and Administrator. Now, I don't know if this is what I am supposed to see when I go to log on to a 2008 workgroup server, but I think it is odd; also, those users are not listed in the Users section of Control Panel.

I know I have been long-winded, but I wanted to describe the problem so you have some history. I would like to know, first, how to get rid of this program and, second, how to secure this server. I have loaded Trend Micro Worry-Free Standard onto the server; however, it didn't seem to stop the hack tool.

Below is the log from HijackThis, and there are quite a few items I am unsure about.

Running processes:
C:\Program Files (x86)\TeamViewer\Version6\TeamViewer.exe
C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe
C:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\Apache2\bin\ApacheMonitor.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1165\6.6.1081\TmIEPlg32.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - Global Startup: Monitor Apache Servers.lnk = Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O15 - ESC Trusted Zone:
O15 - ESC Trusted IP range:
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC44} (Encrypt Class) - https://atlas-jd:4343/SMB/console/html/root/
O16 - DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBEDCC} (Security Server Management Console) - https://atlas-jd:4343/SMB/console/html/root/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1165\6.6.1081\TmIEPlg32.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Unknown owner - C:\Windows\system32\AEADISRV.EXE (file missing)
O23 - Service: Application Services2 (AeLookupsrc2) - Youngzsoft - C:\Windows\system32\dri2\svchost.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Trend Micro Solution Platform (Amsp) - Trend Micro Inc. - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
O23 - Service: Apache2 - Apache Software Foundation - c:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\Apache2\bin\Apache.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\AMT\LMS.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Trend Micro Security Server Master Service (ofcservice) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\web\service\ofcservice.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%Systemroot%\system32\rqs.exe,-200 (rqs) - Unknown owner - C:\Windows\system32\rqs.exe (file missing)
O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: Trend Micro Smart Scan Service (TMiCRCScanService) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\WSS\iCRCService.exe
O23 - Service: Trend Micro Security Agent Communicator (TmListen) - Trend Micro Inc. - C:\Program Files\Trend Micro\Security Agent\tmlisten.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

End of file - 7083 bytes

Thank You
Tim (Sr. System Admin) asked:
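Looking at the O23 lines in the log above, one entry stands out: a service named "Application Services2" with publisher "Youngzsoft" whose image is C:\Windows\system32\dri2\svchost.exe. The real svchost.exe only ever runs from System32 (or SysWOW64 on x64), so a copy in a subfolder, claimed by a non-Microsoft publisher, deserves a close look. As an added example that is not part of the original post, the PowerShell below parses O23 lines and flags exactly that pattern. The sample lines are copied from the log; the lists of system image names and system directories are my own assumptions. It deliberately ignores "(file missing)", which on 64-bit Windows is a HijackThis reporting artefact (as phototropic notes later in the thread).

```powershell
# Added example, not from the thread: triage the O23 (service) lines of a
# HijackThis log for binaries that masquerade as Windows system images.
# Sample lines are copied from the posted log; the two lists below are assumptions.

$hjtLog = @'
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Unknown owner - C:\Windows\system32\AEADISRV.EXE (file missing)
O23 - Service: Application Services2 (AeLookupsrc2) - Youngzsoft - C:\Windows\system32\dri2\svchost.exe
O23 - Service: Trend Micro Solution Platform (Amsp) - Trend Micro Inc. - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
O23 - Service: Apache2 - Apache Software Foundation - c:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\Apache2\bin\Apache.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
'@

# Image names Windows itself only runs from System32 (or SysWOW64 on x64).
# Paths are hard-coded to the logged machine's C:\Windows, not to this host.
$systemImages = 'svchost.exe', 'lsass.exe', 'services.exe', 'csrss.exe',
                'winlogon.exe', 'spoolsv.exe'
$systemDirs   = 'C:\Windows\System32', 'C:\Windows\SysWOW64'

# O23 - Service: <display> (<name>) - <vendor> - <path> [(file missing)]
# The "(<name>)" part is optional: some entries (e.g. Apache2) omit it.
$o23 = '^O23 - Service: (?<display>.+?)(?: \((?<name>[^()]+)\))? - (?<vendor>.+?) - (?<path>[A-Za-z]:\\.+?)(?<missing> \(file missing\))?$'

function Get-SuspiciousService {
    param([string]$Log)
    foreach ($line in $Log -split "`r?`n") {
        $line = $line.TrimEnd()
        if (-not ($line -match $o23)) { continue }

        $path    = $Matches['path']
        $vendor  = $Matches['vendor']
        $image   = [System.IO.Path]::GetFileName($path)
        $dir     = [System.IO.Path]::GetDirectoryName($path)
        $reasons = @()

        if ($systemImages -contains $image) {
            # 1. A system image name living anywhere but System32/SysWOW64
            #    (string comparison is case-insensitive in PowerShell).
            if ($systemDirs -notcontains $dir) {
                $reasons += "system image '$image' outside System32/SysWOW64"
            }
            # 2. A publisher other than Microsoft claiming a system image.
            #    HijackThis prints 'Unknown owner' for genuine Windows services
            #    on x64, so that value is not treated as suspicious.
            if ($vendor -ne 'Microsoft Corporation' -and $vendor -ne 'Unknown owner') {
                $reasons += "non-Microsoft publisher '$vendor' for system image '$image'"
            }
        }
        # '(file missing)' is ignored on purpose: on 64-bit Windows it is a
        # HijackThis reporting artefact, not evidence of tampering.

        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Service = $Matches['name']
                Path    = $path
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousService -Log $hjtLog | Select-Object Service, Path, Reasons | Format-List
```

Run against the sample, only the AeLookupsrc2 entry is reported, for both reasons. Paste the full O23 section of a real log into the here-string to triage it the same way; anything flagged should be checked with the service's binary hashed and its creation time compared against the Security log.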
Hi tparus,
As far as the tool goes, frdpb is a brute-force tool for Remote Desktop.

There are 3 items used in this attack:

1.) frdpb (RDP Bruteforce tool)
2.) RDP.nse (Nmap port scanner script w/Nmap of course)
3.) A batch file to help automate the scanning for vulnerable hosts.

I received a copy of this tool along with instructions on how to use it. The reason I am explaining this is so you have an understanding of how this person gained access to your server.

Analysis of the tool shows it connects to the normal RDP port, 3389, and begins its attack with a dictionary file of passwords and usernames it wishes to try. I believe you had a weak password set on the server, or it was easily guessable. I also have the password list used by the tool itself, obtained through thorough investigation.

It also appears the tool is no longer being hosted from that site, and the site is no longer a distribution site, just a file hosting server.

If you wish to protect your server from such attacks, you can block remote access to port 3389 for all remote users, filter the incoming requests so that only certain domain/IP addresses are accepted, or disable RDP altogether. You have already changed your password, which was an excellent step towards protecting your server. Make sure your password has at least 2 uppercase letters, 2 numeric digits, 2 special characters, and a length of at least 12 characters. This should help against brute-force attacks like this, as it would take them years just to guess it.

@Greg_Hejl Hi,
Safe mode has not been a good suggestion for a while now, because, for one, the Malwarebytes scanner is designed to be run in normal mode, and safe mode disables portions of the scanner itself. Only suggest safe mode when a user cannot get access through normal mode. Most removal tools are designed this way, and safe mode is just not the right solution for the safety of the user and a better removal experience. There is another caveat for this as well. If the malware is destructive malware, it is suggested not to run the system at all and either remove the drive and disinfect it using an operating system that can mount the drive separately but not run the files on the file system, or use a live CD that can mount the drive and scan/remove the offending malware.

Getting back to the safe mode topic: if running the tool fails in normal mode, it needs to be renamed and then run again, as some malware detect the window name and kill the process. So it is very important to know how the tool works to make the best solution possible.

Much respect, Russell
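The controls Russell lists (restrict or disable RDP, stronger passwords) and the unexplained accounts on the logon screen from the question can all be handled from one elevated PowerShell session on the server. The script below is an added example, not part of Russell's answer or the original thread. It assumes PowerShell 2.0 is installed on the Windows Server 2008 host, that you run it elevated, and that 203.0.113.0/24 stands in for whatever management or VPN range legitimately needs RDP. The built-in firewall rule name "Remote Desktop (TCP-In)" and the RDP-Tcp registry values are the standard ones on 2008. Note that the HijackThis log also shows TeamViewer and LogMeIn services running, so locking down 3389 alone does not close every remote-access path into this box.

```powershell
# Added example, not from the thread: lock down RDP on a standalone Windows
# Server 2008 host after an RDP brute-force, then see who was guessing.
# Assumptions: PowerShell 2.0, elevated prompt, and that 203.0.113.0/24 is the
# only range that should reach RDP (replace with your real admin/VPN range).
$adminRange = '203.0.113.0/24'   # assumed value

# 1. Local accounts. The Server edition's Control Panel applet does not list
#    them; this (or lusrmgr.msc) does. Disable, rather than delete, anything
#    you do not recognise so its SID, profile and event-log trail survive.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$computer.Children |
    Where-Object { $_.SchemaClassName -eq 'user' } |
    ForEach-Object {
        $flags = $_.UserFlags.Value
        New-Object PSObject -Property @{
            Name             = $_.Name
            Disabled         = [bool]($flags -band 0x0002)   # ADS_UF_ACCOUNTDISABLED
            PasswordNeverExp = [bool]($flags -band 0x10000)  # ADS_UF_DONT_EXPIRE_PASSWD
        }
    } | Format-Table Name, Disabled, PasswordNeverExp -AutoSize
net user Guest /active:no

# 2. Account lockout: a dictionary run stalls after five bad guesses for 30 min.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 3. Host firewall on, and the built-in RDP allow rule narrowed from "any" to
#    the management range. To disable RDP entirely instead, use
#    netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no
netsh advfirewall set allprofiles state on
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=$adminRange

# 4. Require Network Level Authentication and TLS so a client must
#    authenticate before it ever sees a logon screen.
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1
Set-ItemProperty -Path $rdp -Name SecurityLayer      -Value 2

# 5. Who was guessing? Failed logons are Security event 4625; the source
#    address is the IpAddress field in the event data ("-" for local logons).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object -Property Count, Name -First 10
```

Step 5 is the verification for the rest: after the firewall change, the top source addresses in 4625 events should stop growing, and any address still appearing is either inside your allowed range or reaching the box some other way (TeamViewer, LogMeIn, or a second allow rule for 3389 that `netsh advfirewall firewall show rule name=all dir=in` will reveal).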
When you ran this scan, did you have Internet Explorer running in the background? I only ask because I have run into a couple of infections lately that were causing Internet Explorer to run in the background, and I notice two instances running in this scan.

Have you run a full virus scan with an antivirus tool of your choice? Trend Micro and McAfee both have online versions that you can scan the system with for free.

I've also started running TDSSKiller on all the boxes that I suspect may have some sort of infection.
Tim (Sr. System Admin, Author) commented:
As for your first question, I don't believe I was running IE; however, I might have had it open to this site when I ran HijackThis.

I ran a full scan with Malwarebytes and it found nothing. However, when I first discovered this program running, it found a bunch of Trojans and malware, but those were removed. When I logged on today and saw that program running again, I ended the program, deleted the user it had created, then ran that program again and it found nothing. When I ran Trend Micro it found a few Trojans and cleaned them. When I ran TDSSKiller it found nothing as well.

One other thing I am having problems with is Windows Update; it will not update. I have run a script to register the DLLs and restart the services, but it still won't update. When I look at the HijackThis log there are a lot of entries where the files are missing; what needs to be done about those?

What error messages are you getting when trying to run windows update?
Tim (Sr. System Admin, Author) commented:
I get two errors. When I run Update it says it has 5 updates to install and starts with KB2616676, which gets error code 80070426; then it tries to install IE9 and gets error code C355. After those two updates fail, it tells me that all 5 updates have failed. I don't know if this has anything to do with it, but I was able to install Service Pack 1, and after that I started encountering errors. It was after the installation of SP1 that I discovered this hacking tool and removed it, so I think all these problems are related to the removal of the Trojan(s).
Greg Hejl (Principal Consultant) commented:
Malwarebytes has to be run in safe mode to remove all traces of malware.
Can you check and see if the Cryptographic Services service is running when you are trying to run the updates? If not, start it and then run updates.
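The suggestion above is the right first check, and the error code points the same way: 80070426 is Win32 error 1062, ERROR_SERVICE_NOT_ACTIVE ("The service has not been started"). Rather than checking Cryptographic Services alone, the added example below (my code, not from the thread) lists the state and start mode of every service Windows Update depends on and, because this box had a rogue svchost.exe, also verifies where each service's image actually lives. The list of services is my own choice; it assumes PowerShell 2.0 on the server and an elevated prompt.

```powershell
# Added example, not from the thread: check the services Windows Update depends
# on before retrying the failed updates. 80070426 = Win32 error 1062,
# ERROR_SERVICE_NOT_ACTIVE, so a stopped or disabled dependency is suspect #1.
# Service list is an assumption; needs PowerShell 2.0 and an elevated prompt.
$needed = 'wuauserv', 'cryptsvc', 'bits', 'EventLog', 'TrustedInstaller'
$filter = ($needed | ForEach-Object { "Name='$_'" }) -join ' OR '

Get-WmiObject Win32_Service -Filter $filter |
    ForEach-Object {
        # Strip quotes and arguments from the image path, e.g.
        # 'C:\Windows\system32\svchost.exe -k netsvcs' -> 'C:\Windows\system32\svchost.exe'
        $image = $_.PathName -replace '^"?([^"]+?\.exe).*$', '$1'
        $leaf  = [System.IO.Path]::GetFileName($image)
        # The genuine svchost.exe lives only in System32; any other Windows
        # Update dependency should at least sit under %SystemRoot%.
        $suspect = if ($leaf -ieq 'svchost.exe') {
            $image -ine "$env:SystemRoot\System32\svchost.exe"
        } else {
            -not $image.StartsWith("$env:SystemRoot\", [StringComparison]::OrdinalIgnoreCase)
        }
        New-Object PSObject -Property @{
            Name = $_.Name; State = $_.State; StartMode = $_.StartMode
            Image = $image; Suspect = $suspect
        }
    } | Format-Table Name, State, StartMode, Suspect, Image -AutoSize

# Re-enable anything disabled, then start the ones Windows Update needs up
# front. TrustedInstaller is started on demand by the update process itself.
foreach ($name in $needed) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($svc.StartMode -eq 'Disabled') { Set-Service -Name $name -StartupType Manual }
    if ($name -ne 'TrustedInstaller' -and $svc.State -ne 'Running') { Start-Service -Name $name }
}
```

If a row shows Suspect = True, stop there: the service binary has been replaced or redirected, and starting it will run whatever the intruder left behind. Only when every image is where it belongs and every service is Running is it worth retrying the updates.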
There is a long-running post about the safe mode debate:

Basically, running scans in safe mode (along with boot-disk AVs and HDD slaving) is no longer as effective as it once was. It is far more effective to run a scan on the PC when the rogue processes are running.
Thanks phototropic! Didn't know the links.  :)
Greg Hejl (Principal Consultant) commented:
Thanks for the link, phototropic. I have started running MBAM in safe mode because the last two viruses I have battled did not allow MBAM to install or run when not in safe mode... I have had better success with ComboFix.
Tim (Sr. System Admin, Author) commented:
Well, it looks like the virus/hack tool is no longer running, so that is good; however, can someone look at the HijackThis file I posted? It shows a bunch of missing files that are system files, and I still cannot update the server. Thanks for all the suggestions and info on the hack tool that was on this server.

Weak passwords are always asking for trouble. I'm glad I took this client on when I did; otherwise they would have many more problems. It's amazing how companies ignore common security practices for computers and fail to realize the importance of these machines to their organization.
Greg Hejl (Principal Consultant) commented:
sfc /scannow will fix those.

You need the OS disk.

It's OK. The "file missing" report is HijackThis attempting to deal with a 64-bit OS. If you are running 64-bit, just ignore the "file missing" O23 entries.

Here is a great article about this issue:
Tim (Sr. System Admin, Author) commented:
Will this solution work on a Windows 2008 server, since it mostly talks about Windows XP?
Like I said, if you are running a 64-bit OS, you can safely ignore all those O23 "file missing" entries in the HJT log. It's a bug in HJT. You do not need to run sfc /scannow.