Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Terminal Server (Win 2003) trojan/bruteforce keeps coming back

  • Please log in to reply
1 reply to this topic

#1 PToms


  • Members
  • 4 posts
  • Local time:11:57 AM

Posted 15 July 2011 - 08:21 AM

We have a Windows 2003 server that is a Terminal Server for branch office and home/remote use. A month or so ago I got a warning from our ISP that somebody had detected remote desktop attempts from our IP address. I ran our virus scanner (Vipre Enterprise) and found nothing, didn't see anything unusual. That weekend, the "deep scan" found something it called "HackTool.Win32.BruteForce" in notepad.exe, "Packed.Win32.Upack(v)" in ippipi.exe, and "Trojan.Win32.Meredrop" in csrss.exe, all in the C:\Windows\system32\ras folder. It also found vnc.exe in that folder.

I looked at the folder and found this: bad.txt, config.ini, FAQ.txt, good.txt, 1321s.txt, 1321s.zip, IP.rar, IP.txt, ipippipi.txt, IPs.zip, libeay32.dll, lo.txt, msvcr71.dll, NEN.txt, p.txt, QTCore3.dll, QTGui4.dll, ras.zip, source.txt, ssleay32.dll, start.bat, vnc.exe, VNC_bypauth.txt, and Winlogo.zip. There was also a Winlogo folder containing: 2Winlogo.zip, Hookmsgina.dll, install.bat, jks.dat, On.reg, pass.txt, ReadLog.bat, readme.txt, Un.reg, Uninstall.bat, and wminotify.dll.

The ".txt" files are mostly either lists of IP addresses, or lists of logon names (admin and variants) and password guesses. Start.bat is hundreds of lines like: vnc.exe -i -p 3389 -cT -T 500" I could delete (I copied first) the entire thing except wminotify.dll.
Uninstall.bat says:
@del %systemroot%\system32\wminotify.dll
@del %systemroot%\system32\jks.dat
@regedit -s Un.reg
@echo Ѿж...

I ran it, and it said that wminotify.dll was 'access denied'. Since Un.reg was "[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wminotify]", I restarted the machine (at night, remotely), and ran unistall again. It said that jks.dat was not found. I thought it was unusual for malware to have an uninstall, but thought I got lucky (ever the blind optimist). A few days later, everything was back. It has reappeared several times, sometimes in the \Help\Tours folder, sometimes in \Dell\Drivers. I'm assuming there's something running in there that keeps putting it back, but the virus scanner can't find it. I'm not sure what else to try, as I suspect that many of the scanners/tools commonly used for this kind of thing aren't meant for servers.

Any suggestions would be greatly appreciated. I'll also need to know, if you suggest a tool to run, if it is background/reporting, or disruptive. If it's report only, I can do it anytime, if it's going to disrupt stuff (like combofix, where it cuts off network and shuts down processes, etc.), I obviously need to avoid doing that during the day.


BC AdBot (Login to Remove)


#2 Broni


    The Coolest BC Computer

  • BC Advisor
  • 42,771 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:57 AM

Posted 15 July 2011 - 12:02 PM

Welcome aboard Posted Image

With the information you have provided I believe you will need help from the malware removal team.
Please make sure that you read the information about getting started first.
Then start a new thread HERE and include or required logs.
Including a link to this thread will be helpful.

Good luck and be patient. Help is on the way!

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users