Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


2003 Server keeps getting trojan/bruteforce infection

  • This topic is locked This topic is locked
2 replies to this topic

#1 PToms


  • Members
  • 4 posts
  • Local time:10:16 PM

Posted 15 July 2011 - 01:06 PM

I originally posted here: Am I infected post and was referred here. I started there because I'm not sure I can do the prerequisites required for posting in this forum. DDS told me it wouldn't run on Server 2003, and when I tried to research whether GMER was safe on Server I found lots of references to blue screens. Also, can somebody tell me, if GMER is generally safe for Server use, is it JUST a scan? In other words, this is a live Terminal Server that half our firm uses all day, is it okay to run this during the day, or is it going to cut people off, stop processes, reset connections, etc? I've used GMER and DDS and TDSSKiller and Combofix and a bunch of other stuff on desktops, but this is my first server infection. So here's my problem, if there's something I can do that WILL work (safely) on a Windows Server 2003 machine, please let me know (Below is copied from the other post, if you already checked that link, you can skip the rest...)

We have a Windows 2003 server that is a Terminal Server for branch office and home/remote use. A month or so ago I got a warning from our ISP that somebody had detected remote desktop attempts from our IP address. I ran our virus scanner (Vipre Enterprise) and found nothing, didn't see anything unusual. That weekend, the "deep scan" found something it called "HackTool.Win32.BruteForce" in notepad.exe, "Packed.Win32.Upack(v)" in ippipi.exe, and "Trojan.Win32.Meredrop" in csrss.exe, all in the C:\Windows\system32\ras folder. It also found vnc.exe in that folder.

I looked at the folder and found this: bad.txt, config.ini, FAQ.txt, good.txt, 1321s.txt, 1321s.zip, IP.rar, IP.txt, ipippipi.txt, IPs.zip, libeay32.dll, lo.txt, msvcr71.dll, NEN.txt, p.txt, QTCore3.dll, QTGui4.dll, ras.zip, source.txt, ssleay32.dll, start.bat, vnc.exe, VNC_bypauth.txt, and Winlogo.zip. There was also a Winlogo folder containing: 2Winlogo.zip, Hookmsgina.dll, install.bat, jks.dat, On.reg, pass.txt, ReadLog.bat, readme.txt, Un.reg, Uninstall.bat, and wminotify.dll.

The ".txt" files are mostly either lists of IP addresses, or lists of logon names (admin and variants) and password guesses. Start.bat is hundreds of lines like: vnc.exe -i -p 3389 -cT -T 500" I could delete (I copied first) the entire thing except wminotify.dll.
Uninstall.bat says:
@del %systemroot%\system32\wminotify.dll
@del %systemroot%\system32\jks.dat
@regedit -s Un.reg
@echo Ѿж...

I ran it, and it said that wminotify.dll was 'access denied'. Since Un.reg was "[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wminotify]", I restarted the machine (at night, remotely), and ran unistall again. It said that jks.dat was not found. I thought it was unusual for malware to have an uninstall, but thought I got lucky (ever the blind optimist). A few days later, everything was back. It has reappeared several times, sometimes in the \Help\Tours folder, sometimes in \Dell\Drivers. I'm assuming there's something running in there that keeps putting it back, but the virus scanner can't find it. I'm not sure what else to try, as I suspect that many of the scanners/tools commonly used for this kind of thing aren't meant for servers.

Any suggestions would be greatly appreciated. I'll also need to know, if you suggest a tool to run, if it is background/reporting, or disruptive. If it's report only, I can do it anytime, if it's going to disrupt stuff (like combofix, where it cuts off network and shuts down processes, etc.), I obviously need to avoid doing that during the day.

Thanks! Especially if you actually read all of this!

BC AdBot (Login to Remove)


#2 PToms

  • Topic Starter

  • Members
  • 4 posts
  • Local time:10:16 PM

Posted 18 July 2011 - 06:29 PM

Never mind. Tried to connect yesterday, and couldn't. Checked the event logs remotely, and they were full of Windows File Protection warnings and errors and all kinds of other scary stuff, so I restarted, and it didn't come back up. Went in to the office and found "Cannot find NTLDR". Ended up pulling an all-nighter doing a format and reinstall from scratch, couldn't even get recovery console to load. Lost the logs and stuff, too, so I can't do any more research on what it might've been. Hope I never see anything like it again...

#3 Budapest


    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:12:16 PM

Posted 20 July 2011 - 05:02 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users