I have a customer where things have always been just a little off on their server. Poking around, I found a folder, c:\logs; in it are a few files. The file that has me most concerned is c:\logs\passwd.txt. It is somehow collecting user names and passwords. I just recently created a few new accounts and their user names and passwords were in there.
They have a second server (different domain), so I created a new password. From what I can tell, this item is only scanning this server.
A couple of other files I found: G2NDW, OTj, and qVR. From what I can tell, these are zero-byte files. I am attaching a screenshot.
I have run Malwarebytes, HijackThis, TDSSKiller, RootkitRevealer, and a few other things, and checked scheduled tasks. Nothing is jumping out at me. Does anyone have any ideas on other tools I can try to run, or a clue as to what this program is?