Potential RDP Malware/trojan/rootkit tsp*.tmp file


No replies to this topic

#1 pavman

Posted 21 March 2018 - 07:56 PM

I usually use my home desktop computer to rdp into my laptop when I'm at home so I don't have to work with a different keyboard and mouse.

 

I recently hooked my laptop up to the network via ethernet and was creating a new rdp profile for it, when I noticed the following in the mui (recents) list:

 

  • MySession
  • Someothersession
  • tsp4958.tmp
  • tsp13C.tmp
  • tsp2D58.tmp
  • tsp...

You get the idea.  I have removed a number of these from the list, but they keep showing up.  When I click on one, windows pops up with: Invalid connection file (C:\users\USER\appdata\local\temp\tsp4958.tmp) specified

 

I looked in the directory and none of these files exist (I have my explorer settings set to show all, os, and hidden files, etc).

 

I searched my registry, but when I go into HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client, I only see the sessions I normally connect to or my known rdp file names and can't find the MUI list where these are displayed.

I decided to create an account here since I cannot find anything about these temp files online and I don't use anything like bitvise tunnelier which might lead to temporary rdp files showing up in the MUI list (not sure if it does).  I do have Real VNC client I use for a mac on the same network, but that's not RDP-related.  I occasionally run mstsc.exe directly when not using an rdp file, but pinned the rdp exe to the desktop to use more convenient resolutions.

Anyone have any idea what these files might be, what might be creating them, etc?  I'm attaching a screenshot of mui I see in the submenu for the rdp icon on my task bar.

 

Hopefully someone here can help me determine:

  1. What may be causing these temp rdp session files
  2. If I have a major security breach (e.g. rootkit, malware, trojan).  I did a quick scan w/ Comodo AV, but didn't find anything relevant to virus or security threat.

This is on windows 7 with Comodo, so hopefully this is the right forum.  Feel free to move it to some place more useful if that is not the case.

Edited by hamluis, 22 March 2018 - 04:11 AM.
Moved from Win 7 to Am I Infected - Hamluis.

