Need Help Removing Trojan.0Access From a Server 2003 Terminal Server

Hi Folks,

Long-time reader, first-time registered, and unfortunately requiring your help. I am the sysadmin for a company (been doing this almost 10 years now) and I am fairly proactive in my approach; any time there has been a problem in the past I have been able to fix it myself. Yesterday, about 15 minutes after close of business, our Trend Micro A/V detected 2 attempted infections of Mal_Xin12 inside c:\Recyclers within randomized subfolders. Being suspicious, I connected to the server remotely and checked that folder, which was full of folders that are hidden and read-only (read-only being greyed out to me, so I cannot change it). This is a server at a business and since a lot of users connect inside the office using terminal services

I ran Malwarebytes straight away and it came back with the following.

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.22.03

Windows Server 2003 Service Pack 2 x64 NTFS

Internet Explorer 8.0.6001.18702

-REDACTED-

22/11/2012 8:53:51 PM

mbam-log-2012-11-22 (20-53-51).txt

Scan type: Full scan (C:\|W:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 2630875

Time elapsed: 1 hour(s), 57 minute(s), 28 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\RECYCLER\S-1-5-21-2325178024-1148597956-3244452826-1165\$3d7ca3209989d09805bd02795e88b5e0\n (Trojan.0Access) -> Quarantined and deleted successfully.

(end)

I let it clean and reboot the system. I am now waiting on a second Malwarebytes scan to finish, but from googling this infection I am fairly worried that I will not be rid of it so easily, which is why I am posting here in anticipation of ongoing problems.

Really, while I wait for the second scan to complete, I just wanted to ask for some help on what to do next if the system is still infected (which I suspect it will be), and, if I need to post HijackThis logs etc., what information I will need to redact to guarantee the privacy and security of the system here while trying to fix it.

Any help people can provide will be greatly appreciated.

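Added example, not code from the post above and not a Malwarebytes tool: a small Python 3.7+ triage script that walks a RECYCLER tree looking for the layout shown in the detection line, a per-user SID folder containing a "$" plus 32-hex-character folder with a file named "n", and reports each hit's NTFS hidden/read-only attributes, its directory listing, the SHA-256 of "n" (for cross-checking with the AV vendor) and, on Windows, the DACL as printed by cacls. The naming patterns are taken from the one path in the log; the sample tree the script can build for itself, including its SID and payload bytes, is constructed for the demonstration, and the generalization to other SIDs and other "$<hex>" folders is mine. On a non-Windows host the attribute and ACL fields come back as None.

```python
"""Triage scan of a Windows RECYCLER tree for drop folders shaped like
<SID folder>\\$<32 hex chars>\\n, the layout in the MBAM detection line.
Added example; not from the original post or from Malwarebytes.
Windows itself names recycled items in RECYCLER with a D<drive><n>
prefix plus an INFO2 index, so a '$'+32-hex folder is not a normal entry.
"""
import hashlib
import os
import re
import stat
import subprocess
import sys
import tempfile

SID_DIR = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")
DROP_DIR = re.compile(r"^\$[0-9a-f]{32}$", re.IGNORECASE)

# Constructed sample payload used only by build_sample_tree(); not a real 'n'.
SAMPLE_PAYLOAD = b"constructed sample, not the real 'n' file\n"


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large payloads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def ntfs_attrs(path):
    """(hidden, readonly) from NTFS attributes; (None, None) off Windows."""
    attrs = getattr(os.lstat(path), "st_file_attributes", None)
    if attrs is None:
        return None, None
    return (bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
            bool(attrs & stat.FILE_ATTRIBUTE_READONLY))


def acl_text(path):
    """Raw DACL as printed by cacls (shipped with Server 2003); None elsewhere."""
    if os.name != "nt":
        return None
    out = subprocess.run(["cacls", path], capture_output=True, text=True)
    return out.stdout + out.stderr


def scan_recycler(root):
    """Return one record per '$<32hex>' folder directly under a SID folder."""
    findings = []
    if not os.path.isdir(root):
        return findings
    for sid in sorted(os.listdir(root)):
        sid_path = os.path.join(root, sid)
        if not os.path.isdir(sid_path):
            continue
        for name in sorted(os.listdir(sid_path)):
            drop = os.path.join(sid_path, name)
            if not (os.path.isdir(drop) and DROP_DIR.match(name)):
                continue
            hidden, readonly = ntfs_attrs(drop)
            payload = os.path.join(drop, "n")
            has_n = os.path.isfile(payload)
            findings.append({
                "sid": sid,
                "sid_looks_valid": bool(SID_DIR.match(sid)),
                "folder": drop,
                "hidden": hidden,
                "readonly": readonly,
                "entries": sorted(os.listdir(drop)),
                "has_n": has_n,
                "n_sha256": sha256_file(payload) if has_n else None,
                "acl": acl_text(drop),
            })
    return findings


def build_sample_tree(base=None):
    """Build a constructed RECYCLER tree: one normal recycled item, one decoy
    folder that does not match the pattern, and one drop folder that does."""
    base = base or tempfile.mkdtemp(prefix="recycler_demo_")
    sid = "S-1-5-21-1000000000-2000000000-3000000000-1001"  # constructed SID
    sid_path = os.path.join(base, "RECYCLER", sid)
    os.makedirs(sid_path, exist_ok=True)
    with open(os.path.join(sid_path, "Dc1.txt"), "wb") as f:  # normal entry
        f.write(b"user file that was deleted\n")
    with open(os.path.join(sid_path, "INFO2"), "wb") as f:    # recycle index
        f.write(b"\x05\x00\x00\x00")
    os.makedirs(os.path.join(sid_path, "$notahash"), exist_ok=True)  # decoy
    drop = os.path.join(sid_path, "$" + "ab" * 16)  # '$' + 32 hex chars
    os.makedirs(drop, exist_ok=True)
    with open(os.path.join(drop, "n"), "wb") as f:
        f.write(SAMPLE_PAYLOAD)
    return os.path.join(base, "RECYCLER")


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\RECYCLER"
    for rec in scan_recycler(root):
        print("{folder}  hidden={hidden} readonly={readonly} "
              "has_n={has_n} sha256={n_sha256}".format(**rec))
        if rec["acl"]:
            print(rec["acl"])
```

Run it as `python recycler_triage.py C:\RECYCLER` from an elevated prompt on the server, or with no argument for the same default path. Two caveats for reading the output: Explorer shows the Read-only box greyed or filled for every folder, because folders do not use that attribute the way files do, so a greyed Read-only box is not by itself evidence of tampering; what matters is the DACL that cacls prints, which is also what decides whether the folder can be listed or deleted. And the script only reports; it changes nothing, so it is safe to run before deciding whether to clean or to rebuild the server.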

As this is a business system please contact business support.

In order to assist you better please provide the following information when contacting Business Support.

Cleverbridge Order Reference Number:

Organization name:

Approved Contact name:

If you no longer have access to the order number you can contact Cleverbridge to obtain information about your order.

Cleverbridge customer service

Thank you

