Hidden.exe and scan1000.exe

Hello again,

My Symantec AV program has detected two files that it thinks are Hacker Tools or Trojans. The files are Hidden.exe and Scan1000.exe. Both files are located in the directory created by Microsoft Security Patch KB823559. I can not move, quarantine or delete these 2 files.

This is a web server, so I expect some network activity, but I am receiving close to 10,000 packets per minute. The light on my switch port is solid, indicating the traffic is almost constant. I have another webserver/email gateway that barely gets any traffic.

Spybot did not detect these files as malicious.

Any thoughts are greatly appreciated!!

 

you have been hacked,

and you are being used as a scan str0

 

well, you are hacked.... hidden.exe = a program to hide a program. and scan1000.exe = a scanprog for scanning the internet.

Most of the time hackers come inside by:
MsSQL, MySQL, Radmin, Remote Anything.

But also other things can be opend.


when you want some help, i can give you

 

.... or pm me, now registerd

 

i suggest trying tds3 anti trojan.



Download the trial version of TDS-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/tds3setup.exe
Install it, but do not launch it yet

Update it: right click the link below, select "save as"
http://www.diamondcs.com.au/tds/radius.td3

Save it to the directory where you installed TDS-3, overwriting the previous radius.td3 if prompted.

Then launch tds-3. In the top bar of TDS window click System Testing> Full System Scan.
Detections will appear in the lower pane of TDS window. After the scan is finished ( it'll take a while ) right click the list > select delete! Delete everything labelled positive identification

if you get any files detected as suspicious , please post the scanlog of tds, to save right click the alert pane> select save as txt, it will save as scandump.txt to the folder where you installed tds
we'd like to see whats going on there, we'd also like to retrieve all possible unknown/undetected nasties...

 

Well,

Things just continue to get interesting. I was able to boot into safe mode and delete these files. I had to give myself full permissions to the files and I was able to delete them in safe mode.

My Symantec AV program and the scan from TrendMicro's website showed a clean system. All is right witht he world.... or so he thought....

My Windows 2000 server "appears" to be clean, but I noticed a "nbthlp" service listed in the Services applet. It says to start automatically, but it did not. It points to C:\winnt\system32\nbthlp.exe, but there is no file there.

I tried the Attrib command from a DOS box, but it came back with no file by that name. Perhaps the hidden.exe program has hidden this file.

I looked in the registry and found a couple of entries referencing nbthlp.exe and was able to delete these. Upon reboot, the service is no longer listed. However, there were other references to nbthlp (no .exe extension) and these I could not delete.

Does the TDS-3 program work on Windows 2000 Advanced Server and/or Windows Server 2003?

Thanks,