I think I found the culprit!
As the DLL was upx'ed (UPX 3.00) I ran a search for other upx'ed files and found one: C:\WINDOWS\SYSTEM32\fsusd32.dll
At every logon fsusd32.dll created C:\WINDOWS\TEMP\1EB725F9.dll; this DLL was killed using Unlocker (http://ccollomb.********/unlocker) as regsvr32 did not work. Great tool, btw, using a GUI to show/kill file locks.
Unlocker could not kill fsusd32.dll as this would result in a logout, since it is being loaded through winlogon.exe.
Then I used HijackThis to see if fsusd32.dll was being loaded, and it was:
O20 - Winlogon Notify: fsusd32 - C:\WINDOWS\SYSTEM32\fsusd32.dll
Removed it using HijackThis, rebooted and fsusd32.dll could be deleted
Hope this will do it....
I could only find 2 references to fsusd32.dll on Google; one link says it is: Trojan-Downloader.Win32.Adload.dq (10-2006, ASPacked)
So maybe it was not "used" that much, or this is an "update" (because of the UPX 3.00 packer instead of ASPack) and therefore is not recognized by any AV/Malware software?!
I still do not know how this server got infected, as updates are run asap, nothing was installed on it and it has only the necessary ports available.
I checked for references to changes using winlogon.exe and found them in setupapi.log, so I think it got installed on 2007/07/09...
I am keeping my fingers crossed