you should check all your Load Points ... registry run keys, startup group, autoexec.bat, task scheduler, etc...
On Tue, Aug 16, 2011 at 10:26 AM, James Rankin <kz2...@googlemail.com> wrote:
> Well, more weirdness.
>
> On a whim, I deleted all of the files out of the
> %windir%\serviceprofiles\LocalSystem\AppData directory - not that any looked
> out of the ordinary - and now when I restart the server, the message I was
> getting has stopped happening. I couldn't find any reference to the
> directory or any files in it in a Process Monitor boot log. I feel
> *slightly* better that the message has gone away - but not really much,
> because it seems like some kind of infection, or attempted infection, has
> crawled under the radar.
>
> I might take one of these systems out and run a full scan from an
> alternative OS as suggested, but I hate the nagging feeling that something
> has gotten away without being fully understood. I'm hoping my strategy of AV
> + whitelisting hasn't led to any compromise, but I'm still wondering whether
> I should initiate a full rebuild of the server farm.
>
> Anyway thanks for all the suggestions,
>
> On 16 August 2011 13:34, Crawford, Scott <crawfo...@evangel.edu> wrote:
>
>> sounds rootkit-ish. MS has a boot cd to run Security Essentials.
>>
>> Sent from my Palm Pre on the Now Network from Sprint
>>
>> ------------------------------
>> On Aug 16, 2011 7:19 AM, James Rankin <kz2...@googlemail.com> wrote:
>>
>> Yes, but I don't have much faith in the AV software of choice (Trend).
>> According to it, everything is hunky-dory. MalwareBytes didn't detect
>> anything on a full scan either. I'm pulling up some Process Monitor logs now
>> to see if there are any needles in that haystack.
>>
>> On 16 August 2011 13:09, Erik Goldoff <egold...@gmail.com> wrote:
>>
>>> have you already checked your AV quarantine for the presence of these
>>> DLLs, or at least the detection/risk log to see if *that* is why they're
>>> gone before you can get to them ?
>>>
>>> On Tue, Aug 16, 2011 at 6:41 AM, James Rankin <kz2...@googlemail.com> wrote:
>>>
>>>> I've just got back from my holidays so I'm probably still not thinking
>>>> straight....but has anyone noticed dll files with random names that appear
>>>> in *c:\windows\serviceprofiles\localservice\appdata\local\temp* when a
>>>> 2008 R2 server boots up? By the time I get to checking for them, they are
>>>> gone. The reason I know they are there is because my whitelisting
>>>> application doesn't allow executable content to have its ownership
>>>> overwritten, and when the servers boot up, they are logging an event
>>>> regarding an attempted ownership overwrite
>>>>
>>>> *AppSense Application Manager intercepted the overwrite of the allowed
>>>> executable 'c:\windows\serviceprofiles\localservice\appdata\local\temp\
>>>> random_8_character_filename.dll' on 'servername'. Ownership of this
>>>> file was changed to that of the user*
>>>>
>>>> I've never noticed this happening before, and the randomised filename
>>>> screams "malware" at me - but I have scanned the system with Trend and
>>>> MalwareBytes, and can find no trace of any infection. By the time I dig
>>>> into the folder to check, there's nothing there. Does anyone have any idea
>>>> why these files would be appearing at boot time? My next step is to break
>>>> out a bit of Process Monitor, but I'm just wondering if I am barking up a
>>>> false positive tree here.
>>>>
>>>> TIA,
>>>>
>>>> JRR
>>>>
>>>> --
>>>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
>>>> into the machine wrong figures, will the right answers come out?' I am not
>>>> able rightly to apprehend the kind of confusion of ideas that could provoke
>>>> such a question."
>>>>
>>>> ****** IMPORTANT INFORMATION/DISCLAIMER *****
>>>>
>>>> This document should be read only by those persons to whom it is
>>>> addressed. If you have received this message it was obviously addressed to
>>>> you and therefore you can read it, even if we didn't mean to send it to
>>>> you. However, if the contents of this email make no sense whatsoever then
>>>> you probably were not the intended recipient, or, alternatively, you are a
>>>> mindless cretin; either way, you should immediately kill yourself and
>>>> destroy your computer (not necessarily in that order). Once you have taken
>>>> this action, please contact us.. no, sorry, you can't use your computer,
>>>> because you just destroyed it, and possibly also committed suicide
>>>> afterwards, but I am starting to digress......
>>>>
>>>> The originator of this email is not liable for the transmission of the
>>>> information contained in this communication. Or are they? Either way it's a
>>>> pretty dull legal query and frankly one I'm not going to dwell on. But
>>>> should you have nothing better to do, please feel free to ruminate on it,
>>>> and please pass on any concrete conclusions should you find them. However,
>>>> if you pass them on via email, be sure to include a disclaimer regarding
>>>> liability for transmission.
>>>>
>>>> In the event that the originator did not send this email to you, then
>>>> please return it to us and attach a scanned-in picture of your mother's
>>>> brother's wife wearing nothing but a kangaroo suit, and we will immediately
>>>> refund you exactly half of what you paid for the can of Whiskas you bought
>>>> when you went to Pets At Home yesterday.
>>>>
>>>> We take no responsibility for non-receipt of this email because we are
>>>> running Exchange 5.5 and everyone knows how glitchy that can be. In the
>>>> event that you do get this message then please note that we take no
>>>> responsibility for that either. Nor will we accept any liability, tacit or
>>>> implied, for any damage you may or may not incur as a result of receiving,
>>>> or not, as the case may be, from time to time, notwithstanding all
>>>> liabilities implied or otherwise, ummm, hell, where was I...umm, no matter
>>>> what happens, it is NOT, and NEVER WILL BE, OUR FAULT!
>>>>
>>>> The comments and opinions expressed herein are my own and NOT those of
>>>> my employer, who, if he knew I was sending emails and surfing the seamier
>>>> side of the Internet, would cut off my manhood and feed it to me for
>>>> afternoon tea.
>>>>
>>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>>
>>>> ---
>>>> To manage subscriptions click here:
>>>> http://lyris.sunbelt-software.com/read/my_forums/
>>>> or send an email to listmana...@lyris.sunbeltsoftware.com
>>>> with the body: unsubscribe ntsysadmin
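The reply at the top of this thread lists the load points to check (registry Run keys, the startup group, task scheduler and so on). The PowerShell script below is an added example, not code posted in the thread and not from AppSense or Sunbelt: it inventories those load points plus service image paths on a Windows Server 2008 R2 box using only PowerShell 2.0-era cmdlets, snapshots the LocalService Temp directory named in the AppSense event, and flags any entry that points into a Temp folder or uses a bare 8-character .dll name like the ones James saw. The two flagging rules, the use of `schtasks.exe` CSV column names from an English locale, and the output path under `$env:TEMP` are assumptions made for this example.

```powershell
# Added example (not from the thread): inventory common Windows load points and
# flag entries matching the pattern described in the thread. Run elevated.
# The heuristics below are illustrative assumptions, not detection signatures.

$findings = New-Object System.Collections.ArrayList

function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Value)
    $suspicious = $false
    # Anything loaded from a \Temp\ directory deserves a second look.
    if ($Value -match '(?i)\\temp\\') { $suspicious = $true }
    # Eight alphanumeric characters followed by .dll, as in the AppSense event.
    if ($Value -match '(?i)(^|\\)[a-z0-9]{8}\.dll\b') { $suspicious = $true }
    [void]$findings.Add((New-Object PSObject -Property @{
        Source     = $Source
        Name       = $Name
        Value      = $Value
        Suspicious = $suspicious
    }))
}

# 1. Registry Run/RunOnce keys: machine-wide, the 32-bit view, and every loaded
#    user hive (HKEY_USERS also holds the LocalService and NetworkService hives).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($hive in (Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue)) {
    $runKeys += "$($hive.PSPath)\Software\Microsoft\Windows\CurrentVersion\Run"
    $runKeys += "$($hive.PSPath)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip PowerShell's own PSPath/PSParentPath/... bookkeeping properties.
        if ($p.Name -like 'PS*') { continue }
        Add-Finding -Source $key -Name $p.Name -Value ([string]$p.Value)
    }
}

# 2. Startup folders (the "startup group"): all users and the current user.
foreach ($dir in @([Environment]::GetFolderPath('CommonStartup'),
                   [Environment]::GetFolderPath('Startup'))) {
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    foreach ($item in (Get-ChildItem -Path $dir -Force | Where-Object { -not $_.PSIsContainer })) {
        Add-Finding -Source $dir -Name $item.Name -Value $item.FullName
    }
}

# 3. Scheduled tasks via schtasks.exe (Get-ScheduledTask only exists on 2012+).
#    Verbose CSV output repeats its header row, so header rows are filtered out.
#    Column names assume an English locale.
$tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.TaskName -eq 'TaskName') { continue }
    Add-Finding -Source 'TaskScheduler' -Name $t.TaskName -Value ([string]$t.'Task To Run')
}

# 4. Services: the image path is another classic load point.
foreach ($svc in (Get-WmiObject -Class Win32_Service)) {
    Add-Finding -Source 'Service' -Name $svc.Name -Value ([string]$svc.PathName)
}

# 5. Snapshot the LocalService Temp directory from the AppSense event. A DLL
#    that exists only briefly at boot can be caught by running this early
#    (e.g. as a startup task) and comparing the exported CSVs across boots.
$svcTemp = Join-Path $env:windir 'ServiceProfiles\LocalService\AppData\Local\Temp'
if (Test-Path $svcTemp) {
    foreach ($f in (Get-ChildItem -Path $svcTemp -Filter *.dll -Force -ErrorAction SilentlyContinue)) {
        Add-Finding -Source $svcTemp -Name $f.Name -Value $f.FullName
    }
}

# Report: flagged entries first, plus a timestamped CSV to diff between boots.
$report = $findings | Sort-Object Suspicious -Descending
$report | Select-Object Suspicious, Source, Name, Value | Format-Table -AutoSize -Wrap
$csv = Join-Path $env:TEMP ('loadpoints-{0}.csv' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
$report | Export-Csv -Path $csv -NoTypeInformation
Write-Host "Wrote $csv"
```

Sysinternals Autoruns covers many more locations than this script and is the better first stop for a one-off look; the value of a script like this is that it can be scheduled to run at boot, before a short-lived file has been cleaned up, and its CSV output diffed between boots to answer the "gone by the time I look" problem the thread describes. The `Suspicious` column is only a triage hint; a flagged entry still needs the Process Monitor boot log or an offline scan, as already suggested in the thread, to establish what wrote the file.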