I've had a good comb through everything I could find via *autoruns*. Nothing
jumps out at me, although these modern process-injection malware variants
are very good at hiding themselves, as I know from painful experience.

I'm tempted to take the "nuke it from orbit" option, if only to satisfy my
own paranoia :-)

On 16 August 2011 15:51, Erik Goldoff <egold...@gmail.com> wrote:

> You should check all your Load Points ... registry run keys, startup group,
> autoexec.bat, task scheduler, etc.
>
> On Tue, Aug 16, 2011 at 10:26 AM, James Rankin <kz2...@googlemail.com> wrote:
>
>> Well, more weirdness.
>>
>> On a whim, I deleted all of the files out of the
>> %windir%\serviceprofiles\LocalSystem\AppData directory - not that any looked
>> out of the ordinary - and now when I restart the server, the message I was
>> getting has stopped happening. I couldn't find any reference to the
>> directory or any files in it in a Process Monitor boot log. I feel
>> *slightly* better that the message has gone away - but not really much,
>> because it seems like some kind of infection, or attempted infection, has
>> crawled under the radar.
>>
>> I might take one of these systems out and run a full scan from an
>> alternative OS as suggested, but I hate the nagging feeling that something
>> has gotten away without being fully understood. I'm hoping my strategy of AV
>> + whitelisting hasn't led to any compromise, but I'm still wondering whether
>> I should initiate a full rebuild of the server farm.
>>
>> Anyway, thanks for all the suggestions.
>>
>> On 16 August 2011 13:34, Crawford, Scott <crawfo...@evangel.edu> wrote:
>>
>>> Sounds rootkit-ish. MS has a boot CD to run Security Essentials.
>>>
>>> Sent from my Palm Pre on the Now Network from Sprint
>>>
>>> On Aug 16, 2011 7:19 AM, James Rankin <kz2...@googlemail.com> wrote:
>>>
>>> Yes, but I don't have much faith in the AV software of choice (Trend).
>>> According to it, everything is hunky-dory. MalwareBytes didn't detect
>>> anything on a full scan either. I'm pulling up some Process Monitor logs now
>>> to see if there are any needles in that haystack.
>>>
>>> On 16 August 2011 13:09, Erik Goldoff <egold...@gmail.com> wrote:
>>>
>>>> Have you already checked your AV quarantine for the presence of these
>>>> DLLs, or at least the detection/risk log to see if *that* is why they're
>>>> gone before you can get to them?
>>>>
>>>> On Tue, Aug 16, 2011 at 6:41 AM, James Rankin <kz2...@googlemail.com> wrote:
>>>>
>>>>> I've just got back from my holidays so I'm probably still not thinking
>>>>> straight... but has anyone noticed DLL files with random names that appear
>>>>> in c:\windows\serviceprofiles\localservice\appdata\local\temp when a
>>>>> 2008 R2 server boots up? By the time I get to checking for them, they are
>>>>> gone. The reason I know they are there is because my whitelisting
>>>>> application doesn't allow executable content to have its ownership
>>>>> overwritten, and when the servers boot up, they are logging an event
>>>>> regarding an attempted ownership overwrite:
>>>>>
>>>>> "AppSense Application Manager intercepted the overwrite of the allowed
>>>>> executable 'c:\windows\serviceprofiles\localservice\appdata\local\temp\
>>>>> <random_8_character_filename>.dll' on 'servername'. Ownership of this
>>>>> file was changed to that of the user"
>>>>>
>>>>> I've never noticed this happening before, and the randomised filename
>>>>> screams "malware" at me - but I have scanned the system with Trend and
>>>>> MalwareBytes, and can find no trace of any infection. By the time I dig into
>>>>> the folder to check, there's nothing there. Does anyone have any idea why
>>>>> these files would be appearing at boot time? My next step is to break out a
>>>>> bit of Process Monitor, but I'm just wondering if I am barking up a false
>>>>> positive tree here.
>>>>>
>>>>> TIA,
>>>>>
>>>>> JRR
>>>>>
>>>>> --
>>>>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
>>>>> into the machine wrong figures, will the right answers come out?' I am not
>>>>> able rightly to apprehend the kind of confusion of ideas that could provoke
>>>>> such a question."
>>>>>
>>>>> ****** IMPORTANT INFORMATION/DISCLAIMER *****
>>>>>
>>>>> This document should be read only by those persons to whom it is
>>>>> addressed. If you have received this message it was obviously addressed to
>>>>> you and therefore you can read it, even if we didn't mean to send it to you.
>>>>> However, if the contents of this email make no sense whatsoever then you
>>>>> probably were not the intended recipient, or, alternatively, you are a
>>>>> mindless cretin; either way, you should immediately kill yourself and
>>>>> destroy your computer (not necessarily in that order). Once you have taken
>>>>> this action, please contact us... no, sorry, you can't use your computer,
>>>>> because you just destroyed it, and possibly also committed suicide
>>>>> afterwards, but I am starting to digress......
>>>>>
>>>>> The originator of this email is not liable for the transmission of
>>>>> the information contained in this communication. Or are they? Either way
>>>>> it's a pretty dull legal query and frankly one I'm not going to dwell on.
>>>>> But should you have nothing better to do, please feel free to ruminate on
>>>>> it, and please pass on any concrete conclusions should you find them.
>>>>> However, if you pass them on via email, be sure to include a disclaimer
>>>>> regarding liability for transmission.
>>>>>
>>>>> In the event that the originator did not send this email to you, then
>>>>> please return it to us and attach a scanned-in picture of your mother's
>>>>> brother's wife wearing nothing but a kangaroo suit, and we will immediately
>>>>> refund you exactly half of what you paid for the can of Whiskas you bought
>>>>> when you went to Pets At Home yesterday.
>>>>>
>>>>> We take no responsibility for non-receipt of this email because we
>>>>> are running Exchange 5.5 and everyone knows how glitchy that can be. In the
>>>>> event that you do get this message then please note that we take no
>>>>> responsibility for that either. Nor will we accept any liability, tacit or
>>>>> implied, for any damage you may or may not incur as a result of receiving,
>>>>> or not, as the case may be, from time to time, notwithstanding all
>>>>> liabilities implied or otherwise, ummm, hell, where was I...umm, no matter
>>>>> what happens, it is NOT, and NEVER WILL BE, OUR FAULT!
>>>>>
>>>>> The comments and opinions expressed herein are my own and NOT those
>>>>> of my employer, who, if he knew I was sending emails and surfing the seamier
>>>>> side of the Internet, would cut off my manhood and feed it to me for
>>>>> afternoon tea.
>>>>>
>>>>>
>>>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>>>>
>>>>> ---
>>>>> To manage subscriptions click here:
>>>>> http://lyris.sunbelt-software.com/read/my_forums/
>>>>> or send an email to listmana...@lyris.sunbeltsoftware.com
>>>>> with the body: unsubscribe ntsysadmin
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>



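One way to do the load-point sweep Erik describes (run keys, startup group, task scheduler), as an added example that is not part of the thread: it lists the common Windows autostart locations and flags any entry that references a ServiceProfiles temp directory or an 8-character DLL name like the one in the AppSense event. It assumes Windows PowerShell on an English-locale system, an elevated prompt, and uses schtasks.exe rather than Get-ScheduledTask so it also runs on Server 2008 R2.

```powershell
# Added example (not from the thread): enumerate common Windows load points
# and shortlist entries pointing at the directory James saw. Assumes Windows
# PowerShell 2.0+, elevated, English schtasks output (column names below).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$entries = @()

# Registry run keys: every value except the provider metadata properties.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $entries += New-Object PSObject -Property @{
            Source = $key; Name = $p.Name; Command = [string]$p.Value }
    }
}

# Startup folders (all users and current user), hidden files included.
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -Force) {
        $entries += New-Object PSObject -Property @{
            Source = 'StartupFolder'; Name = $f.Name; Command = $f.FullName }
    }
}

# Scheduled tasks. schtasks repeats its CSV header once per task folder, so
# rows whose "Task To Run" column is the literal header text are skipped.
foreach ($t in (schtasks /query /fo CSV /v | ConvertFrom-Csv)) {
    if (-not $t.'Task To Run' -or $t.'Task To Run' -eq 'Task To Run') { continue }
    $entries += New-Object PSObject -Property @{
        Source = 'ScheduledTask'; Name = $t.TaskName; Command = $t.'Task To Run' }
}

# Triage flags: anything loading from a ServiceProfiles temp directory, or an
# 8-character DLL name like the one AppSense reported. Both can be legitimate,
# so this is a shortlist to inspect by hand, not a verdict.
$suspicious = $entries | Where-Object {
    $_.Command -match '(?i)\\serviceprofiles\\[^\\]+\\appdata\\local\\temp\\' -or
    $_.Command -match '(?i)\\[a-z0-9]{8}\.dll\b'
}
$entries | Sort-Object Source, Name | Format-Table Source, Name, Command -AutoSize
if ($suspicious) {
    Write-Warning 'Load points referencing a ServiceProfiles temp dir or 8-char DLL:'
    $suspicious | Format-Table Source, Name, Command -AutoSize
}
```

Services and drivers (HKLM\SYSTEM\CurrentControlSet\Services) are the other load point a boot-time DLL drop would use; autoruns covers those, and a Process Monitor boot log shows which process actually wrote the file.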