You might even want to try downloading a VIPRE Rescue and try running it from a safe boot or get a USB OS and boot from there and try scanning the drives. I think the safe boot mode would be easiest.
Jon

On Tue, Aug 16, 2011 at 1:16 PM, Ziots, Edward <ezi...@lifespan.org> wrote:
> Also check your scheduled tasks, and use the Microsoft Malicious Software Removal tool along with IceSword and RootkitRevealer and TDSSKiller by Kaspersky and F-Secure BlackLight.
>
> Z
>
> Edward E. Ziots
> CISSP, Network +, Security +
> Security Engineer
> Lifespan Organization
> Email: ezi...@lifespan.org
> Cell: 401-639-3505
>
> From: Erik Goldoff [mailto:egold...@gmail.com]
> Sent: Tuesday, August 16, 2011 10:51 AM
> To: NT System Admin Issues
> Subject: Re: Weird dll files on boot
>
> you should check all your Load Points ... registry run keys, startup group, autoexec.bat, task scheduler, etc...
>
> On Tue, Aug 16, 2011 at 10:26 AM, James Rankin <kz2...@googlemail.com> wrote:
>
> Well, more weirdness.
>
> On a whim, I deleted all of the files out of the %windir%\serviceprofiles\LocalSystem\AppData directory - not that any looked out of the ordinary - and now when I restart the server, the message I was getting has stopped happening. I couldn't find any reference to the directory or any files in it in a Process Monitor boot log. I feel *slightly* better that the message has gone away - but not really much, because it seems like some kind of infection, or attempted infection, has crawled under the radar.
>
> I might take one of these systems out and run a full scan from an alternative OS as suggested, but I hate the nagging feeling that something has gotten away without being fully understood. I'm hoping my strategy of AV + whitelisting hasn't led to any compromise, but I'm still wondering whether I should initiate a full rebuild of the server farm.
>
> Anyway thanks for all the suggestions,
>
> On 16 August 2011 13:34, Crawford, Scott <crawfo...@evangel.edu> wrote:
>
> sounds rootkit-ish. MS has a boot cd to run Security Essentials.
>
> Sent from my Palm Pre on the Now Network from Sprint
>
> ------------------------------
>
> On Aug 16, 2011 7:19 AM, James Rankin <kz2...@googlemail.com> wrote:
>
> Yes, but I don't have much faith in the AV software of choice (Trend). According to it, everything is hunky-dory. MalwareBytes didn't detect anything on a full scan either. I'm pulling up some Process Monitor logs now to see if there are any needles in that haystack.
>
> On 16 August 2011 13:09, Erik Goldoff <egold...@gmail.com> wrote:
>
> have you already checked your AV quarantine for the presence of these DLLs, or at least the detection/risk log to see if *that* is why they're gone before you can get to them?
>
> On Tue, Aug 16, 2011 at 6:41 AM, James Rankin <kz2...@googlemail.com> wrote:
>
> I've just got back from my holidays so I'm probably still not thinking straight....but has anyone noticed dll files with random names that appear in *c:\windows\serviceprofiles\localservice\appdata\local\temp* when a 2008 R2 server boots up? By the time I get to checking for them, they are gone. The reason I know they are there is because my whitelisting application doesn't allow executable content to have its ownership overwritten, and when the servers boot up, they are logging an event regarding an attempted ownership overwrite:
>
> *AppSense Application Manager intercepted the overwrite of the allowed executable 'c:\windows\serviceprofiles\localservice\appdata\local\temp\random_8_character_filename.dll' on 'servername'. Ownership of this file was changed to that of the user*
>
> I've never noticed this happening before, and the randomised filename screams "malware" at me - but I have scanned the system with Trend and MalwareBytes, and can find no trace of any infection. By the time I dig into the folder to check, there's nothing there. Does anyone have any idea why these files would be appearing at boot time? My next step is to break out a bit of Process Monitor, but I'm just wondering if I am barking up a false positive tree here.
>
> TIA,
>
> JRR
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
>
> ***** IMPORTANT INFORMATION/DISCLAIMER *****
>
> This document should be read only by those persons to whom it is addressed. If you have received this message it was obviously addressed to you and therefore you can read it, even if we didn't mean to send it to you. However, if the contents of this email make no sense whatsoever then you probably were not the intended recipient, or, alternatively, you are a mindless cretin; either way, you should immediately kill yourself and destroy your computer (not necessarily in that order). Once you have taken this action, please contact us.. no, sorry, you can't use your computer, because you just destroyed it, and possibly also committed suicide afterwards, but I am starting to digress...... *****
>
> *The originator of this email is not liable for the transmission of the information contained in this communication. Or are they? Either way it's a pretty dull legal query and frankly one I'm not going to dwell on. But should you have nothing better to do, please feel free to ruminate on it, and please pass on any concrete conclusions should you find them. However, if you pass them on via email, be sure to include a disclaimer regarding liability for transmission.*****
>
> *In the event that the originator did not send this email to you, then please return it to us and attach a scanned-in picture of your mother's brother's wife wearing nothing but a kangaroo suit, and we will immediately refund you exactly half of what you paid for the can of Whiskas you bought when you went to Pets At Home yesterday.*****
>
> *We take no responsibility for non-receipt of this email because we are running Exchange 5.5 and everyone knows how glitchy that can be. In the event that you do get this message then please note that we take no responsibility for that either. Nor will we accept any liability, tacit or implied, for any damage you may or may not incur as a result of receiving, or not, as the case may be, from time to time, notwithstanding all liabilities implied or otherwise, ummm, hell, where was I...umm, no matter what happens, it is NOT, and NEVER WILL BE, OUR FAULT!*****
>
> *The comments and opinions expressed herein are my own and NOT those of my employer, who, if he knew I was sending emails and surfing the seamier side of the Internet, would cut off my manhood and feed it to me for afternoon tea.*****
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
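As an added example that is not part of the thread, here is a PowerShell snippet that takes a Process Monitor boot log exported to CSV and reports every operation against random 8-character DLLs under the LocalService temp directory, grouped by the process that performed it, which is the "needle in the haystack" James is looking for. The column names are ProcMon's default CSV headers; the sample rows, PIDs and file name are constructed for illustration and do not come from anyone's real log.

```powershell
# Added example (not from the thread): summarise a Process Monitor boot log
# exported as CSV so that every operation touching random 8-character DLLs in
# the LocalService temp directory is grouped by the process that performed it.
# Column names are ProcMon's default CSV headers; the rows below are constructed.

$tempDir = 'C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\'

# Constructed sample of an exported boot log. For a real capture use:
#   $events = Import-Csv 'C:\Logfiles\bootlog.csv'
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"7:02:11.0012","svchost.exe","812","CreateFile","C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\ab12cd34.dll","SUCCESS","Desired Access: Generic Write"
"7:02:11.0020","svchost.exe","812","WriteFile","C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\ab12cd34.dll","SUCCESS","Offset: 0, Length: 28,672"
"7:02:11.0031","svchost.exe","812","SetSecurityFile","C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\ab12cd34.dll","SUCCESS","Information: Owner"
"7:02:12.0044","svchost.exe","812","SetDispositionInformationFile","C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\ab12cd34.dll","SUCCESS","Delete: True"
"7:02:12.0050","lsass.exe","548","CreateFile","C:\Windows\System32\config\SAM","SUCCESS","Desired Access: Read"
'@
$events = $sample | ConvertFrom-Csv

# A random 8-character name ending in .dll, directly inside the temp directory.
# -match is case-insensitive by default, which suits NTFS paths.
$pattern = '^' + [regex]::Escape($tempDir) + '[0-9A-Za-z]{8}\.dll$'

$hits = $events | Where-Object { $_.Path -match $pattern }

# Timeline: who created, wrote, re-owned and deleted each DLL, in what order.
# The SetSecurityFile row is the ownership change the whitelisting tool reported.
$hits |
    Sort-Object 'Time of Day' |
    Select-Object 'Time of Day', 'Process Name', PID, Operation,
                  @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Detail |
    Format-Table -AutoSize

# Per-process summary: which image (and PID) touched these DLLs, and how often.
$hits |
    Group-Object 'Process Name', PID |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

Boot-time PIDs do not survive the next reboot, so resolve the PID the summary names while the same ProcMon capture is still open (Tools > Process Tree shows the image path, command line and parent for each boot process).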