Weird dll files on boot

2011-08-16 Thread James Rankin
I've just got back from my holidays so I'm probably still not thinking straight, but has anyone noticed dll files with random names that appear in *c:\windows\serviceprofiles\localservice\appdata\local\temp* when a 2008 R2 server boots up? By the time I get to checking for them, they are gone.
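An added example, not code from the thread: a PowerShell script meant to run from an "At startup" scheduled task as SYSTEM, which copies and hashes each DLL the moment it appears in that temp directory, so the files survive for inspection even when they are deleted seconds later. The evidence folder, the ten-minute watch window and the PowerShell 4.0+ requirement (Get-FileHash) are assumptions.

```powershell
# Added example, not from the thread. Captures DLLs that appear briefly in the
# LocalService temp directory at boot: every create/write event copies the file
# out and hashes the copy, so it survives for analysis even if it is deleted
# moments later. Run from a scheduled task triggered "At startup" as SYSTEM.
# Requires PowerShell 4.0+ (Get-FileHash); folder and window are assumptions.
$watchDir    = Join-Path $env:SystemRoot 'ServiceProfiles\LocalService\AppData\Local\Temp'
$evidenceDir = 'C:\Evidence\BootDlls'   # assumption: a folder that service accounts cannot write to
$logFile     = Join-Path $evidenceDir 'capture.log'
$runSeconds  = 600                      # assumption: keep watching 10 minutes after the task starts

New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null

$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $watchDir, '*.dll'
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents   = $true

# -Action blocks run in their own scope, so handler state is passed via -MessageData.
$state = @{ Evidence = $evidenceDir; Log = $logFile }

$onWrite = {
    $path  = $Event.SourceEventArgs.FullPath
    $kind  = $Event.SourceEventArgs.ChangeType        # Created or Changed
    $stamp = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss.fff')
    # One snapshot per event: a Created event may see a partially written file,
    # so later Changed events re-snapshot it and the last copy is the complete one.
    $dest  = Join-Path $Event.MessageData.Evidence ('{0}_{1}' -f (Get-Date -Format 'HHmmssfff'), (Split-Path $path -Leaf))
    try {
        Copy-Item -LiteralPath $path -Destination $dest -ErrorAction Stop
        $hash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
        Add-Content -Path $Event.MessageData.Log -Value "$stamp $kind $path sha256=$hash copy=$dest"
    } catch {
        # A file locked or already gone before we could copy it is still worth recording.
        Add-Content -Path $Event.MessageData.Log -Value "$stamp $kind $path (copy failed: $($_.Exception.Message))"
    }
}

$onDeleted = {
    $stamp = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss.fff')
    Add-Content -Path $Event.MessageData.Log -Value "$stamp DELETED $($Event.SourceEventArgs.FullPath)"
}

$subs = @(
    Register-ObjectEvent -InputObject $watcher -EventName Created -Action $onWrite   -MessageData $state
    Register-ObjectEvent -InputObject $watcher -EventName Changed -Action $onWrite   -MessageData $state
    Register-ObjectEvent -InputObject $watcher -EventName Deleted -Action $onDeleted -MessageData $state
)

# Keep the process alive so the handlers can fire, then clean up.
Start-Sleep -Seconds $runSeconds
$subs | ForEach-Object { Unregister-Event -SourceIdentifier $_.Name }
$watcher.Dispose()
```

The log pairs each file's creation and deletion timestamps with a SHA256 of the copy, which gives you something concrete to submit to the AV vendor or look up, and the copies themselves for strings/import analysis.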

RE: Weird dll files on boot

2011-08-16 Thread Ziots, Edward
Lifespan Organization Email:ezi...@lifespan.org Cell:401-639-3505 From: James Rankin [mailto:kz2...@googlemail.com] Sent: Tuesday, August 16, 2011 6:41 AM To: NT System Admin Issues Subject: Weird dll files on boot I've just got back from my holidays so I'm probably still not thinking

Re: Weird dll files on boot

2011-08-16 Thread Erik Goldoff
have you already checked your AV quarantine for the presence of these DLLs, or at least the detection/risk log to see if *that* is why they're gone before you can get to them ? On Tue, Aug 16, 2011 at 6:41 AM, James Rankin kz2...@googlemail.com wrote: I've just got back from my holidays so I'm

Re: Weird dll files on boot

2011-08-16 Thread James Rankin
Yes, but I don't have much faith in the AV software of choice (Trend). According to it, everything is hunky-dory. MalwareBytes didn't detect anything on a full scan either. I'm pulling up some Process Monitor logs now to see if there are any needles in that haystack. On 16 August 2011 13:09, Erik

Re: Weird dll files on boot

2011-08-16 Thread Erik Goldoff
to be clear, I don't mean run a scan now, but to check the logs and quarantines for activity from On Access/AutoProtect type protection that could have happened when no one was monitoring the server. On Tue, Aug 16, 2011 at 8:18 AM, James Rankin kz2...@googlemail.com wrote: Yes, but I don't

Re: Weird dll files on boot

2011-08-16 Thread James Rankin
Yeah, that's what I've checked in the Trend AV server web console. There isn't a single entry of note for the entire last week, which is the timeframe I've noticed this appearing in. Sorry if I wasn't clear about that. On 16 August 2011 13:23, Erik Goldoff egold...@gmail.com wrote: to be

Re: Weird dll files on boot

2011-08-16 Thread Crawford, Scott
sounds rootkit-ish. MS has a boot cd to run Security Essentials. Sent from my Palm Pre on the Now Network from Sprint On Aug 16, 2011 7:19 AM, James Rankin kz2...@googlemail.com wrote: Yes, but I don't have much faith in the AV software of choice (Trend).

Re: Weird dll files on boot

2011-08-16 Thread James Rankin
Well, more weirdness. On a whim, I deleted all of the files out of the %windir%\serviceprofiles\LocalSystem\AppData directory - not that any looked out of the ordinary - and now when I restart the server, the message I was getting has stopped happening. I couldn't find any reference to the

Re: Weird dll files on boot

2011-08-16 Thread Erik Goldoff
you should check all your Load Points ... registry run keys, startup group, autoexec.bat, task scheduler, etc... On Tue, Aug 16, 2011 at 10:26 AM, James Rankin kz2...@googlemail.com wrote: Well, more weirdness. On a whim, I deleted all of the files out of the

Re: Weird dll files on boot

2011-08-16 Thread James Rankin
I've had a good comb through everything I could find via *autoruns*. Nothing jumps out at me. Although these modern process-injection malware variants are very good at hiding themselves, this I know from painful experience. I'm tempted to take the nuke it from orbit option, if only to satisfy my

RE: Weird dll files on boot

2011-08-16 Thread Ziots, Edward
...@lifespan.org Cell:401-639-3505 From: Erik Goldoff [mailto:egold...@gmail.com] Sent: Tuesday, August 16, 2011 10:51 AM To: NT System Admin Issues Subject: Re: Weird dll files on boot you should check all your Load Points ... registry run keys, startup group, autoexec.bat, task scheduler, etc

Re: Weird dll files on boot

2011-08-16 Thread Jon Harris
Email:ezi...@lifespan.org Cell:401-639-3505 From: Erik Goldoff [mailto:egold...@gmail.com] Sent: Tuesday, August 16, 2011 10:51 AM To: NT System Admin Issues Subject: Re: Weird dll files on boot you should check all your