radien

Recently we had some strange experience, a big popup message. Take a look at the attachment.

NAV(Corporate Server with latest update of today) could not find anything in full system scan. I took a look at running processes, nothing special was there.

Anyone has the same experience?!

relax
spyware

http://www.lavasoftusa.com/software/adaware/

scan scan scan

and I would also suggest ditching IE if you haven't already

http://ftp.mozilla.org/pub/mozilla.org/moz...5-installer.exe

sorted?
radien
And here is the first section of HijackThis's report, and the full report is attached too.

QUOTE
StartupList report, 2/2/2005, 4:28:55 AM
StartupList version: 1.52
Started from : \\**********\ProdInst\Windows\Utility\Networking\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v5.00 SP4 (5.00.2920.0000)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe
C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe
C:\Program Files\SAV\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\SAV\Rtvscan.exe
C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINNT\system32\vmnat.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\vmnetdhcp.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Microsoft ISA Server\wspsrv.exe
C:\Program Files\Microsoft ISA Server\w3proxy.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\PROGRA~1\SAV\vptray.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mmc.exe
C:\WINNT\system32\mmc.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\taskmgr.exe
C:\WINNT\System32\mdm.exe
\********\ProdInst\Windows\Utility\Networking\HijackThis.exe

--------------------------------------------------
relax
is it your server or something?

you have, like, Terminal Services running and a VNC server too? Or is that the VNC client .exe?
radien
QUOTE(relax @ Feb 2 2005, 02:30 PM)
is it your server or something?

you have like termservices running and a vnc server too? or is that the vnc client.exe

Yup, it is a server. It has a firewall (Microsoft ISA Server) and has both Terminal Service and VNC server, but only Terminal Service is available, unfortunately. (This is not my server; I'm here to find the threat.)

The system has already been scanned with LavaSoft's SpyRemover, too. Result: nothing special!
relax
hmmm, could there be a possibility of a rootkit or something? There are a few scanners, but from what I have read it's not hard to beat these scanners.

see this thread http://www.governmentsecurity.org/forum/in...topic=13258&hl=
radien
This is the snapshot of popup message.
relax
aw mate, kill the messenger service

it's just people spamming using the net send command.

http://support.microsoft.com/default.aspx?...B;EN-US;168893&

if the server owner left that service on, I'd suggest maybe telling him he really needs to look into the security of his server.


EDIT:
http://www.itc.virginia.edu/desktop/docs/messagepopup/
radien
I hope the problem is so. But the server is protected using the ISA Server firewall.

QUOTE(relax @ Feb 2 2005, 02:47 PM)
aw mate, kill the messenger service

it's just people spamming using the net send command.

http://support.microsoft.com/default.aspx?...B;EN-US;168893&

if the server owner left that service on, I'd suggest maybe telling him he really needs to look into the security of his server.


EDIT:
http://www.itc.virginia.edu/desktop/docs/messagepopup/
relax
QUOTE(radien @ Feb 2 2005, 11:29 AM)
I hope the problem is so. But the server is protected using the ISA Server firewall.


It is doing a really good job, isn't it?
radien
Yup. But after all I think there are some defective systems on the network and not on this server itself.

QUOTE(relax @ Feb 2 2005, 03:00 PM)
QUOTE(radien @ Feb 2 2005, 11:29 AM)
I hope the problem is so. But the server is protected using the ISA Server firewall.


It is doing a really good job, isn't it?
radien
Anyway, I'm looking for any virus or such threat with such a popup message. But in well-known online virus databases I could not find such a threat report.

relax
Like I said, it is just the Windows Messenger service (it even tells you that at the top of your popup); follow the link I posted and disable the service and you will be sorted.
radien
QUOTE(relax @ Feb 2 2005, 03:15 PM)
Like I said, it is just the Windows Messenger service (it even tells you that at the top of your popup); follow the link I posted and disable the service and you will be sorted.

You're right. But that's not all of the story. I should find the source of that message, maybe a machine that is infected on the LAN or whatever.
Sblader5
"net stop messanger"
Se7eN
QUOTE(Sblader5 @ Feb 2 2005, 04:47 PM)
"net stop messanger"

Net stop Messenger

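The thread converges on stopping the Messenger service, the one that delivers "net send" popups. As an added example, not from the thread or from Microsoft's documentation, here is a batch script for an administrative command prompt on Windows 2000 or XP that stops the service only if it is running, marks it disabled so it does not come back at the next boot, and then prints its state and start type for the record. It uses only the built-in net and sc tools; the service name Messenger is the one the thread refers to.

```batch
@echo off
rem Added example: stop and disable the Windows Messenger service, then verify.
rem Run from an administrative command prompt on Windows 2000 / XP.

rem sc query returns the service state; "find" sets errorlevel 0 only if RUNNING appears.
sc query Messenger | find "RUNNING" >nul
if %errorlevel%==0 (
    echo Messenger service is running - stopping it
    net stop Messenger
) else (
    echo Messenger service is not running
)

rem Set the start type to disabled so it stays off after a reboot.
rem Note the space after "start=": sc requires it.
sc config Messenger start= disabled

rem Show the current state and the configured start type.
sc query Messenger
sc qc Messenger
```

Stopping the service addresses the symptom on this host. For radien's second question, where the message comes from, the popup itself is the first lead: the Messenger service prints the sending machine name in its "Message from ... to ..." header, so that name can be checked against the LAN inventory to find the box that needs a closer look.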