25degc
Security Event 659 Logged every minute
On one of my 2 domain controllers, one of our 2 Exchange servers is causing the logging of Event 659 in the security event log. The description of the event is "Security Enabled Universal Group Changed". The target account ID is a group (or user?) that doesn't exist in the Active Directory for that domain. The caller username is the Exchange server name, followed by $.
The event appears regularly every minute. I am concerned that there is a breach of security, and would like to know why this is happening, and what I can do to address it.
Any help much appreciated.
Thanks.
ASKER
Thanks, but I have already googled it. I can only find articles saying that this event is an audit of a universal group change, but nothing that would indicate why it is being logged at 1 minute intervals 24 hours a day, to a universal group name that I can't see exists!
What's the target account ID, please?
Also, are you noticing any other errors in the Application Log ?
Thanks
Si
ASKER
The target account ID is UK\ITS. UK being the domain, and ITS being the universal group which doesn't exist.
There are no corresponding errors in the application event log - only some about an alert manager for AV, which we get on all servers.
Thanks,
Sarah
Presume you are using McAfee then?
What versions? Also, if you are, have you got GroupShield or WebShield installed on the server as well?
Thanks
Si
ASKER
Yes, it's McAfee, v7.1. No, we don't have GroupShield or WebShield. I'm confused: my problem has nothing to do with AV though - these are security events that are logged at one minute intervals to do with changes to a universal group. AV doesn't come into it?
Hi Sarah,
You are correct, AV doesn't come into it, well, initially...
The version of McAfee you are using is outdated. The latest version is 8.0i, which you can download from McAfee with your Grant Number. What version of ePO are you using?
I can't guarantee it's not malware related; that was why I was trying to find out what was going on.
It could be an admin privilege escalation attack, where a piece of malware is trying to get Admin privileges, hence you are seeing these 659 events as it could be trying to create a Security Group and something is stopping it.
That's why I think it might be malware.
Can you load HijackThis on to the server from http://www.hijackthis.de and install it on the server.
Run it, paste the results into the analyzer and paste a link to the results here please. I need to make sure it's clean before we move on to other possibilities.
If you had GroupShield or WebShield, then we could look in other places.
Thanks
Si
McAfee Technical Professional
(Contact Details in profile)
ASKER
I ran this on the Domain Controller:
Logfile of HijackThis v1.99.1
Scan saved at 13:30:43, on 20/10/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe
c:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
C:\WINNT\system32\CIMntfy\cimntfy.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\svchost.exe
C:\compaq\hpdiags\hpdiags.exe
C:\WINNT\System32\ismserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\ntfrs.exe
C:\Program Files\OpenSSH\bin\cygrunsrv.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\OpenSSH\usr\sbin\sshd.exe
C:\WINNT\system32\lserver.exe
C:\WINNT\system32\CPQNiMgt\cpqnimgt.exe
C:\WINNT\system32\CpqRcmc.exe
C:\WINNT\system32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINNT\system32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\WINNT\system32\sysdown.exe
C:\WINNT\system32\CPQMgmt\CqMgHost\cqmghost.exe
C:\WINNT\system32\CPQMgmt\cpqwmgmt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\cpqteam.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\mmc.exe
C:\WINNT\system32\mmc.exe
C:\temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.aitgroupad.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.aitgroupad.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{7357AEE2-4020-4415-8512-CAF6B5D4BFA6}: NameServer = 172.16.16.202,172.16.16.203
O17 - HKLM\System\CCS\Services\Tcpip\..\{95152B04-77DC-436E-8A19-A7328F384E1B}: NameServer = 172.16.16.203
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.aitgroupad.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{7357AEE2-4020-4415-8512-CAF6B5D4BFA6}: NameServer = 172.16.16.202,172.16.16.203
O20 - Winlogon Notify: dimsntfy - C:\WINNT\SYSTEM32\dimsntfy.dll
O23 - Service: McAfee Alert Manager (AlertManager) - McAfee Division of Network Associates, Inc. - C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe
O23 - Service: CentennialClientAgent - Centennial UK Ltd. - c:\centenn.ial\audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial UK Ltd. - c:\centenn.ial\audit\xferwan.exe
O23 - Service: HP Insight Event Notifier (CIMnotify) - Hewlett-Packard Company - C:\WINNT\system32\CIMntfy\cimntfy.exe
O23 - Service: HP Insight NIC Agent (CpqNicMgmt) - Hewlett-Packard Company - C:\WINNT\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINNT\system32\CpqRcmc.exe
O23 - Service: HP Insight Web Agent (CpqWebMgmt) - HP Corporation - C:\WINNT\system32\CPQMgmt\cpqwmgmt.exe
O23 - Service: HP Insight Foundation Agent (CqMgHost) - Hewlett-Packard Company - C:\WINNT\system32\CPQMgmt\CqMgHost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINNT\system32\CPQMgmt\CqMgServ\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINNT\system32\CPQMgmt\CqMgStor\cqmgstor.exe
O23 - Service: HP Insight Diagnostics (hpdiags) - Unknown owner - C:\compaq\hpdiags\hpdiags.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OpenSSH Server (OpenSSHd) - Unknown owner - C:\Program Files\OpenSSH\bin\cygrunsrv.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINNT\system32\sysdown.exe
And on the Exchange server:
Logfile of HijackThis v1.99.1
Scan saved at 13:35:12, on 20/10/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe
C:\Program Files\Compaq\Cpqacuxe\Bin\hpacubin.exe
c:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
C:\Compaq\vcagent\vcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\WINDOWS\system32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINDOWS\system32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\PROGRA~1\VERITAS\NETBAC~1\bin\BPJAVA-msvc.EXE
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\sysdown.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\system32\CPQMgmt\CqMgHost\cqmghost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CIMntfy\cimntfy.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\dllhost.exe
C:\DOCUME~1\EXCHAN~1\LOCALS~1\Temp\1\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.aitgroupad.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.aitgroupad.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4015D96B-BA56-4B34-AABC-AD587EE9B1F6}: Domain = uk.aitgroupad.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4015D96B-BA56-4B34-AABC-AD587EE9B1F6}: NameServer = 172.16.16.202,172.16.16.203,192.168.100.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FF560AC-2BD9-4019-B89D-FA7E39F37133}: NameServer = 172.16.16.202,172.16.16.203
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE1C536D-3364-459B-B70F-2F1B274D7E6E}: NameServer = 172.16.16.202,172.16.16.203,192.168.100.202
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.aitgroupad.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = uk.aitgroupad.com,aitgroupad.com,usa.aitgroupad.com,ait.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = uk.aitgroupad.com,aitgroupad.com,usa.aitgroupad.com,ait.co.uk
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: McAfee Alert Manager (AlertManager) - McAfee Division of Network Associates, Inc. - C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe
O23 - Service: Array Configuration Utility - Hewlett-Packard Company - C:\Program Files\Compaq\Cpqacuxe\Bin\hpacubin.exe
O23 - Service: CentennialClientAgent - Centennial UK Ltd. - c:\centenn.ial\audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial UK Ltd. - c:\centenn.ial\audit\xferwan.exe
O23 - Service: HP Insight Event Notifier (CIMnotify) - Hewlett-Packard Company - C:\WINDOWS\system32\CIMntfy\cimntfy.exe
O23 - Service: HP Insight NIC Agent (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\Compaq\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgHost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgServ\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgStor\cqmgstor.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NetBackup Client Service (NetBackup INET Daemon) - VERITAS Software Corporation - C:\PROGRA~1\VERITAS\NETBAC~1\bin\bpinetd.exe
O23 - Service: Surveyor - Hewlett-Packard Development Group, L.P. - C:\compaq\survey\Surveyor.EXE
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
Thanks for your help...
Sarah
Hi Sarah,
Thanks for the logs, I've had a look at them.
It seems you are running VNC and Exchange Server on the same machine.
What port is VNC set to?
I've come across this before:
Weird thing that I noticed. I was trying to push VNC to a server running Exchange 2000 and for some odd reason the VNC service wouldn't keep running. I looked at the event logs and saw that the error said that something else was bound to port 5900 already. I looked into it further and saw that the process was emsmta.exe. This is the first time that I've seen this so I thought that I'd put it out in case any of you run into it, too. I just stopped and started the Exchange services and the MTA chose a new port. How odd.
Don't know if that's related to it, but it might be. It's worth checking.
Also, it's saying that you don't have the latest Service Pack for Exchange installed, hence mad.exe is still running.
Here's the link to the results once I ran them through the analyser. I presume you are www.ait.co.uk?
http://www.hijackthis.de/logfiles/0f1e519acb42eb6cee89347a20b8327e.html
Here are the results for the Domain Controller.
There doesn't seem to be a virus scanner on the Domain Controller. Any reason why not?
Also, you've got Alert Manager deployed where you don't need it. Do you have someone who looks after your McAfee install? It's not up to date. If you have someone who looks after it, get them to look at it again.
The Domain Controller looks clean apart from the AV.
Can you try removing VNC from the Exchange Server and see if we still get this problem.
What OS and Service Pack is the Exchange Server running on?
Thanks
Si
McAfee Technical Professional
(Contact Details in profile)
ASKER
Thanks. I'm well aware that some things are out of date. All down to lack of resource here! However, I will check some of these things out, and especially the VNC on the Exchange server. AV is running on the DC, so that's weird, and all DATs are current.
Hi Sarah,
I've just finished checking out
The process Compaq Remote Monitor Service belongs to the software Compaq CpqRcmc by Compaq (www.compaq.com).
Description: CpqRcmc.exe is located in the folder C:\Windows\System32. The file size on Windows XP is 98576 bytes.
The program is not visible. The file is not a Windows core file. The file is located in the Windows folder, but it is not a Windows core file. Therefore the technical security rating is 49% dangerous.
Important: Some malware camouflages itself as CpqRcmc.exe, particularly if it is located in the c:\windows or c:\windows\system32 folder. So check whether the CpqRcmc.exe process on your PC is a pest.
I'm assuming that you've probably scanned with McAfee; what do you use for spyware?
It might be worth just running a quick scan with Spy Sweeper from Webroot.
You can download an eval (fully functioning) copy from http://www.it-security-experts.co.uk/downloads.asp
Install it on the Exchange Server, update it, and run it and see what it finds, if anything.
You might want to set it running before you leave for the weekend; it might take an hour or so.
Cheers
Si
With this event ID, and others like it that are very vague, the event is typically the result of, or part of, a sequence of a few event IDs; you may need to turn up the auditing to see what is occurring directly before and after these events.
-rich
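Rich's point above is that a 659 on its own says little; what is logged around it does. The script below is an added example, not code from anyone in this thread, that applies that advice offline to a CSV export of the DC's security log: it groups the 659s by caller and target account, measures how regular they are, lists the event logged immediately before and after each one, and compares the target names against a list of groups you know exist (for instance one exported with dsquery group). A 659 whose caller is a computer account (a name ending in $), whose target never varies and whose period is fixed looks like a scheduled service action; an interactive change shows a user caller and no fixed period. The export's column layout and date order, and the names EXCH01, DC01 and jsmith, are assumptions and constructed sample data, not values from this thread.

```python
"""Triage event 659 in a Windows 2003 security-log CSV export.

Groups the events by caller and target, measures how regular they are, and
shows the events logged immediately before and after each one, so that a
once-a-minute service action can be told apart from an interactive change.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the assumed layout of an Event Viewer "Save As" CSV
# export (Type,Date,Time,Source,Category,Event,User,Computer,Description,
# UK date order). Adjust the field names if your export differs.
# EXCH01, DC01 and jsmith are hypothetical names.
SAMPLE_CSV = """Type,Date,Time,Source,Category,Event,User,Computer,Description
Success Audit,20/10/2006,13:00:01,Security,Logon/Logoff,540,UK\\EXCH01$,DC01,"Successful Network Logon: User Name: EXCH01$ Domain: UK Logon Type: 3"
Success Audit,20/10/2006,13:00:02,Security,Account Management,659,UK\\EXCH01$,DC01,"Security Enabled Universal Group Changed: Target Account Name: ITS Target Domain: UK Target Account ID: UK\\ITS Caller User Name: EXCH01$ Caller Domain: UK Caller Logon ID: (0x0,0x1A2B3C) Privileges: -"
Success Audit,20/10/2006,13:00:03,Security,Logon/Logoff,538,UK\\EXCH01$,DC01,"User Logoff: User Name: EXCH01$ Domain: UK Logon Type: 3"
Success Audit,20/10/2006,13:01:01,Security,Logon/Logoff,540,UK\\EXCH01$,DC01,"Successful Network Logon: User Name: EXCH01$ Domain: UK Logon Type: 3"
Success Audit,20/10/2006,13:01:02,Security,Account Management,659,UK\\EXCH01$,DC01,"Security Enabled Universal Group Changed: Target Account Name: ITS Target Domain: UK Target Account ID: UK\\ITS Caller User Name: EXCH01$ Caller Domain: UK Caller Logon ID: (0x0,0x1A2B4D) Privileges: -"
Success Audit,20/10/2006,13:01:03,Security,Logon/Logoff,538,UK\\EXCH01$,DC01,"User Logoff: User Name: EXCH01$ Domain: UK Logon Type: 3"
Success Audit,20/10/2006,13:02:01,Security,Logon/Logoff,540,UK\\EXCH01$,DC01,"Successful Network Logon: User Name: EXCH01$ Domain: UK Logon Type: 3"
Success Audit,20/10/2006,13:02:02,Security,Account Management,659,UK\\EXCH01$,DC01,"Security Enabled Universal Group Changed: Target Account Name: ITS Target Domain: UK Target Account ID: UK\\ITS Caller User Name: EXCH01$ Caller Domain: UK Caller Logon ID: (0x0,0x1A2B5E) Privileges: -"
Success Audit,20/10/2006,13:02:03,Security,Logon/Logoff,538,UK\\EXCH01$,DC01,"User Logoff: User Name: EXCH01$ Domain: UK Logon Type: 3"
Success Audit,20/10/2006,13:02:40,Security,Account Logon,672,NT AUTHORITY\\SYSTEM,DC01,"Authentication Ticket Granted: User Name: jsmith User Domain: UK"
Success Audit,20/10/2006,13:05:00,Security,Account Management,659,UK\\jsmith,DC01,"Security Enabled Universal Group Changed: Target Account Name: Sales Target Domain: UK Target Account ID: UK\\Sales Caller User Name: jsmith Caller Domain: UK Caller Logon ID: (0x0,0x2F001) Privileges: -"
"""

TARGET_RE = re.compile(r"Target Account ID:\s*(\S+)")
CALLER_RE = re.compile(r"Caller User Name:\s*(\S+)")


def parse_events(text):
    """Parse the export into dicts sorted by time; target/caller come from the description."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        desc = row["Description"]
        target = TARGET_RE.search(desc)
        caller = CALLER_RE.search(desc)
        events.append({
            "time": datetime.strptime(row["Date"] + " " + row["Time"], "%d/%m/%Y %H:%M:%S"),
            "event": int(row["Event"]),
            "user": row["User"],
            "computer": row["Computer"],
            "target": target.group(1) if target else None,
            "caller": caller.group(1) if caller else None,
        })
    events.sort(key=lambda e: e["time"])
    return events


def summarize(events, event_id=659):
    """Per (caller, target): count, first/last time and median gap in seconds (None if single)."""
    groups = defaultdict(list)
    for e in events:
        if e["event"] == event_id:
            groups[(e["user"], e["target"])].append(e["time"])
    summary = {}
    for key, times in groups.items():
        gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
        summary[key] = {
            "count": len(times),
            "first": times[0],
            "last": times[-1],
            "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
        }
    return summary


def neighbours(events, event_id=659, window_s=5):
    """For each event_id occurrence, the nearest event before and after it within window_s."""
    out = []
    for i, e in enumerate(events):
        if e["event"] != event_id:
            continue
        before = next((x for x in reversed(events[:i])
                       if (e["time"] - x["time"]).total_seconds() <= window_s), None)
        after = next((x for x in events[i + 1:]
                      if (x["time"] - e["time"]).total_seconds() <= window_s), None)
        out.append((e, before, after))
    return out


def missing_targets(summary, known_groups):
    """Targets of the summarized events that are not in known_groups (a set of DOMAIN\\Name)."""
    return {target for (_, target) in summary if target not in known_groups}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    for (user, target), info in summarize(evs).items():
        print(f"{user} -> {target}: {info['count']} events, median gap {info['median_gap_s']}s, "
              f"{info['first']:%H:%M:%S}..{info['last']:%H:%M:%S}")
    for e, before, after in neighbours(evs):
        print(f"{e['time']:%H:%M:%S} 659 by {e['user']}: before={before and before['event']} "
              f"after={after and after['event']}")
    print("targets not in known group list:", missing_targets(summarize(evs), {"UK\\Sales"}))
```

Feed it the saved .csv by reading the file in place of SAMPLE_CSV. The known-groups set is the part that needs building from the directory before the "missing" result means anything, and a name that does not resolve in one domain can still be a group in another domain of the forest, which is worth checking before treating the 659s as hostile.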
ASKER
Doesn't look like I'll get to the bottom of this. Whilst I was off last week we had a lengthy power cut resulting in downtime for most systems. Since then the event hasn't been logged at all. If only all problems could be resolved so simply!
Thanks for all your help!
No problems. God, if life were as easy as that, we'd all be out of a job.
Take it easy
cheers
Si
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup Zone:
PAQ - Points Refunded
Any objections should be posted here in the next 4 days. After that time, the question will be closed.
AnthonyP9618
Experts Exchange Cleanup Volunteer
ASKER CERTIFIED SOLUTION
I would google for the exact description.