lunamoonfaze

Windows Task Manager User tab

Checked the user tab on task manager and see microsoft in the "User" column and disconnected in the "Status" column. Anyone know what's going on?
Scott Anderson

That tab shows you who is connected to the server via RDP/Terminal Services.  Or in your case: who _was_ connected and has a Terminal Services session in a "Disconnected" state.  Try and right-click on it to see if you can Remote Control the session and see what was going on.
lunamoonfaze (ASKER)

Dropped in and found nothing good. Files found on desktop: dm.exe, ku.mmp, firefox setup 2.0.0.14.exe, smtp.csv and last but certainly not least: gammadyne mailer.
Hmmm... Just guessing - you don't have a user in your domain or on the server that's named "Microsoft", do you?  You may want to review user accounts and security on your server - it may have been hacked.  Don't know if you have a structured server security compromise gameplan, but I would consider the server compromised and get it off the network as quickly as possible and start assessing the rest of your network to make sure they haven't done anything to the rest of your servers/clients.  It's most likely they were just interested in getting/building a spambox for their purposes, but you never know...  Good Luck with this...

dm.exe    - Take a google on this, it's a known backdoor trojan
gammadyne mailer - possible whoever it was was trying to drop a mailer program on your server to make it a spam box.
ASKER CERTIFIED SOLUTION
r-k

This a file server that is in use during regular business hours. My local LAN specialist is scheduled to come out next weekend. I will follow your checklist then. Thanks for the details.
RootkitRevealer log:

HKLM\SECURITY\Policy\Secrets\gthrsvc:{505DD11A-F6DE-4559-8EA2-7B27A5457A08}*      11/2/2006 2:07 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAC*      10/31/2006 4:00 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*      10/31/2006 4:00 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{148f1a14-53f3-4074-a573-e1ccd344e1d0}*      10/31/2006 3:21 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}*      11/2/2006 1:55 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\ActEmailFile\      6/5/2007 5:13 PM      19 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\ActEmailFile\DefaultIcon\      6/5/2007 5:13 PM      39 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\ActEmailFile\shell\open\      6/5/2007 5:13 PM      21 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\LastAliveUptime      6/28/2008 1:07 PM      4 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\LastAliveStamp      6/28/2008 1:07 PM      16 bytes      Data mismatch between Windows API and raw hive data.
C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_9ef0d2ac01c8d9520000000d.EML      6/28/2008 1:10 PM      4.39 KB      Hidden from Windows API.
C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_9ef0d2ac01c8d9520000000d.EML:PROPERTIES      6/28/2008 1:10 PM      2.02 KB      Hidden from Windows API.
C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_9ef0d2ac01c8d9520000000d.EML:PROPERTIES-LIVE      6/28/2008 1:10 PM      6.02 KB      Hidden from Windows API.

rootkitrevealer-log.txt
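The log above contains only discrepancy classes that Windows itself produces on a clean system (LSA secret key names with embedded nulls, Reliability values rewritten while the scan runs, and transient mail-queue files), which is what r-k's "no rootkit" reading rests on. As an added illustration that is not part of the original thread, the Python below parses lines in RootkitRevealer's format and separates those known-benign classes from entries that warrant a closer look; the rule set, the column split on runs of whitespace, and the sample path C:\constructed\hidden-sample.exe are my assumptions, not anything the thread shows.

```python
import re
from typing import Dict, List, NamedTuple, Optional

class Entry(NamedTuple):
    path: str
    timestamp: str
    size: str
    description: str

# Columns are separated by tabs or runs of spaces; the timestamp keeps its single inner space.
_FIELD_SEP = re.compile(r"\t|\s{2,}")

def parse_line(line: str) -> Optional[Entry]:
    """One RootkitRevealer line -> Entry, or None for blanks and headers."""
    parts = _FIELD_SEP.split(line.strip())
    return Entry(*parts) if len(parts) == 4 else None

# (path pattern, description pattern, verdict); first match wins. Assumed rule set
# covering discrepancy classes that Windows itself produces on a clean system.
_RULES = [
    (r"^HKLM\\SECURITY\\Policy\\Secrets\\", r"embedded nulls",
     "expected: LSA secret key names legitimately contain nulls"),
    (r"\\CurrentVersion\\Reliability\\LastAlive", r"Data mismatch",
     "expected: value is rewritten continuously while the scan runs"),
    (r"\\Exchsrvr\\Mailroot\\.*\\Queue\\", r"Hidden from Windows API",
     "likely transient: mail queue file created or removed mid-scan"),
]

def triage(entry: Entry) -> str:
    for path_re, desc_re, verdict in _RULES:
        if re.search(path_re, entry.path, re.I) and re.search(desc_re, entry.description, re.I):
            return verdict
    return "REVIEW: unexplained discrepancy"

def triage_log(text: str) -> Dict[str, List[str]]:
    """Group paths by verdict so the REVIEW bucket is the only one a human must read."""
    buckets: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            buckets.setdefault(triage(entry), []).append(entry.path)
    return buckets

# Constructed sample: three lines copied from the log posted above plus one made-up
# hidden file (not from the thread) to show an entry that gets flagged for review.
SAMPLE_LOG = r"""
HKLM\SECURITY\Policy\Secrets\SAC*      10/31/2006 4:00 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\LastAliveUptime      6/28/2008 1:07 PM      4 bytes      Data mismatch between Windows API and raw hive data.
C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_9ef0d2ac01c8d9520000000d.EML      6/28/2008 1:10 PM      4.39 KB      Hidden from Windows API.
C:\constructed\hidden-sample.exe      6/28/2008 1:12 PM      12.0 KB      Hidden from Windows API.
"""
```

Anything landing in the REVIEW bucket is what to hand to the LAN specialist; the other buckets are the noise r-k is dismissing.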
r-k

You definitely don't have a rootkit. Anything interesting shown by Autoruns?
Thanks again. Your suggestions were exactly what I was looking for to know.