Hidden services in Windows 2003?

Posted on 2011-05-02
Last Modified: 2012-05-11
I am still cleaning up after a malware outbreak among my servers.   I am seeing an event in the system log:
Event Type:      Information
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7035
Date:            5/2/2011
Time:            2:58:31 PM
User:            xxxxx
Computer:      xxxx
The lmkmjaqmj service was successfully sent a start control.

For more information, see Help and Support Center at

Later a Stop control is successfully sent to the same nonsense named service.

"lmkmjaqmj" I cannot find anywhere in the list of services, anywhere in the file system or anywhere in the registry??  My malware and virus programs are not finding it.

Where can this service be that is being successfully started and stopped?

Question by:medtox
    LVL 37

    Expert Comment

    There is ONLY one way to clean up after a malware outbreak.....
    It's called crash and burn!
    Format and reinstall.
    LVL 5

    Accepted Solution

    Get autoruns:

    Look under services.  If it isn't there the virus/malware may be adding the service, starting it and then stopping and removing it.

    What did you use to remove the outbreak?

    Can you post a hijack this log?
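
Added example, not part of the thread or of any poster's reply: a Python sketch of the check the accepted answer implies, listing services that received Event ID 7035 controls but are no longer registered, which is what a service that is created, run and deleted leaves behind. The function name, the tuple layout and the sample data are assumptions made for illustration; the message format is the one quoted in the question.

```python
import re
from collections import defaultdict

# Message format of Event ID 7035 as quoted in the question. 7035 records that
# the control request was sent to the service.
CONTROL_RE = re.compile(
    r"^The (?P<name>.+) service was successfully sent a (?P<ctl>start|stop) control\.$"
)

def transient_services(events, installed_names):
    """Return {service: [(timestamp, control), ...]} for services seen in 7035
    events that are absent from the currently registered services.

    events          -- (timestamp, event_id, message) tuples exported from the System log
    installed_names -- key names AND display names of registered services; Service
                       Control Manager messages use the display name, so comparing
                       against key names alone produces false positives
    """
    known = {n.strip().lower() for n in installed_names}
    hits = defaultdict(list)
    for ts, event_id, message in events:
        if event_id != 7035:
            continue
        m = CONTROL_RE.match(message.strip())
        if m and m.group("name").lower() not in known:
            hits[m.group("name")].append((ts, m.group("ctl")))
    return dict(hits)

# Constructed sample: the first message is the one from the question; the stop
# time and the other entries are made up for the example.
SAMPLE_EVENTS = [
    ("2011-05-02 14:58:31", 7035, "The lmkmjaqmj service was successfully sent a start control."),
    ("2011-05-02 14:58:33", 7035, "The lmkmjaqmj service was successfully sent a stop control."),
    ("2011-05-02 15:02:10", 7035, "The Windows Installer service was successfully sent a start control."),
    ("2011-05-02 15:02:11", 7036, "The Windows Installer service entered the running state."),
]
SAMPLE_INSTALLED = ["MSIServer", "Windows Installer", "Eventlog", "Event Log"]

if __name__ == "__main__":
    for name, controls in transient_services(SAMPLE_EVENTS, SAMPLE_INSTALLED).items():
        print(name, controls)
```

The timestamps of the flagged controls give the window in which to look for the account and process that registered the service.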
    LVL 5

    Expert Comment

    Also, what neilsr says is true especially amongst server equipment.  There is only one way to know for sure it is gone and that is to format and reinstall.
    LVL 37

    Expert Comment

    If your network is built correctly and you have redundancy in place then no server should take you more than a few hours to rebuild (5 at a push). This is usually a lot less time than you waste hunting down virus cures and repairing the OS after cleaning up.

    What is the role of the server in question?
    LVL 26

    Expert Comment

    by:Leon Fester
    The first thing I'd do is find an executable named "lmkmjaqmj" and remove all the permissions from it so that nobody can execute the file....not even the system account.

    Some malware will rename itself each time the server/workstation is restarted, so the best solution is to rebuild the server.

    Just make sure you've added sufficient hardening to your new builds or you'll probably be re-infecting yourself when you restore your data.

    The fact that you've been infected with malware in the first place suggests a review of your existing patching procedures and protocols. Even a single missed patch can result in multiple compromised machines since very likely the patch would be missing on ALL workstations/servers.
    LVL 11

    Expert Comment


    This key contains the list of the services. Just look at each of them and try to find anything suspicious.

    Author Comment

    Thanks for input all.  Rebuilding servers would have to be a final solution.  

    I did download the sysinternals autorunsc and found nothing unusual in the results.

    I can't find the malware executables by name in the reg, the file system, or the services - only in the Event Log listed.

    I'm wondering about the verbiage of the Event itself - does it mean that the service was successfully started or stopped?  Or only that the Start or Stop control was successfully sent?   Anyone know?


    LVL 37

    Expert Comment

    "Rebuilding servers would have to be a final solution. "

    In the time you have spent so far you could have rebuilt the server!  You did not answer my question, What is the role of this server? What is installed on it?

    Author Closing Comment

    the only useful suggestion.
