Solved

Hidden services in Windows 2003?

Posted on 2011-05-02
Last Modified: 2012-05-11
I am still cleaning up after a malware outbreak among my servers.   I am seeing an event in the system log:
Event Type:      Information
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7035
Date:            5/2/2011
Time:            2:58:31 PM
User:            xxxxx
Computer:      xxxx
Description:
The lmkmjaqmj service was successfully sent a start control.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Later a Stop control is successfully sent to the same nonsense-named service.



"lmkmjaqmj" I cannot find anywhere in the list of services, anywhere in the file system or anywhere in the registry??  My malware and virus programs are not finding it.

Where can this service be that is being successfully started and stopped?



Question by:medtox
LVL 37

Expert Comment

by:Neil Russell
ID: 35508382
There is ONLY one way to clean up after a malware outbreak.....
It's called crash and burn!
Format and reinstall.
 
LVL 5

Accepted Solution

by:jason987 (earned 750 total points)
ID: 35508414
Get autoruns:

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Look under services.  If it isn't there the virus/malware may be adding the service, starting it and then stopping and removing it.

What did you use to remove the outbreak?

Can you post a hijack this log?

http://free.antivirus.com/hijackthis/
 
LVL 5

Expert Comment

by:jason987
ID: 35508422
Also, what neilsr says is true especially amongst server equipment.  There is only one way to know for sure it is gone and that is to format and reinstall.
 
LVL 37

Expert Comment

by:Neil Russell
ID: 35508539
If your network is built correctly and you have redundancy in place then no server should take you more than a few hours to rebuild (5 at a push). This is usually a lot less time than you waste hunting down virus cures and repairing the OS after cleaning up.

What is the role of the server in question?
 
LVL 26

Expert Comment

by:Leon Fester
ID: 35509008
The first thing I'd do is find the executable named "lmkmjaqmj" and remove all the permissions from it so that nobody can execute the file... not even the system account.

Some malware will rename itself each time the server/workstation is restarted, so the best solution is to rebuild the server.

Just make sure you've added sufficient hardening to your new builds or you'll probably be re-infecting yourself when you restore your data.

The fact that you've been infected with malware in the first place suggests a review of your existing patching procedures and protocols. Even a single missed patch can result in multiple compromised machines since very likely the patch would be missing on ALL workstations/servers.
 
LVL 11

Expert Comment

by:marek1712
ID: 35511403
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services

This key contains the list of the services. Just look at each of them and try to find anything suspicious.
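jason987's point that the malware may be registering the service, starting it and then removing it again, and marek1712's pointer to the Services registry key, can be combined into one check: collect the service names that Service Control Manager events mention and report the ones that no longer exist under that key or in the SCM. The script below is an added example, not code from the thread; it assumes PowerShell 2.0 on the Windows 2003 host (or a remote box via -ComputerName on Get-EventLog), an administrative session, and a seven-day log window.

```powershell
# Added example, not code from the thread. Assumes PowerShell 2.0 on the Windows
# 2003 host (add -ComputerName to Get-EventLog for a remote box) and an
# administrative session. Event facts used: SCM event 7035 means a start/stop
# control was only *sent* to the service; 7036 means the service actually
# *entered* the running/stopped state. In both, ReplacementStrings[0] is the
# service display name and ReplacementStrings[1] is the control or state.

$days = 7   # log window to inspect (assumed value, adjust as needed)

# Everything the system knows about right now: registry subkeys plus the
# SCM's short names and display names.
$known = @{}
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
  ForEach-Object { $known[$_.PSChildName.ToLower()] = $true }
Get-Service | ForEach-Object {
  $known[$_.Name.ToLower()] = $true
  $known[$_.DisplayName.ToLower()] = $true
}

# Group start/stop events by the service name the log mentions.
$byName = @{}
Get-EventLog -LogName System -Source 'Service Control Manager' -After (Get-Date).AddDays(-$days) |
  Where-Object { $_.EventID -eq 7035 -or $_.EventID -eq 7036 } |
  ForEach-Object {
    if ($_.ReplacementStrings.Length -lt 2) { return }
    $name = $_.ReplacementStrings[0].ToLower()
    if (-not $byName.ContainsKey($name)) { $byName[$name] = @() }
    $byName[$name] += $_
  }

# Report names the log mentions but the system no longer knows, with how
# long each one was actually running (first 7036 running to last 7036 stopped).
foreach ($name in ($byName.Keys | Sort-Object)) {
  if ($known.ContainsKey($name)) { continue }
  $events  = @($byName[$name] | Sort-Object TimeGenerated)
  $running = @($events | Where-Object { $_.EventID -eq 7036 -and $_.ReplacementStrings[1] -eq 'running' })
  $stopped = @($events | Where-Object { $_.EventID -eq 7036 -and $_.ReplacementStrings[1] -eq 'stopped' })
  $lifetime = 'unknown'
  if ($running.Length -gt 0 -and $stopped.Length -gt 0) {
    $lifetime = '{0:N0} s' -f ($stopped[-1].TimeGenerated - $running[0].TimeGenerated).TotalSeconds
  }
  New-Object PSObject -Property @{
    Service   = $name
    Events    = $events.Length
    FirstSeen = $events[0].TimeGenerated
    LastSeen  = $events[-1].TimeGenerated
    Lifetime  = $lifetime
  }
}
```

A reported name with Lifetime "unknown" means only 7035 control events exist for it, so the log never confirmed the service actually entered the running state; any name reported at all is worth comparing against the service list of a clean build of the same role.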
 

Author Comment

by:medtox
ID: 35515224
Thanks for the input, all.  Rebuilding servers would have to be a final solution.

I did download the sysinternals autorunsc and found nothing unusual in the results.

I can't find the malware executables by name in the reg, the file system, or the services - only in the Event Log listed.

I'm wondering about the verbiage of the Event itself - does it mean that the service was successfully started or stopped?  Or only that the Start or Stop control was successfully sent?   Anyone know?

thanks,

 
LVL 37

Expert Comment

by:Neil Russell
ID: 35515368
"Rebuilding servers would have to be a final solution. "

In the time you have spent so far you could have rebuilt the server!  You did not answer my question, What is the role of this server? What is installed on it?
 

Author Closing Comment

by:medtox
ID: 35689615
the only useful suggestion.