medtox (Canada) asked:
Hidden services in Windows 2003?

I am still cleaning up after a malware outbreak among my servers. I am seeing an event in the system log:
Event Type:      Information
Event Source:      Service Control Manager
Event Category:      None
Event ID:      7035
Date:            5/2/2011
Time:            2:58:31 PM
User:            xxxxx
Computer:      xxxx
Description:
The lmkmjaqmj service was successfully sent a start control.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Later a Stop control is successfully sent to the same nonsense-named service.

"lmkmjaqmj" I cannot find anywhere in the list of services, anywhere in the file system, or anywhere in the registry. My malware and virus programs are not finding it.

Where can this service be that is being successfully started and stopped?

Neil Russell (United Kingdom):

There is ONLY one way to clean up after a malware outbreak...
It's called crash and burn!
Format and reinstall.
ASKER CERTIFIED SOLUTION: jason987 (solution text available only to Experts Exchange members)

jason987:
Also, what neilsr says is true, especially amongst server equipment. There is only one way to know for sure it is gone, and that is to format and reinstall.
If your network is built correctly and you have redundancy in place then no server should take you more than a few hours to rebuild (5 at a push). This is usually a lot less time than you waste hunting down virus cures and repairing the OS after cleaning up.

What is the role of the server in question?
Leon Fester:

The first thing I'd do is find the executable named "lmkmjaqmj" and remove all the permissions from it so that nobody can execute the file... not even the system account.

Some malware will rename itself each time the server/workstation is restarted, so the best solution is to rebuild the server.

Just make sure you've added sufficient hardening to your new builds, or you'll probably be re-infecting yourself when you restore your data.

The fact that you've been infected with malware in the first place suggests a review of your existing patching procedures and protocols. Even a single missed patch can result in multiple compromised machines since very likely the patch would be missing on ALL workstations/servers.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services

This key contains the list of services. Just look at each of them and try to find anything suspicious.
medtox (ASKER):

Thanks for the input, all. Rebuilding servers would have to be a final solution.

I did download the sysinternals autorunsc and found nothing unusual in the results.

I can't find the malware executables by name in the registry, the file system, or the services - only in the Event Log entries listed.

I'm wondering about the verbiage of the Event itself - does it mean that the service was successfully started or stopped? Or only that the Start or Stop control was successfully sent? Anyone know?

thanks,
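As an added example (not from this thread or any of its posters), a small Python triage over a constructed event-log text export in the layout quoted in the question: it separates 7035 (the SCM says a control was sent) from 7036 (the SCM says the service entered a state), and flags names that ran but are not currently registered services. SAMPLE_EXPORT, KNOWN_DISPLAY_NAMES and the function names are assumptions made for the example.

```python
import re

# Constructed sample in the "Event Viewer > Save as text" layout quoted in the question (trimmed).
SAMPLE_EXPORT = """\
Event ID:      7035
Description:
The lmkmjaqmj service was successfully sent a start control.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event ID:      7036
Description:
The lmkmjaqmj service entered the running state.

Event ID:      7035
Description:
The Print Spooler service was successfully sent a start control.
"""

# Constructed stand-in for the DisplayName values under HKLM\SYSTEM\CurrentControlSet\Services;
# the SCM logs display names, not key names, so that is what to compare against.
KNOWN_DISPLAY_NAMES = {"Print Spooler", "Windows Time", "DNS Client"}
# 7035 says a control was *sent*; 7036 says the service actually changed state.
START_CTRL = re.compile(r"^The (.+) service was successfully sent a (start|stop) control\.")
STATE_CHANGE = re.compile(r"^The (.+) service entered the (\w+) state\.")

def parse_export(text):
    """One dict per record (records start with an 'Event ...' field); message goes in 'Description'."""
    records = []
    for chunk in re.split(r"\n\s*\n(?=Event )", text.strip()):
        head, _, message = chunk.partition("Description:")
        rec = dict(map(str.strip, line.partition(":")[::2]) for line in head.splitlines())
        rec["Description"] = message.strip()
        records.append(rec)
    return records

def triage(records, known):
    """Per service named in a 7035 event: controls sent, 7036 state changes that followed (proof a
    control took effect), registered or not, and 'orphan' = ran but is not registered now."""
    controls, states = {}, {}
    for rec in records:
        msg, eid = rec.get("Description", ""), rec.get("Event ID")
        if eid == "7035" and (m := START_CTRL.match(msg)):
            controls.setdefault(m.group(1), []).append(m.group(2))
        elif eid == "7036" and (m := STATE_CHANGE.match(msg)):
            states.setdefault(m.group(1), []).append(m.group(2))
    return {name: {"controls": sent, "states": states.get(name, []), "registered": name in known,
                   "orphan": name not in known and bool(states.get(name))}
            for name, sent in controls.items()}
```

A 7035 with no matching 7036 only proves the SCM sent the control; a 7036 proves the service actually ran, and a name that ran but has no registration left is the case to treat as a transient or self-removing service.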

"Rebuilding servers would have to be a final solution. "

In the time you have spent so far you could have rebuilt the server! You did not answer my question: what is the role of this server? What is installed on it?
medtox (ASKER):

The only useful suggestion.