RE: Anyone seen this before?

From: george.wasgattat_private
Date: Wed Jul 03 2002 - 09:48:54 PDT

    Other places to look for startup programs:
    
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    C:\Documents and Settings\<profiles*>\Start Menu\Programs\Startup
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
    C:\WINNT\win.ini
    
    
    -----Original Message-----
    From: Michael B. Morell [mailto:MMorellat_private]
    Sent: Wednesday, July 03, 2002 10:15 AM
    To: 'Sergey Latkin'
    Cc: incidentsat_private
    Subject: RE: Anyone seen this before?
    
    
    Thx.... But there is no folder located on that system named 'address'. I
    know where you are going with this but it's not the correct path.
    
    The icon is a generic program icon.
    
    HC asked - What do you mean by "linked"?  What does this mean,
    and what did you do (or what tool did you use) to
    verify or discover this?
    
    The answer to this is, in task manager, you can right click on any app
    running in the applications window, and choose "go to process".
    The process that I was brought to was explorer.exe.
    
    If I kill explorer.exe (which gets rid of my desktop as expected) the
    address app is also killed.  If I start explorer.exe up again, the app
    reappears.
    
    I was unable to find any shell= reference in the registry.  No programs that
    even remotely resemble what I am seeing exist on this machine.
    
    This machine is generally locked down both physically and electronically.
    You just can't walk up to the machine and log in.  So wherever it came
    from, it was not installed interactively and is hidden somewhere.
    
    
    -----Original Message-----
    From: Sergey Latkin [mailto:slatkinat_private]
    Sent: Tuesday, July 02, 2002 7:15 PM
    To: Michael B. Morell
    Cc: incidentsat_private
    Subject: Re: Anyone seen this before?
    
    
    Michael
    
    If you open folder named 'address' in explorer, the task mgr will show 
    exactly what you described. BTW, what icon was shown next to the app?
    
    Sergey
    
    On 2 July 2002 18:04, Michael B. Morell wrote:
    > I found an odd application running on a 2k server box that I have not seen
    > before, or that is at least not obvious to me.
    >
    > In task mgr, the application 'address' (w/o quotes) is running and is
    > linked to the explorer.exe proc.
    >
    > <!--begin the obvious-->
    [snip the obvious :]]
    > <!--end the obvious-->
    >
    > If anyone has seen this before please let me know.  A search on Google did
    > not provide any solid leads.  I did follow through on checking for known
    > Code Red/Nimda/things that were close but not really leads.
    >
    > I appreciate any insight from the list.
    >
    > Oh, and please don't bother to tell me to blow away the OS and start from
    > scratch.  While I appreciate the suggestion, I'm looking for leads, not the
    > obvious.
    >
    > Thanks,
    >
    > Mike
    >
    > --------------------------------------------------------
    > \Your mission is to destroy users will to use bandwidth/
    > --------------------------------------------------------
    >
    >
    > ---------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    -- 
    Sergey Latkin
    Chief Technology Officer
    Pinnacle Health Group
    1-(800)-492-7771
    slatkinat_private
    http://www.phg.com
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
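The autostart locations George lists at the top of this thread, plus the Winlogon Shell/Userinit values Michael searched for, can be walked in one pass so an analyst reviewing a box like Michael's sees every persisted command in one table. The script below is an added example, not code from anyone on the list. It assumes a current Windows host with PowerShell; the 2002-era `C:\Documents and Settings` startup folders are replaced by the equivalent `$env:ProgramData` and `$env:APPDATA` paths, and the HKCU keys are read only for the user running the script.

```powershell
# Added example (not from the thread): enumerate the autostart locations
# named in George's list and the Winlogon values from Michael's reply.
# Assumes a modern Windows host; profile paths are derived from env vars.

# Whole keys where every value is a startup command
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)

# Single named values: Winlogon Userinit/Shell and the legacy Windows\Run and Load
$namedValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';   Name = 'Run' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';   Name = 'Load' }
)

function Get-AutostartEntries {
    $entries = @()

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # The registry provider adds PSPath/PSParentPath/etc.; skip those, keep real values
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            $entries += [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }

    foreach ($nv in $namedValues) {
        if (-not (Test-Path $nv.Key)) { continue }
        $val = (Get-ItemProperty -Path $nv.Key -Name $nv.Name -ErrorAction SilentlyContinue).($nv.Name)
        if ($null -ne $val) {
            $entries += [pscustomobject]@{ Location = $nv.Key; Name = $nv.Name; Command = [string]$val }
        }
    }

    # Startup folders: all-users and the current user's profile
    $startupDirs = @(
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup')
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -File -Force) {
            $entries += [pscustomobject]@{ Location = $dir; Name = $f.Name; Command = $f.FullName }
        }
    }

    # win.ini [windows] section: load= and run= lines (George's last item)
    $winIni = Join-Path $env:SystemRoot 'win.ini'
    if (Test-Path $winIni) {
        $inWindows = $false
        foreach ($line in Get-Content $winIni) {
            if ($line -match '^\s*\[(.+)\]') { $inWindows = ($Matches[1] -eq 'windows'); continue }
            if ($inWindows -and $line -match '^\s*(load|run)\s*=\s*(\S.*)$') {
                $entries += [pscustomobject]@{ Location = $winIni; Name = $Matches[1]; Command = $Matches[2] }
            }
        }
    }

    return $entries
}

Get-AutostartEntries | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
```

Run it in an elevated session so the HKLM keys and the all-users startup folder are readable. It only covers the locations the thread names; the `<profiles*>` startup folders of other accounts and their HKCU hives are not loaded unless you mount each user's NTUSER.DAT separately, and the unsigned-binary check an analyst would do next on each `Command` path is left for review by hand.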
    



    This archive was generated by hypermail 2b30 : Wed Jul 03 2002 - 10:03:33 PDT