I have the following Application Pop Up in an event log on one of our
computers:
Event ID: 26
"Application popup: Government Computer : Your ISP will be notified"

Is this something that has popped up on the computer in question or is it
something that has popped up on a computer trying to log on to the computer?

What could trigger an event like that?

Re: Strange Application popup by Dirk

Dirk
Tue Dec 16 13:08:42 CST 2003


"ja" <nobody@nobody.com> wrote in message
news:%23YgRCNAxDHA.2116@TK2MSFTNGP11.phx.gbl...
> I have the following Application Pop Up in an event log on one of our
> computers:
> Event ID: 26
> "Application popup: Government Computer : Your ISP will be notified"
>
> Is this something that has popped up on the computer in question or is it
> something that has popped up on a computer trying to log on to the
> computer?
>
> What could trigger an event like that?

No idea, read this:
http://mvps.org/winhelp2002/unwanted.htm



Re: Strange Application popup by ja

ja
Tue Dec 16 13:53:47 CST 2003

There is no spyware on the computer in question

"Dirk" <dirk@nomail.no> wrote in message
news:NLIDb.3513$7U1.26903@amstwist00...
> No idea, read this:
> http://mvps.org/winhelp2002/unwanted.htm
>
>



Re: Strange Application popup by Karl

Karl
Tue Dec 16 14:12:01 CST 2003

This sounds like Messenger popup spam received across the network. This
could indicate that you have no firewall or it is not blocking the necessary
ports [135 through 139 and 445 TCP and UDP]. Some personal firewall
software by default might not block the necessary ports. For more
information on how exactly it works / arrives:

http://www.mynetwatchman.com/kb/Security/Articles/PopupSpam/default.htm

No authentication is required, and this does not represent a hack or logon
attempt.

There are even free firewalls out there, including www.kerio.com and
www.sygate.com


"ja" <nobody@nobody.com> wrote in message
news:OBkKU5AxDHA.2712@TK2MSFTNGP11.phx.gbl...
> There is no spyware on the computer in question



Re: Strange Application popup by Karl

Karl
Tue Dec 16 14:20:55 CST 2003

PS that site also has a test to determine if you are vulnerable to Messenger
popup spam.

To block Messenger popup spam:

http://securityadmin.info/faq.asp#pop-ups


"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
news:%235BveDBxDHA.1908@TK2MSFTNGP10.phx.gbl...
> This sounds like Messenger popup spam received across the network. This
> could indicate that you have no firewall or it is not blocking the necessary
> ports [135 through 139 and 445 TCP and UDP]. Some personal firewall
> software by default might not block the necessary ports. For more
> information on how exactly it works / arrives:
>
> http://www.mynetwatchman.com/kb/Security/Articles/PopupSpam/default.htm
>
> No authentication is required, and this does not represent a hack or logon
> attempt.
>
> There are even free firewalls out there, including www.kerio.com and
> www.sygate.com



Re: Strange Application popup by Dirk

Dirk
Tue Dec 16 14:33:32 CST 2003


"ja" <nobody@nobody.com> wrote in message
news:OBkKU5AxDHA.2712@TK2MSFTNGP11.phx.gbl...
> There is no spyware on the computer in question

I gave you a link and you are not able to read the right info.
Go back to this page http://mvps.org/winhelp2002/unwanted.htm go to the top
of the page and select in the drop-down menu the "How to deal with: Unwanted
Pop-Ups"

Thank you very much but you will not proceed to the next round to be able to
win the auto-micro-self unwrapping distance inserting neurons :-)



Re: Strange Application popup by ja

ja
Tue Dec 16 14:32:59 CST 2003

Messenger service is disabled on the computer, so it can't be that.

"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
news:%235BveDBxDHA.1908@TK2MSFTNGP10.phx.gbl...
> This sounds like Messenger popup spam received across the network. This
> could indicate that you have no firewall or it is not blocking the necessary
> ports [135 through 139 and 445 TCP and UDP]. Some personal firewall
> software by default might not block the necessary ports. For more
> information on how exactly it works / arrives:
>
> http://www.mynetwatchman.com/kb/Security/Articles/PopupSpam/default.htm
>
> No authentication is required, and this does not represent a hack or logon
> attempt.
>
> There are even free firewalls out there, including www.kerio.com and
> www.sygate.com



Re: Strange Application popup by Dirk

Dirk
Tue Dec 16 14:48:29 CST 2003


"ja" <nobody@nobody.com> wrote in message
news:%23u97NPBxDHA.3408@tk2msftngp13.phx.gbl...
> Messenger service is disabled on the computer, so it can't be that.
>
Hijackthis http://www.spywareinfo.com/~merijn/ download it run and make a
log, post it.
If you are not comfortable read this http://mjc1.com/mirror/hjt/



Re: Strange Application popup by ja

ja
Tue Dec 16 15:32:06 CST 2003

TDS3 & NAV detects nothing on the box.

"Dirk" <dirk@nomail.no> wrote in message
news:jdKDb.3538$7U1.27260@amstwist00...
> Hijackthis http://www.spywareinfo.com/~merijn/ download it run and make a
> log, post it.
> If you are not comfortable read this http://mjc1.com/mirror/hjt/
>
>



Re: Strange Application popup by Dirk

Dirk
Tue Dec 16 17:15:47 CST 2003


"ja" <nobody@nobody.com> wrote in message
news:OBZjQwBxDHA.2136@TK2MSFTNGP10.phx.gbl...
> TDS3 & NAV detects nothing on the box.

And the Hijackthis log?



Re: Strange Application popup by Bill

Bill
Tue Dec 16 18:58:34 CST 2003

Haven't read the rest of the thread yet, but here's my take:

Look here:

http://www.eventid.net/display.asp?eventid=26&source=

This states that Messenger Service Net Send messages are recorded with this
eventid in the logs.

So--I think this is Messenger spam. Messenger spam is an indicator that a
machine isn't properly firewalled from the Internet. Fix this, and these
messages will go away. They appear on the screen as a popup grey
rectangular window with "Messenger Service" at the top.

They are generated by spammers for the usual reason--profit.


"ja" <nobody@nobody.com> wrote in message
news:OBkKU5AxDHA.2712@TK2MSFTNGP11.phx.gbl...
> There is no spyware on the computer in question



Re: Strange Application popup by Bill

Bill
Tue Dec 16 19:00:33 CST 2003

I would triple check that finding.

Was it disabled at the date of that log entry? What is the source of the
event?

If you test at the site Karl posted, what is your result?

What about testing internally on whatever network this machine is connected
to, using Net send?

"ja" <nobody@nobody.com> wrote in message
news:%23u97NPBxDHA.3408@tk2msftngp13.phx.gbl...
> Messenger service is disabled on the computer, so it can't be that.



Re: Strange Application popup by ja

ja
Tue Dec 16 23:51:04 CST 2003

Hi Dirk

I never install anything on my boxes unless I know what it is, so Hijackthis
will not be installed.
Show me a CNET review of your software and maybe I will feel more
comfortable.

"Dirk" <dirk@nomail.no> wrote in message
news:onMDb.3573$7U1.27128@amstwist00...
> And the Hijackthis log?
>
>



Re: Strange Application popup by ja

ja
Tue Dec 16 23:52:33 CST 2003

Yes it has been disabled and showed a negative on the site. The ports in
question are also blocked on the server.

"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
news:%237UtvkDxDHA.3416@tk2msftngp13.phx.gbl...
> I would triple check that finding.
>
> Was it disabled at the date of that log entry? What is the source of the
> event?
>
> If you test at the site Karl posted, what is your result?
>
> What about testing internally on whatever network this machine is connected
> to, using Net send?



Re: Strange Application popup by ja

ja
Tue Dec 16 23:53:13 CST 2003

Messenger is disabled and port blocked

"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
news:e7AvojDxDHA.556@TK2MSFTNGP11.phx.gbl...
> Haven't read the rest of the thread yet, but here's my take:
>
> Look here:
>
> http://www.eventid.net/display.asp?eventid=26&source=
>
> This states that Messenger Service Net Send messages are recorded with this
> eventid in the logs.
>
> So--I think this is Messenger spam. Messenger spam is an indicator that a
> machine isn't properly firewalled from the Internet. Fix this, and these
> messages will go away. They appear on the screen as a popup grey
> rectangular window with "Messenger Service" at the top.
>
> They are generated by spammers for the usual reason--profit.



Re: Strange Application popup by Dirk

Dirk
Wed Dec 17 05:47:15 CST 2003


"ja" <nobody@nobody.com> wrote in message
news:uzdIbHGxDHA.2396@TK2MSFTNGP09.phx.gbl...
> Hi Dirk
>
> I never install anything on my boxes unless I know what it is, so Hijackthis
> will not be installed.
> Show me a CNET review of your software and maybe I will feel more
> comfortable.

http://download.com.com/3000-2144-10227352.html



Re: Strange Application popup by Karl

Karl
Wed Dec 17 06:35:45 CST 2003

Well, in that case, something generated an application pop-up, and if it
wasn't messenger, I would have to next suspect it's a piece of software
installed on the computer. Try looking in task manager for any processes
you can't identify. Searching the hard drives for any files that have
changed in the past one to three days and looking for suspicious ones might
be helpful, as might using the free SIM from www.gfi.com, and possibly
filemon and process explorer free from www.sysinternals.com, fport or vision
from www.foundstone.com/knowledge, etc. There might be some more details
and other ideas here:

http://securityadmin.info/faq.asp#hacked


"ja" <nobody@nobody.com> wrote in message
news:#DAlRIGxDHA.1680@TK2MSFTNGP12.phx.gbl...
> Messenger is disabled and port blocked



Re: Strange Application popup by ja

ja
Wed Dec 17 16:09:33 CST 2003

Term Server & VNC is supposed to run on the box and is protected by firewall.
Only specific IPs are allowed to connect. The only thing I find puzzling is:
Hosts: 203.161.127.141 www.dcsresearch.com
What would make an entry like that in the box' host file?

Logfile of HijackThis v1.97.7
Scan saved at 3:17:06 PM, on 12/17/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Dell\OpenManage\OMSA\bin\dcevt32.exe
C:\Program Files\Dell\OpenManage\OMSA\bin\dcstor32.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Dell\OpenManage\RAC\MN\racsrvc.exe
C:\Program Files\Dell\OpenManage\RAC\VNC\RACWinVNC.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
C:\WINNT\System32\tcpsvcs.exe
C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\True North Software\IA eMailServer\MailServer.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
\?\C:\IISDebugTools\_IISCHAgent.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
C:\PROGRA~1\Dell\OPENMA~1\oldiags\vendor\pcdoctor\bin\diagorb.exe
C:\WINNT\system32\logon.scr
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\BacsTray.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
I:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = https://127.0.0.1:1311/
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: ITA644 - file://C:\Program Files\Dell\OpenManage\IT Assistant\UserInterfaceComponents\ITA644.CAB
O16 - DPF: {9F1C11AA-197B-4942-u6gf-47jhg89BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.1038194444
O16 - DPF: {C2FCEF52-ACE9-11D3-Bjhf-001jhgA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {ED990224-80E6-11D3-9780-00105ytg47BB} (RACView Control) - file://C:\Program Files\Dell\OpenManage\Drac\client\Web\WebRacView.cab

"Dirk" <dirk@nomail.no> wrote in message
news:SnXDb.3603$7U1.29625@amstwist00...
> http://download.com.com/3000-2144-10227352.html
>
>



Re: Strange Application popup by Mike

Mike
Wed Dec 17 17:11:04 CST 2003

ja,
The cause is unknown ..... just have HijackThis "fix" that one entry.
[more info]
http://www.google.com/search?num=20&hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&sa=G&q=%22dcsresearch.%2Bcom%22
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 12-15-03]
Please post replies to this Newsgroup, email address is invalid
--

"ja" <nobody@nobody.com> wrote in message
news:unly3pOxDHA.2448@TK2MSFTNGP12.phx.gbl...
> Term Server & VNC is supposed to run on the box and is protected by firewall.
> Only specific IPs are allowed to connect. The only thing I find puzzling is:
> Hosts: 203.161.127.141 www.dcsresearch.com
> What would make an entry like that in the box' host file?
>
>
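
Added example, not part of any poster's message: a Python sketch that pulls the O1 (hosts file) lines out of a HijackThis log like the one ja posted and separates loopback or sinkhole mappings from redirects to a routable address, which is the kind of entry Mike says to fix. The function names and the verdict labels are assumptions made for this example; the hosts-file sample is constructed, and the log lines are copied from the thread.

```python
import ipaddress
import re

# O1 lines in the HijackThis log above have the form
#   O1 - Hosts: <address> <name> [<name> ...]
# Leading ">" marks are tolerated because logs are often pasted into replies.
O1_RE = re.compile(r"^(?:>\s*)*O1 - Hosts:\s*(?P<entry>.+)$")

# Lines copied from the log posted in the thread.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = https://127.0.0.1:1311/
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
"""

# Constructed hosts file; only the last-but-one entry comes from the thread.
HOSTS_SAMPLE = """
# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 ads.example.test   # blocklist-style entry
10.0.0.5 intranet.example.test
203.161.127.141 www.dcsresearch.com
not-an-ip broken.example.test
"""


def hosts_entries(text):
    """Yield (address, [names]) from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2:
            yield fields[0], fields[1:]


def o1_entries(hjt_log):
    """Yield (address, [names]) for every O1 line in a HijackThis log."""
    for raw in hjt_log.splitlines():
        m = O1_RE.match(raw.strip())
        if m:
            yield from hosts_entries(m.group("entry"))


def classify_entry(address):
    """Label a hosts mapping by where it sends the name."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:
        return "local"              # localhost, or a blocklist sinkhole
    if ip.is_private or ip.is_link_local:
        return "internal"           # points at the local network
    return "external-redirect"      # name is pinned to a routable address


def audit(entries):
    """Return (address, names, verdict) for each entry, in input order."""
    return [(addr, names, classify_entry(addr)) for addr, names in entries]


def needs_review(entries):
    """Keep only the entries an administrator should be able to explain."""
    return [row for row in audit(entries)
            if row[2] in ("external-redirect", "malformed")]


if __name__ == "__main__":
    for addr, names, verdict in needs_review(o1_entries(HJT_SAMPLE)):
        print(f"{verdict:18} {addr:16} {' '.join(names)}")
```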



Re: Strange Application popup by Bill

Bill
Wed Dec 17 20:46:10 CST 2003

Hmm - I just did a net send on a Windows 2000 server with Messenger service
running (port IS blocked by ISA firewall from the outside!)
----------------------------------------------------------------------------
Application popup: Messenger Service : Message from FGC to FGC on 12/17/2003 9:36:42 PM
spurious message

----------------------------------------------------------------------------

(FGC is the machinename of the server)



Is your original post really a straight cut and paste from the log?

If so, it doesn't look like a Messenger Service message, and I don't know
what it is! I'm leaning towards some form of intentional alert intended to
warn someone off--whether legitimate or not, I wouldn't care to guess. The
more significant question, of course, is how it gets into your log.





"ja" <nobody@nobody.com> wrote in message
news:%23DAlRIGxDHA.1680@TK2MSFTNGP12.phx.gbl...
> Messenger is disabled and port blocked
>
>
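
Added example, not part of any poster's message: a Python sketch of the comparison Bill makes above, splitting an Event ID 26 description into caption and text and checking whether it has the shape of his net send test record. The function names, verdict labels and regular expressions are assumptions made for this example, as is the "Application popup: <caption> : <text>" layout generalised from the two records quoted in the thread (copied here with the newsreader line wrap undone).

```python
import re
from collections import Counter

# Layout assumed from the two descriptions quoted in the thread:
#   Application popup: <caption> : <text>
POPUP_RE = re.compile(
    r"^Application popup:\s*(?P<caption>.*?)\s+:\s+(?P<text>.*)$", re.DOTALL
)
# Header seen in front of the message body in Bill's net send test record.
NETSEND_RE = re.compile(
    r"^Message from (?P<sender>\S+) to (?P<recipient>\S+) on "
    r"(?P<when>[^\n]+)\n?(?P<body>.*)$",
    re.DOTALL,
)

# The two Event ID 26 descriptions quoted in the thread.
THREAD_RECORDS = [
    "Application popup: Messenger Service : Message from FGC to FGC on "
    "12/17/2003 9:36:42 PM\nspurious message",
    "Application popup: Government Computer : Your ISP will be notified",
]


def parse_popup(description):
    """Split a description into caption and text; None if the layout differs."""
    m = POPUP_RE.match(description.replace("\r\n", "\n").strip())
    if not m:
        return None
    return {"caption": m.group("caption"), "text": m.group("text").strip()}


def classify(description):
    """Return (verdict, details) for one Event ID 26 description."""
    popup = parse_popup(description)
    if popup is None:
        return "unparsed", {}
    if popup["caption"].lower() == "messenger service":
        m = NETSEND_RE.match(popup["text"])
        if m:
            return "messenger-net-send", {
                "sender": m.group("sender"),
                "recipient": m.group("recipient"),
                "body": m.group("body").strip(),
            }
        return "messenger-unrecognised", popup
    # Any other caption: the record does not look like a Messenger Service
    # message, so the next place to look is software running on the host.
    return "other-caption", popup


def triage(events):
    """Count verdicts over (event_id, description) pairs, ignoring other IDs."""
    return Counter(classify(desc)[0] for eid, desc in events if eid == 26)


if __name__ == "__main__":
    for record in THREAD_RECORDS:
        verdict, details = classify(record)
        print(verdict, details)
```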



Re: Strange Application popup by ja

ja
Wed Dec 17 23:46:59 CST 2003

Hi Bill

Yes it is just as it appears in the Log.

My initial thought was that it may be a warning message that I have put
somewhere and forgotten about it. (I like to scare hackers) But I can't find
it anywhere. I have looked in local policies to see if there was a policy
responding with the message in question, but no luck.

I have earlier given myself a scare ;o)


"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
news:%23L1yZERxDHA.2092@TK2MSFTNGP09.phx.gbl...
> Hmm - I just did a net send on a Windows 2000 server with Messenger service
> running (port IS blocked by ISA firewall from the outside!)
> ----------------------------------------------------------------------------
> Application popup: Messenger Service : Message from FGC to FGC on 12/17/2003 9:36:42 PM
> spurious message
>
> ----------------------------------------------------------------------------
>
> (FGC is the machinename of the server)
>
>
>
> Is your original post really a straight cut and paste from the log?
>
> If so, it doesn't look like a Messenger Service message, and I don't know
> what it is! I'm leaning towards some form of intentional alert intended to
> warn someone off--whether legitimate or not, I wouldn't care to guess. The
> more significant question, of course, is how it gets into your log.