Re: Event 26. Your computer may be infected.

Thanks for the response.

I can recognize the alert as being a message that *might* come from the DC
expectedly, but I can't find any evidence that says it *did* come from
there.

The DC is our server-side antivirus control system. Realistically, I can see
the message originating there if the server had really been impacted by a
virus and/or if some traffic pattern looked like it might be a virus. I can
see the traffic pattern issue because the receiving server is running backup
exec to some very old and very slow boxes so it does "kerchunk" away at
slowly backing them up - that's not caused such a message in the past
though.

My biggest concern is that I can't find any evidence to show where the
message and even originated form. Its pure speculation that it could have
originated from the antivirus system - and the antivirus system has never
sent such an alert before hence why I wonder.

Here's what I do know so far:

1) I can't seem to find any info anywhere that shows an event ID 26 with
that description is a valid event from any software. I have a call into the
antivirus vendor to see if they have any input.

2) I do not see any evidence that the receiving server was actually infected
with anything. It appears clean as a whistle. Nothing logged within the
antivirus system for it either.

3) I do not see any evidence on the DC that shows that it did or did not
actually send the message.

4) The message and event lead me to believe that its a message originating
from a Microsoft product. I say this becuase the
form/format/verbage/style/etc all appear right on target with a typical
Microsoft product alert. I understand that this might just be speculation,
but it seems reasonable. I can't find in the KB or anywhere that this is an
event and message that can exist. I do find event ID 26's in the KB, but
none with even similar event descriptions.

Is there any way to track down the message/event origination
application/machine for sure?


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:%23m02uBl7GHA.1560@xxxxxxxxxxxxxxxxxxxxxxx
I think you may be examining the wrong machine.
The message is claimed to be sent from/by the DC.
The MRP member is just the recipient of the message.
There are two alternatives here. The DC is actually
sending the message, in which case it may have been
compromised (unless you can recognize the as an alert
something you have installed would send); or some other
machine may be originating the message so that it appears
as if it comes from the DC.
There is some defined need that you have so the you have
the messenger service running? It is pretty easy to cause
a machine to receive a message if it is running. However
you need to verify that it is not originating from something
that is on the DC.
"Bunert" <rizenbone@xxxxxxxxx> wrote in message
news:e1Ujhhg7GHA.4304@xxxxxxxxxxxxxxxxxxxxxxx
I have a W2k3 domain controller and a W2k member server.

Both have been running fine for weeks, months, years.

There have been no changes to either machine in the last few days.

All of a sudden today, I am getting a messenger application pop-up from
the domain controller that says:

Message from DC to Server at XX:XX:XX AM on XX/XX/2006.

Your computer may be infected by a virus and may be attacking other
computers on the network.

Please check your antivirus pattern and your software.

It logs even ID 26 with the same description on the W2k member server -
nothing is logged on the W2k3 controller.

I've scanned the W2k member with the latest antivirus and it comes up
clean. I've reviewed services, run registry entries, startup, etc and
nothing is there out of the ordinary. This server has not changed, been
rebooted, had anything done to it in the last week. HAve not received
these messages in the 3 years its been in place. This server sits there
and provides access to an MRP app. No changes have happened on the MRP
app.

I can't find any info on an event id 26 with the description above
anywhere. I'm not seeing any abnormal traffic to or from that server.

It does run Backup Exec overnight, but its run that to the same target
servers for 3 years. Otherwise this box has no other function.

Anyone with any ideas or things to look at? It's looking fine, but I got
about 10 of those popups in 2 hours this morning. Then they have since
stopped (so far). The times of the events do not correlate with anything
running at that time.






.

Relevant Pages

  • Re: Event 26. Your computer may be infected.
    ... I have Trend Micro CSM Security for SMB 3.0 on the server and I am in the ... I can recognize the alert as being a message that *might* come from the DC ... The DC is our server-side antivirus control system. ... The message and event lead me to believe that its a message originating ...
    (microsoft.public.win2000.security)
  • Re: im being held in memory
    ... How can I harden my computer or server to secure it from hackers? ... Use firewall software and hardware and antivirus software that is ... Follow the instructions for hardening Windows and IIS at ... Install all service packs and security fixes from Microsoft and otherwise ...
    (microsoft.public.security)
  • Re: Question about software that will send a return receipt.
    ... so when you send these people evidence via email ... in court they say well we never got said evidence, ... send a flag to a server saying it was opened/accessed, ... lawyer testifies in court there was no "service via email" and you ...
    (alt.2600)
  • Re: New Server Secure Enough?
    ... > I'm going to run one of my machines as an IIS web server, ... where to get a firewall and antivirus program are all below: ... You can also use the NETSTAT -A command that comes with Windows to look at ...
    (microsoft.public.inetserver.iis.security)
  • Re: Can not Send Email from a Bellsouth Account
    ... Trend Micro antivirus is among the top three troublemakers for Windows Mail. ... At times I get the error message that my SMTP Server has not responded in 60 ...
    (microsoft.public.windows.vista.mail)