Event 26. Your computer may be infected.

Bunert

I have a W2k3 domain controller and a W2k member server.

Both have been running fine for weeks, months, years.

There have been no changes to either machine in the last few days.

All of a sudden today, I am getting a messenger application pop-up from the
domain controller that says:

Message from DC to Server at XX:XX:XX AM on XX/XX/2006.

Your computer may be infected by a virus and may be attacking other
computers on the network.

Please check your antivirus pattern and your software.

It logs event ID 26 with the same description on the W2k member server -
nothing is logged on the W2k3 controller.

I've scanned the W2k member with the latest antivirus and it comes up clean.
I've reviewed services, run registry entries, startup, etc and nothing is
there out of the ordinary. This server has not changed, been rebooted, had
anything done to it in the last week. Have not received these messages in
the 3 years it's been in place. This server sits there and provides access to
an MRP app. No changes have happened on the MRP app.

I can't find any info on an event id 26 with the description above anywhere.
I'm not seeing any abnormal traffic to or from that server.

It does run Backup Exec overnight, but its run that to the same target
servers for 3 years. Otherwise this box has no other function.

Anyone with any ideas or things to look at? It's looking fine, but I got
about 10 of those popups in 2 hours this morning. Then they have since
stopped (so far). The times of the events do not correlate with anything
running at that time.
 
I think you may be examining the wrong machine.
The message is claimed to be sent from/by the DC.
The MRP member is just the recipient of the message.
There are two alternatives here. The DC is actually
sending the message, in which case it may have been
compromised (unless you can recognize it as an alert
something you have installed would send); or some other
machine may be originating the message so that it appears
as if it comes from the DC.
Is there some defined need that you have such that you have
the Messenger service running? It is pretty easy to cause
a machine to receive a message if it is running. However
you need to verify that it is not originating from something
that is on the DC.
 
Thanks for the response.

I can recognize the alert as being a message that *might* come from the DC
expectedly, but I can't find any evidence that says it *did* come from
there.

The DC is our server-side antivirus control system. Realistically, I can see
the message originating there if the server had really been impacted by a
virus and/or if some traffic pattern looked like it might be a virus. I can
see the traffic pattern issue because the receiving server is running Backup
Exec to some very old and very slow boxes so it does "kerchunk" away at
slowly backing them up - that's not caused such a message in the past
though.

My biggest concern is that I can't find any evidence to show where the
message and event originated from. It's pure speculation that it could have
originated from the antivirus system - and the antivirus system has never
sent such an alert before, which is why I wonder.

Here's what I do know so far:

1) I can't seem to find any info anywhere that shows an event ID 26 with
that description is a valid event from any software. I have a call into the
antivirus vendor to see if they have any input.

2) I do not see any evidence that the receiving server was actually infected
with anything. It appears clean as a whistle. Nothing logged within the
antivirus system for it either.

3) I do not see any evidence on the DC that shows that it did or did not
actually send the message.

4) The message and event lead me to believe that it's a message originating
from a Microsoft product. I say this because the
form/format/verbiage/style/etc. all appear right on target with a typical
Microsoft product alert. I understand that this might just be speculation,
but it seems reasonable. I can't find in the KB or anywhere that this is an
event and message that can exist. I do find event ID 26s in the KB, but
none with even similar event descriptions.

Is there any way to track down the message/event origination
application/machine for sure?
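The reply above makes the key point (the Messenger service will happily deliver a message whose "from" name is set by whoever sent it), and the question just asked is how to pin down the real origin. The following is an added example, not code from the thread or from any of the products mentioned: it parses the Event ID 26 / "Application Popup" records a receiving machine logs for such pop-ups, separates the claimed sender from the timestamp and body, and flags a burst like the "10 popups in 2 hours" described earlier. The sample export, hostnames and times are constructed for the example, and the record layout is only an approximation of an Event Viewer text export, not a guaranteed format.

```python
"""Triage of Windows 'Application Popup' Event ID 26 records written when the
Messenger service shows a net-send style message. The 'Message from X to Y'
header is text supplied by the sender, so X is a claimed sender, not a verified
origin; confirming origin needs a capture of the Messenger traffic itself."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample (hostnames, times and layout are made up for this example, not
# taken from the thread) roughly in the shape of an Event Viewer text export: three
# pop-ups claiming to be from "DC" inside 90 minutes, then one isolated pop-up later.
SAMPLE_EXPORT = """\
Event Type: Information
Event Source: Application Popup
Event ID: 26
Computer: MRPSERVER
Description:
Application popup: Messenger Service : Message from DC to MRPSERVER on 3/14/2006 8:05:10 AM
Your computer may be infected by a virus and may be attacking other
computers on the network.
Please check your antivirus pattern and your software.

Event Type: Information
Event Source: Application Popup
Event ID: 26
Computer: MRPSERVER
Description:
Application popup: Messenger Service : Message from DC to MRPSERVER on 3/14/2006 8:41:33 AM
Your computer may be infected by a virus and may be attacking other computers on the network.

Event Type: Information
Event Source: Application Popup
Event ID: 26
Computer: MRPSERVER
Description:
Application popup: Messenger Service : Message from DC to MRPSERVER on 3/14/2006 9:30:02 AM
Your computer may be infected by a virus and may be attacking other computers on the network.

Event Type: Information
Event Source: Application Popup
Event ID: 26
Computer: MRPSERVER
Description:
Application popup: Messenger Service : Message from HELPDESK to MRPSERVER on 3/14/2006 4:12:45 PM
Server reboot scheduled for 6 PM.
"""

# The sender-supplied header line. Nothing in it is authenticated by the service.
HEADER_RE = re.compile(r"Message from (?P<src>\S+) to (?P<dst>\S+) on (?P<when>.+)$", re.M)


@dataclass
class MessengerPopup:
    when: datetime
    claimed_from: str  # copied from the header: a claim, not evidence of origin
    to: str
    body: str


def parse_events(export_text):
    """Return the Messenger pop-ups among the Event ID 26 records of a text export."""
    popups = []
    for record in re.split(r"\n\s*\n", export_text.strip()):
        fields = dict(re.findall(r"^([A-Za-z ]+): (.*)$", record, re.M))
        if fields.get("Event Source") != "Application Popup" or fields.get("Event ID") != "26":
            continue
        m = HEADER_RE.search(record)
        if not m:
            continue  # an Event 26 that is not a Messenger message (e.g. a driver dialog)
        when = datetime.strptime(m.group("when").strip(), "%m/%d/%Y %I:%M:%S %p")
        popups.append(MessengerPopup(when, m.group("src"), m.group("dst"),
                                     record[m.end():].strip()))
    return popups


def claimed_sender_counts(popups):
    """How many pop-ups each *claimed* sender accounts for."""
    return Counter(p.claimed_from for p in popups)


def find_bursts(popups, window=timedelta(hours=2), min_count=3):
    """Group pop-ups whose timestamps fall within `window` of the first in the group;
    groups of at least `min_count` are bursts worth correlating with other logs."""
    times = sorted(p.when for p in popups)
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        if j - i + 1 >= min_count:
            bursts.append((times[i], times[j], j - i + 1))
        i = j + 1
    return bursts


if __name__ == "__main__":
    popups = parse_events(SAMPLE_EXPORT)
    print("claimed senders:", dict(claimed_sender_counts(popups)))
    for start, end, n in find_bursts(popups):
        print(f"burst: {n} pop-ups between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

What the log cannot give you is the real sending host: the counts above are per claimed name only. To settle the question asked here, capture traffic on the receiving server while the pop-ups recur (Messenger messages arrive as NetBIOS datagram mailslot traffic on UDP 138 or over RPC) and read the source address from the capture; and if nothing legitimately depends on the Messenger service, stopping it removes the delivery path altogether.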
 
Bunert,

Did you find the cause of the message yet? I just had a client fax the same
message to me. It claims to come from the server to the controller's
desktop.

I have Trend Micro CSM Security for SMB 3.0 on the server and I am in the
process of removing SAVCE 9 from the workstations and installing Trend CSM.

All of Trend's alerts I have checked so far are quite clear that they
came from the Trend product.

Gregg Hill
 
Thanks for the info.

I had not tracked it down yet but that certainly appears to be the same
issue.

I received a string of alerts that one time but not since. Repeated scans
with multiple products all ran clean.

I don't know that I found the source computer. I will have to check Trend's
logs to correspond with the date and times of the alerts. Thanks for passing
on the info.
 