ipcscan_gui.exe

[Guest]

I program called ipcscan_gui.exe is located at c:\winnt\system32\dwrcs uploads. The type of file is application. The description says IpcScan Microsoft. It was created Sunday, October 19, 2003. I did not create the file. The program starts up in the middle of the night. It looks like it scans IP addresses. What is it? Can I get rid of it? How do I get rid of it?

 

[Drew Cooper [MSFT]]

Sounds like your machine is a zombie. The entire "dwrcs uploads" directory
seems suspicious to me. I'd recommend running antivirus and spyware
scanners on your machine and disinfect your machine. As a Microsoft
employee I don't think I can recommend any specific 3rd party software or a
further course of action, but maybe someone else on the newsgroup can.

--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

I program called ipcscan_gui.exe is located at c:\winnt\system32\dwrcs

uploads. The type of file is application. The description says IpcScan
Microsoft. It was created Sunday, October 19, 2003. I did not create the
file. The program starts up in the middle of the night. It looks like it
scans IP addresses. What is it? Can I get rid of it? How do I get rid of it?

 

[Matt Scarborough]

On Mon, 24 Nov 2003 15:58:33 -0800, Drew Cooper [MSFT] wrote

Sounds like your machine is a zombie. The entire "dwrcs uploads" directory
seems suspicious to me. I'd recommend running antivirus and spyware
scanners on your machine and disinfect your machine. As a Microsoft
employee I don't think I can recommend any specific 3rd party software or a
further course of action, but maybe someone else on the newsgroup can.

Agreed. DWRCS_Uploads is often used by the DameWare Mini Remote Control server.
If this is the case, and that has also been installed without permission, see
"The DameWare Mini Remote Control suddenly appears on my computer and I have not
installed it. Where does it come from and how do I remove it?" at
http://www.dameware.com/support/kb/article.asp?ID=DW100005
By default the Application Event Log will have details on installation of and
connections to the DWMRC Server.

FWIW, IpcScan.exe and IpcScan_GUI.exe are "NT weak accounts scanners" (from the
documentation accompanying a file similar to that described by the OP) that
attempt to connect to remote ADMIN$ and IPC$ using a configurable dictionary.

Posting late to the thread...

Matt Scarborough 2003-12-01

 

[Buz [MSFT]]

Remacc.Dwremote
http://securityresponse.symantec.com/avcenter/venc/data/remacc.dwremote.html

If you do have Dameware installed this could be a normal directory though.

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.

On Mon, 24 Nov 2003 15:58:33 -0800, Drew Cooper [MSFT] wrote

Sounds like your machine is a zombie. The entire "dwrcs uploads" directory
seems suspicious to me. I'd recommend running antivirus and spyware
scanners on your machine and disinfect your machine. As a Microsoft
employee I don't think I can recommend any specific 3rd party software or a
further course of action, but maybe someone else on the newsgroup can.

rights.


Agreed. DWRCS_Uploads is often used by the DameWare Mini Remote Control server.
If this is the case, and that has also been installed without permission, see
"The DameWare Mini Remote Control suddenly appears on my computer and I have not
installed it. Where does it come from and how do I remove it?" at
http://www.dameware.com/support/kb/article.asp?ID=DW100005
By default the Application Event Log will have details on installation of and
connections to the DWMRC Server.

FWIW, IpcScan.exe and IpcScan_GUI.exe are "NT weak accounts scanners" (from the
documentation accompanying a file similar to that described by the OP) that
attempt to connect to remote ADMIN$ and IPC$ using a configurable dictionary.

Posting late to the thread...

Matt Scarborough 2003-12-01

uploads. The type of file is application. The description says IpcScan
Microsoft. It was created Sunday, October 19, 2003. I did not create the
file. The program starts up in the middle of the night. It looks like it
scans IP addresses. What is it? Can I get rid of it? How do I get rid of

it?