Need help with ProcessGuard log


Pieter_Arntz
August 2nd, 2005, 05:02 AM
Not being a longtime user myself, I am looking at the log of someone who was/is infected by a rootkit.

This is the piece of the log that I think is "bad"

[EXECUTION] Commandline - [ cmd ]
Tue 02 - 20:23:31 [EXECUTION] "c:\windows\system32\ftp.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [3320]
[EXECUTION] Commandline - [ ftp.exe -n -s:msw.dll ]
Tue 02 - 20:24:05 [EXECUTION] "c:\windows\system32\msua.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3320]
[EXECUTION] Commandline - [ msua.exe ]
Tue 02 - 20:24:05 [EXECUTION] "c:\windows\system32\mwupdate32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\msua.exe" [3420]
[EXECUTION] Commandline - [ c:\windows\system32\mwupdate32.exe 1804 "c:\windows\system32\msua.exe" ]

I know I have to delete:
c:\windows\system32\mwupdate32.exe
c:\windows\system32\msua.exe

I am a bit less sure about:
c:\windows\system32\ftp.exe

And is it correct to assume that msw.dll will be in the same directory as ftp.exe? (because of the Commandline - [ ftp.exe -n -s:msw.dll ])

TIA,

Pieter

Paranoid2000
August 2nd, 2005, 05:25 AM
FTP is a standard part of Windows, though it can be (ab)used by malware. In this case the -s parameter specifies a text file with a list of commands to follow - so while msw.dll is doubtless part of the malware, it may also contain some useful information.
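To illustrate both posts above (the three-line ProcessGuard [EXECUTION] entries in the first post and the ftp -s: script point in the reply), here is an added example that is not from the thread or from ProcessGuard itself: it groups the log lines into records, flags entries whose parent ProcessGuard could not identify, and pulls out the script file name that ftp.exe was told to run. The sample log is constructed from the format quoted in the thread, and the regexes assume that format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the ProcessGuard format shown in the thread (not a real capture).
SAMPLE_LOG = r"""[EXECUTION] Commandline - [ cmd ]
Tue 02 - 20:23:31 [EXECUTION] "c:\windows\system32\ftp.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [3320]
[EXECUTION] Commandline - [ ftp.exe -n -s:msw.dll ]
Tue 02 - 20:24:05 [EXECUTION] "c:\windows\system32\msua.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3320]
[EXECUTION] Commandline - [ msua.exe ]
"""

HEADER = re.compile(r'^(\w{3} \d\d - \d\d:\d\d:\d\d) \[EXECUTION\] "([^"]+)" was allowed to run$')
PARENT = re.compile(r'^\[EXECUTION\] Started by "([^"]+)" \[(\d+)\]$')
CMDLINE = re.compile(r'^\[EXECUTION\] Commandline - \[ (.*) \]$')
FTP_SCRIPT = re.compile(r'(?i)(?:^|\s)-s:(\S+)')   # ftp.exe -s:<file> reads its commands from <file>

@dataclass
class Execution:
    time: str
    image: str
    parent: Optional[str] = None
    logged_pid: Optional[int] = None   # the bracketed number exactly as ProcessGuard logs it
    cmdline: str = ""
    findings: List[str] = field(default_factory=list)

def parse_log(text: str) -> List[Execution]:
    """Group ProcessGuard's three-line [EXECUTION] entries into records and annotate them."""
    records: List[Execution] = []
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            records.append(Execution(time=m.group(1), image=m.group(2).lower()))
        elif not records:
            continue   # continuation line whose header lies outside the excerpt; skip it
        elif m := PARENT.match(line):
            records[-1].parent, records[-1].logged_pid = m.group(1).lower(), int(m.group(2))
        elif m := CMDLINE.match(line):
            records[-1].cmdline = m.group(1)
    for r in records:
        if r.parent == "unknown process":
            r.findings.append("parent could not be identified by ProcessGuard")
        if r.image.endswith("\\ftp.exe") and (s := FTP_SCRIPT.search(r.cmdline)):
            # Note: a relative script name is resolved against ftp's working directory
            # (inherited from its parent), not against the directory holding ftp.exe.
            r.findings.append(f"ftp.exe ran a command script: {s.group(1)} (collect it)")
    return records

if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        print(r.time, r.image, "<-", r.parent, r.findings)
```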

Pieter_Arntz
August 2nd, 2005, 05:34 AM
Thanks. I'll try and get a copy of msw.dll then.

Regards,

Pieter