Need help with ProcessGuard log

Discussion in 'ProcessGuard' started by Pieter_Arntz, Aug 2, 2005.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Not being a longtime user myself, I am looking at the log of someone who was/is infected by a rootkit.

    This is the piece of the log that I think is "bad"

    [EXECUTION] Commandline - [ cmd ]
    Tue 02 - 20:23:31 [EXECUTION] "c:\windows\system32\ftp.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\cmd.exe" [3320]
    [EXECUTION] Commandline - [ ftp.exe -n -s:msw.dll ]
    Tue 02 - 20:24:05 [EXECUTION] "c:\windows\system32\msua.exe" was allowed to run
    [EXECUTION] Started by "Unknown Process" [3320]
    [EXECUTION] Commandline - [ msua.exe ]
    Tue 02 - 20:24:05 [EXECUTION] "c:\windows\system32\mwupdate32.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\msua.exe" [3420]
    [EXECUTION] Commandline - [ c:\windows\system32\mwupdate32.exe 1804 "c:\windows\system32\msua.exe" ]

    I know I have to delete:
    c:\windows\system32\mwupdate32.exe
    c:\windows\system32\msua.exe

    I am a bit less sure about:
    c:\windows\system32\ftp.exe

    And is it correct to assume that msw.dll will be in the same directory as ftp.exe? (because of the Commandline - [ ftp.exe -n -s:msw.dll ])

    TIA,

    Pieter
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    FTP is a standard part of Windows though it can be (ab)used by malware. In this case the -s parameter specifies a text file with a list of commands to follow - so while msw.dll is doubtless part of the malware, it may also contain some useful information.
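The three-line execution records above are easy to parse mechanically. The following script is an added example (not from the thread or from ProcessGuard itself): it groups the records, fills in an "Unknown Process" parent from an earlier record that named the same bracketed PID (an assumption about what that number means, stated in the code), and flags ftp.exe runs driven by a -s: script file, noting that a bare file name like msw.dll is resolved against the launching process's working directory rather than ftp.exe's own folder. The log text is a constructed sample in the same layout.

```python
import re

# Constructed sample in the layout of the ProcessGuard log quoted above; not the poster's file.
SAMPLE_LOG = r'''Tue 02 - 20:23:31 [EXECUTION] "c:\windows\system32\ftp.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\cmd.exe" [3320]
[EXECUTION] Commandline - [ ftp.exe -n -s:msw.dll ]
Tue 02 - 20:24:05 [EXECUTION] "c:\windows\system32\msua.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3320]
[EXECUTION] Commandline - [ msua.exe ]
Tue 02 - 20:24:05 [EXECUTION] "c:\windows\system32\mwupdate32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\msua.exe" [3420]
[EXECUTION] Commandline - [ c:\windows\system32\mwupdate32.exe 1804 "c:\windows\system32\msua.exe" ]'''

# Each record is three lines: the run verdict, the parent ("Started by") and the command line.
RUN_RE = re.compile(r'^(\w{3} \d\d - \d\d:\d\d:\d\d) \[EXECUTION\] "([^"]+)" was (allowed|blocked)')
PARENT_RE = re.compile(r'^\[EXECUTION\] Started by "([^"]+)" \[(\d+)\]')
CMD_RE = re.compile(r'^\[EXECUTION\] Commandline - \[ (.*) \]$')

def parse_log(text):
    """Group each three-line execution record into one dict."""
    events = []
    for line in text.splitlines():
        if m := RUN_RE.match(line):
            events.append({"time": m[1], "image": m[2].lower(), "verdict": m[3],
                           "parent": None, "ppid": None, "cmd": ""})
        elif events and (m := PARENT_RE.match(line)):
            events[-1]["parent"], events[-1]["ppid"] = m[1].lower(), int(m[2])
        elif events and (m := CMD_RE.match(line)):
            events[-1]["cmd"] = m[1]
    return events

def resolve_parents(events):
    """Fill in 'Unknown Process' parents from an earlier record naming the same PID (assumption: the bracketed number is the parent PID and was not reused in between)."""
    by_pid = {}
    for e in events:
        if e["parent"] != "unknown process":
            by_pid[e["ppid"]] = e["parent"]
        elif e["ppid"] in by_pid:
            e["parent"], e["parent_inferred"] = by_pid[e["ppid"]], True
    return events

def flag_events(events):
    """Return (image, reason) pairs for the two patterns discussed in the thread."""
    findings = []
    for e in events:
        if e["image"].endswith("\\ftp.exe") and (m := re.search(r"-s:(\S+)", e["cmd"], re.I)):
            findings.append((e["image"], f"ftp driven by script file {m[1]} (a relative name resolves against the launching process's working directory)"))
        if e.get("parent_inferred"):
            findings.append((e["image"], f"parent logged as Unknown Process; PID {e['ppid']} earlier belonged to {e['parent']}"))
    return findings
```

Running `flag_events(resolve_parents(parse_log(SAMPLE_LOG)))` on the sample reports the scripted ftp run and ties msua.exe back to the cmd.exe instance with PID 3320.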
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Thanks. I'll try and get a copy of msw.dll then.

    Regards,

    Pieter
     