Need help with ProcessGuard log

Discussion in 'ProcessGuard' started by Pieter_Arntz, Aug 2, 2005.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Not being a longtime user myself, I am looking at the log of someone who was/is infected by a rootkit.

    This is the piece of the log that I think is "bad"

    [EXECUTION] Commandline - [ cmd ]
    Tue 02 - 20:23:31 [EXECUTION] "c:\windows\system32\ftp.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\cmd.exe" [3320]
    [EXECUTION] Commandline - [ ftp.exe -n -s:msw.dll ]
    Tue 02 - 20:24:05 [EXECUTION] "c:\windows\system32\msua.exe" was allowed to run
    [EXECUTION] Started by "Unknown Process" [3320]
    [EXECUTION] Commandline - [ msua.exe ]
    Tue 02 - 20:24:05 [EXECUTION] "c:\windows\system32\mwupdate32.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\msua.exe" [3420]
    [EXECUTION] Commandline - [ c:\windows\system32\mwupdate32.exe 1804 "c:\windows\system32\msua.exe" ]

    I know I have to delete:
    c:\windows\system32\mwupdate32.exe
    c:\windows\system32\msua.exe

    I am a bit less sure about:
    c:\windows\system32\ftp.exe

    And is it correct to assume that msw.dll will be in the same directory as ftp.exe ? (because of the Commandline - [ ftp.exe -n -s:msw.dll ])

    TIA,

    Pieter
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    FTP is a standard part of Windows though it can be (ab)used by malware. In this case the -s parameter specifies a text file with a list of commands to follow - so while msw.dll is doubtless part of the malware, it may also contain some useful information.
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Thanks. I'll try and get a copy of msw.dll then.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.