MikeWilliams
Programmer
Hi All,
I am running XP SP2 with NAV 2003 and ZoneAlarm
Last night I experienced a sudden flurry of disk activity, after which ZoneAlarm asked if FTP.exe could access the internet. I said no (twice). ZoneAlarm's log showed that FTP was trying to access my ISP's DNS server (presumably to look up an address).
I then started to look into what had happened. I first did a search for ftp.exe and found it in the expected places, but I also found a new file in XP's prefetch area created at the time of the incident.
Looking into the Prefetch area the programs loaded (in order) are :-
[ol]
[li]CMD.EXE[/li]
[li]FIND.EXE[/li]
[li]GSAR.EXE[/li]
[li]SED.EXE[/li]
[li]PING.EXE[/li]
[li]ATTRIB.EXE[/li]
[li]FTP.EXE[/li]
[/ol]
I can't find any trace of GSAR.EXE or SED.EXE on my PC, but they must have been there and executed for prefetch files to have been created.
A web search reveals :-
GSAR is a Global Search And Replace tool.
SED is a Stream EDitor
With this and the above new files in the prefetch area, I conclude that some DOS/cmd process, i.e. a trojan, was attempting to find and modify some files and then FTP the results back somewhere.
I downloaded the latest AV definitions from Symantec and ran a full scan, but did not find anything.
Can anyone throw any light on what I have been hit by?
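The post reasons from the existence and timestamps of the .pf files alone. Each XP prefetch file also records the executable's last-run time, a run counter and the device paths of every file the program touched while being profiled, including the path the executable itself was loaded from. That means the GSAR.EXE-*.pf and SED.EXE-*.pf files can still tell you where those tools lived and which files they opened even though the binaries are gone. The following parser is an added example, not code from the original post or from any Symantec or ZoneAlarm tool; it implements the published Windows XP/2003 (format version 17) prefetch layout, and the sample .pf blobs it builds with make_sample_pf() are constructed for the example (the paths, times and run counts in them are made up, not taken from the poster's machine).

```python
"""Offline triage of Windows XP Prefetch (.pf) files.

Added example (not from the original post). Handles format version 17
(XP / Server 2003). Header fields used, all little-endian:
  0x00  u32   format version (17)
  0x04  4s    signature "SCCA"
  0x0C  u32   file size
  0x10  60b   executable name, UTF-16LE, NUL terminated
  0x64  u32   offset of the filename-strings section
  0x68  u32   length of the filename-strings section
  0x78  u64   last run time (FILETIME, 100ns ticks since 1601-01-01 UTC)
  0x90  u32   run counter
The strings section is a run of NUL-terminated UTF-16LE device paths.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V17_HEADER_SIZE = 152  # 0x54 fixed header + 68-byte file-information block


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_pf_v17(data):
    """Return exe name, last-run time (UTC), run count and touched paths."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version != 17:
        raise ValueError(f"unsupported prefetch version {version}; this parser handles XP v17 only")
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    strings_offset, strings_length = struct.unpack_from("<II", data, 0x64)
    (last_run_ft,) = struct.unpack_from("<Q", data, 0x78)
    (run_count,) = struct.unpack_from("<I", data, 0x90)
    blob = data[strings_offset:strings_offset + strings_length]
    paths = [p for p in blob.decode("utf-16-le").split("\x00") if p]
    return {"exe": exe_name, "last_run": filetime_to_datetime(last_run_ft),
            "run_count": run_count, "paths": paths}


def executable_paths(record):
    """Paths in the trace that end with the executable's own name: where it ran from."""
    suffix = "\\" + record["exe"].upper()
    return [p for p in record["paths"] if p.upper().endswith(suffix)]


def prefetch_timeline(pf_blobs):
    """Parse several .pf blobs and order them by last-run time, oldest first."""
    return sorted((parse_pf_v17(b) for b in pf_blobs), key=lambda r: r["last_run"])


def make_sample_pf(exe_name, last_run, run_count, paths):
    """Build a minimal v17 .pf blob. Constructed sample data for this example only."""
    strings_blob = "".join(p + "\x00" for p in paths).encode("utf-16-le")
    header = bytearray(V17_HEADER_SIZE)
    struct.pack_into("<I4s", header, 0x00, 17, b"SCCA")
    struct.pack_into("<I", header, 0x0C, V17_HEADER_SIZE + len(strings_blob))
    name = exe_name.encode("utf-16-le")[:58] + b"\x00\x00"
    header[0x10:0x10 + len(name)] = name
    struct.pack_into("<II", header, 0x64, V17_HEADER_SIZE, len(strings_blob))
    struct.pack_into("<Q", header, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", header, 0x90, run_count)
    return bytes(header) + strings_blob


def build_sample_set():
    """Three constructed .pf blobs mimicking the CMD -> GSAR -> FTP sequence."""
    t0 = datetime(2005, 3, 14, 23, 41, 7, tzinfo=timezone.utc)  # made-up time
    vol = "\\DEVICE\\HARDDISKVOLUME1"
    return [
        make_sample_pf("FTP.EXE", t0 + timedelta(seconds=3), 1,
                       [vol + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL", vol + "\\WINDOWS\\SYSTEM32\\FTP.EXE"]),
        make_sample_pf("CMD.EXE", t0, 7,
                       [vol + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL", vol + "\\WINDOWS\\SYSTEM32\\CMD.EXE"]),
        make_sample_pf("GSAR.EXE", t0 + timedelta(seconds=1), 1,
                       [vol + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL", vol + "\\WINDOWS\\TEMP\\GSAR.EXE",
                        vol + "\\DOCUME~1\\USER\\MYDOCU~1\\NOTES.TXT"]),
    ]


if __name__ == "__main__":
    # On a real system, read every file matching C:\WINDOWS\Prefetch\*.pf instead.
    for rec in prefetch_timeline(build_sample_set()):
        print(rec["last_run"].isoformat(), rec["exe"], "runs=%d" % rec["run_count"],
              "from", executable_paths(rec))
        for p in rec["paths"]:
            print("    ", p)
```

Point it at a copy of the Prefetch folder taken from the affected machine and sort by last-run time rather than by file creation time: the .pf file is created on first run but its last-run field and run counter are updated on every run, so a run count of 1 plus a last-run time inside the incident window is the signature of a tool that was dropped, executed once and deleted. The strings section of the GSAR.EXE and SED.EXE entries is where to look for the directory they were staged in and the files they were rewriting.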