Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

What have I been hit by?

Status
Not open for further replies.
MikeWilliams

MikeWilliams

Programmer
Apr 9, 2002
4
GB
Hi All,

I am running XP SP2 with NAV 2003 and ZoneAlarm

Last night I experienced a sudden flurry of disk activity after which ZoneAlarm asked if FTP.exe could acces the internet. I said no (twice). ZoneAlarm's log showed the FTP was trying to access my ISP's DNS server (presumably to look up an address)

I then started to look into what had happened. I first did a search for ftp.exe and found it in the expected places, but I also found a new file in XP's prefetch area created at the time of the incident.

Looking into the Prefetch area the programs loaded (in order) are :-
[ol]
[li]CMD.EXE[/li]
[li]FIND.EXE[/li]
[li]GSAR.EXE[/li]
[li]SED.EXE[/li]
[li]PING.EXE[/li]
[li]ATTRIB.EXE[/li]
[li]FTP.EXE[/li]
[/ol]

I Can't find any trace of GSAR.EXE or SED.EXE on my PC, but they must have been there and executed for prefetch files to have been created.

A web search reveals :-
GSAR is a Global Search And Replace tool.
SED is a Stream EDitor

With this and the above new files in the prefetch area I conclude that some dos/cmd process ie a trojan was attempting to find and modify some files then ftp the results back somewhere.

I downloaded the latest AV definitions from Symantec and run a full scan, but did find anything.

Can anyone throw any light on what I have been hit by?
 
Sort by date Sort by votes
Thanks eyec, I dread to think what would have sent out if ZA haddn't done it's job.

I am concerned because it looks like GSAR and SED are capable of modifying files, I am wondering which files were targeted.
 
Upvote 0 Downvote
If you look in the gsar.pf and sed.pf files with notepad or a hex editor, you should find the path to where they used to be, or should have been. That's a starting point anyway.

gsar.exe: I thought it looked familar, it is a unxutil. At least in its unmodified form anyway.
sed.exe: Either another unxutil (which I'm guessing so), or it is a part of Ezula, a nasty little spyware program.

But, if you don't find them on your system after looking in the .pf file and running say notepad from the command line, then I guess you are good to go. :)

----------------------------
"Security is like an onion" - Unknown
 
Upvote 0 Downvote
As far as checking/eliminating processes the easy first step is to use something like hijackthis or bazooka and get a list of what is running and go from there on fixing/removing.

As an example for you, here is a thread which includes removing sed stuff.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Upvote 0 Downvote
Thanks All,

TechieMicheal, I have already delete the .pf files so that I could track if the programs were re-run, so far not which is good.

diogenese10, I have already checked with Task Manager and at the time there were no strange programs in memory, all the usual start up locations and all is clear.

Regards
Mike
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

2ffat
  • Locked
  • News
MalwareBytes may have been hacked
Replies
0
Views
100
2ffat
2ffat
shivajiboss
  • Locked
  • Question
I am getting a problem while opening up my windows
Replies
1
Views
157
2ffat
2ffat
Mike Lewis
  • Locked
  • Question
MsMpEng.EXE in MSE: necessary? desirable?
Replies
3
Views
168
Mike Lewis
Mike Lewis
2ffat
  • Locked
  • News
Audacity is Spyware?
Replies
2
Views
145
2ffat
2ffat
ChrisOfOz
  • Locked
  • Question
Lenovo startup problem please any ideas? 2
Replies
10
Views
339
Yoko Littner
Yoko Littner

Part and Inventory Search

Sponsor

Back
Top