regsvr.exe and q387.exe
- From: "N Cook" <diverse@xxxxxxxxx>
- Date: Fri, 30 Dec 2005 08:59:44 -0000
Very little about this set of rogue diallers / trojans / virii or whatever
it would seem on the net
so if any use placed here.
Had regsvr.exe (not regsvc.exe) activating every 20 seconds , reading ports
, and creating ever growing files comreads.dbg and comused.dbg
First 2 lines of comreads reading (edited)
Port opened, internal buffer = 0x007... to 0x00..
Overlapped Read -- 24 bytes 0x007... to 0x007... :
Disabled those but could not track down where q387.exe was hiding.
In Task Manager the name would blip up on Processes and disappear again
every 10 seconds or so,
the cursor dipping at same times and in other appls.
Every now and then CMD.EXE (as upper case) would do the same in TM .
I updated spybot search & destroy but it told me congratulations for
having no immediate threats.
Found and disabled CMD.EXE and after that (coincidence ?) q387.exe has
disappeared, apparently, since.
That is distinct from cmd.exe (lower case) files which I left in place.
Perhaps q387.exe has been converted so it can hide itself.
previous net references to it have precise locations
eg
hidden in \countrydial.exe
or as
.... \Local Settings\Temp\q387.exe
....\WINDOWS\q387.exe
Anyone know what q387 was doing ?
Now nice flatlining in Task Manager / CPU Usage and no wraithing q387 in
Processes, for the moment
.
- Follow-Ups:
- Re: regsvr.exe and q387.exe
- From: David H. Lipman
- Re: regsvr.exe and q387.exe
- Prev by Date: Re: How do i get rid of EETU.exe and all of it's registry entries
- Next by Date: Re: How do i get rid of EETU.exe and all of it's registry entries
- Previous by thread: W32/Trojan.ATA
- Next by thread: Re: regsvr.exe and q387.exe
- Index(es):
Relevant Pages
|
