
Much Confusion With This File.


  • Please log in to reply
3 replies to this topic

#1 SaxonManFinland

SaxonManFinland

  • Members
  • 159 posts
  • OFFLINE
  • Gender:Male
  • Location:British, was living on Russian border in Finland
  • Local time:03:20 AM

Posted 01 August 2006 - 09:29 AM

In trying to help someone else I ran SpyDoctor on my PC... 39 infections, which I am amazed at, running so many AV / ASW / AT detectors or scanners.

Ran a HJT and found an entry under Running Processes I do not recognise. Checked the web. CONFUSING!!

Here is an extract from HJT; the dodgy entry is in bold.

Logfile of HijackThis v1.99.1
Scan saved at 12:17:16, on 01/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe

Cannot see anything else strange (in my limited knowledge).

Still doesn't explain why Spy Doctor finds so many Trojans that no other method detects or prevents.

Thanks

Stuart


#2 jgweed

jgweed

  • Staff Emeritus
  • 28,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:09:20 PM

Posted 01 August 2006 - 10:39 AM

\WINDOWS\system32\wdfmgr.exe appears to be associated with Windows Media Player 10 and above:

http://www.liutilities.com/products/wintas...library/wdfmgr/

http://process.networktechs.com/wdfmgr.exe.php

If it were associated with the Agobot worm, it would add the following entries, according to Sophos:

"The following registry entries are created to run wdfmgr.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS_Update Check
wdfmgr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MS_Update Check
wdfmgr.exe "

Hope this helps,
Regards,
John

Edited by jgweed, 01 August 2006 - 10:45 AM.

Whereof one cannot speak, thereof one should be silent.
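The two things the thread actually checks can be scripted for triage: whether a known file name in the HJT "Running processes" list runs from its expected directory, and whether the Run / RunServices autorun keys carry the "MS_Update Check" -> wdfmgr.exe value that the Sophos text above attributes to Agobot. The following is an added example written for this thread, not code from HijackThis, Sophos or any poster. It parses log text and a .reg-style export offline; the sample log and registry export below are constructed for the demonstration (the suspect lines are invented, not taken from the poster's machine), and the expected-directory table is an assumption based only on the paths shown in this thread.

```python
"""Triage helpers for an HJT "Running processes" section and for autorun
registry values, using the wdfmgr.exe indicators discussed in the thread."""
import re
from typing import Dict, List, Tuple

# Assumed expected directories for well-known file names (based on the
# paths in the HJT log above; extend as needed for your environment).
EXPECTED_LOCATIONS: Dict[str, Tuple[str, ...]] = {
    "wdfmgr.exe": (r"c:\windows\system32",),
    "smss.exe": (r"c:\windows\system32",),
    "csrss.exe": (r"c:\windows\system32",),
    "winlogon.exe": (r"c:\windows\system32",),
    "services.exe": (r"c:\windows\system32",),
    "lsass.exe": (r"c:\windows\system32",),
    "svchost.exe": (r"c:\windows\system32",),
    "explorer.exe": (r"c:\windows",),
}

# Autorun value name/data that Sophos attributes to Agobot (quoted in the thread).
AGOBOT_RUN_VALUE = "ms_update check"
AGOBOT_RUN_DATA = "wdfmgr.exe"
AUTORUN_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
)


def parse_running_processes(log_text: str) -> List[str]:
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    paths: List[str] = []
    in_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not stripped:
                break
            paths.append(stripped)
    return paths


def check_process_paths(paths: List[str]) -> List[str]:
    """Flag known file names that run from somewhere other than their expected directory."""
    findings = []
    for path in paths:
        directory, _, name = path.lower().rpartition("\\")
        expected = EXPECTED_LOCATIONS.get(name)
        if expected is not None and directory not in expected:
            findings.append(f"{name} running from unexpected location: {path}")
    return findings


def check_autorun_export(reg_text: str) -> List[str]:
    """Scan a .reg-style export for the Agobot autorun value named in the thread."""
    findings = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower().replace("hkey_local_machine", "hklm")
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and current_key in AUTORUN_KEYS:
            name, data = m.group(1).lower(), m.group(2).lower()
            if name == AGOBOT_RUN_VALUE and AGOBOT_RUN_DATA in data:
                findings.append(f"{current_key}: {name} -> {data}")
    return findings


# Constructed sample input: the clean log mirrors the thread, the suspect
# log adds one invented line with wdfmgr.exe outside system32.
CLEAN_HJT_LOG = """Logfile of HijackThis v1.99.1

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\wdfmgr.exe
C:\\WINDOWS\\Explorer.EXE

R0 - HKCU\\Software\\... (rest of log omitted)
"""
SUSPECT_HJT_LOG = CLEAN_HJT_LOG.replace(
    "C:\\WINDOWS\\Explorer.EXE", "C:\\WINDOWS\\Explorer.EXE\nC:\\WINDOWS\\Temp\\wdfmgr.exe")

# Constructed .reg exports: the suspect one carries the Sophos-described value.
CLEAN_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"IgfxTray"="C:\\\\WINDOWS\\\\system32\\\\igfxtray.exe"
"""
SUSPECT_REG_EXPORT = CLEAN_REG_EXPORT + """
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices]
"MS_Update Check"="wdfmgr.exe"
"""


def triage(log_text: str, reg_text: str) -> List[str]:
    """Combine both checks into one list of human-readable findings."""
    return check_process_paths(parse_running_processes(log_text)) + check_autorun_export(reg_text)


if __name__ == "__main__":
    for finding in triage(SUSPECT_HJT_LOG, SUSPECT_REG_EXPORT):
        print(finding)
```

A legitimate wdfmgr.exe in C:\WINDOWS\system32 with no autorun value produces no findings, which is the situation the original poster's log shows; only a copy running from elsewhere or the named Run/RunServices value is reported.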

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,574 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:20 PM

Posted 01 August 2006 - 12:23 PM

wdfmgr.exe is a legitimate Windows System File/process belonging to Windows User Mode Driver Framework service and appears in Windows Task Manager after you install Windows Media Player 10 and above. This service supports synchronization of content with hardware players such as an MP3 device. The Startup type setting for this process is Automatic.

Per Microsoft Article ID: 892552, if you do not have a hardware player, you can set the Windows User Mode Driver Framework service Startup type setting either to Disabled or to Manual.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 SaxonManFinland

SaxonManFinland
  • Topic Starter

  • Members
  • 159 posts
  • OFFLINE
  • Gender:Male
  • Location:British, was living on Russian border in Finland
  • Local time:03:20 AM

Posted 01 August 2006 - 01:09 PM

Thanks John

No trace of the added files you mention, BUT I spent a few hours checking the registry settings pointed at by Spy Doctor, and true enough there are some old nasty things in there, not shown by anything else other than Spy Doctor.

Ewido had just cleared some old stuff from my original submission to Bleeping Computer 2 years ago; it found old Zip files. I suspect Spy Doctor has found similar, but for sure it also found these old scanners: Retro64, Rbot.UR, Fast Dialler, Fast Video Player and a Host File Redirect.

Nothing looks strange in HJT, so I guess it is outside HJT territory.

Now going to plod through Reg Edit and kill off the keys I have copied from Spy Doctor. Slow, laborious, and they certainly try their best to make you buy their product, but at $29 it may be worth it.

Thanks also Quiet Man

Thanks again. Stand by for a real cry for help :thumbsup:

Edited by SaxonManFinland, 01 August 2006 - 01:10 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users