We have many computers that exhibit the same type of issue. That being explorer.exe is causing many 344 HIPS signature triggers by writing to the registry to start some other program. Most of the target programs are in the user's profile. Some have been in the recycle bin.
I have executed Getsusp via ePO on about a dozen similar computers. Getsusp has never returned any suspicious files when explorer.exe was the threat process. Why is it that whatever is injected into explorer.exe is not being uncovered by Getsusp?
Here is another example:
Status: UNKNOWN
MD5: a443740fcd14bf86b18f373b07b87e3b
Location: C:\Documents and Settings\FR016403\fr0164031
File Name: winlogon.exe
Attribute: A
Company: (empty)
Description: (empty)
Product Version: 1.00
File Version: 1.00
File Size: 339,968
Creation Date: 12/13/2010 15:36
Modification Date: 11/21/2010 13:11
Type: Process
This file was at least identified as unknown, which is better than the occurrence in the original post. This is malware as identified by HIPS signature 344 event triggers. The difference is that the threat process in this case is svchost.exe. The registry value data identified the file above.
Threat Source Process Name: C:\WINDOWS\system32\svchost.exe
Threat Source URL: file:///C:\WINDOWS\system32\svchost.exe
New Data: 43003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400 740069006e00670073005c00460052003000310036003400300033005c0066007200300031003600 34003000330031005c00770069006e006c006f0067006f006e002e006500780065000000
Registry Value(s): \REGISTRY\CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\NVIDIA MEDIA CENTER LIBRARY
It seems that Getsusp has difficulty evaluating what is running in Explorer.exe and does slightly better with svchost.exe yet still did not list it as suspicious. As a result I do not yet have a sample of this malware and will need to have local support capture it.
We've replicated the issue with xacou.exe. When GetSusp runs under the permissions of the SYSTEM account (while deployed via ePO), it is having issues reading entries under the HKCU key. GetSusp when run using a local or domain user account does not have this issue.
Thanks for reporting. The investigation is ongoing.
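Worked example (added here; it is not code from this thread, from GetSusp or from McAfee): parse the HIPS 344 event quoted above, decode its UTF-16LE "New Data" hex back into the path it points at, flag the user-profile and system-name look-alike traits the posts describe, and rewrite the HKCU path to the HKEY_USERS\<SID> location a scanner running as SYSTEM would have to read instead of its own HKCU. The SID is a constructed placeholder, and the SYSTEM_NAMES set and the flag rules are my own assumptions.

```python
import re

# Constructed sample modelled on the HIPS 344 event quoted above; the hex
# "New Data" is the UTF-16LE registry value data exactly as posted.
SAMPLE_EVENT = (
    "Threat Source Process Name: C:\\WINDOWS\\system32\\svchost.exe "
    "Threat Source URL: file:///C:\\WINDOWS\\system32\\svchost.exe "
    "New Data 43003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400 "
    "740069006e00670073005c00460052003000310036003400300033005c0066007200300031003600 "
    "34003000330031005c00770069006e006c006f0067006f006e002e006500780065000000 "
    "Registry Value(s) \\REGISTRY\\CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS"
    "\\CURRENTVERSION\\RUN\\NVIDIA MEDIA CENTER LIBRARY"
)
EVENT_RE = re.compile(
    r"Threat Source Process Name: (?P<proc>.+?) Threat Source URL: .+? "
    r"New Data (?P<hex>[0-9a-fA-F ]+?) Registry Value\(s\) (?P<reg>.+)$"
)
# Assumed list: Windows binary names malware often borrows; a copy outside \Windows is suspect.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}

def decode_new_data(hex_blob: str) -> str:
    """HIPS 'New Data' is UTF-16LE hex with a NUL terminator; turn it back into text."""
    return bytes.fromhex(hex_blob.replace(" ", "")).decode("utf-16-le").rstrip("\x00")

def parse_event(text: str) -> dict:
    m = EVENT_RE.search(" ".join(text.split()))  # collapse line breaks from the paste
    if not m:
        raise ValueError("not a HIPS registry-write event")
    return {"process": m["proc"], "value_data": decode_new_data(m["hex"]), "registry": m["reg"]}

def triage(event: dict) -> list:
    """Why this Run-key write looks like the user-profile autostarts described in the thread."""
    low = event["value_data"].lower()
    reasons = []
    if "\\documents and settings\\" in low or "\\users\\" in low:
        reasons.append("target in user profile")
    if "\\recycler\\" in low or "\\$recycle.bin\\" in low:
        reasons.append("target in recycle bin")
    if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\windows\\" not in low:
        reasons.append("system binary name outside the Windows directory")
    return reasons

def hku_path(registry: str, sid: str) -> str:
    """HKCU is a per-logon link to HKEY_USERS\\<SID>, so a scanner running as SYSTEM
    (GetSusp deployed via ePO) must query the logged-on user's hive there, not its own HKCU."""
    prefix = "\\REGISTRY\\CURRENT_USER\\"
    if registry.upper().startswith(prefix):
        return "HKEY_USERS\\" + sid + "\\" + registry[len(prefix):]
    return registry
```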
Will you be able to post a new build as a present for Christmas that addresses some of these outstanding issues?
We're ready with the next build that incorporates most of the requested features & fixes. It's our New Year present, and we will be sending you a copy shortly.
Thank you. I look forward to toasting the new release and giving it a workout.
Having just renewed my McAfee contract on January 2nd, I was surprised to come home from work today, January 3rd, and see that my computer was besieged by bankerfoxA. I followed the steps suggested and downloaded GetSusp 3.0 to a flash drive on my laptop and then restarted in safe mode. I was successful in running GetSusp, but it did not detect any malicious or infected files. I called customer support thinking that surely they'd assist, as they have a banner running "Free 30 Days of support". However, after waiting on hold for 20+ minutes I was told I'd have to fork over another $90 to speak to a virus specialist. I then followed some other threads and installed Malwarebytes for FREE, which eradicated the problem in under 8 minutes. Can't wait to get a refund for my subscription from McAfee.