2 Replies Latest reply on Dec 21, 2010 4:33 PM by mjmurra

    FMR - Store actual found service/run key/trigger of files

      Here is a sample run from my environment:

| Status | MD5 | Location | File Name | Attribute | Company | Description | Product Version | File Version | File Size | Creation Date | Modification Date | Type |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| UNKNOWN | e7e69007f740ea11539facfd281e7dec | C:\WINDOWS\System32\Drivers | cmapmmr.sys | A | C-Map | C-Map USB Multimedia reader driver | 1.0.0.1 | 1.0.0.1 | 18,772 | 11/21/2008 16:18 | 05/13/2005 11:16 | Service |
| UNKNOWN | f4dc32e71ba997c894b5ec388fd10c97 | C:\WINDOWS\System32\spool\DRIVERS\W32X86\3 | LMAAG2DA.DLL | A | Lexmark International, Inc. | PCL Printer Driver User Interface | 8.2.2 | 8.2.2 | 321,536 | 01/01/1980 00:00 | 12/19/2002 01:55 | Module |
| UNKNOWN | 45dcde98b823663c0101c4776ad8dcda | C:\WINDOWS\System32\spool\DRIVERS\W32X86\3 | LMAAG2DD.DLL | A | Lexmark International, Inc. | Lexmark PCL Printer Driver | 8.2.2 | 8.2.2 | 379,392 | 01/01/1980 00:00 | 12/19/2002 01:55 | Module |
| UNKNOWN | 0fd6301287e3fa17d57fbd756f24e677 | C:\WINDOWS\System32\spool\DRIVERS\W32X86\3 | LMAAG2DL.DLL | A | Lexmark International, Inc. | PCL Printer Driver Language DLL | 8.2.2 | 8.2.2 | 723,968 | 01/01/1980 00:00 | 12/19/2002 01:55 | Module |
| UNKNOWN | ed8a4d2aa2e0648015fe80ca7dd27974 | C:\WINDOWS\System32\spool\DRIVERS\W32X86\3 | LMAAG2DU.DLL | A | Lexmark International, Inc. | PCL Printer Driver User Interface | 8.2.2 | 8.2.2 | 172,032 | 01/01/1980 00:00 | 12/19/2002 01:55 | Module |
| UNKNOWN | 3f9a3232e5f942874488981f3242c989 | C:\Program Files\UPHClean | uphclean.exe | A | Microsoft Corporation | User Profile Hive Cleanup Service | 1.6.30.0 | 1.6.30.0 | 241,725 | 04/27/2005 14:59 | 04/27/2005 14:59 | Process |
| UNKNOWN | 7e024cd0041cf4211fb1c0183744d548 | C:\Program Files\Nokia\Nokia PC Suite 6 | PcSync2.exe | A | Time Information Services Ltd. | PC Sync | 2.00 | 2.00 (608) | 1,294,336 | 11/07/2007 17:35 | 11/07/2007 17:35 | Run-Key |

      Under "Type", I have seen the following results:

      Run-Key, Service, Process, Module, Scheduled-Task (and I assume there are others too). I am often interested in which service or Run-Key the suspicious file is linked to (can help with malicious software or determining a file as clean).

      Is it possible to log in files.xml or getsusp.log (but perhaps not display in IE) how the file is linked as an autorun or similar?
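The linkage the post asks for (which Run key value, service or scheduled task references a reported file) is a join between the file list and an autorun inventory, and the hard part is normalising the paths as they appear in the registry. The script below is an added example, not GetSusp/FMR code; it uses the file paths from the sample run above, but the autorun inventory (Run key value names, service names, the task name and the command strings) is constructed to look like what a registry and Task Scheduler walk would produce, and the `SystemRoot` value is assumed. On a live system that inventory would be collected from the Run keys, the Services key and the task store, which this example does not do.

```python
"""Resolve which autorun entries reference each file in a GetSusp-style file list.

Added example. Report paths are taken from the sample run; the autorun
inventory below is constructed (hypothetical key, service and task names).
"""
import ntpath
import re
from collections import defaultdict

SYSTEM_ROOT = r"C:\WINDOWS"  # assumed; read %SystemRoot% on a real host

# (Location, File Name, Type) for a few rows of the sample report.
REPORT_FILES = [
    (r"C:\WINDOWS\System32\Drivers", "cmapmmr.sys", "Service"),
    (r"C:\Program Files\UPHClean", "uphclean.exe", "Process"),
    (r"C:\Program Files\Nokia\Nokia PC Suite 6", "PcSync2.exe", "Run-Key"),
    (r"C:\WINDOWS\System32\spool\DRIVERS\W32X86\3", "LMAAG2DA.DLL", "Module"),
]

# Constructed autorun inventory: the command strings deliberately cover the
# forms seen in the registry (quoted path with arguments, unquoted path with
# spaces, ImagePath relative to the system root, \SystemRoot\ prefix,
# different letter case).
AUTORUNS = [
    {"kind": "Run-Key",
     "source": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PCSync",
     "command": r'"C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /startup'},
    {"kind": "Service",
     "source": r"HKLM\SYSTEM\CurrentControlSet\Services\cmapmmr",
     "command": r"System32\Drivers\cmapmmr.sys"},
    {"kind": "Service",
     "source": r"HKLM\SYSTEM\CurrentControlSet\Services\UPHClean",
     "command": r"C:\Program Files\UPHClean\uphclean.exe -service"},
    {"kind": "Service",
     "source": r"HKLM\SYSTEM\CurrentControlSet\Services\Beep",
     "command": r"\SystemRoot\System32\drivers\beep.sys"},
    {"kind": "Scheduled-Task",
     "source": r"Task Scheduler\PCSync Nightly",
     "command": r"c:\program files\nokia\nokia pc suite 6\pcsync2.exe /sync"},
]

EXT_RE = re.compile(r"\.(exe|sys|dll|com|scr|cmd|bat)$", re.I)


def extract_image_path(command):
    """Return the executable part of a command string.

    A quoted command ends at the closing quote. An unquoted one is grown token
    by token until a known executable extension is reached, so paths with
    spaces survive and trailing arguments are dropped.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if EXT_RE.search(candidate):
            return candidate
    return tokens[0] if tokens else ""


def normalize(path):
    """Canonicalise a Windows path for comparison (absolute, normalised, lower case)."""
    p = path.strip().strip('"')
    p = re.sub(r"%systemroot%|%windir%", lambda m: SYSTEM_ROOT, p, flags=re.I)
    if p.lower().startswith("\\systemroot\\"):
        p = SYSTEM_ROOT + p[len("\\systemroot"):]
    if p.startswith("\\??\\"):
        p = p[4:]
    if not re.match(r"^[a-zA-Z]:\\", p):
        # A relative service ImagePath is resolved against the system root.
        p = ntpath.join(SYSTEM_ROOT, p)
    return ntpath.normpath(p).lower()


def build_index(autoruns):
    """Map each normalised image path to the autorun entries that launch it."""
    index = defaultdict(list)
    for entry in autoruns:
        index[normalize(extract_image_path(entry["command"]))].append(entry)
    return index


def resolve_triggers(report_files, autoruns):
    """For every reported file, list the autorun sources that reference it."""
    index = build_index(autoruns)
    result = {}
    for location, name, _type in report_files:
        key = normalize(ntpath.join(location, name))
        result[name] = [e["source"] for e in index.get(key, [])]
    return result


if __name__ == "__main__":
    for name, sources in resolve_triggers(REPORT_FILES, AUTORUNS).items():
        print(name, "<-", sources or "no autorun entry found")
```

The module in the spool driver directory resolves to no entry, which is the expected answer for a DLL loaded by a service rather than registered as one; the exe under the Nokia directory resolves to both the Run key value and the task even though the task stores the path in lower case. This is the kind of extra column that would make files.xml answer the question in the post without re-running an autorun enumeration by hand.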