[Dshield] Anyone seen

Jon R. Kibler Jon.Kibler at aset.com
Wed Feb 25 21:21:58 GMT 2004


Daugherty Bryan wrote:
<SNIP!>
> After inspection of the PCs involved I found sndman.exe running in Task
> Manager (located in C:\windows\system32), multiple registry entries
> starting the process, and an entry in C:\windows\prefetch.  I can stop the 
> process, remove the registry entries and the prefetch entry and the outbound 
> traffic halts and the ARP broadcasts stop.
> 
> The problem is that this is occurring on fully patched PCs with the most
> current antivirus updates.  My antivirus scans don't detect a thing.
> 
> I have sent this to my Anti-virus company and have not heard back.  I have
> never seen this pattern of traffic from PCs.
> 
<SNIP!>

Not a Windows expert, but have you tried running an independent scan, such as
using Panda Software's ActiveScan? 

BTW, a Google search on sndman.exe seems to indicate that it is hacker-installed
spyware -- maybe a keystroke logger. Most of the pages are in languages other 
than English and I am not sure how accurate the translations are.

Do you have a copy of the program that someone in this group could analyze?

Jon
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214



