A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #3098  by SecConnex
 Sat Oct 16, 2010 8:20 pm
I've been able to use DirQuery by AD successfully in the past.

Now, I am a bit stumped.

This is showing up in the process list: "\\.\globalroot\Device\svchost.exe\svchost.exe"

When I attempt to do DirQuery, the result is this:

Running from: C:\Documents and Settings\Jeff\Desktop\DirQuery.exe

Log file at : C:\Documents and Settings\Jeff\Desktop\DirQuery.txt

The driver that owns the link:

\\.\globalroot\Device\svchost.exe

is located at:

́́́́́́́́́́́́́́́́́́́Ȑ́́́́́́́̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂̂Ȑ̂̂̂̂̂̂̂̂Ġ̂Ԅ܆ईଊഌ༎ ᄐጒᔔ᜖ᤘᬚᴜ἞℠⌢┤✦⤨⬪⴬⼮㄰㌲㔴㜶㤸㬺㴼㼾䅀䍂䕄䝆䥈䭊䵌低児卒啔坖奘孚嵜彞䅠䍂䕄䝆䥈䭊䵌低児卒啔坖奘筚Ⳏ粑ⴄ粑⵱粑⵸粑f

and the device link is:

Ề%Ȉ



Was the location and device link encrypted, or was this an invalid read?

When I punch that information into a translator, it reads it as Chinese text, with the only noticeable words in it being "Death Qijizangbi", as if that is the name of the developer of the infection currently being tested (AV Pro 2010).
 #3099  by a_d_13
 Sat Oct 16, 2010 9:13 pm
Hello,

DirQuery is a tool that was written mostly for testing purposes. It's not very reliable, has very little error checking, and doesn't work at all on Windows 7. In short - that's a bug. I will take a look at the code if I have some time this weekend, and try to fix it.

Thanks,
--AD
 #3100  by SecConnex
 Sat Oct 16, 2010 9:19 pm
No problem. I was not sure about it, really, so good thing I posted this topic. ;)
 #3102  by EP_X0FF
 Sun Oct 17, 2010 2:54 am
[offtopic]DragonMaster Jay, can you please share this new TDL alike malware? :)[/offtopic]