WrtMon
Started By Susan G., Mar 04 2008 03:11 PM
8 replies to this topic
#1
Posted 04 March 2008 - 03:11 PM
I'm rather confused by what I found in researching WrtMon in my startup processes. Is this a threat or not? Should I uncheck it? One thing I found said that it's 64% dangerous. In msconfig/Startup, there is one WrtMon that is not checked so I must have unchecked that at one point, but there is another one that's checked.
On 2/3/08, I posted a HJT log (titled Trojan Horse Downloader.VB.AXO), and in looking at it now, I don't see WrtMon listed under C:\Windows\System32.
Suggestions?
Thanks.
#2 Re: WrtMon
Posted 04 March 2008 - 11:33 PM
Search your computer for WrtMon.exe.
When you find it, post back where the file is located.
At the same time upload the file here: http://www.virustotal.com/ for analysis.
#3 Re: WrtMon
Posted 05 March 2008 - 01:40 PM
Broni, on Mar 4 2008, 06:33 PM, said:
Search your computer for WrtMon.exe.
When you find it, post back where the file is located.
At the same time upload the file here: http://www.virustotal.com/ for analysis.
I found it at C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3
Description: NsWrtMon Microsoft Base Class Application
File Version: 1.0.0.1
Created: 6/18/07 1:57 PM
Size: 20.0 KB
Also, you mentioned uploading the file to http://www.virustotal.com for analysis. At that website, when I clicked on Browse, after entering the string, it entered a "3" in the last part of the string. Is that what I need to send or the entire string?
Thanks for your assistance.
Susan
#6 Re: WrtMon
Posted 06 March 2008 - 03:43 PM
Broni, on Mar 5 2008, 07:38 PM, said:
No, you need to upload WrtMon.exe, which is located in ..........\3 folder.
File WrtMon.exe received on 03.06.2008 16:33:13 (CET)
Current status: finished
Result: 0/32 (0.00%)
Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.06 -
AntiVir 7.6.0.73 2008.03.06 -
Authentium 4.93.8 2008.03.06 -
Avast 4.7.1098.0 2008.03.06 -
AVG 7.5.0.516 2008.03.06 -
BitDefender 7.2 2008.03.06 -
CAT-QuickHeal 9.50 2008.03.05 -
ClamAV None 2008.03.06 -
DrWeb 4.44.0.09170 2008.03.06 -
eSafe 7.0.15.0 2008.02.28 -
eTrust-Vet 31.3.5591 2008.03.06 -
Ewido 4.0 2008.03.06 -
FileAdvisor 1 2008.03.06 -
Fortinet 3.14.0.0 2008.03.06 -
F-Prot 4.4.2.54 2008.03.05 -
F-Secure 6.70.13260.0 2008.03.06 -
Ikarus T3.1.1.20 2008.03.06 -
Kaspersky 7.0.0.125 2008.03.06 -
McAfee 5245 2008.03.05 -
Microsoft 1.3301 2008.03.06 -
NOD32v2 2927 2008.03.06 -
Norman 5.80.02 2008.03.06 -
Panda 9.0.0.4 2008.03.06 -
Prevx1 V2 2008.03.06 -
Rising 20.34.32.00 2008.03.06 -
Sophos 4.27.0 2008.03.06 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.06 -
TheHacker 6.2.92.233 2008.03.04 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.06 -
Webwasher-Gateway 6.6.2 2008.03.06 -
Additional information
File size: 20480 bytes
MD5: 32f1a63c86d009d95994b543511d6e5c
SHA1: c5391f87dd9485574f7f75e21bec0592fa9d976e
PEiD: Armadillo v1.71
I also found another file in the same spot: WrtProc.exe and the results are:
File WrtProc.exe received on 03.06.2008 16:20:30 (CET)
Current status: finished
Result: 0/32 (0.00%)
Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.06 -
AntiVir 7.6.0.73 2008.03.06 -
Authentium 4.93.8 2008.03.06 -
Avast 4.7.1098.0 2008.03.06 -
AVG 7.5.0.516 2008.03.06 -
BitDefender 7.2 2008.03.06 -
CAT-QuickHeal 9.50 2008.03.05 -
ClamAV 0.92.1 2008.03.06 -
DrWeb 4.44.0.09170 2008.03.06 -
eSafe 7.0.15.0 2008.02.28 -
eTrust-Vet 31.3.5591 2008.03.06 -
Ewido 4.0 2008.03.06 -
FileAdvisor 1 2008.03.06 -
Fortinet 3.14.0.0 2008.03.06 -
F-Prot 4.4.2.54 2008.03.05 -
F-Secure 6.70.13260.0 2008.03.06 -
Ikarus T3.1.1.20 2008.03.06 -
Kaspersky 7.0.0.125 2008.03.06 -
McAfee 5245 2008.03.05 -
Microsoft 1.3301 2008.03.06 -
NOD32v2 2927 2008.03.06 -
Norman 5.80.02 2008.03.06 -
Panda 9.0.0.4 2008.03.06 -
Prevx1 V2 2008.03.06 -
Rising 20.34.32.00 2008.03.06 -
Sophos 4.27.0 2008.03.06 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.06 -
TheHacker 6.2.92.233 2008.03.04 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.06 -
Webwasher-Gateway 6.6.2 2008.03.06 -
Additional information
File size: 24576 bytes
MD5: 7d435741bf8a3049dafdf7be0cc319be
SHA1: 539ef7413740de2f57cd8ac63498ea332f5081a4
PEiD: Armadillo v1.71
So, I think the question remains as to whether I uncheck this at Startup or not. What do you recommend?
Thanks, Broni.
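The locate-and-verify steps Broni gave in reply #2, carried through against the hashes and sizes reported in reply #6, as an added PowerShell example that is not part of this thread. It assumes PowerShell 4 or later (for Get-FileHash), rights to read HKLM, and that msconfig on this Windows version parks unchecked entries under the Shared Tools\MSConfig\startupreg key; it enumerates the autostart entries that name WrtMon, resolves each to a file on disk, and reports whether that file is the same one VirusTotal scanned.

```powershell
# Added example (not from the thread): reconcile the WrtMon autostart entries
# with the files VirusTotal analysed, so the copy that runs at boot and the
# copy that was scanned are known to be identical.
$Name = 'WrtMon'

# Size and hashes exactly as posted in the thread's VirusTotal reports.
$Known = @{
    'WrtMon.exe'  = @{ MD5 = '32f1a63c86d009d95994b543511d6e5c'; SHA1 = 'c5391f87dd9485574f7f75e21bec0592fa9d976e'; Size = 20480 }
    'WrtProc.exe' = @{ MD5 = '7d435741bf8a3049dafdf7be0cc319be'; SHA1 = '539ef7413740de2f57cd8ac63498ea332f5081a4'; Size = 24576 }
}

# Autostart locations: the Run keys, plus the key where msconfig stores the
# entries that have been unchecked (assumption: Windows XP-era layout).
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\*'
)

foreach ($key in $Keys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_
        $item.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -is [string] -and $_.Value -match $Name } |
            ForEach-Object {
                # Strip surrounding quotes and trailing arguments to get the bare executable path.
                $exe = ($_.Value -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1')
                Write-Host "Autostart: $($item.PSPath) -> $($_.Name) = $($_.Value)"
                if (-not (Test-Path -LiteralPath $exe)) { Write-Host "  file not found: $exe"; return }
                $file = Get-Item -LiteralPath $exe
                $md5  = (Get-FileHash -LiteralPath $exe -Algorithm MD5).Hash.ToLower()
                $sha1 = (Get-FileHash -LiteralPath $exe -Algorithm SHA1).Hash.ToLower()
                $sig  = (Get-AuthenticodeSignature -LiteralPath $exe).Status
                Write-Host "  size=$($file.Length) md5=$md5 sha1=$sha1 signature=$sig"
                $ref = $Known[$file.Name]
                if ($ref) {
                    $same = ($ref.MD5 -eq $md5) -and ($ref.SHA1 -eq $sha1) -and ($ref.Size -eq $file.Length)
                    Write-Host "  identical to the file VirusTotal scanned in this thread: $same"
                }
            }
    }
}
```

A mismatch means the file on disk is not the one that produced the 0/32 result and should be submitted again; an entry whose path does not exist is stale and can be removed from the autostart list.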
#9 Re: WrtMon
Posted 07 March 2008 - 03:30 PM
You're welcome