Passfilt.dll checksum incorrect

Risk Level: High

Check or Attack Name: Passfilt.DLL checksum

Platforms: Windows NT

Description:

Passfilt.dll is referenced in the Lsa registry key, but the file found in %systemroot%\system32 has a checksum that does not match that of any known passfilt.dll file shipped by Microsoft. A file that is the correct size, but possesses the wrong checksum, could indicate an attacker is capturing passwords.
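The comparison described above can be reproduced against an offline copy of the system32 directory; the following Python sketch is an added example, not Internet Scanner's own code. Assumptions: SHA-256 stands in for the checksum algorithm, which this page does not name; the `Notification Packages` value name comes from Q161990 rather than from this page; the baseline and all file contents are constructed stand-ins, and a real baseline must be built from trusted Microsoft media.

```python
import hashlib
import tempfile
from pathlib import Path

def fingerprint(data):
    """Return (size, SHA-256 hex digest) for a file's contents."""
    return len(data), hashlib.sha256(data).hexdigest()

def find_dll(system32, name="passfilt.dll"):
    """Case-insensitive lookup: the image may sit on a case-sensitive filesystem."""
    for entry in Path(system32).iterdir():
        if entry.is_file() and entry.name.lower() == name:
            return entry
    return None

def check_passfilt(notification_packages, system32, baseline):
    """baseline: set of (size, sha256) pairs taken from trusted media."""
    referenced = any(p.strip().lower() in ("passfilt", "passfilt.dll")
                     for p in notification_packages)
    if not referenced:
        return "not-referenced"
    dll = find_dll(system32)
    if dll is None:
        return "referenced-but-missing"
    size, digest = fingerprint(dll.read_bytes())
    if (size, digest) in baseline:
        return "known-good"
    if size in {s for s, _ in baseline}:
        # Same length as a shipped build but different content: the case
        # this advisory flags as a possible password-capturing replacement.
        return "size-match-checksum-mismatch"
    return "unknown-build"

def demo():
    """Run the check over constructed stand-in files (not real DLLs)."""
    genuine = b"MZ" + b"\x00" * 62 + b"constructed stand-in for a shipped build"
    tampered = genuine[:-1] + b"X"        # same size, one byte changed
    baseline = {fingerprint(genuine)}
    packages = ["FPNWCLNT", "PASSFILT"]   # constructed registry value
    results = {}
    for label, content in (("genuine", genuine), ("tampered", tampered),
                           ("other", b"different length")):
        with tempfile.TemporaryDirectory() as tmp:
            (Path(tmp) / "PASSFILT.DLL").write_bytes(content)
            results[label] = check_passfilt(packages, tmp, baseline)
    with tempfile.TemporaryDirectory() as tmp:
        results["missing"] = check_passfilt(packages, tmp, baseline)
        results["unreferenced"] = check_passfilt(["FPNWCLNT"], tmp, baseline)
    return results

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13} {verdict}")
```

Only the `size-match-checksum-mismatch` verdict corresponds to the finding on this page; the other verdicts separate it from a missing file or a build that is simply absent from the baseline.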

Remedy:

Determine if the passfilt.dll file is a Trojan horse or a program placed with malicious intent. If so, consider your system and its security compromised. If not, reinstall passfilt.

To install passfilt, follow these steps:

Passfilt.dll is shipped with Service Pack 3 for Windows NT 4.0 and later. To install passfilt.dll properly, use the information provided in the Microsoft Knowledge Base Article Q161990 listed below.

—OR—

If the passfilt.dll installed on this system is a Trojan horse program:

  1. Immediately remove the computer from the network.
  2. Create a backup of the contents of the hard drive, or isolate the data on a non-networked storage device.
  3. Perform a low-level format of all hard drives on the computer.
  4. Reinstall the operating system.
  5. Configure the computer with the original user names, groups, and applications.
  6. Run Internet Scanner to determine vulnerabilities, and resolve detected vulnerabilities.
  7. Before using the files on the backup, scan all files using an up-to-date antivirus program, and copy only the files you know to be authorized on that computer.
  8. Reconnect the computer to the network.

References:

Microsoft Knowledge Base Article Q161990, "How to Enable Strong Password Functionality in Windows NT", at http://support.microsoft.com/support/kb/articles/q161/9/90.asp or http://support.microsoft.com/support/ntserver/serviceware/10141574.asp.
