Page 1 of 3 123 LastLast
Results 1 to 10 of 21

Thread: Do I have a malware attack

  1. #1
    krishan Guest

    Default Do I have a malware attack

    Hello
    I did a scan with rootkit revealer after switch off ZA Por and KAV. I am concerned about last entry
    HKLM\SECURITY\Policy\Secrets\SAC*
    10/10/2005 17:35
    0 bytes
    Key name contains embedded nulls (*)
    HKLM\SECURITY\Policy\Secrets\SAI*
    10/10/2005 17:35
    0 bytes
    Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
    15/05/2007 08:15
    80 bytes
    Data mismatch between Windows API and raw hive data.

    regards
    krishan

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Pro
    Software Version:6.5

  2. #2
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,288

    Default Re: Do I have a malware attack

    Hi!It looks normal, they are part of the windows XP installation...Just google them and you will see... for example:http://forum.sysinternals.com/forum_...=8748&PN=1Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3
    krishan Guest

    Default Re: Do I have a malware attack

    The first 2 are, but the last one can be something else.I not whenever ad-watch real time monitor is on and I click IE or microsoft outlook it says registry mod detected on cftmon.exe
    which is related to API, so has something hijacked ctfmon.exe?
    krishan

  4. #4
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,288

    Default Re: Do I have a malware attack

    Nope, looks also normal to me... :8}Which rootkit revealer are you using?It would be good you post your question into their forum.So, you can get a more detailed answer....Cheers,Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  5. #5
    krishan Guest

    Default Re: Do I have a malware attack

    fax
    I did that with rootkit revealer
    below I am pasting after using hijackthis from trend-micro
    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 10:58:59, on 15/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: NormalRunning processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Packard Bell Data Secure\PBDataSecure.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\system32\ctfmon.exe
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    J:\download\HiJackThis_v2.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...amp;pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...amp;pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...amp;pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...amp;pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...amp;pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...amp;pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...amp;pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...amp;pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...amp;pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...amp;pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TY...amp;pf=desktop
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Packard Bell Data Secure] C:\Program Files\Packard Bell Data Secure\PBDataSecure.exe
    O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://download.windowsupdate.com
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: JJTTYML - Sysinternals - www.sysinternals.com - C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\JJTTYML.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe--
    End of file - 8710 bytes

    do u see anything??
    krishan

  6. #6
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,288

    Default Re: Do I have a malware attack

    Nope, looks clean... and if it was a rootkit you would not be able to see it with HijackThis Log :8}Do you known this CLOAKER.EXE.. I can't seeanything elseFax

    Message Edited by fax on 05-15-2007 03:19 AM

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  7. #7
    krishan Guest

    Default Re: Do I have a malware attack

    I dont really no anything about clocker.exe from HP, I will contact them about it, my only real conern was something inside ctfmon.exe
    krishan

  8. #8
    krishan Guest

    Default Re: Do I have a malware attack

    I also did a scan with blacklight and it did not alert me of anything, so maybe I am clean!!!
    krishan

  9. #9
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,288

    Default Re: Do I have a malware attack

    Hi!most probably you are perfectly clean.Rootkit scanners may find entries in your system but it does not mean that these entries aremalware :8}Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  10. #10
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,288

    Default Re: Do I have a malware attack

    If you do not get a feedback from HP, just upload that exe to www.virustotal.com and see if it is clean or not...Note that, if the file is locked you will not be able to upload or you will be uploading a 0byte file.Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

Page 1 of 3 123 LastLast

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •