WinXP sp 3 contains keylogger?

[Edna Boxe]

Since I've downloaded sp 3 Norton Internet Security says that
c:\\windows\system32\ctfmon.exe has a keylogger, is this a false positive?
If I remove sp 3 the keylogger also goes so I know it's nothing else.

Edna.

 

[R. McCarty]

Yes because NIS = Not Intelligent Software

Really gives a good sense of security when it indicts a Microsoft
Office component as a keylogger.

 

[PA Bear [MS MVP]]

What does Symantec Support have to say about it?

Frequently asked questions about Ctfmon.exe:
http://support.microsoft.com/kb/282599

 

[nass]

but this process can be infected R.McCarty with a virus or keyloggers?
Not because of the updates but it could be the updates revealed the
infection and the OP need to check further.
Like the Svchost.exe can be embedded with a Troj?

FileMon for Windows v7.04
http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx
Have a look here for windows Sysinternals
http://technet.microsoft.com/en-us/sysinternals/default.aspx

Use this tool to see what taken the most usage of the CPU on your machine.
ShellExView v1.19 - Shell Extensions Manager
http://www.nirsoft.net/utils/shexview.html

To the OP please upload this file ( ctfmon.exe) to this link for scan:
http://www.virustotal.com

 

[MowGreen [MVP]]

NIS is NOT reliable. It's difficult to believe anything it reports.
IF ctfmon.exe was infected prior to the application of SP3, then NIS
*should have been reporting* it as infected then.

Since this issue occurred after applying SP3, then I'd be willing to bet
my house that it's a False Positive.

Frequently asked questions about Ctfmon.exe
http://support.microsoft.com/kb/282599

Was NIS actively monitoring the system during the download and
installation of SP3 ?
Have you checked Symantec's site to see if this has been reported to them ?


MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

 

[MowGreen [MVP]]

Why wasn't NIS reporting ctfmon as being infected prior to the
application of SP3 ?

Malwares can prevent updates from being downloaded or installed.
IF the installation of Windows updates was needed by NIS in order for it
be able to detect ctfmon as infected, then NIS is NOT trustworthy.

MowGreen [MVP 2003-2008]
================
*-343-* FDNY
Never Forgotten
===============

 

[nass]

Since I've downloaded sp 3 Norton Internet Security says that
c:\\windows\system32\ctfmon.exe has a keylogger, is this a false positive?
If I remove sp 3 the keylogger also goes so I know it's nothing else.

Edna.

Check this and you can contact Norton for help:
Spyware.UltraKeylogge
http://www.symantec.com/security_response/writeup.jsp?docid=2006-021416-3341-99&tabid=2
Technical Issues Support
http://www.symantec.com/norton/support/selectproduct_ts.jsp
Also you can use other online virus scanners to get a clear idea on how
clean your system.

 

[nass]

Actually it happen with me this morning on a client machine updating from
AVG 7.0.5 to version 8.0.1 reported a Zip as a keylogger.
This Zip was there while AVG version 7.5 was installed and up2date..some new
definitions can give new flase positive or can discover viral infection that
wasn't spread at the time to get its grip on the system!
Does this ring the bill:
Spyware.UltraKeylogge
http://www.symantec.com/security_response/writeup.jsp?docid=2006-021416-3341-99&tabid=2
I agree with you that NIS can give false positive about some files/folders,
but again the security implementation in SP3 ??? more raised and can cause
confusion still to know what the rest of AVs will come up with

nass

Why wasn't NIS reporting ctfmon as being infected prior to the
application of SP3 ?

Malwares can prevent updates from being downloaded or installed.
IF the installation of Windows updates was needed by NIS in order for it
be able to detect ctfmon as infected, then NIS is NOT trustworthy.

MowGreen [MVP 2003-2008]
================
*-343-* FDNY
Never Forgotten
===============

but this process can be infected R.McCarty with a virus or keyloggers?
Not because of the updates but it could be the updates revealed the
infection and the OP need to check further.
Like the Svchost.exe can be embedded with a Troj?

FileMon for Windows v7.04
http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx
Have a look here for windows Sysinternals
http://technet.microsoft.com/en-us/sysinternals/default.aspx

Use this tool to see what taken the most usage of the CPU on your machine.
ShellExView v1.19 - Shell Extensions Manager
http://www.nirsoft.net/utils/shexview.html

To the OP please upload this file ( ctfmon.exe) to this link for scan:
http://www.virustotal.com



:

 

[Edna Boxe]

From what I hear if the svchost is in the system 32 folder then it's ok,
anywhere else & it's definitely a virus, is this correct?

Edna.

 

[Edna Boxe]

File analyser says it's clean.

Everything is running as it should be there's no unusual processes or heavy
usage that I can see.

Edna.

 

[Edna Boxe]

That's what I'd like to know, usually Norton is 100% reliable for me that's
why I use it, seems strange that previous to the sp 3 it didn't detect this.

Edna.

Why wasn't NIS reporting ctfmon as being infected prior to the application
of SP3 ?

Malwares can prevent updates from being downloaded or installed.
IF the installation of Windows updates was needed by NIS in order for it
be able to detect ctfmon as infected, then NIS is NOT trustworthy.

MowGreen [MVP 2003-2008]
================
*-343-* FDNY
Never Forgotten
===============

but this process can be infected R.McCarty with a virus or keyloggers?
Not because of the updates but it could be the updates revealed the
infection and the OP need to check further.
Like the Svchost.exe can be embedded with a Troj?

FileMon for Windows v7.04
http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx
Have a look here for windows Sysinternals
http://technet.microsoft.com/en-us/sysinternals/default.aspx

Use this tool to see what taken the most usage of the CPU on your
machine.
ShellExView v1.19 - Shell Extensions Manager
http://www.nirsoft.net/utils/shexview.html To the OP please upload this
file ( ctfmon.exe) to this link for scan:
http://www.virustotal.com



:

 

[Edna Boxe]

Check this and you can contact Norton for help:
Spyware.UltraKeylogger
http://www.symantec.com/security_response/writeup.jsp?docid=2006-021416-3341-99&tabid=2
Technical Issues Support
http://www.symantec.com/norton/support/selectproduct_ts.jsp
Also you can use other online virus scanners to get a clear idea on how
clean your system.

Checked & there's nothing in the start-up files so system is clean, I'll now
contact Norton for help.

Edna.

 

[Edna Boxe]

No as it tells you to disable AV software otherwise it can cause conflicts,
as yet I've not contacted Norton but will do so.

Edna.

NIS is NOT reliable. It's difficult to believe anything it reports.
IF ctfmon.exe was infected prior to the application of SP3, then NIS
*should have been reporting* it as infected then.

Since this issue occurred after applying SP3, then I'd be willing to bet
my house that it's a False Positive.

Frequently asked questions about Ctfmon.exe
http://support.microsoft.com/kb/282599

Was NIS actively monitoring the system during the download and
installation of SP3 ?
Have you checked Symantec's site to see if this has been reported to them
?


MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

Since I've downloaded sp 3 Norton Internet Security says that
c:\\windows\system32\ctfmon.exe has a keylogger, is this a false
positive? If I remove sp 3 the keylogger also goes so I know it's nothing
else.

Edna.

 

[nass]

Yes, but you can have 6 instances of svchost.exe running in the task
manager? did you searched for it (Ctfmon.exe)?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run = how many
entries there for the ctfmon.exe here?

The svchost.exe is a security process and can be used by many running
services, also you can experiencing a memory leak.
Process located here:
C:\WINDOWS\system32\svchost.exe size: 14336

Use this tool to see what taken the most usage of the CPU on your machine.
ShellExView v1.19 - Shell Extensions Manager
http://www.nirsoft.net/utils/shexview.html

Go through these cleaning steps:
1... Click start >> Control Panel >> Double Click Network and Internet
Connections >> Double click Internet Options, on the IE Properties window
you will see these Options:
General | Security | Privacy | Content | Connections | Programs
| Advanced .

Click on General Tab (1st Tab on the left) and you will see a Button called
[ Clear History ..] click on it to clear your History caches, then click on
[Delete Files..] to delete Internet Files created over the time, click on [
Delete Cookies...] to delete your cookies left by visiting websites.
Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.

= Then try to Disable the Add-Ons on your Browser somehow installed on your
browser, On how to disable the Add-ons follow this:
Click on Programs Tab and then click the Manage Add-Ons Button there Disable
the None/Not Verified Plug-ins/Add-ons ( you need to Renable them one-by-one
later and see which is the culprit .
How to manage Add-Ons:
http://support.microsoft.com/kb/883256

Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm

RootkitRevealer v1.71
By Bryce Cogswell and Mark Russinovich
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (off-line scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html

Lots of tools to download and disinfect your machine (off-line scanner):
http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/

How to speed your PC:
http://www.blackviper.com/WinXP/supertweaks.htm

Run disk clean up and then run this command:
sfc /scannow

How To: troubleshoot svchost.exe:
http://blogs.technet.com/askperf/ar...started-with-svchost-exe-troubleshooting.aspx


Download the Hijackthis and send the report to one of
many
forums for analysis and troubleshooting:
When all else fails, HijackThis v2.0.2
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php) is
the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to:
http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7
http://www.bleepingcomputer.com/tutorials/tutorial42.html
http://www.bleepingcomputer.com/forums/
Or other appropriate
forums for expert analysis, not here.
Let us know your progress.
nass

 

[nass]

Then it is false positive by Norton and you are clear from infestation.
Although it does not harm you if you performed the cleaning steps in my
previous post but it is n't necessary to do so unless you have some doubts
and you need to put them to rest!.

 

[smlunatick]

Where did you get your version of SP3? If it was not from a Microsoft's web
site, then it's integrity is "suspect!"

 

[Edna Boxe]

Checking the registry there's no entries for ctfmon.exe, there's one in
HKEY_LOCAL_MACHINE\system\control\terminal server\SysProc though.

History & cookies are deleted every time my computer starts - using
CCleaner.

Edna.

Yes, but you can have 6 instances of svchost.exe running in the task
manager? did you searched for it (Ctfmon.exe)?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run = how
many
entries there for the ctfmon.exe here?

The svchost.exe is a security process and can be used by many running
services, also you can experiencing a memory leak.
Process located here:
C:\WINDOWS\system32\svchost.exe size: 14336

Use this tool to see what taken the most usage of the CPU on your machine.
ShellExView v1.19 - Shell Extensions Manager
http://www.nirsoft.net/utils/shexview.html

Go through these cleaning steps:
1... Click start >> Control Panel >> Double Click Network and Internet
Connections >> Double click Internet Options, on the IE Properties window
you will see these Options:
General | Security | Privacy | Content | Connections | Programs
| Advanced .

Click on General Tab (1st Tab on the left) and you will see a Button
called
[ Clear History ..] click on it to clear your History caches, then click
on
[Delete Files..] to delete Internet Files created over the time, click on
[
Delete Cookies...] to delete your cookies left by visiting websites.
Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.

= Then try to Disable the Add-Ons on your Browser somehow installed on
your
browser, On how to disable the Add-ons follow this:
Click on Programs Tab and then click the Manage Add-Ons Button there
Disable
the None/Not Verified Plug-ins/Add-ons ( you need to Renable them
one-by-one
later and see which is the culprit .
How to manage Add-Ons:
http://support.microsoft.com/kb/883256

Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm

RootkitRevealer v1.71
By Bryce Cogswell and Mark Russinovich
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (off-line scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html

Lots of tools to download and disinfect your machine (off-line scanner):
http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/

How to speed your PC:
http://www.blackviper.com/WinXP/supertweaks.htm

Run disk clean up and then run this command:
sfc /scannow

How To: troubleshoot svchost.exe:
http://blogs.technet.com/askperf/ar...started-with-svchost-exe-troubleshooting.aspx


Download the Hijackthis and send the report to one of
many
forums for analysis and troubleshooting:
When all else fails, HijackThis v2.0.2
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
is
the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to:
http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7
http://www.bleepingcomputer.com/tutorials/tutorial42.html
http://www.bleepingcomputer.com/forums/
Or other appropriate
forums for expert analysis, not here.
Let us know your progress.
nass
----
http://www.nasstec.co.uk

From what I hear if the svchost is in the system 32 folder then it's ok,
anywhere else & it's definitely a virus, is this correct?

Edna.

 

[Edna Boxe]

Thanks, I will.

Edna.

Then it is false positive by Norton and you are clear from infestation.
Although it does not harm you if you performed the cleaning steps in my
previous post but it is n't necessary to do so unless you have some doubts
and you need to put them to rest!.

 

[Edna Boxe]

Direct from the Microsoft website using Windows update this is why I believe
it's a false positive.

Edna.

 

[Edna Boxe]

The link refers to Microsoft XP Office, I don't have that but do have a PP
reader, it does seem I don't require Ctfmon.exe as I also don't use the
language bar.

I haven't asked Norton yet as it's a very poor support but will do so.

Edna.