Anyone know if this is a false positive?


Kraellin
06-25-2007, 09:37 PM
Anyone know if this file, ibhfcyte.exe, is a virus, or is my AVG anti-virus giving me a false positive? I ask because even though this popped up with AVG, they don't list the thing in their virus encyclopedia/database, and Google has nothing on it either.

AVG says it's a 'Trojan horse downloader.Generic3XEN'. I've got so many automatic downloaders that I just can't tell if this is a legitimate file or a virus.

Doug Nelson
06-26-2007, 01:07 AM
It gets zero google hits, so I definitely wouldn't trust it.

Cameraken
06-26-2007, 02:54 AM
Hi Craig

This does sound like a random file name and is probably a bad file.
You may get more info by checking its properties (right click the file and click Properties).

You can test the file at Jotti or VirusTotal.

Go to VirusTotal (www.virustotal.com) or Jotti's (http://virusscan.jotti.org/), and scan the following file(s).

ibhfcyte.exe


Click on the Browse button at the top of the screen.
Browse to the file.
Click OK.
Click Send, and the file will upload to VirusTotal / Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open, with details of what the scans found.
Note details of any viruses found.


Ken.

Kraellin
06-26-2007, 09:41 PM
Thanks, Doug, Ken.

This thing is quite weird. It's only 9 KB, and when I open Windows Explorer and go to Windows\system32 to look at the file, the AVG alert goes off as soon as the file comes into view. I don't have to click on anything or even mouse over anything. All I have to do is see the file name in Windows Explorer and the alert goes off.

But that's not even the strangest part. I decided to go to microsoft.com and see if they recognized it. I entered the file name into their search and it came up with nothing, but on the new results page of the search, AVG once again went off on seeing the name.

Then, going down to the task bar and minimizing Windows Explorer or Internet Explorer and then maximizing either one again with that same name showing, AVG would go off again.

Quite odd.

Oh, and I went to both of those sites, Ken, and both gave the same results: the file wouldn't upload, so they couldn't analyze it.

And when the AVG alert comes up, it gives me four options: ignore, info, heal or move to vault. When I click on info, it takes me to AVG's encyclopedia. They have no knowledge of the file/virus.

When I try to open it in Notepad, I'm denied because it's a 'system file'.

Never seen a file act quite like this.

chillin
06-26-2007, 11:42 PM
If this is only 9kb I would drop it into a notepad or text pad to see what is hidden inside. Could you send it to me? I'll try to play with it.

Kraellin
06-27-2007, 12:14 AM
When I try to open it in Notepad, I'm denied because it's a 'system file'.

Sorry, chillin, tried that.

Photo678
06-27-2007, 02:52 AM
Two things: do a system search for the file name and try to find out what folder it is hiding itself in... that could give you an idea of what program it is attached to.

Second thing... go to your "Run" command under the Start menu, type "msconfig" without quotes, and click the Startup tab. Look through the list and try to spot that file; it will typically tell you what program is running that exe file.

Basically, it IS a program that is running on your computer. My guess is some plugin that you recently installed.

Kraellin
06-27-2007, 12:20 PM
Photo678, it's in the system32 folder.

Well, there are lots of programs in system32 that don't get run until you call something else up. The file is not in my startup list, at least not in the stuff that msconfig can see. The file has been there since January of this year, apparently.

I don't ever recall seeing that name come up in Zone Alarm asking for permissions, and I don't recall WinPatrol ever asking about it either. It doesn't seem to be an active program. It's not denying me access because of 'file in use'; it's just denying me access because it's a 'system file', or so it says. But Microsoft has no knowledge of it, Google has no knowledge of it, and AVG has no knowledge of it, even though the AVG alerter is calling it a 'Trojan horse downloader.Generic3XEN'. So, I don't know where it came from, or if it's doing anything, or whether it's associated with some other program. It may well be a legit file associated with something I installed back in January of this year, but I can't tell.

I suppose I could isolate it to the AVG virus vault and see if anything then fails to run. But I hate doing things like that blindly, with no knowledge of whether this is legit or not.

Cameraken
06-27-2007, 12:40 PM
Hi Craig.

That is often the effect of files in use and malware files that protect themselves.
Try copying the files to some other place and submit them from there. If that does not work, try the following:

Go to Start > My Computer. Click the C drive. On the right side of the window please find Make a new folder and click it. Call it Cleanup.

Now download IceSword from http://www.majorgeeks.com/Icesword_d5199.html to a place where you can find it.

Extract it to a place where you can find it.

Once you have extracted it click on Icesword.exe to start the program.
Next find the tab Files on the right side. Click it and it will open up an interface that looks like Windows Explorer.

Navigate your way to >ibhfcyte.exe<

Right click it and select "copy to". Send it to C:\Cleanup

Next please submit C:\cleanup\bad File to be scanned by Jotti and/or by Virus Total.


Ken.

Gary Richardson
06-27-2007, 12:48 PM
Run an HJT scan and post the log back here, Craig; there may be other items on your log that will give us a clue as to what your problem file is connected with.


Glad to see you've been reading Elrond's posts Ken.

Kraellin
06-27-2007, 10:53 PM
It won't do it, Ken. I got IceSword, followed everything exactly as you said, but it won't enter the file name or save in the Copy To window. Enclosed is a screenshot of where I got to. Everything worked fine up to being able to save to 'Cleanup'.

Kraellin
06-27-2007, 10:59 PM
In fact, I can't copy anything with this. Nothing will enter into where the file name should go. This is version 1.20. Maybe bugged or blocked? And yes, I can do normal copies in Windows Explorer. Just tried it.

Kraellin
06-27-2007, 11:09 PM
This must be a newer/older version. The 'Files' tab is on the lower left, not the right.

And what is this 'cooperator' thing that came with IceSword?

Kraellin
06-27-2007, 11:17 PM
Here's the HJT logfile, Gary:

Logfile of HijackThis v1.99.1
Scan saved at 12:11:12 AM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo XI\Corel Paint Shop Pro Photo.exe
D:\Applications-Utilities\HijackThis-1-9 free\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.retouchpro.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.filterforge.com
O15 - Trusted Zone: http://www.retouchpro.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171850158937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172812827828
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Gary Richardson
06-28-2007, 01:31 AM
HJT log's clean, Craig.

However, HJT isn't the be-all and end-all of diagnostics and there's a whole bunch of things it doesn't show, so let's look a little further.

First clear your temp files out so we have less to scan.


Click Start > Run and type cleanmgr then click OK.
This will bring up the Disk Cleanup window.
Check the following entries.

Temporary Internet Files.
Recycle Bin.
Temporary Files.

Click OK.
When a prompt pops up click Yes.


Next

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner)

Note: You must be using Internet Explorer as your browser, as it will be necessary to install an ActiveX component on your computer.

Important If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:


Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)

Scan Options:

Scan Archives
Scan Mail Bases


Click OK.
Now under select a target to scan select My Computer.
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.


Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

Might as well check for "hidden" stuff as well.

Download GMER (http://www.gmer.net/gmer.zip) and unzip it to your Desktop. (It will create a folder GMER)

Alternate Download Site (http://gmer.thespykiller.co.uk/)


Disconnect from the Internet, and close all running programmes.
There is a small chance this programme may crash your computer, so save any work you have open.
Open the GMER folder, and double click gmer.exe
Let the gmer.sys driver load if asked.
If it gives you a warning at programme start about rootkit activity and asks if you want to run a scan ..... click OK.
If no warning:

Click Rootkit tab.
Ensure that All the boxes to the right of the program are checked except Show All.
Click Scan.

Once scan is finished click Copy.

Click Start > Run then type Notepad.exe then click OK.
This will open a Notepad file.
Hit Ctrl+V to paste log into it.
Save the log to your Desktop.

Reconnect to internet and post the log please.


Don't try and clear anything it says is a Rootkit, a lot of Firewall and Anti-Virus programmes use techniques similar to Rootkits to operate, the entries found may be related to them.

Post each log separately, as they can be quite long sometimes and the post size limiter might cut them off.


Photoshop. Tried the IceSword technique myself, didn't work for me either. This was posted at MRU by one of the teachers there, which is why Ken posted it, I'll have to have a word with him about it.

Cameraken
06-28-2007, 12:01 PM
Hi Craig.

Sorry it did not work, Craig. It 'should' have worked.
It works fine for me.

There should be an extra step in the instructions.

F1) Type a name (eg. Bad.file) into the filename box

And as you mentioned the 'File Tab' is at the left.

But apart from that it is working perfectly on my PC. (I am on FAT32)

We should get some answers at MRU as to why you had problems.

I thought this was an easier method than trying to copy the file in DOS which is how I used to copy a file in use.

In the meantime this may not be necessary as the scans Gary has suggested should locate any problems.

Ken.

Kraellin
06-28-2007, 12:43 PM
Ken, tried just typing the name in after the Save dialogue window opened, and that worked. It's now in my 'Cleanup' folder. So, I went back to the two sites you posted for sending the file to for checking, and both reported back that the file either couldn't be sent or had 0 bytes.

So, I tried to open it from the Cleanup folder and got an error message saying: 'Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.'

And Gary, I haven't ignored your last post, but I am delaying acting on it for a bit. I'm beginning to believe this may be just a corrupted file. Nobody seems to recognize the file: not AVG, not Microsoft, and not Google. Corrupted files often show the wrong file size and sometimes the wrong name. It doesn't seem to be 'active'; I've never had anything pop up trying to get through Zone Alarm to call home, and WinPatrol has never tried to tell me that some idiot program is trying to run or install using this thing. And HJT sees nothing. So, I think what I'm going to try next is to have AVG isolate this thing to the virus vault and see what that does. With all the idiot permissions stuff coming up on this, I'm not sure AVG can do it, but I think it's worth a try at this point.

I don't know what I was doing back in January (that being the date this thing says it was created), but if I've not detected any ill effects on my system since that time, I'd say this thing is pretty innocuous, whatever it is.

I'll keep you informed... providing everything doesn't crash and burn :)

Kraellin
06-28-2007, 12:56 PM
OK, I had AVG consign this thing to the virus vault. If it turns out to be something I actually need, I can retrieve it from there.

And, immediately after moving it to the vault, I rebooted to see if some .dll or startup item would put it back. I checked system32 for the file and it wasn't there. So, nothing in Windows or startup is creating the file. It remains to be seen if some other program will do this or not, but at least it doesn't seem to be in my startup... and that's good!

So, I'll keep an eye on it and check system32 every so often, and also watch for odd behavior in any of the other programs I use.

And as always, thanks guys! You're the best! :)

Oh, and Ken, that IceSword looks like it has more uses than just a super-copy. What else does it do?

Cameraken
06-28-2007, 01:44 PM
Hi Craig.

Try naming the file bad.dll (you need to type the extension, i.e. .dll).
That may upload to jotti.

Icesword is a rootkit finder/remover with extras.

The instructions for using it are here
http://www.castlecops.com/t165203-IceSword_Instructions_in_English_Illustrated.html

I am not sure if you need to register to see that link.

Beware. IceSword can toast your PC.

While you have it installed you could check for rootkits.


Once IceSword is open, click the Win32 Service Function on the left Menu Bar
If any red entries are found, click the blue Log Tab at the top of the screen and save the log to documents folder as service-list.txt.
Now, Click IceSword's Process Function on the left Menu Bar
If any red entries are found, click the blue Log tab at the top of the screen and save the log to documents folder as processlist.txt.



Ken.

Gary Richardson
06-28-2007, 05:19 PM
Be very careful with Icesword, it is an extremely powerful programme, and can do untold damage if used inappropriately.

It can be used to delete files, edit your registry, and a whole lot of other things. Unlike Windows, it will not give you any warnings if you're doing something foolish, and will remove anything (system files, registry hives, etc.).

You can quickly turn your PC into a lovely paperweight by using Icesword without due care.

Glad to hear the file Quarantined OK, I'd still like to see a GMER scan though, the file may just have been an installer for something really nasty (some of them self destruct to a degree afterwards). Not all Malware gives you pop-ups or indeed any indication of their presence but may be being used to steal data. Best we find out that is not the case.

juggler
06-28-2007, 07:23 PM
I also use the AVG Anti-virus. I tried to look it up at the whatis.com, but see that you already have.

Gary Richardson
06-29-2007, 01:34 AM
Craig, just been looking over your HJT log again.

Are you running both AVG AntiVirus AND Symantec as real-time scanners?

Not a good idea if you are, there will be conflicts. You need to kill the real-time protection of one of them if you are.

Better still, remove one of the programmes; two AVs rarely co-exist happily, especially when one of them is Norton/Symantec.

Kraellin
06-30-2007, 07:42 PM
Gary, no. The Symantec stuff is from Ghost.

I've downloaded GMER. Not run it yet.

smak
06-30-2007, 08:47 PM
That's strange that the file doesn't appear anywhere in Google.
Do you have some program that is named something with an I....

Kraellin
06-30-2007, 10:11 PM
smak, could be. Got lots of programs :) I think there's a program that's supposed to be able to trace back to the parents, but I don't have it installed, nor can I even remember the name.

Gary Richardson
07-01-2007, 02:39 AM
That's strange that the file doesn't appear anywhere in Google.
Do you have some program that is named something with an I....

It's not at all unusual with a Malware file (not that I'm saying this is such), where random names (which don't Google) are pretty much the norm.

Anything that doesn't Google is pretty much always a reason for suspicion, though there are legit programmes that also use randomly generated file names.

Many AV companies use randomly named files so that they can't be targeted by Malware which tries to shut them down.


Craig, these don't look like Ghost services and files to me, they look like an incomplete Symantec uninstall.

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Title: [Symantec Event Manager]

Filename: ccEvtMgr.exe

Status=L

Description:
Related to Norton/Symantec AntiVirus

More information:
http://antispyware.nextdesigns.net/023l.php?action=search2&name=Symantec Event Manager


Title: [Symantec Password Validation]

Filename: ccPwdSvc.exe

Status=L

Description:
Related to Norton/Symantec AntiVirus.

More information:
http://antispyware.nextdesigns.net/023l.php?action=search2&name=Symantec Password Validation



Title: [Symantec Settings Manager]

Filename: ccSetMgr.exe

Status=L

Description:
Related to Norton/Symantec AntiVirus.

More information:
http://antispyware.nextdesigns.net/023l.php?action=search2&name=Symantec Settings Manager


Title: [Symantec Core LC]

Filename: symlcsvc.exe

Status=L

Description:
Related to Norton/Symantec Anti-Virus.

More information:
http://antispyware.nextdesigns.net/023l.php?action=search2&name=Symantec Core LC



If you want I'll give you instructions for their removal.

Kraellin
07-01-2007, 12:43 PM
Gary,

I unzipped and ran gmer.exe. As it was loading I got several error messages, all the same: cannot find drive (this may be my printer flash card slot, which is seen by Windows as a drive; I disabled it before doing the scan). I simply clicked 'continue' a few times and GMER seemed OK with that.

Next, I checked that I'd done all the stuff you said about using the Rootkit tab, and that all was checkmarked except 'show all', and then hit the 'scan' button. GMER started running through a bunch of stuff and then crashed with a notice to send to Microsoft or not. I double checked that I'd done all you said and ran it again. It crashed again.

On the 2nd try, before hitting the 'don't send' button, I hit save and copied what I had so far over to Notepad. I'll post that. I then hit 'don't send' and everything closed down again.

In preparation for running GMER, I disconnected my DSL cable, turned off Zone Alarm, AVG, sound manager, the HP Photosmart flash stick device, WinPatrol and an nVidia display manager. All that stuff I could turn off in the systray, I turned off. It would not let me turn off the Service Pack 2 security manager.

I don't know if turning all that off was a good idea or not, but it said turn off all running programs, so I did.

After all this, the turning off of all that and running and crashing GMER twice, I finally rebooted. Oddly, the nVidia display manager did not come back up in my systray, though it's still in my right-click-on-desktop menu. Everything else came back up fine, as far as I can tell.

OK, here's as much of the log as I could get:

Gary Richardson
07-02-2007, 01:23 AM
Far as I can see your GMER log is clean (didn't expect it to be otherwise, just being thorough). Nothing there that I wouldn't have expected to be there.

ntkrnlpa.exe is a M$ system file.

vsdatant.sys is the driver for Zone Alarm, as is srescan.sys.

avg7rsw.sys and avgtdi.sys belong to AVG.

SymSnap.sys is Norton Ghost.

It's not entirely unheard of for GMER to crash a system (which is why I mention it in my use speech), it has to install a driver into a sensitive kernel area and sometimes this results in instability. I don't think it's anything other than this.

I'm happy you've not got anything skulking away on your box that you should be worried about.

Don't know why NVidia hasn't come up in your systray, can you start the program manually?


The stray Norton Services I mentioned in my last post could still do with removing. Don't use HJT, it won't remove them properly.

Did you have Norton installed previously?

Norton is infamous for not removing all its services when uninstalled, so this is not an unusual thing for me to deal with.

Kraellin
07-03-2007, 01:46 PM
Thanks, Gary :)

As far as the Norton stuff, the only thing I can think of is that this is a leftover from the last computer, though I thought I'd reformatted this drive. I'm quite aware of the nature of most Norton products, some being almost bloat-ware. So, are you sure these aren't Ghost files? The last Norton Anti-Virus I had was the 2003 version, and I just can't imagine any part of that still being on this drive, unless it's something tucked away on the D: drive perhaps. I'm pretty sure, when I had all those computer problems, that I left the D: drive alone but reformatted the C:, and I'm also pretty sure that the only anti-virus I've had on the current C: drive is AVG.

I've checked 'Add/Remove Software' in Control Panel and there's no mention of other Norton or Symantec products there. Nothing in 'Start > All Programs' and nothing in Windows Explorer besides Ghost, except for one thing under Program Files, 'Symantec Live Update'. Could that be it?

Gary Richardson
07-03-2007, 02:43 PM
Have you checked to see if the files are present?

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

If so, leave things alone, I'll check to see if any of them are used with Ghost as well as with Norton AV (they're all in the Shared folder so it's possible they're common to more than one Norton product).

Don't have a copy of Ghost so I'll have to ask someone who has.

If files not present let me know.


Ghost service is

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe

Kraellin
07-03-2007, 10:20 PM
Gary,

Yes, all of those files are there in the Common Files > Symantec Shared folders.

Gary Richardson
07-04-2007, 02:22 AM
OK.

I've posted over at MRU (one of the forums I work), and hopefully someone with Ghost will come back to me and let me know if they're usual with that programme.

I can't see how they'd be there if you've formatted (other than from a Ghost install), but I'm puzzled why they all research as AV files/services.

I don't like unexplained phenomena as far as files are concerned. If I don't get an answer from MRU I'll chase Symantec and see what they have to say.

Gary Richardson
07-05-2007, 04:43 AM
Craig, do you know which version of Ghost you are using?

Kraellin
07-05-2007, 07:37 PM
It says Norton Ghost 10.0 when I start it up.

Gary Richardson
07-06-2007, 01:27 AM
Thanks, having trouble getting any authoritative info, so sorry for the delay. Seems not as many people use Ghost as they once did.

Did get one reply from a very respected person in the Malware field, which is why I'm asking about the version.

Nothing malicious about any of those files/services, I'm just curious as to why they should be present.

Gary Richardson
07-06-2007, 01:35 PM
Hi Craig,

Looks like those services are almost certainly tied to Ghost, however I'd like you to run a couple of tests for me if you will.

I'd like to establish without doubt that they're tied to Ghost, may come in useful to me if I have to help someone with an infected Ghost system in future.

Click Start > Run, type services.msc, then click OK.
Scan down the list till you find Symantec Core LC.
Double click on it to open it.
Click the Dependencies tab.
What is listed there?


If not listed in services.msc....


Click Start > Run type Notepad click OK.
This will open an empty Notepad file.
Copy/Paste the contents of the box below into Notepad.

@echo off
rem Write the dependents of each Symantec service to depend.txt in the root of the system drive.
rem The first redirect uses > so that a re-run starts a fresh file instead of appending to old results.
sc enumdepend ccevtmgr > %systemdrive%\depend.txt
sc enumdepend ccpwdsvc >> %systemdrive%\depend.txt
sc enumdepend ccsetmgr >> %systemdrive%\depend.txt
sc enumdepend "Symantec core LC" >> %systemdrive%\depend.txt
notepad %systemdrive%\depend.txt


Click Format and ensure Wordwrap is unchecked.
Save as ServExp.bat
Save as file type All Files or it won't work.
Now double click on ServExp.bat to run it.
A file depend.txt will be created in this location C:\depend.txt, please post the contents in your next reply.


If the C drive is not your system drive, it will be found in the root of the drive that is your system drive.

Kraellin
07-06-2007, 11:00 PM
It's listed... Remote Procedure Call (RPC)

Gary Richardson
07-07-2007, 12:17 AM
OK, can you run the batch file I described in my last post and post the txt file back here please.

We're hoping to get the databases updated at Castle Cops (the biggest online Malware database) so that in future people with Ghost don't get their services mistakenly removed by over zealous helpers (like me).

To do that we'll need to prove that these services are in fact being used by Ghost. Most users of Ghost also have a Symantec AV or IS programme installed as well, so it's difficult to establish just what files and services are discrete to a particular programme, and which are common to many.

It's amazing just how hard it's been to get any info on these services, everywhere seems to have the same info as CC has, and getting info from Symantec is like pushing a rope uphill. The tech support is run by idiots who only seem able to answer stock questions.

The txt file should hopefully give us some proof of dependency.

Kraellin
07-08-2007, 11:01 AM
Hi Gary,

OK, I created and ran the .bat file. Here are the results:

Enum: entriesRead = 0
Enum: entriesRead = 0
Enum: entriesRead = 1

SERVICE_NAME: ccEvtMgr
DISPLAY_NAME: Symantec Event Manager
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Enum: entriesRead = 0

Hope that helps.

Gary Richardson
07-09-2007, 02:19 AM
Means nothing to me, but hopefully it means something to the person who asked for it.

Thanks Craig.

Kraellin
07-09-2007, 08:08 AM
You're welcome. Hope it helps.

Basically, that little script just asked about the dependencies of those three services. It got two false and one positive. So, basically, it found one of those three in the services list and it's currently running in the background (odd, it shouldn't be. But, that's Norton for you).

Now, I'm not as versed in this as I should be, but I'm thinking that little script isn't going to tell the whole story on those dependencies. It will only be able to see those dependencies on active services or services listed. I think some services won't even be listed until you run a given program, but I may be wrong on that. And if I happened to disable some things in my startup, which I do, those services may not be listed until I call up the file. But again, I may be wrong on that.

And that reminds me, I should go to blackviper.com again :)
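The depend.txt posted above can be parsed rather than read by eye; this is an added example, not part of the thread, and it uses the pasted output as its sample input. It maps each service ServExp.bat queried to the services that depend on it (`sc enumdepend X` lists the services that need X, so the single hit says ccEvtMgr needs ccSetMgr) and rejects output whose section or record counts do not match the headers.

```python
"""Parse depend.txt as produced by the ServExp.bat posted in the thread.

`sc enumdepend <service>` prints one "Enum: entriesRead = N" header per query,
followed by N service records; each record is a service that DEPENDS ON the
queried one, not the other way round. The batch file issues four queries, so
the file holds four headers in the same order as QUERIES.
"""
import re
from dataclasses import dataclass

# Services queried by ServExp.bat, in the order the script runs them.
QUERIES = ["ccEvtMgr", "ccPwdSvc", "ccSetMgr", "Symantec Core LC"]

# Sample input: the depend.txt pasted in the thread, with sc's column layout restored.
DEPEND_TXT = """\
Enum: entriesRead = 0
Enum: entriesRead = 0
Enum: entriesRead = 1

SERVICE_NAME: ccEvtMgr
DISPLAY_NAME: Symantec Event Manager
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
Enum: entriesRead = 0
"""

HEADER = re.compile(r"^Enum: entriesRead = (\d+)[ \t]*$", re.MULTILINE)


@dataclass
class Dependent:
    name: str              # SERVICE_NAME, the key name sc and services.msc use
    display_name: str = ""
    state: str = ""        # e.g. RUNNING or STOPPED


def parse_enumdepend(text, queries):
    """Return {queried service: [Dependent, ...]} from concatenated sc output.

    Raises ValueError when the number of result sections differs from the
    number of queries, or a section holds a different number of records than
    its header announces (a failed or truncated run).
    """
    headers = list(HEADER.finditer(text))
    if len(headers) != len(queries):
        raise ValueError(f"expected {len(queries)} result sections, found {len(headers)}")

    result = {}
    for i, (query, head) in enumerate(zip(queries, headers)):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        records = []
        current = None
        for raw in text[head.end():end].splitlines():
            key, _, value = raw.strip().partition(":")
            key, value = key.strip(), value.strip()
            if key == "SERVICE_NAME":
                current = Dependent(name=value)
                records.append(current)
            elif current is None:
                continue
            elif key == "DISPLAY_NAME":
                current.display_name = value
            elif key == "STATE":
                current.state = value.split()[-1]  # "4  RUNNING" -> "RUNNING"
        announced = int(head.group(1))
        if len(records) != announced:
            raise ValueError(f"{query}: header says {announced} entries, parsed {len(records)}")
        result[query] = records
    return result


def depends_on(graph):
    """Invert the result: {dependent service: [queried services it needs]}."""
    inverted = {}
    for provider, dependents in graph.items():
        for dep in dependents:
            inverted.setdefault(dep.name, []).append(provider)
    return inverted


def summarize(graph):
    """One human-readable line per queried service."""
    lines = []
    for provider, dependents in graph.items():
        if not dependents:
            lines.append(f"{provider}: nothing depends on it")
        else:
            names = ", ".join(f"{d.name} ({d.state})" for d in dependents)
            lines.append(f"{provider}: needed by {names}")
    return lines


if __name__ == "__main__":
    graph = parse_enumdepend(DEPEND_TXT, QUERIES)
    print("\n".join(summarize(graph)))
    print("depends on:", depends_on(graph))
```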

Gary Richardson
07-09-2007, 12:33 PM
Yup, that's pretty much it. (When I said I didn't know I was being a tad flippant :grin: )

Anyway, the database at CastleCops has now been updated as a result of your little "problem", which should prevent others mis-identifying these services.

O23 List of Windows XP/NT services
Name: Symantec Event Manager (ccEvtMgr)
Command: ccEvtMgr.exe
Status: L
Description: Norton/Symantec Products. Common service entries associated with versions of Norton Anti Virus, Norton SystemWorks, Norton Internet Security Suite and/or Norton Ghost

The others have been similarly changed.

Thank you for helping clarify things.

Kraellin
07-09-2007, 09:25 PM
Thanks, Gary. Glad if it's of some use.