RetouchPRO


Anyone know if this is a false positive?

#11  Craig Walters (Senior Member, somewhere over there)  06-27-2007, 11:53 PM

It won't do it, Ken. I got IceSword, followed everything exactly as you said, but it won't enter the file name or save in the Copy To window. Enclosed is a screenshot of where I got to. Everything worked fine up to being able to save to 'Cleanup'.

Attached image: bugger-1-k-1.jpg (190.2 KB)
#12  Craig Walters (Senior Member, somewhere over there)  06-27-2007, 11:59 PM

In fact, I can't copy anything with this. Nothing will enter into where the file name should go. This is version 1.20. Maybe bugged or blocked? And yes, I can do normal copies in Windows Explorer. Just tried it.
#13  Craig Walters (Senior Member, somewhere over there)  06-28-2007, 12:09 AM

This must be a newer/older version. The 'Files' tab is on the lower left, not the right.

And what is this 'cooperator' thing that came with IceSword?
#14  Craig Walters (Senior Member, somewhere over there)  06-28-2007, 12:17 AM

Here's the HJT logfile, Gary:

Logfile of HijackThis v1.99.1
Scan saved at 12:11:12 AM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo XI\Corel Paint Shop Pro Photo.exe
D:\Applications-Utilities\HijackThis-1-9 free\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.retouchpro.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.filterforge.com
O15 - Trusted Zone: http://www.retouchpro.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1171850158937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1172812827828
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
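The HijackThis log above is plain text with a section code per line (O2 browser helper objects, O4 autostarts from the Run keys and Startup folder, O9 extra IE buttons, O15 Trusted Zone sites, O20 Winlogon Notify DLLs, O23 services). Reading one by hand means looking for a handful of patterns: entries marked "(file missing)", autostarts that run from somewhere other than Program Files or the Windows directory (a Temp folder in particular), autostarts given as a bare filename with no path, system process names such as svchost.exe living outside System32, and Trusted Zone additions. The script below is an added example, not part of the thread and not HijackThis's own code: it parses entries in that format and applies those checks. The sample lines are copied from Craig's log except two constructed ones (an O4 entry running from a Temp directory and an O20 entry whose DLL is missing) that exist only to exercise the flags; the flag wording and the list of "expected" install prefixes are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample HijackThis entries. All are copied from the log posted in this
# thread except two CONSTRUCTED lines added to exercise the checks: the O4
# "svchost" entry running from a Temp directory and the O20 "xyzabc"
# Winlogon Notify entry whose DLL is missing.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.retouchpro.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svchost] C:\DOCUME~1\user\LOCALS~1\Temp\svchost.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: http://www.retouchpro.com
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xyzabc - C:\WINDOWS\system32\xyzabc.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# First Windows path in an entry: drive-letter or %windir% prefix, running up to
# a quote or comma (RUNDLL32 entries put the export name after a comma).
PATH_RE = re.compile(r'(?:[A-Za-z]:\\|%windir%\\)[^",]*')
# Where an autostart binary is normally installed (compared with drive letter stripped).
EXPECTED_PREFIXES = ("\\program files\\", "\\progra~1\\", "\\windows\\", "%windir%\\")
# Core Windows process names that malware likes to borrow.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
AUTOSTART_CODES = {"O4", "O20", "O23"}


@dataclass
class Entry:
    code: str
    body: str
    path: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def extract_path(body: str) -> Optional[str]:
    """Return the first file path in an entry body, without any '(file missing)' suffix."""
    m = PATH_RE.search(body)
    if not m:
        return None
    return m.group(0).replace("(file missing)", "").strip()


def parse(log_text: str) -> List[Entry]:
    """Turn HJT log text into Entry objects; header and process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body"), extract_path(m.group("body"))))
    return entries


def review(entries: List[Entry]) -> List[Entry]:
    """Attach reviewer flags to each entry in place and return the list."""
    for e in entries:
        if "(file missing)" in e.body:
            e.flags.append("file missing: dangling entry, or a file hidden or removed after install")
        if e.code == "O15":
            e.flags.append("Trusted Zone entry: IE security is lowered for this site")
        if e.code in AUTOSTART_CODES:
            if e.path is None:
                e.flags.append("bare filename: binary is located via the search path, not a fixed location")
            else:
                p = re.sub(r"^[a-z]:", "", e.path.lower())
                if not p.startswith(EXPECTED_PREFIXES):
                    e.flags.append("autostart outside Program Files / Windows")
                if "\\temp\\" in p:
                    e.flags.append("runs from a Temp directory")
                name = p.rsplit("\\", 1)[-1]
                if name in SYSTEM_NAMES and not p.startswith(("\\windows\\system32\\", "\\windows\\syswow64\\")):
                    e.flags.append(f"system process name {name} outside System32")
    return entries


def flagged(log_text: str) -> dict:
    """Map the body of every flagged entry to its list of flags."""
    return {e.body: e.flags for e in review(parse(log_text)) if e.flags}


if __name__ == "__main__":
    for body, flags in flagged(SAMPLE_LOG).items():
        print(body)
        for f in flags:
            print("   ->", f)
```

Run against Craig's real log, only the bare SOUNDMAN.EXE entry, the missing xpnetdiag.exe button and the two Trusted Zone sites come out flagged, which matches Gary's reading that the log is clean; the script narrows a long log to the lines worth a second look, it does not decide what is malicious.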
#15  Gary Richardson (Senior Member, Yorkshire, England)  06-28-2007, 02:31 AM

HJT log's clean, Craig.

However, HJT isn't the be-all and end-all of diagnostics and there's a whole bunch of things it doesn't show, so let's look a little further.

First clear your temp files out so we have less to scan.
  • Click Start > Run and type cleanmgr then click OK.
  • This will bring up the Disk Cleanup window.
  • Check the following entries.
    • Temporary Internet Files.
    • Recycle Bin.
    • Temporary Files.
  • Click OK.
  • When a prompt pops up click Yes.

Next

Please do an online scan with Kaspersky Online Scanner

Note: You must be using Internet Explorer as your browser as it will be necessary to install an Active X component to your computer.

Important: If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Now, under 'Select a target to scan', select My Computer.
  • The scan will take a while, so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

Might as well check for "hidden" stuff as well.

Download GMER and unzip it to your Desktop. (It will create a folder GMER)

Alternate Download Site
  • Disconnect from the Internet, and close all running programmes.
  • There is a small chance this programme may crash your computer, so save any work you have open.
  • Open the GMER folder, and double click gmer.exe
  • Let the gmer.sys driver load if asked.
  • If it gives you a warning at programme start about rootkit activity and asks if you want to run a scan ..... click OK.
  • If no warning:
    • Click Rootkit tab.
    • Ensure that All the boxes to the right of the program are checked except Show All.
    • Click Scan.
  • Once scan is finished click Copy.
    • Click Start > Run then type Notepad.exe then click OK.
    • This will open a Notepad file.
    • Hit Ctrl+V to paste log into it.
    • Save the log to your Desktop.
  • Reconnect to internet and post the log please.

Don't try to clear anything it says is a rootkit; a lot of firewall and anti-virus programmes use techniques similar to rootkits to operate, and the entries found may be related to them.

Post each log separately as they can be quite long sometimes and the post size limiter might cut them off.


PS. I tried the IceSword technique myself, and it didn't work for me either. This was posted at MRU by one of the teachers there, which is why Ken posted it. I'll have to have a word with him about it.

Last edited by Gary Richardson; 06-28-2007 at 02:48 AM.
#16  Cameraken (Senior Member, Lancashire (UK))  06-28-2007, 01:01 PM

Hi Craig.

Sorry it did not work, Craig. It 'should' have worked.
It works fine for me.

There should be an extra step in the instructions.

F1) Type a name (e.g. Bad.file) into the filename box

And as you mentioned, the 'File' tab is at the left.

But apart from that it is working perfectly on my PC. (I am on FAT32)

We should get some answers at MRU as to why you had problems.

I thought this was an easier method than trying to copy the file in DOS which is how I used to copy a file in use.

In the meantime this may not be necessary as the scans Gary has suggested should locate any problems.

Ken.
#17  Craig Walters (Senior Member, somewhere over there)  06-28-2007, 01:43 PM

Ken, I tried just typing the name in after the save dialogue window opened and that worked. It's now in my 'cleanup' folder. So, I went back to the two sites you posted for sending the file to for checking, and both reported back that the file either couldn't be sent or had 0 bytes.

So, I tried to open it from the cleanup folder and got an error message saying: 'Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.'

And Gary, I haven't ignored your last post, but I am delaying acting on it for a bit. I'm beginning to believe this may be just a corrupted file. Nobody seems to recognize the file: not AVG, not Microsoft, and not Google. Corrupted files often show the wrong file size and sometimes the wrong name. It doesn't seem to be 'active'; I've never had anything pop up trying to get through ZoneAlarm to call home, and WinPatrol has never tried to tell me that some idiot program is trying to run or install using this thing. And HJT sees nothing. So, I think what I'm going to try next is to have AVG isolate this thing to the virus vault and see what that does. With all the idiot permissions stuff coming up on this, I'm not sure AVG can do it, but I think it's worth a try at this point.

I don't know what I was doing back in January (that being the date this thing says it was created), but if I've not detected any ill effects on my system since that time, I'd say this thing is pretty innocuous, whatever it is.

I'll keep you informed... providing everything doesn't crash and burn.
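Before submitting a copied sample to an online scanner it is worth checking the copy itself: a 0-byte result, as Craig got, means the copy step failed rather than that the scanner rejected the file. The next question is whether the bytes are a structurally sound Windows executable at all, which separates "corrupted junk" from "a real DLL nobody has a signature for". The script below is an added example, not from the thread or from any of the tools mentioned in it: it records size and hashes (so the sample can be referred to unambiguously), then walks the PE headers: the MZ magic, the e_lfanew pointer at offset 0x3C, the "PE\0\0" signature and the IMAGE_FILE_HEADER that follows, which yields the target machine, the section count, the compile timestamp (a different date from the file's January creation time would itself be informative) and whether the DLL flag is set. The sample image it triages is constructed in the script; it is not Craig's file, which is not on this page.

```python
import hashlib
import struct
from datetime import datetime, timezone
from typing import Any, Dict

IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: "i386", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def triage(data: bytes) -> Dict[str, Any]:
    """Size, hashes and a PE header sanity check for a suspected sample."""
    info: Dict[str, Any] = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "pe": None,
        "verdict": None,
    }
    if len(data) == 0:
        info["verdict"] = "empty file: the copy failed, nothing to submit"
        return info
    if len(data) < 0x40 or data[:2] != b"MZ":
        info["verdict"] = "not a PE image: no MZ header"
        return info
    # Offset of the PE signature lives at 0x3C in the DOS header.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        info["verdict"] = "MZ header present but PE signature missing or truncated"
        return info
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature:
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    info["pe"] = {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "optional_header_size": opt_size,
    }
    problems = []
    if nsections == 0 or nsections > 96:
        problems.append("implausible section count")
    if opt_size == 0:
        problems.append("no optional header")
    if timestamp == 0:
        problems.append("zeroed compile timestamp")
    info["verdict"] = "; ".join(problems) if problems else "structurally valid PE header"
    return info


def triage_file(path: str) -> Dict[str, Any]:
    """Convenience wrapper: triage a file on disk (the copied sample, not the live one)."""
    with open(path, "rb") as fh:
        return triage(fh.read())


def build_minimal_pe(is_dll: bool, timestamp: int, nsections: int = 3) -> bytes:
    """CONSTRUCTED test image: a DOS header plus a bare IMAGE_FILE_HEADER.
    It is enough to exercise triage(); it is not a loadable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the stub
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    hdr = struct.pack("<HHIIIHH", 0x14C, nsections, timestamp, 0, 0, 0xE0, chars)
    return bytes(dos) + b"PE\x00\x00" + hdr


if __name__ == "__main__":
    for label, sample in (("constructed DLL", build_minimal_pe(True, 1168000000)),
                          ("empty copy", b""),
                          ("random bytes", b"garbage")):
        print(label, "->", triage(sample)["verdict"])
```

A header that parses cleanly does not make the file safe, and a mangled one does not make it harmless (a dropper that has overwritten itself can look like junk); the point is to know which of the two you are holding before deciding whether a scanner verdict of "unknown" means anything.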
#18  Craig Walters (Senior Member, somewhere over there)  06-28-2007, 01:56 PM

OK, I had AVG consign this thing to the virus vault. If it turns out to be something I actually need, I can retrieve it from there.

And, immediately after moving it to the vault, I rebooted to see if some .dll or startup item would put it back. I checked system32 for the file and it wasn't there. So, nothing in Windows or startup is creating the file. It remains to be seen if some other program will do this or not, but at least it doesn't seem to be in my startup... and that's good!

So, I'll keep an eye on it and check system32 every so often and also watch for odd behavior in any of the other programs I use.

And as always, thanks guys! You're the best!

Oh, and Ken, that IceSword looks like it has more uses than just a super-copy. What else does it do?
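"Check system32 every so often" is hard to do by eye in a directory of a couple of thousand files. The usual approach is a baseline: record name, size, modification time and a content hash for every file right after the suspect has been vaulted, then diff later snapshots against it, so a file that reappears, a new file, or an existing file whose contents change all show up by name. The script below is an added example, not from the thread: it takes and stores such a snapshot as JSON and reports the differences. Two details matter on the machine described here: names are compared case-insensitively because NTFS is, and a file that cannot be read (locked, or the "you may not have the appropriate permissions" error Craig hit) is recorded with a null hash rather than aborting the whole snapshot. The demo runs in a temporary directory with made-up file names standing in for system32.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, Optional


def sha256_file(path: str) -> Optional[str]:
    """SHA-256 of a file, or None if it cannot be read (locked, or access denied)."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()


def snapshot(directory: str) -> Dict[str, dict]:
    """Size, mtime and hash of every regular file directly inside `directory`.
    Names are lower-cased because the Windows file system is case-insensitive."""
    snap: Dict[str, dict] = {}
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            st = os.stat(full)
            snap[name.lower()] = {"size": st.st_size, "mtime": int(st.st_mtime),
                                  "sha256": sha256_file(full)}
    return snap


def save_snapshot(snap: Dict[str, dict], path: str) -> None:
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_snapshot(path: str) -> Dict[str, dict]:
    with open(path) as fh:
        return json.load(fh)


def diff(before: Dict[str, dict], after: Dict[str, dict]) -> Dict[str, list]:
    """Files that appeared, disappeared, or whose contents (hash) changed."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(n for n in common if before[n]["sha256"] != after[n]["sha256"]),
    }


def demo() -> Dict[str, list]:
    """CONSTRUCTED scenario: a temp directory stands in for system32, the
    baseline is kept in a second temp directory so it is not itself diffed."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as store:
        def write(name: str, body: bytes) -> None:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)

        write("sample-a.dll", b"original contents")
        write("sample-b.exe", b"some program")
        baseline = os.path.join(store, "system32-baseline.json")
        save_snapshot(snapshot(d), baseline)        # taken right after vaulting the file
        write("bad.dll", b"the file came back")     # something dropped a new file
        write("sample-a.dll", b"patched contents")  # an existing file was altered
        os.remove(os.path.join(d, "sample-b.exe"))  # and one disappeared
        return diff(load_snapshot(baseline), snapshot(d))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

For real use, run `save_snapshot(snapshot(r"C:\WINDOWS\system32"), "baseline.json")` once, then `diff(load_snapshot("baseline.json"), snapshot(r"C:\WINDOWS\system32"))` after each reboot or every few days; Windows Update will legitimately change files, so the diff is a list of things to account for, not a list of infections.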
#19  Cameraken (Senior Member, Lancashire (UK))  06-28-2007, 02:44 PM

Hi Craig.

Try naming the file bad.dll (you need to type the extension, i.e. .dll).
That may upload to Jotti.

IceSword is a rootkit finder/remover with extras.

The instructions for using it are here
http://www.castlecops.com/t165203-Ic...lustrated.html

I am not sure if you need to register to see that link.

Beware. IceSword can toast your PC.

While you have it installed you could check for rootkits.
  • Once IceSword is open, click the Win32 Service Function on the left Menu Bar
    If any red entries are found, click the blue Log Tab at the top of the screen and save the log to documents folder as service-list.txt.
  • Now, Click IceSword's Process Function on the left Menu Bar
    If any red entries are found, click the blue Log tab at the top of the screen and save the log to documents folder as processlist.txt.


Ken.
#20  Gary Richardson (Senior Member, Yorkshire, England)  06-28-2007, 06:19 PM

Be very careful with IceSword; it is an extremely powerful programme and can do untold damage if used inappropriately.

It can be used to delete files, edit your registry, and a whole lot of other things. Unlike Windows, it will not give you any warnings if you're doing something foolish, and will remove anything (system files, registry hives, etc.).

You can quickly turn your PC into a lovely paperweight by using IceSword without due care.

Glad to hear the file quarantined OK. I'd still like to see a GMER scan though; the file may just have been an installer for something really nasty (some of them self-destruct to a degree afterwards). Not all malware gives you pop-ups or indeed any indication of its presence, but it may be being used to steal data. Best we find out that is not the case.

Last edited by Gary Richardson; 06-28-2007 at 06:26 PM.
All times are GMT -6.