Anyone know if this is a false positive?

#31
07-03-2007, 11:20 PM
Craig Walters
Re: Anyone know if this is a false positive?

gary,

yes, all of those files are there in the common files > symantec shared folders.
#32
07-04-2007, 03:22 AM
Gary Richardson
Re: Anyone know if this is a false positive?

OK.

I've posted over at MRU (one of the forums I work), and hopefully someone with Ghost will come back to me and let me know if they're usual with that programme.

I can't see how they'd be there if you've formatted (other than from a Ghost install), but I'm puzzled why they all research as AV files/services.

I don't like unexplained phenomena as far as files are concerned. If I don't get an answer from MRU I'll chase Symantec and see what they have to say.
#33
07-05-2007, 05:43 AM
Gary Richardson
Re: Anyone know if this is a false positive?

Craig, do you know which version of Ghost you are using?
#34
07-05-2007, 08:37 PM
Craig Walters
Re: Anyone know if this is a false positive?

it says norton ghost 10.0 when i start it up.
#35
07-06-2007, 02:27 AM
Gary Richardson
Re: Anyone know if this is a false positive?

Thanks, having trouble getting any authoritative info, so sorry for the delay. Seems not as many people use Ghost as they once did.

Did get one reply from a very respected person in the Malware field, which is why I'm asking about the version.

Nothing malicious about any of those files/services, I'm just curious as to why they should be present.
#36
07-06-2007, 02:35 PM
Gary Richardson
Re: Anyone know if this is a false positive?

Hi Craig,

Looks like those services are almost certainly tied to Ghost, however I'd like you to run a couple of tests for me if you will.

I'd like to establish without doubt that they're tied to Ghost, may come in useful to me if I have to help someone with an infected Ghost system in future.
  • Click Start > Run, type services.msc, then click OK.
  • Scan down the list till you find Symantec Core LC
  • Double click on it to open it.
  • Click the Dependencies tab
  • What is listed there?

If not listed in services.msc....
  • Click Start > Run, type Notepad, then click OK.
  • This will open an empty Notepad file.
  • Copy/Paste the contents of the box below into Notepad.
Code:
@echo off
rem Each "sc enumdepend <service>" lists the services that cannot run unless
rem that service is running, and writes the result to depend.txt.
rem The first redirect uses > so that re-running the batch file starts a fresh
rem depend.txt instead of appending to a stale one from an earlier run.
sc enumdepend ccevtmgr > %systemdrive%\depend.txt
sc enumdepend ccpwdsvc >> %systemdrive%\depend.txt
sc enumdepend ccsetmgr >> %systemdrive%\depend.txt
sc enumdepend "Symantec core LC" >> %systemdrive%\depend.txt
notepad %systemdrive%\depend.txt
  • Click Format and ensure Word Wrap is unchecked.
  • Save as ServExp.bat
  • Save as file type All Files or it won't work.
  • Now double click on ServExp.bat to run it.
  • A file depend.txt will be created in this location C:\depend.txt, please post the contents in your next reply.

If the C drive is not your system drive, it will be found in the root of the drive that is your system drive.
#37
07-07-2007, 12:00 AM
Craig Walters
Re: Anyone know if this is a false positive?

it's listed... Remote Procedure Call (RPC)
#38
07-07-2007, 01:17 AM
Gary Richardson
Re: Anyone know if this is a false positive?

OK, can you run the batch file I described in my last post and post the txt file back here please.

We're hoping to get the databases updated at Castle Cops (the biggest online Malware database) so that in future people with Ghost don't get their services mistakenly removed by overzealous helpers (like me).

To do that we'll need to prove that these services are in fact being used by Ghost. Most users of Ghost also have a Symantec AV or IS programme installed as well, so it's difficult to establish just what files and services are discrete to a particular programme, and which are common to many.

It's amazing just how hard it's been to get any info on these services, everywhere seems to have the same info as CC has, and getting info from Symantec is like pushing a rope uphill. The tech support is run by idiots who only seem able to answer stock questions.

The txt file should hopefully give us some proof of dependency.
#39
07-08-2007, 12:01 PM
Craig Walters
Re: Anyone know if this is a false positive?

hi gary,

ok, i created and ran the .bat file. here are the results:

Quote:
Enum: entriesRead = 0
Enum: entriesRead = 0
Enum: entriesRead = 1

SERVICE_NAME: ccEvtMgr
DISPLAY_NAME: Symantec Event Manager
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Enum: entriesRead = 0
hope that helps.
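Added example, not code from either poster: a small Python parser for the depend.txt that the ServExp.bat in post #36 produces, run here over the output Craig posted in reply #39 (embedded as a constructed sample). `sc enumdepend` lists the services that cannot run unless the named service is running, and the batch file does not label its four queries, so the parser pairs each result block with the queried service by order and checks it against the block's own entriesRead count. On the posted output it shows that ccEvtMgr depends on ccSetMgr and that nothing depends on Symantec Core LC.

```python
import re
from typing import Dict, List

# Order of the "sc enumdepend" queries in the ServExp.bat from post #36.
QUERIED = ["ccevtmgr", "ccpwdsvc", "ccsetmgr", "Symantec core LC"]

# Constructed sample: the depend.txt contents Craig posted in reply #39.
SAMPLE_OUTPUT = """\
Enum: entriesRead = 0
Enum: entriesRead = 0
Enum: entriesRead = 1

SERVICE_NAME: ccEvtMgr
DISPLAY_NAME: Symantec Event Manager
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Enum: entriesRead = 0
"""

# Each query prints an "entriesRead = N" header (newer sc.exe prefixes it with
# "[SC] EnumDependentServices:") followed by N SERVICE_NAME blocks.
ENTRIES_RE = re.compile(r"entriesRead\s*=\s*(\d+)")
SERVICE_RE = re.compile(r"^\s*SERVICE_NAME:\s*(\S+)")

def parse_enumdepend(text: str, queried: List[str]) -> Dict[str, List[str]]:
    """Map each queried service to the services that depend on it. Result
    blocks are paired with the queried names by order, and each block is
    checked against its declared count so nothing is silently misattributed."""
    blocks = []  # (declared count, [dependent service names]) per query
    for line in text.splitlines():
        m = ENTRIES_RE.search(line)
        if m:
            blocks.append((int(m.group(1)), []))
        elif blocks and (m := SERVICE_RE.match(line)):
            blocks[-1][1].append(m.group(1))
    if len(blocks) != len(queried):
        raise ValueError(f"expected {len(queried)} result blocks, found {len(blocks)}")
    result: Dict[str, List[str]] = {}
    for svc, (declared, found) in zip(queried, blocks):
        if declared != len(found):
            raise ValueError(f"{svc}: header says {declared} dependents, parsed {len(found)}")
        result[svc] = found
    return result
```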
#40
07-09-2007, 03:19 AM
Gary Richardson
Re: Anyone know if this is a false positive?

Means nothing to me, but hopefully it means something to the person who asked for it.

Thanks Craig.