CastleCops, Internet Crime Fighters
I can't see if it's malware, or just a common necessary file
Forum: Unknown Files

Casual Question

Guest
IP: 70.105.*.*

PostPosted: Mon Jul 31, 2006 1:33 pm    Post subject: I can't see if it's malware, or just a common necessary file

So I have researched some files and found that they are necessary to the system but can at the same time be malware. So how am I supposed to find out if those programs are indeed malware or just programs my computer needs in order to work? But I just have a suspicion that they are good programs that my computer needs, because they are all located in my Windows folder, or my Windows System folder, or my Windows System32 folder; you catch the drift, somewhere in that folder.

Anyway, those programs are things like 2esa0c.exe, ALCXMNTR.EXE, cTTQufYW.exe, sndcfg16.exe and svchost.exe.

Thanks for your time.

nosirrah

Security Expert
Special Response Team

Joined: Apr 19, 2006
Posts: 6299
Location: USA
MIRT MVP Premium Rootkit Responders Security Experts SRT

PostPosted: Mon Jul 31, 2006 2:06 pm    Post subject:

Did you submit them with your post? If not, go ahead and use the Browse and Submit buttons.

This is not a reliable trick, but if you right-click those files and select Properties, you can check both the creation date and version information.

If the file has a recent creation date and there is no version information, then malware would be a more likely diagnosis.

Mere_Mortal

1st Responder


Joined: Apr 10, 2004
Posts: 4191
Location: Kidderminster
1st Responders Rootkit Responders

PostPosted: Mon Jul 31, 2006 5:04 pm    Post subject:

Hello :)

svchost.exe, if found in the System32 directory, is the legitimate Windows file and is critical to the running of the system. If found in any other directory (except a backup directory, such as DLL Cache or i386), then it will be a malicious file.

sndcfg16.exe is a malware file related to an Rbot variant. It should be terminated immediately.

ALCXMNTR.EXE is not a desirable process, nor is it malware. Termination is recommended but at your discretion.

As for 2esa0c.exe, vqetf.exe, cTTQufYW.exe and any other random filenames, especially ones that do not return any results on Google, you can attach these for analysis, as well as sndcfg16.exe.

It is very likely they are malware and could be further files related to Rbot. You may need expert assistance in order to remove the threats and reverse any changes to the system that may have occurred. A good start would be to review the CastleCops MRP, as in the link in my signature below, then you might also consider posting a HijackThis logfile, either to the HJT Forum on this site or to your thread at GamingForums.

Regards,
M_M


_________________
[Malware Removal and Prevention] [Malware Complaints]
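The two rules of thumb in the reply above (svchost.exe is only legitimate in System32 or a backup directory such as DllCache or i386; random-looking filenames deserve a closer look) can be turned into a small triage script. This is an added example, not code from the thread or from CastleCops. It assumes the XP-era default system root C:\WINDOWS (change SYSTEM_ROOT for C:\WINNT installs), the backup directory list is my own assumption, the "random-looking name" rule is a crude heuristic of my own, and the file inventory at the bottom is constructed from the names mentioned in this thread.

```python
"""Added example (not from the thread): path- and name-based triage of a Windows
file inventory, following Mere_Mortal's rule that svchost.exe only belongs in
System32 (or a backup directory) and the remark that random filenames are worth
submitting for analysis.
"""
import ntpath

# Assumption: XP-era default paths; set SYSTEM_ROOT to r"C:\WINNT" on Windows 2000.
SYSTEM_ROOT = r"C:\WINDOWS"
SYSTEM32 = ntpath.join(SYSTEM_ROOT, "system32")
# Assumption: places a legitimate spare copy of a system binary may live.
BACKUP_DIRS = (
    ntpath.join(SYSTEM32, "dllcache"),
    ntpath.join(SYSTEM_ROOT, "ServicePackFiles", "i386"),
    ntpath.join(SYSTEM_ROOT, "i386"),
    r"C:\i386",
)
# Binaries that have exactly one legitimate home; extend with other core names as needed.
SYSTEM32_ONLY = {"svchost.exe"}


def _norm(path):
    """Normalise separators and case so paths typed in any style compare equal."""
    return ntpath.normpath(path).lower()


def locate(path):
    """Classify by directory: legitimate / backup / suspicious, or unknown for other names."""
    directory, name = ntpath.split(path)
    if name.lower() not in SYSTEM32_ONLY:
        return "unknown"
    where = _norm(directory)
    if where == _norm(SYSTEM32):
        return "legitimate"
    if any(where == _norm(backup) for backup in BACKUP_DIRS):
        return "backup"
    return "suspicious"


def looks_random(name):
    """Crude heuristic (my assumption, not from the thread): count switches between
    lower-case, upper-case and digit runs in the file stem; 3 or more is unusual
    for a vendor-chosen name like svchost or sndcfg16, common for cTTQufYW or 2esa0c.
    Expect false positives on CamelCase vendor names; treat it as a 'look it up' flag."""
    stem = ntpath.splitext(name)[0]
    classes = ["d" if c.isdigit() else "u" if c.isupper() else "l"
               for c in stem if c.isalnum()]
    switches = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return switches >= 3


def triage(paths):
    """Return {path: verdict} for an inventory of full paths."""
    verdicts = {}
    for path in paths:
        where = locate(path)
        if where == "suspicious":
            verdicts[path] = "suspicious: system binary name outside its directory"
        elif where in ("legitimate", "backup"):
            verdicts[path] = where
        elif looks_random(ntpath.basename(path)):
            verdicts[path] = "check: random-looking name, submit for analysis"
        else:
            verdicts[path] = "unknown: look up the name, check version info and creation date"
    return verdicts


# Constructed inventory modelled on the names discussed in this thread.
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\dllcache\svchost.exe",
    r"C:\WINDOWS\svchost.exe",
    r"C:\WINDOWS\system32\2esa0c.exe",
    r"C:\WINDOWS\system32\cTTQufYW.exe",
    r"C:\WINDOWS\sndcfg16.exe",
    r"C:\WINDOWS\ALCXMNTR.EXE",
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE).items():
        print(f"{path:45} {verdict}")
```

Running it over the constructed inventory flags the svchost.exe copy in C:\WINDOWS, accepts the System32 and DllCache copies, and marks 2esa0c.exe and cTTQufYW.exe for submission; sndcfg16.exe and ALCXMNTR.EXE fall through to "look it up", which is where the scanner results later in this thread come in.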
Guest
IP: 71.251.*.*

PostPosted: Tue Aug 01, 2006 5:43 pm    Post subject:

nosirrah wrote:
Did you submit them with your post? If not, go ahead and use the Browse and Submit buttons.

This is not a reliable trick, but if you right-click those files and select Properties, you can check both the creation date and version information.

If the file has a recent creation date and there is no version information, then malware would be a more likely diagnosis.

Uh, how recent are we talking about? One file had no version info and said it was created in April 2005.

Mere_Mortal wrote:
Hello :)

svchost.exe, if found in the System32 directory, is the legitimate Windows file and is critical to the running of the system. If found in any other directory (except a backup directory, such as DLL Cache or i386), then it will be a malicious file.

sndcfg16.exe is a malware file related to an Rbot variant. It should be terminated immediately.

ALCXMNTR.EXE is not a desirable process, nor is it malware. Termination is recommended but at your discretion.

As for 2esa0c.exe, vqetf.exe, cTTQufYW.exe and any other random filenames, especially ones that do not return any results on Google, you can attach these for analysis, as well as sndcfg16.exe.

It is very likely they are malware and could be further files related to Rbot. You may need expert assistance in order to remove the threats and reverse any changes to the system that may have occurred. A good start would be to review the CastleCops MRP, as in the link in my signature below, then you might also consider posting a HijackThis logfile, either to the HJT Forum on this site or to your thread at GamingForums.

Regards,
M_M

Hello M_M,

I don't get it; what does submitting them do? Does that give you guys an idea of how the programs are behaving on my computer? I'll do it anyway, though. But before I do it: I tried deleting sndcfg16.exe and it told me access is denied; that happened with Ssk.exe too, which I know is a malware file.

nosirrah

Security Expert
Special Response Team

Joined: Apr 19, 2006
Posts: 6299
Location: USA
MIRT MVP Premium Rootkit Responders Security Experts SRT

PostPosted: Tue Aug 01, 2006 5:48 pm    Post subject:

They will be run through a number of malware scanners, and members here also have the ability to hex edit them. This will help determine if the submissions are new malware.

Guest
IP: 71.251.*.*

PostPosted: Tue Aug 01, 2006 5:51 pm    Post subject:

Just submitting a file.

Guest
IP: 71.251.*.*

PostPosted: Tue Aug 01, 2006 5:53 pm    Post subject:

Cool. I got like 2 or 3 more; is there any way I can group them so I don't make a bunch of posts?

Casual Question

Guest
IP: 71.251.*.*

PostPosted: Tue Aug 01, 2006 5:58 pm    Post subject:

ssk.exe was in multiple places; do I have to submit each file?

nosirrah

Security Expert
Special Response Team

Joined: Apr 19, 2006
Posts: 6299
Location: USA
MIRT MVP Premium Rootkit Responders Security Experts SRT

PostPosted: Tue Aug 01, 2006 6:03 pm    Post subject:

Make a new folder and copy and paste the files in question into it. Now zip and submit the folder.

Guest
IP: 71.251.*.*

PostPosted: Tue Aug 01, 2006 7:33 pm    Post subject:

So these are all my questionable files; it's only 2 files, but the thing is I was able to get 2esa0C.exe in the zip I just uploaded, but the ssk.exe is only a copy. I was not able to get the original ssk.exe file in the .zip, so in there it's just a copy of the folder and contents the original ssk.exe was in.

Thank you

AbuIbrahim

Security Expert
Special Response Team

Joined: Jan 18, 2006
Posts: 1914

1st Responder Mentors 1st Responders MVP Rootkit Experts Rootkit Responders Security Experts SRT

PostPosted: Tue Aug 01, 2006 8:19 pm    Post subject:

All the files you have uploaded are infected except for ctfmon.exe.

I recommend that you follow the MRP procedure here and then post a HijackThis log in its associated forum:
CastleCops Link/t49271-How_to_post_in_the_Hijackthis_forum.html


_________________
Microsoft MVP - Consumer Security 2008
An Invitation to Think - York University
Mere_Mortal

1st Responder


Joined: Apr 10, 2004
Posts: 4191
Location: Kidderminster
1st Responders Rootkit Responders

PostPosted: Tue Aug 01, 2006 10:17 pm    Post subject:

Hello :)

Here are the results of a scan of each file at http://virusscan.jotti.org:

2esa0c.exe

AntiVir : Adware-Spyware/WinFetcher.H adware
ArcaVir : Trojan.Statblasertad.J20
Avast : Win32:Trojan-gen. {Other}
AVG Antivirus : Generic.TW
BitDefender : Trojan.Statblasterad.A
ClamAV : Adware.Statblaster
Dr.Web : Trojan.StatBlasterAd
F-Prot Antivirus : Found nothing
Fortinet : Adware/StatBlaster.A
Kaspersky Anti-Virus : not-a-virus:AdWare.Win32.WinFetcher.g
NOD32 : Win32/Adware.StatBlaster application
Norman Virus Control : W32/WinFetcher.G
UNA : Found nothing
VirusBuster : Adware.StatBlaster.A
VBA32 : AdWare.WinFetcher.g

ssk.exe

AntiVir : Trojan/Drop.Small.qn.1
ArcaVir : Trojan.Dropper.Small.Qn
Avast : Win32:Trojano-1152
AVG Antivirus : Dropper.Small.24.C
BitDefender : Trojan.Dropper.Small.QN
ClamAV : Trojan.Downloader.Small-607
Dr.Web : Trojan.MulDrop.2321
F-Prot Antivirus : Found nothing
Fortinet : W32/Small
Kaspersky Anti-Virus : Trojan-Dropper.Win32.Small.qn
NOD32 : Win32/Adware.SurfSideKick application
Norman Virus Control : W32/Smalldrp.JKL
UNA : Found nothing
VirusBuster : Found nothing
VBA32 : Trojan-Dropper.Win32.Small.qn

sndcfg16.exe

AntiVir : Worm/Krepper.C
ArcaVir : Worm.P2p.Krepper.C
Avast : Win32:Mopy
AVG Antivirus : Worm/Krepper.C
BitDefender : Win32.Worm.KGen.A
ClamAV : Worm.P2P.Poom.A
Dr.Web : Win32.HLLW.Krepper
F-Prot Antivirus : W32/Pcbot.A@p2p
Fortinet : W32/Pcbot.A!worm.p2p
Kaspersky Anti-Virus : P2P-Worm.Win32.Krepper.c
NOD32 : Win32/Krepper.C
Norman Virus Control : PCBot.A
UNA : Found nothing
VirusBuster : Worm.P2P.Krepper.B
VBA32 : Worm.P2P.Krepper.c


_________________
[Malware Removal and Prevention] [Malware Complaints]
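Fifteen engines, fifteen spellings: the lists above are typical multi-scanner output, and the useful questions are "how many engines flag it?" and "which family name do they agree on?" rather than any single verdict. The script below is an added example, not code from the thread, from Jotti or from CastleCops. Its input is the sndcfg16.exe block copied from the post above in the same "Engine : Verdict" layout, so it runs offline; the list of "noise" tokens (platform and type prefixes such as Win32, Worm, P2P, and Dr.Web's HLLW prefix) and the 4-letter minimum for a family token are assumptions of mine.

```python
"""Added example (not from the thread): aggregate multi-engine scan output of the
kind pasted above from Jotti into a detection ratio and a consensus family name.
"""
import re
from collections import Counter

# Constructed input: the sndcfg16.exe results from the post above, verbatim layout.
SNDCFG16_REPORT = """\
AntiVir : Worm/Krepper.C
ArcaVir : Worm.P2p.Krepper.C
Avast : Win32:Mopy
AVG Antivirus : Worm/Krepper.C
BitDefender : Win32.Worm.KGen.A
ClamAV : Worm.P2P.Poom.A
Dr.Web : Win32.HLLW.Krepper
F-Prot Antivirus : W32/Pcbot.A@p2p
Fortinet : W32/Pcbot.A!worm.p2p
Kaspersky Anti-Virus : P2P-Worm.Win32.Krepper.c
NOD32 : Win32/Krepper.C
Norman Virus Control : PCBot.A
UNA : Found nothing
VirusBuster : Worm.P2P.Krepper.B
VBA32 : Worm.P2P.Krepper.c
"""

# Verdict strings that mean "clean" (compared lower-cased).
CLEAN_VERDICTS = {"found nothing", "clean", "ok"}

# Assumption: engine vocabulary that carries no family information. HLLW is
# Dr.Web's "high-level-language worm" prefix; the rest are platform/type words.
NOISE_TOKENS = {
    "win32", "w32", "worm", "p2p", "trojan", "adware", "spyware", "dropper",
    "downloader", "application", "generic", "hllw", "virus", "malware",
}


def parse_report(text):
    """Return {engine: verdict} from 'Engine : Verdict' lines; other lines are ignored."""
    results = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        engine, verdict = line.split(" : ", 1)
        results[engine.strip()] = verdict.strip()
    return results


def is_detection(verdict):
    return verdict.strip().lower() not in CLEAN_VERDICTS


def detection_ratio(results):
    """(engines that flagged the file, engines that scanned it)."""
    hits = sum(1 for verdict in results.values() if is_detection(verdict))
    return hits, len(results)


def family_tokens(verdict):
    """Alphabetic runs of 4+ characters in a verdict, minus engine vocabulary.
    Variant suffixes such as '.A' or '.c' drop out because they are too short."""
    tokens = re.split(r"[^A-Za-z]+", verdict)
    return {t.lower() for t in tokens if len(t) >= 4 and t.lower() not in NOISE_TOKENS}


def consensus(results, top=3):
    """Family names ranked by how many engines used them; one vote per engine per name."""
    votes = Counter()
    for verdict in results.values():
        if is_detection(verdict):
            votes.update(family_tokens(verdict))
    return votes.most_common(top)


if __name__ == "__main__":
    report = parse_report(SNDCFG16_REPORT)
    hits, total = detection_ratio(report)
    print(f"sndcfg16.exe: {hits}/{total} engines flag it")
    for name, count in consensus(report):
        print(f"  {name:10} {count} engines")
```

For sndcfg16.exe this gives 14 of 15 engines detecting, with "krepper" named by eight of them and "pcbot" by three; the single-engine names (Mopy, KGen, Poom) are the generic or engine-specific labels that make raw lists hard to read. Paste the ssk.exe or 2esa0c.exe block in instead and the same code ranks "small"/"dropper"-style verdicts, which is exactly the case where the noise list matters.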
Casual Question

Guest
IP: 71.251.*.*

PostPosted: Tue Aug 01, 2006 11:33 pm    Post subject:

Um, what's the point of the logfile, and do I really need to post one? My computer runs just fine; it's just that now that I know which files are bad, can't I just delete them? If I can just delete them, is there such a thing that'll prevent them from ever launching or downloading again on my computer?

Btw, like I said before, I tried to delete ssk.exe, but whenever I try it says access is denied, it's in use, although it's not in use according to my Task Manager.

nosirrah

Security Expert
Special Response Team

Joined: Apr 19, 2006
Posts: 6299
Location: USA
MIRT MVP Premium Rootkit Responders Security Experts SRT

PostPosted: Tue Aug 01, 2006 11:50 pm    Post subject:

You are infected.

Quote:
Btw, like I said before, I tried to delete ssk.exe, but whenever I try it says access is denied, it's in use, although it's not in use according to my Task Manager.

Malware does not play by the rules. If you want to get this stuff out of your machine, then following our suggestions will do just that. If you don't mind your passwords being stolen along with other personal information, then just leave that stuff there.

The log file will tell us exactly what you have, and we will in turn tell you exactly how to kill it.

Page 1 of 2 (all times are GMT)