CastleCops :: View topic - I can't see if it's malware, or just a common nessecary file

I can't see if it's malware, or just a common nessecary file
Goto page 1, 2 Next
CastleCops -> Unknown Files

Author: Casual Question,

Posted: Mon Jul 31, 2006 1:33 pm Post subject: I can't see if it's malware, or just a common nessecary file

So i have researched some files and found that they are nessecary to the system but can at the same time be malware. So how am i suppose to find out if those programs are indeed malware or just programs my computer needs to run inorder to work. But I just have a suspicion that they are good programs that my computer needs because they are all located in my windows folder, or my windows system folder, or my windows system 32 folder, you catch the drift somewhere in that folder.

Anyway those programs are things like 2esa0c.exe ALCXMNTR.EXE cTTQufYW.exe sndcfg16.exe and svchost.exe

---Thanks for your time

Author: nosirrah, Location: USA

Posted: Mon Jul 31, 2006 2:06 pm Post subject:

Did you submit them with your post ? If not go ahead and use the brows and submit buttons .

This is not a reliable trick but if you right click those files and select properties . You can check both the creation date and version information .

If the file has a recent creation date and there is no version information then malware would a more likely diagnosis .

Author: Mere_Mortal, Location: Kidderminster

Posted: Mon Jul 31, 2006 5:04 pm Post subject:

Hello

svchost.exe, if found in the System32 directory, is the legitimate Windows file and is critical to the runnings of the system. If found in any other directory (except a backup directory, such as DLL Cache or i386), then it will be a malicious file.

sndcfg16.exe is a malware file related to an Rbot variant. It should be terminated immediately.

ALCXMNTR.EXE is not a desirable process, nor is it malware. Termination is recommended but at your discretion.

As for 2esa0c.exe, vqetf.exe, cTTQufYW.exe and any other random filenames, especially such that do not return any results on Google, you can attach these for analysis, as well as sndcfg16.exe.

It is very likely they are malware and could be further files related to Rbot. You may need expert assistance in order to remove the threats and reverse any changes to the system that may have occured. A good start would be to review the CastleCops MRP, as in the link in my signature below, then you might also consider posting a HijackThis logfile, either to the HJT Forum on this site or to your thread at GamingForums.

Regards,
M_M

Author: IP: 71.251.*.*,

Posted: Tue Aug 01, 2006 5:43 pm Post subject:

nosirrah wrote:

Uh how recent are we talking about one file had no version info and said it was created in april 2005.

Mere_Mortal wrote:

Hello

Hello M_M

I dont get it what does submitting them do? Does that give you guys like an idea of how the programs are behaving on my computer? Ill do it anyway though. But before i do it i tried deleting sndcfg16.exe and it told me access is denied, that happened with Ssk.exe to which i know is a malware file.

Author: IP: 71.251.*.*,

Posted: Tue Aug 01, 2006 5:45 pm Post subject:

nosirrah wrote:

Uh how recent are we talking about one file had no version info and said it was created in april 2005.

Mere_Mortal wrote:

Hello

Author: nosirrah, Location: USA

Posted: Tue Aug 01, 2006 5:48 pm Post subject:

They will be run through a number of malware scanners and members here also have the ability to hex edit them . This will help determine if the submissions are new malware .

Author: IP: 71.251.*.*,

Posted: Tue Aug 01, 2006 5:51 pm Post subject:

Just submitting a file

Author: IP: 71.251.*.*,

Posted: Tue Aug 01, 2006 5:53 pm Post subject:

Cool i got like 2 or 3 more is there anyway i can group them so i dont make a bunch of post.

Author: Casual Question,

Posted: Tue Aug 01, 2006 5:58 pm Post subject:

ssk.exe was in multiple places do i have to submit each file?

Author: nosirrah, Location: USA

Posted: Tue Aug 01, 2006 6:03 pm Post subject:

Make a new folder and copy and paste the files in question into it . Now zip and submit the folder .

Author: IP: 71.251.*.*,

Posted: Tue Aug 01, 2006 7:33 pm Post subject:

So these are all my questionable files its only 2 files but the thing is i was able to get 2esa0C.exe in the zip i just uploaded, but the ssk.exe is only a copy, i was not able to get the original ssk.exe file in the .zip so in there its just a copy of the folder and contents the original ssk.exe was in.

Thank you

Author: AbuIbrahim,

Posted: Tue Aug 01, 2006 8:19 pm Post subject:

All the files you have uploaded are infected except with ctfmon.exe.

I recommend that you follow the MRP procedure here and then post a hijackthis log in its associated forum:
CastleCops Link

/t49271-How_to_post_in_the_Hijackthis_forum.html

Author: Mere_Mortal, Location: Kidderminster

Posted: Tue Aug 01, 2006 10:17 pm Post subject:

Hello

Here are the results of a scan of each file at http://virusscan.jotti.org

2esa0c.exe

AntiVir : Adware-Spyware/WinFetcher.H adware
ArcaVir : Trojan.Statblasertad.J20
Avast : Win32:Trojan-gen. {Other}
AVG Antivirus : Generic.TW
BitDefender : Trojan.Statblasterad.A
ClamAV : Adware.Statblaster
Dr.Web : Trojan.StatBlasterAd
F-Prot Antivirus : Found nothing
Fortinet : Adware/StatBlaster.A
Kaspersky Anti-Virus : not-a-virus:AdWare.Win32.WinFetcher.g
NOD32 : Win32/Adware.StatBlaster application
Norman Virus Control : W32/WinFetcher.G
UNA : Found nothing
VirusBuster : Adware.StatBlaster.A
VBA32 : AdWare.WinFetcher.g

ssk.exe

AntiVir : Trojan/Drop.Small.qn.1
ArcaVir : Trojan.Dropper.Small.Qn
Avast : Win32:Trojano-1152
AVG Antivirus : Dropper.Small.24.C
BitDefender : Trojan.Dropper.Small.QN
ClamAV : Trojan.Downloader.Small-607
Dr.Web : Trojan.MulDrop.2321
F-Prot Antivirus : Found nothing
Fortinet : W32/Small
Kaspersky Anti-Viru : Trojan-Dropper.Win32.Small.qn
NOD32 : Win32/Adware.SurfSideKick application
Norman Virus Control : W32/Smalldrp.JKL
UNA : Found nothing
VirusBuster : Found nothing
VBA32 : Trojan-Dropper.Win32.Small.qn

sndcfg16.exe

AntiVir : Worm/Krepper.C
ArcaVir : Worm.P2p.Krepper.C
Avast : Win32:Mopy
AVG Antivirus : Worm/Krepper.C
BitDefender : Win32.Worm.KGen.A
ClamAV : Worm.P2P.Poom.A
Dr.Web : Win32.HLLW.Krepper
F-Prot Antivirus : W32/Pcbot.A@p2p
Fortinet : W32/Pcbot.A!worm.p2p
Kaspersky Anti-Virus : P2P-Worm.Win32.Krepper.c
NOD32 : Win32/Krepper.C
Norman Virus Control : PCBot.A
UNA : Found nothing
VirusBuster : Worm.P2P.Krepper.B
VBA32 : Worm.P2P.Krepper.c

Author: Casual Question,

Posted: Tue Aug 01, 2006 11:33 pm Post subject:

Um whats the point of the logfile, and do i really need to post one because my computer runs just fine its just that now that i which files are bad can't i just delete them. If i can just delete them is their such a thing that'll prevent them from ever launching or downloading again on my computer.

Btw like i said before i tried to delete ssk.exe but whenever i try it says access is denied it's in use, allthough it's not in use according to my task manager.

Author: nosirrah, Location: USA

Posted: Tue Aug 01, 2006 11:50 pm Post subject:

You are infected .

Quote:

Btw like i said before i tried to delete ssk.exe but whenever i try it says access is denied it's in use, allthough it's not in use according to my task manager.

Malware does not play by the rules . If you want to get this stuff out of your machine then following our suggestions will do just that . If you don't mind your passwords being stolen along with other personal information then just leave that stuff there .

The log file will tell what exactly you have and we will in turn tell you exactly how to kill it .

CastleCops -> Unknown Files

All times are GMT

Goto page 1, 2 Next Page 1 of 2