Edna Boxe
Guest
Re: WinXP sp 3 contains keylogger?
Addendum: looking in the correct place (using msconfig rather than regedit)
I find 1 (one) entry for ctfmon.exe
Edna.
"Edna Boxe" <spamtrap@ntlworld.com> wrote in message
news:11D900F9-0E1A-426F-93AE-5E2F11F0D473@microsoft.com...
> Checking the registry there's no entries for ctfmon.exe, there's one in
> HKEY_LOCAL_MACHINE\system\control\terminal server\SysProc though.
>
> History & cookies are deleted every time my computer starts - using
> CCleaner.
>
> Edna.
>
> "nass" <nass@discussions.microsoft.com> wrote in message
> news:A4F3509C-F85A-4E88-9C47-6CC2F8E3FEFE@microsoft.com...
>>
>> Yes, but you can have 6 instances of svchost.exe running in the task
>> manager? Did you search for it (Ctfmon.exe)?
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run = how
>> many entries are there for the ctfmon.exe here?
>>
>> The svchost.exe is a security process and can be used by many running
>> services, also you can be experiencing a memory leak.
>> Process located here:
>> C:\WINDOWS\system32\svchost.exe size: 14336
>>
>> Use this tool to see what has taken the most usage of the CPU on your
>> machine.
>> ShellExView v1.19 - Shell Extensions Manager
>> http://www.nirsoft.net/utils/shexview.html
>>
>> Go through these cleaning steps:
>> 1... Click start >> Control Panel >> Double Click Network and Internet
>> Connections >> Double click Internet Options, on the IE Properties window
>> you will see these Options:
>> General | Security | Privacy | Content | Connections | Programs
>> | Advanced .
>>
>> Click on General Tab (1st Tab on the left) and you will see a Button
>> called [Clear History..]; click on it to clear your History caches, then
>> click on [Delete Files..] to delete Internet Files created over time, and
>> click on [Delete Cookies...] to delete your cookies left by visiting
>> websites.
>> Then click on Advanced tab and scroll down to under the Browsing Option:
>> [&] Browsing
>> [ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
>>
>> = Then try to disable the Add-Ons somehow installed on your browser. On
>> how to disable the Add-ons follow this:
>> Click on Programs Tab and then click the Manage Add-Ons Button there.
>> Disable the None/Not Verified Plug-ins/Add-ons (you need to re-enable them
>> one-by-one later and see which is the culprit).
>> How to manage Add-Ons:
>> http://support.microsoft.com/kb/883256
>>
>> Scan for malware from here:
>> SuperAntispyware - Free
>> http://www.superantispyware.com/superantispywarefreevspro.html
>> http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
>> http://onecare.live.com/standard/en-gb/default.htm
>>
>> RootkitRevealer v1.71
>> By Bryce Cogswell and Mark Russinovich
>> http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx
>>
>> Run a scan from here on-line:
>> http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
>> http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
>> Download Avast Cleaner (off-line scanner) from here:
>> http://www.avast.com/eng/avast-virus-cleaner.html
>>
>> Lots of tools to download and disinfect your machine (off-line scanner):
>> http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/
>>
>> How to speed your PC:
>> http://www.blackviper.com/WinXP/supertweaks.htm
>>
>> Run disk clean up and then run this command:
>> sfc /scannow
>>
>> How To: troubleshoot svchost.exe:
>> http://blogs.technet.com/askperf/ar...started-with-svchost-exe-troubleshooting.aspx
>>
>>
>> Download HijackThis and send the report to one of many forums for
>> analysis and troubleshooting:
>> When all else fails, HijackThis v2.0.2
>> (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
>> is the preferred tool to use.
>> It will help you to both identify and remove any hijackware/spyware. Post
>> your log to:
>> http://aumha.net/viewforum.php?f=30,
>> http://castlecops.com/forum67.html,
>> http://forums.subratam.org/index.php?showforum=7
>> http://www.bleepingcomputer.com/tutorials/tutorial42.html
>> http://www.bleepingcomputer.com/forums/
>> Or other appropriate forums for expert analysis, not here.
>> Let us know your progress.
>> nass
>> ----
>> http://www.nasstec.co.uk
>>
>>
>> "Edna Boxe" wrote:
>>
>>> From what I hear if the svchost is in the system 32 folder then it's ok,
>>> anywhere else & it's definitely a virus, is this correct?
>>>
>>> Edna.
>>>
>>> "nass" <nass@discussions.microsoft.com> wrote in message
>>> news:40A528C2-4DD0-435F-869C-483B1E093449@microsoft.com...
>>> >
>>> > But this process can be infected, R. McCarty, with a virus or keyloggers?
>>> > Not because of the updates but it could be the updates revealed the
>>> > infection and the OP needs to check further.
>>> > Like the Svchost.exe can be embedded with a Troj?
>>> >
>>> > FileMon for Windows v7.04
>>> > http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx
>>> > Have a look here for windows Sysinternals
>>> > http://technet.microsoft.com/en-us/sysinternals/default.aspx
>>> >
>>> > Use this tool to see what has taken the most usage of the CPU on your
>>> > machine.
>>> > ShellExView v1.19 - Shell Extensions Manager
>>> > http://www.nirsoft.net/utils/shexview.html
>>> >
>>> > To the OP please upload this file ( ctfmon.exe) to this link for scan:
>>> > http://www.virustotal.com
>>> >
>>> >
>>> >
>>> > "R. McCarty" wrote:
>>> >
>>> >> Yes because NIS = Not Intelligent Software
>>> >>
>>> >> Really gives a good sense of security when it indicts a Microsoft
>>> >> Office component as a keylogger.
>>> >>
>>> >> "Edna Boxe" <spamtrap@ntlworld.com> wrote in message
>>> >> news:79EDC435-E3C9-4694-B521-33FCF8FF1FE3@microsoft.com...
>>> >> > Since I've downloaded sp 3 Norton Internet Security says that
>>> >> > c:\windows\system32\ctfmon.exe has a keylogger, is this a false
>>> >> > positive?
>>> >> > If I remove sp 3 the keylogger also goes so I know it's nothing
>>> >> > else.
>>> >> >
>>> >> > Edna.
>>> >> >
>>> >>
>>> >>
>>> >>
>>>
>>>
>
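
The two checks discussed in this thread (where the running svchost.exe and ctfmon.exe images live, and which Run entries start ctfmon.exe) can be scripted; this is an added example, not part of the original posts. It assumes PowerShell 3.0 or later on a current Windows install (not a default Windows XP setup), and it reads the per-user Run key as well as the HKLM key quoted above, because msconfig's Startup tab also lists per-user entries.

```powershell
# Added example: process names are the two discussed in the thread.
$names    = 'svchost.exe', 'ctfmon.exe'
$expected = Join-Path $env:SystemRoot 'System32'

# 1. Running processes: compare each image path with %SystemRoot%\System32
#    and read the Authenticode signature of the file on disk.
$filter = ($names | ForEach-Object { "Name='$_'" }) -join ' OR '
$procs = Get-CimInstance Win32_Process -Filter $filter | ForEach-Object {
    $path   = $_.ExecutablePath
    $signer = $null
    if (-not $path) {
        # Some system processes hide their path from non-elevated sessions.
        $verdict = 'path unavailable (re-run elevated)'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        if ((Split-Path $path -Parent) -ine $expected) {
            $verdict = 'UNEXPECTED LOCATION'
        } elseif ($sig.Status -ne 'Valid') {
            $verdict = "signature status: $($sig.Status)"
        } else {
            $verdict = 'ok'
        }
    }
    [pscustomobject]@{ Id = $_.ProcessId; Name = $_.Name; Path = $path
                       Signer = $signer; Verdict = $verdict }
}

# 2. Autostart entries: list Run values in both hives that launch either binary.
$runs = foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = Get-Item "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" `
                    -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($valueName in $key.GetValueNames()) {
        $command = [string]$key.GetValue($valueName)
        if ($command -match 'ctfmon|svchost') {
            [pscustomobject]@{ Key = $key.Name; Value = $valueName
                               Command = $command }
        }
    }
}

$procs | Format-Table -AutoSize -Wrap
$runs  | Format-List
```

A matching path and a valid signature only establish that the file on disk is the genuine binary; they say nothing about code injected into the running process, which is what the scanners recommended in the thread are for.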