help please. possible keylogging infection?

Comments

  • LGG_2
    LGG_2 Posts: 489 Forumite
    edited 7 April 2009 at 12:59PM
    Antivirus           Version         Last Update   Result
    a-squared           4.0.0.101       2009.04.07    -
    AhnLab-V3           5.0.0.2         2009.04.07    -
    AntiVir             7.9.0.138       2009.04.07    -
    Antiy-AVL           2.0.3.1         2009.04.07    -
    Authentium          5.1.2.4         2009.04.07    -
    Avast               4.8.1335.0      2009.04.06    -
    AVG                 8.5.0.285       2009.04.07    -
    BitDefender         7.2             2009.04.07    -
    CAT-QuickHeal       10.00           2009.04.07    -
    ClamAV              0.94.1          2009.04.07    -
    Comodo              1102            2009.04.07    -
    DrWeb               4.44.0.09170    2009.04.07    -
    eSafe               7.0.17.0        2009.04.06    -
    eTrust-Vet          31.6.6442       2009.04.07    -
    F-Prot              4.4.4.56        2009.04.07    -
    F-Secure            8.0.14470.0     2009.04.07    -
    Fortinet            3.117.0.0       2009.04.07    -
    GData               19              2009.04.07    -
    Ikarus              T3.1.1.49.0     2009.04.07    -
    K7AntiVirus         7.10.695        2009.04.07    -
    Kaspersky           7.0.0.125       2009.04.07    -
    McAfee              5576            2009.04.06    -
    McAfee+Artemis      5576            2009.04.06    -
    McAfee-GW-Edition   6.7.6           2009.04.07    -
    Microsoft           1.4502          2009.04.07    -
    NOD32               3992            2009.04.07    -
    Norman              6.00.06         2009.04.07    -
    nProtect            2009.1.8.0      2009.04.07    -
    Panda               10.0.0.14       2009.04.06    -
    PCTools             4.4.2.0         2009.04.06    -
    Prevx1              V2              2009.04.07    -
    Rising              21.24.12.00     2009.04.07    -
    Sophos              4.40.0          2009.04.07    -
    Sunbelt             3.2.1858.2      2009.04.06    -
    Symantec            1.4.4.12        2009.04.07    -
    TheHacker           6.3.4.0.303     2009.04.07    -
    TrendMicro          8.700.0.1004    2009.04.07    -
    VBA32               3.12.10.2       2009.04.07    -
    ViRobot             2009.4.7.1682   2009.04.07    -
    VirusBuster         4.6.5.0         2009.04.06    -

    Additional information
    File size: 15360 bytes
    MD5...: 5f1d5f88303d4a4dbc8e5f97ba967cc3
    SHA1..: 99cb7370f16773c8e2d0c86fe805ec638ab126e9
    SHA256: 5fb24fc7916a6e6b3be7d84cb1684215b266cd1495575c2e5672b8447932e5b1
    SHA512: 600621c9035028d5722f3b5b073d2ec73108d12acd8ed4479e1e789a670c68414bdf2d6118153b64039b2ff8d660c509fc631e7fa11ec490f1e545879ab49585
    ssdeep: 192:W6hGoc4F/MNhlYWpjZ+o7NpO7MIl8SVPTI7mW7rOi7oLG9lMnjmxAITljrUFE3W3:FA1Eo7NY8MPTIaW7/lumxlJlWDlgW
    PEiD..: -
    TrID..: File type identification
    Win32 Executable Generic (42.3%)
    Win32 Dynamic Link Library (generic) (37.6%)
    Generic Win/DOS Executable (9.9%)
    DOS Executable Generic (9.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x2e35
    timedatestamp.....: 0x48025356 (Sun Apr 13 18:39:18 2008)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x2ab8 0x2c00 6.75 414ce647d4328e7513d4155b1a2c9499
    .data 0x4000 0x210 0x200 1.07 bd8c5cd346a9f53dc0dbc69260ab2240
    .rsrc 0x5000 0x870 0xa00 3.85 421ca88053c2138f828a915f2a95d754

    ( 6 imports )
    > msvcrt.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit, _c_exit
    > ADVAPI32.dll: RegDeleteValueA, RegOpenKeyExA, RegCloseKey, RegSetValueExA, RegCreateKeyA, RegCreateKeyExA
    > KERNEL32.dll: lstrcpynA, lstrlenA, GetSystemDirectoryA, GetSystemWindowsDirectoryA, GetVersionExA, GetACP, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LocalFree, CloseHandle, ResetEvent, OpenEventA, CreateProcessA, lstrcatA, GetSystemInfo, lstrcmpiA, FreeLibrary, LoadLibraryA, CreateEventA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, LocalAlloc, GetProcAddress
    > USER32.dll: EnumWindows, GetClassNameA, FindWindowA, PostMessageA, SetTimer, KillTimer, MsgWaitForMultipleObjects, PeekMessageA, TranslateMessage, DispatchMessageA, GetMessageA, SetWindowPos, LoadCursorA, RegisterClassExA, DefWindowProcA, PostQuitMessage, CreateWindowExA, GetSystemMetrics
    > MSCTF.dll: TF_InitSystem, TF_GetGlobalCompartment, TF_InvalidAssemblyListCacheIfExist, TF_InvalidAssemblyListCache, TF_PostAllThreadMsg, TF_CreateCicLoadMutex, TF_UninitSystem
    > MSUTB.dll: ClosePopupTipbar, GetPopupTipbar

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=5f1d5f88303d4a4dbc8e5f97ba967cc3
  • posted_2
    posted_2 Posts: 514 Forumite
    You have to wait for the scan to complete, same as jotti
  • LGG_2
    LGG_2 Posts: 489 Forumite
    it says the scan is finished on my page but when i copy and paste you get that not finished scanned note and scroll bar
  • posted_2
    posted_2 Posts: 514 Forumite
    If it says 0 infection found, and jotti says the same, it's probably ok

    You can disable it running by following the steps in my earlier post.
  • LGG_2
    LGG_2 Posts: 489 Forumite
    posted wrote: »
    Assuming it is legit/false positive - it's a poor false positive if it is, this will be running on 99.9% of systems out there.

    Go into task manager, processes, look for ctfmon.exe

    Then start, control panel, regional, languages, details, advanced, tick turn off advanced text services, ok

    Reboot, and look in task manager to see if it is gone from processes - If it's still there you may have to uninstall a component of office if you have it.

    where do i find task manager
  • posted_2
    posted_2 Posts: 514 Forumite
    ctrl alt del
  • LGG_2
    LGG_2 Posts: 489 Forumite
    jotti says it's ok

    Scan taken on 07 Apr 2009 12:06:09 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Quick Heal Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
  • LGG_2
    LGG_2 Posts: 489 Forumite
    Assuming it is legit/false positive - it's a poor false positive if it is, this will be running on 99.9% of systems out there.

    Go into task manager, processes, look for ctfmon.exe

    Then start, control panel, regional, languages, details, advanced, tick turn off advanced text services, ok

    Reboot, and look in task manager to see if it is gone from processes - If it's still there you may have to uninstall a component of office if you have

    done that and it's gone. what should that do/help
  • posted_2
    posted_2 Posts: 514 Forumite
    If ctfmon was the cause of the norton message, if it is no longer running, the message should stop.
  • LGG_2
    LGG_2 Posts: 489 Forumite
    i have the message again, posted at 1309, saying it was blocked. i guess this was before i took it out of the task manager
This discussion has been closed.