cap2hccap — it's malware...

[smedley]

https://hashcat.net/cap2hccap/:

"This site is using cap2hccap for converting. It is intended for users who dont want to struggle with compiling SVN version of cap2hccap."

Here's an debug of the executable: http://i.imgur.com/xOS0M6C

Edit: Nope.. OP is a newb. Disregard.

[radix]

why would you provide a screenshot of disassembly when you could just point the code out?

[epixoip]

what precisely is leading you to conclude it's malware...? especially when the source is available?

[smedley]

Call me crazy, but are you guys looking at the same screenshot I am? I haven't looked at any source, just looking at the windows executable. I wouldn't have thought a simple parser needs to manipulate memory and Norton signatures.

[atom]

What makes you think it is manipulating memory and Norton signatures?

[undeath]

watch out, we got a security pro over here.

[D3ad0ne]

Norton injects itself into running processes to check it for malware. It doesn't mean that's it is malware.

Example: http://social.msdn.microsoft.com/Forums/...eb95249c5/

[smedley]

Welp I guess I'm wrong. I'm still new at debugging, but hey.. at least I'm trying, right? :-)

I had run the executable and started getting errors, so I freaked out and tried to take a closer look. I should have approached the question from a position of curiosity rather than accusation. Sorry about that.

[epixoip]

so that you know, all that your debugger was telling you was that umengx86.dll was loaded by the current process, along with a few other shared libraries. there was nothing to indicate that anything was being modified.

umengx86.dll is part of Norton's heuristic scanning engine, so as d3ad0ne stated, your av should be injecting this dll into every running process.

and always remember to use the source: http://sourceforge.net/p/cap2hccap/svn/HEAD/tree/trunk/