About Caveman

  • Rank
    Lunar Novice

  1. Yes, that's the name "Sanity Check", I use it to check for hidden rootkits, but I should clarify, the program states that as a general rule programmers should not use that method of hooking unless they are very very good, so as you say it's part of Vista so probably no issue there. It was merely pointing out the methods which it used should only and can only be done by extremely good programmers, otherwise it is probably some sort of Rootkit activity of a general nature which could cause more problems as it could very easily make Windows unstable.
  2. Up for discussion: What do you guys think, is this a potential problem in UPH Cleanup? This is the result of a scan using "Sanity Check"; the results of the scan are posted here. The application says UPH is intercepting system services. I know its purpose, but is there a risk using the program causing an even bigger issue?

     System routines are being intercepted
     One or more system services are being intercepted on your system. This could be initiated by a rootkit or malware but there is also the possibility a security product is responsible for this. With the indications given you should find out if this is the work of a product that you have installed deliberately or not. Note that these SSDT hooks are very notorious because they rely on undocumented techniques and are incredibly difficult to implement right for a programmer. Even if they are installed by a legitimate product, these hooks very often are the cause of sudden unexpected reboots, blue screens, hangups and other misery. If you have more than one product installed which makes use of these techniques then your system is almost sure to be messed up. The module uphcleanhlp.sys is hooking the kernel to intercept base system services.
     Information about the responsible module uphcleanhlp.sys: file path: c:\windows\system32\drivers\uphcleanhlp.sys
  3. Wot's this then.

     The only things Dial-a-fix doesn't (yet) do that WUFix does are: place Windows Update sites in the Trusted Zone, place Windows Update sites in the exception list of IE Popup Blocker. The problem is that most people don't notice the "Flush SoftwareDistribution" button which does the other half of the stuff you mentioned. The next version of Dial-a-fix will do all of the above but I am not going to place any sites in the Trusted Zone or IE Popup Blocker exceptions because it is unnecessary. I will make sure that they don't go onto the *block* lists, but there's no need for them to be in the Trusted Zone or other exceptions.

     Really glad to see you actively monitor the posts DJLizard, I use your DAF every day, love it. Just thought his security settings were off a bit. Should have just suggested he run the "Flush SoftwareDistribution" and reset his browser security settings back to normal.
  4. That's waaay out of date. Current version is Update 10. See: http://java.com/en/download/manual.jsp

     Hey, of course it's outdated, I was just trying to cover over items. My bad..
  5. The automated fix (WUFix) performs the following functions: clears out the proxy cache, places Windows Update sites in the Trusted Zone, places Windows Update sites in the exception list of IE Popup Blocker, starts all dependent services, registers required DLLs, empties the Windows Update temporary folder (with backup), renames the catroot2 folder, retains update history and Event log, and deletes BITS pending download queue.

     Automated Windows Update Fix: Download WUFix.zip and unzip to your desktop. Double-click WUFix.bat to run the fix. You will see a window open and commands processing. When the window closes the fix will have completed.
  6. Tarun is correct, try the following guide:

     WINDOWS UPDATE TROUBLESHOOTING FIX

     Preliminary Recommendations

     1. Ensure the following conditions are met:
        • You are signed on with an XP User Account that has Administrative privileges
        • You are using Internet Explorer or a browser that supports ActiveX downloads
        • Verify that time and date settings for your computer are correct - Click Start -> Click Control Panel -> Click Date and Time

     2. Enable Javascript and Disable Script Blocking Programs
        Since Windows Updates is script dependent, any preventative programs which employ script blocking or restrict javascript should be disabled. The automated fix will adjust Internet Explorer's javascript settings, so that it is enabled for the Windows Update sites only.
        It is important that you have the most current Java Runtime Environment (JRE) installed on your system. The current JRE version is Java Runtime Environment (JRE) 6 Update 5. Older versions of the Sun Java Platform are known to contain Critical Vulnerabilities which are corrected by the current version.
        Determine what Java version you have installed on your system by doing the following:
        • Click Start -> Control Panel -> Add/Remove Programs
        • Check the listings under JRE or J2SE Runtime Environment for your Java Version
        • Alternatively, you can check the Java version you have installed by clicking here
        You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 5:
        • Download the latest JRE version at the Sun Microsystems website
        • Scroll down to Java Runtime Environment (JRE) 6u5 and click the Download button
        • Check the box that says: Accept License Agreement
        • Under the Windows Platform - Java SE Runtime Environment 6 Update 5 section, click on the link to download the Windows Offline Installation and save to your desktop.
        • Close any programs you may have running - especially your web browser.
        • Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Programs feature (as they may contain security vulnerabilities).
        • Reboot your system.
        • Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version of the Sun Java Platform.
        • You may verify that the current version installed properly by clicking here.
        Now it is very important that you turn off any script blocking applications you may have running such as Norton Script Blocking.

     3. Disable Blocking Programs
        Many popular programs, even some security applications used to protect you, can actually interfere with the ability to obtain Windows Updates. The following programs have been associated with such issues, and you should check to see if you have any of them running/installed on your system:
        Download Accelerator, Download Accelerator Plus, GetRight, Browser Blaster Pop-up blocker, BitTorrent, PC-cillin - WebTrap component, eMule, Surfin Guard Pro, Sygate Personal Firewall, Norton Internet Security, Freedom Firewall, Zone Alarm Firewall
        If you are using one of the above programs, please do the following:
        • If the interfering program is a firewall, enable the built-in Windows Firewall (ICF): Click Start -> Control Panel -> Security Center -> Windows Firewall and check the 'automatic' circle next to the green shield icon to turn ON the Windows Firewall.
        • Temporarily turn off your resident firewall program, which can usually be accomplished by right-clicking its icon in the system tray and selecting the appropriate action to disable it. For example, if you have the ZoneAlarm firewall, click "Shutdown ZoneAlarm".
        • After Windows Updates is complete, re-enable your resident firewall by clicking Start -> All Programs -> navigate and open your resident firewall program, then reactivate it. This will automatically disable the Windows Firewall.
        • Next, temporarily disable any of the other blocking programs listed above. If you are using any other Spam/Popup/Ad Blocker programs which are not on the list, disable them as well. Also, disable any download accelerator software. Disabling can usually be accomplished by right-clicking the program's system tray icon and selecting the disable/shutdown option. After Windows Updates is complete, you may re-enable all disabled programs.

     4. Disable registry monitoring/blocking software
        If you use a registry monitoring program, you must disable it before running the automated fix. Some popular programs which do that are Adwatch, TeaTimer, and Windows Defender / Microsoft Antispyware.
  7. Hi, try this then run Dial-A-Fix afterwards. Stop: Sorry, just noticed you have XP with SP3 in your log. This is only recommended for SP1 and SP2. Sorry for the confusion.

     The automated fix (WUFix) performs the following functions: clears out the proxy cache, places Windows Update sites in the Trusted Zone, places Windows Update sites in the exception list of IE Popup Blocker, starts all dependent services, registers required DLLs, empties the Windows Update temporary folder (with backup), renames the catroot2 folder, retains update history and Event log, and deletes BITS pending download queue.

     Automated Windows Update Fix: Download WUFix.zip and unzip to your desktop. Double-click WUFix.bat to run the fix. You will see a window open and commands processing. When the window closes the fix will have completed. Then go run Dial-A-Fix again please.
  8. Hi, it's the Caveman here: A little info on Spy Counter: I believe it started as Cybermedia Cleaner, then Microsoft bought the good app, turned it into crap with Microsoft anti-spyware, then some other company bought the engines, revamped it and called it Spy Counter. OK now for testing results, I read all the media hype and so-called editors' picks and top scoring of this product. I tested it ver. 2.5, updated for free to vers. 3. standard and Vipre is all hype, used it on many computers. It found the odd trojan and malware issues but really SUPERAntiSpyware and Malwarebytes found all the same entries and removed them, the scanner was actually slow for me. My suggestion: Don't buy, I stopped using it in my arsenal. I need apps that work fast and remove clean. No time to mess around waiting for long scans to finish and find 2 entries while standard cleaners find hundreds of legit issues.
  9. Hey Greenliaght, thanks for the interest, I actually went back to their site and downloaded the "portable version", no install necessary, it works great, it's a great tool to show all the Vundo entries and select them to be removed and then reboot.
  10. Note on SAS: I have used it 7 to 10 times a day on client computers for quite a while now, I'm surprised it took so long to add it. It's a first-rate app and very effective.
  11. Update #4: more info on OSAM Autorun Manager. I like this app more and more, it's like Unhackme and Regassasin and Unlocker in one easy scan format and a whole lot more, and it's free. Warning: Only experienced Techs should test or use this product, ok.

      "OSAM" (Online Solutions Autorun Manager) is a powerful and reliable tool for controlling the 'cleanliness' of components and applications that are automatically loaded or started under certain conditions without user's consent. "OSAM" provides an easy one-click way of obtaining detailed information about the components that are run automatically at the system start and can potentially affect its operation. Basically, all types of malicious software that have been around for the last 7-10 years use various mechanisms of sticking to an infected system. With this product, you will be able to monitor and control these activities and, which is more important, eradicate the threat on your own.

      Rootkits are one of the biggest threats for end user systems. This malicious software integrates into the system on a very low level and completely hides its presence. The user is often totally unaware that the computer is being controlled by hackers. But that's not a problem: whether it's a hidden start of a rootkit driver or other hidden keys, "OSAM" will detect any of these autorun variants. Modern malicious software, such as adware, spyware and spambots cannot be completely removed by existing anti-virus solutions. However, such treatment attempts often leave the user without working network connections or damage other system components. The user becomes helpless and alone with the problem. The "OSAM" manager will easily solve this problem!

      The virus blocks access to a registry key or file? You can't remove them using any possible means? The "OSAM" manager will tackle this problem, too*.

      If the user is experiencing problems, he can use several program functions to seek experts' assistance (for instance, on our forum) - save a detailed system report (all autoruns) or save a full snapshot of the startup data (in the same form as on the user's system).

      Functional capabilities:
      * support of virtually all known methods of automatic loading using the system registry or special folders;
      * automatic detection of the peculiarities of settings on specific user systems;
      * validation of digital file signatures;
      * color marking of file statuses for better comprehension;
      * filtering by statuses of detected objects;
      * search by masks using any parameter in any display mode;
      * output of additional information for any object type;
      * output of detailed file information, validation of file existence and accessibility;
      * temporary disablement of registry objects or files without creating additional keys or subfolders;
      * generation of two types of report files (text and HTML*) with all autoload information.

      Unique capabilities:
      * protection against rootkits by detecting hidden registry keys and records using the method of direct registry data analysis (without using OS functions);
      * comprehensive support of LSP (Layered Service Providers) filters deletion and recovery with rearrangement of the providers chain;
      * support of namespace providers (NSP) with rearrangement of the providers chain*.

      Advantages:
      * a completely free application!
      * grouping by file objects enables you to quickly find all links to a specific automatically loaded file;
      * regular updates of the methodological database after the analysis of in-the-wild malicious software;
      * full Unicode support (any national characters, filenames and registry data);
      * support of visual themes (skins) for users who do care how their favorite software looks.

      * - available only for registered users (conditions may be changed in the near future)

      Compatibility:
      * Microsoft Windows 2000
      * Microsoft Windows XP
      * Microsoft Windows 2003
      * Microsoft Windows Vista

      The company is currently working on providing full support of these operating systems:
      * Microsoft Windows XP x64
      * Microsoft Windows 2003 x64
      * Microsoft Windows Vista x64
  12. Update #3: the Company forums talk about the direct access to the hard-drive as a good thing, as do some of the readers, to enable the scanner's Direct Disk Access feature for raw data. No word on direct access to the keyboard yet.
  13. Update #2: I emailed the Company in Russia re: the keyboard access request concern I have, and checked out the other things in the program. Interesting: there are full instructions on using the program to get rid of all the Trojan Vundo problems. Very nice. Link is here for the video and instructions within OSAM Automanager: http://www.online-solutions.ru/en/how_to_remove_vundo_trojan_virtumonde.php

      VUNDO TROJAN REMOVAL
      How to remove the Vundo Trojan (also known as Virtumonde, Virtumondo, Virtumundo, Monder, Monderb, MS Juan) using the OSAM Autorun Manager (Portable Version, 3.63mb or Installation Package, 8.84mb). Please note! These steps are only for the Windows XP / 2003 / 2000 users.

      1. First you should click on the "Settings" button in the top menu [screenshot: OSAM Menu - Settings] and then change the value for the "Disable objects using the driver" option to "Always", as it is shown below [screenshot: OSAM Settings - Driver Mode: Always].
      2. Now look through the list of the objects and find the randomly-named .DLL files under the following registry keys:
         Internet Explorer section: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
         Winlogon section: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
         Explorer section: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
         Randomly-named .DLL files means something like this: nnnkLcCU.dll, opNdccDV.dll, hgGxyXQH.dll, yfcfqtfd.dll, cbxvttsR.dll, pmnkLCSk.dll. And these files should be located in the WINDOWS\system32 directory. Use the OSAM Online Malware Scanner function if you have problems with finding the right ones [screenshot: OSAM: Scan using Online Malware Scanner].
      3. Disable the trojan entries by removing the checkmarks in the checkboxes next to these randomly-named .DLL files.
      4. Once you have finished with disabling the items, press the "Apply" button [screenshot: OSAM: Apply Button]. You will see the list of the disabled items (press the "Close" button) and then the following message will be displayed [screenshot: OSAM: Reboot now]. Press the "Reboot now" button. Once your computer has been rebooted, the Vundo Trojan will be disinfected.

      1. Start OSAM again - you will see the report about deleted entries.
      2. Press the "Settings" button to change the value for the "Disable objects using the driver" option back to "For undeletable objects only".
      3. Also you can use the "Jump to file" function to delete the inactive trojan files [screenshot: OSAM: Jump to file].
      4. And then use the "Delete from storage" function to delete the disabled items from the list of the objects [screenshot: OSAM: Delete from storage].

      If you still need help or have any questions - you are welcome to our forum. To register on the forum please follow this instruction. Comments and discussion are here. Step-by-step Vundo removal video instruction: Comments and discussion are here.
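Added here as an example, not code from the post above or from OSAM: a read-only PowerShell triage of the three registry locations the Vundo write-up names. It lists every DLL registered there, checks whether the file exists and carries a valid Authenticode signature, and flags base names that match the eight-letter random pattern of the write-up's samples, so you can see what an autorun manager is showing you before you disable anything. It assumes an elevated prompt on the Windows machine being examined, the standard COM registration layout under HKCR\CLSID\{...}\InprocServer32, that a bare DLLName under Winlogon\Notify resolves from System32, and that the eight-letter heuristic is only a hint, not a verdict.

```powershell
# Added example (not from the post or from OSAM): read-only triage of the
# three autorun locations the Vundo write-up names. It changes nothing;
# decide what to disable only after reading the output.
# Run from an elevated PowerShell prompt on the Windows machine being examined.

function Resolve-ClsidDll {
    param([string]$Clsid)
    # A COM server registers its DLL as the default value of
    # HKCR\CLSID\{...}\InprocServer32; BHOs and ShellExecuteHooks are COM objects.
    $key  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

function Test-RandomLookingName {
    param([string]$Path)
    # Heuristic, an assumption of this example: the write-up's samples
    # (nnnkLcCU.dll, yfcfqtfd.dll, ...) are exactly eight letters, no digits.
    $base = [System.IO.Path]::GetFileNameWithoutExtension($Path)
    return [bool]($base -match '^[A-Za-z]{8}$')
}

function New-Finding {
    param([string]$Location, [string]$Id, [string]$RawPath)
    $path = ''
    if ($RawPath) {
        $path = [Environment]::ExpandEnvironmentVariables($RawPath.Trim('"'))
        # Winlogon\Notify often stores a bare file name; the loader finds it in
        # System32 (assumed here so the existence check has a concrete path).
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot "System32\$path"
        }
    }
    $exists = ($path -ne '') -and (Test-Path -LiteralPath $path)
    $sig    = 'n/a'
    if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $path).Status }
    $random = $false
    if ($path) { $random = Test-RandomLookingName $path }
    [pscustomobject]@{
        Location   = $Location
        Identifier = $Id
        Path       = $path
        Exists     = $exists
        Signature  = $sig
        RandomName = $random
    }
}

function Get-AutorunDllReport {
    $bho    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    $hooks  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'

    # BHOs: one subkey per CLSID; the DLL path comes from the CLSID registration.
    foreach ($sub in Get-ChildItem -Path $bho -ErrorAction SilentlyContinue) {
        New-Finding 'Browser Helper Objects' $sub.PSChildName (Resolve-ClsidDll $sub.PSChildName)
    }
    # Winlogon notification packages: one subkey per package, DLL named in DLLName.
    foreach ($sub in Get-ChildItem -Path $notify -ErrorAction SilentlyContinue) {
        $dll = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).DLLName
        New-Finding 'Winlogon\Notify' $sub.PSChildName $dll
    }
    # ShellExecuteHooks: here the value *names* are the CLSIDs.
    $hookKey = Get-Item -Path $hooks -ErrorAction SilentlyContinue
    if ($hookKey) {
        foreach ($clsid in $hookKey.GetValueNames()) {
            if ($clsid) { New-Finding 'ShellExecuteHooks' $clsid (Resolve-ClsidDll $clsid) }
        }
    }
}

# Random-looking names sort to the top; read Exists and Signature alongside them.
Get-AutorunDllReport | Sort-Object RandomName -Descending | Format-Table -AutoSize
```

A RandomName hit with Signature NotSigned and a file in System32 is exactly the pattern the write-up describes; a Valid signature from a known vendor on a normally named file is the usual reason a BHO or hook is there at all. Treat the output as a list of things to look up, not a list of things to delete.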
  14. Update on Autorun Manager: after installing and running the program, it removed the few things I chose to remove, and then I scanned my entire system with SAS, Malwarebytes, 5 rootkit scanners, HijackThis, Kaspersky A/V tool, Avira Anti-virus, Pest Patrol by CA, AVAST A/V tool, UnHackMe 4.8, SBS&D, and DAF to see if any policy restrictions had taken place. Well, everything was clean except 5 cookies found. So, it looks ok so far, but I'm still concerned about the program wanting direct access to my keyboard.
  15. OK, I checked out one of our visitors' requests for an evaluation of his product. Said he had a new security software company in RU. Flags went off right away, but I checked out the site and downloaded OSAM Auto Manager. Interesting product, upon installing it things were going well, then Comodo firewall flagged a request for direct access to my keyboard, ohhh, I didn't like that and said "deny access". This is a great example of why Comodo Firewall Pro is an excellent product. The product install continued, no bad effect from saying "NO access", then it asked for direct access to the hard-drive, well many programs need that like disk management and defraggers, but again being cautious I said "Deny Access always" in Comodo. It continued on and seemed to install fine. I opened the product up. Normal popups from Comodo 3 more times based on my actions, I expected those to pop up and I said "allow access to the internet" to check its database for questionable files it found on my hard drive. OK then it allowed me to view items in a fairly unique way, I have not seen this combination of associating the registry entries to the program in such an easy to read format before. The scans themselves were very fast. I saw some entries which I thought were gone, the crap by Paretologic that I tested previously. So my question is to others, could this keyboard access thing denied by Comodo be a keylogger? Well my first step was to submit the installer 8.7 mb to Virus Total online scanners. I wouldn't go to all this trouble but this app has very good possibilities and I don't want to dismiss it out of hand. The results are posted here, it came back all clean. If anyone wishes to test and provide feedback I would appreciate the assistance. I will scan my entire system now looking for infections of any type, my previous full scans came up 0 before so any change should be related to the app. Wish me luck. I'll let you know how it went.
      Virus Total Results:
      File osam_autorun_manager.msi received on 10.11.2008 21:52:38 (CET)
      Result: 0/35 (0%)

      Antivirus           Version            Last Update   Result
      AhnLab-V3           2008.10.10.1       2008.10.10    -
      AntiVir                                2008.10.11    -
      Authentium                             2008.10.11    -
      Avast               4.8.1248.0         2008.10.11    -
      AVG                                    2008.10.11    -
      BitDefender         7.2                2008.10.11    -
      CAT-QuickHeal       9.50               2008.10.11    -
      ClamAV              0.93.1             2008.10.11    -
      DrWeb                                  2008.10.11    -
      eSafe                                  2008.10.08    -
      eTrust-Vet          31.6.6141          2008.10.10    -
      Ewido               4.0                2008.10.11    -
      F-Prot                                 2008.10.11    -
      Fortinet                               2008.10.11    -
      GData               19                 2008.10.11    -
      Ikarus              T3.                2008.10.11    -
      K7AntiVirus         7.10.491           2008.10.11    -
      Kaspersky                              2008.10.11    -
      McAfee              5403               2008.10.11    -
      Microsoft           1.4005             2008.10.11    -
      NOD32               3515               2008.10.11    -
      Norman              5.80.02            2008.10.10    -
      Panda                                  2008.10.11    -
      PCTools                                2008.10.11    -
      Prevx1              V2                 2008.10.11    -
      Rising                                 2008.10.10    -
      SecureWeb-Gateway   6.7.6              2008.10.11    -
      Sophos              4.34.0             2008.10.11    -
      Sunbelt             3.1.1715.1         2008.10.11    -
      Symantec            10                 2008.10.11    -
      TheHacker                              2008.10.11    -
      TrendMicro          8.700.0.1004       2008.10.10    -
      VBA32                                  2008.10.10    -
      ViRobot             2008.10.10.1416    2008.10.10    -
      VirusBuster                            2008.10.11    -

      Additional information
      File size: 9299968 bytes
      MD5...: f3d6426eaa31be98618c21210bbc1054
      SHA1..: c246aea1f15bbe65061709c053a31c9db4cb5e9c
      SHA256: e67ead2b31bbda8153c9765e60d26d9d9e4e7513f97d1279c4e084c7afebad05
      SHA512: 9da42d7aa1e4b8e1e77eec32de7b491a1eb06e926390f1d56083204b276ec270e8d4538251a4695f2fc34bb8827e905fb2eb3ff388a4fc30cf13a102a0c1f95d
      PEiD..: -
      TrID..: File type identification
        Microsoft Windows Installer (92.7%)
        Windows SDK Setup Transform Script (6.3%)
        Generic OLE2 / Multistream Compound File (0.8%)
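Added as an example, not code from the post or from VirusTotal: a PowerShell check that a locally downloaded copy of the installer matches the digests and file size the VirusTotal report above lists. A 0/35 verdict only speaks for the exact bytes that were scanned, so anyone re-testing the app should first confirm they hold the same file. The download path is a placeholder assumed for the example; the MD5, SHA1, SHA256 and size values are taken from the report in the post.

```powershell
# Added example (not from the post or from VirusTotal): confirm that the copy
# on disk is the file the report describes before trusting the posted verdict.
# Digests and size copied from the VirusTotal report in the post above.
$ExpectedHashes = @{
    MD5    = 'f3d6426eaa31be98618c21210bbc1054'
    SHA1   = 'c246aea1f15bbe65061709c053a31c9db4cb5e9c'
    SHA256 = 'e67ead2b31bbda8153c9765e60d26d9d9e4e7513f97d1279c4e084c7afebad05'
}
$ExpectedSize = 9299968   # bytes, from the report

function Test-InstallerDigests {
    param(
        [Parameter(Mandatory)][string]$Path,
        [hashtable]$Expected = $ExpectedHashes,
        [long]$Size = $ExpectedSize
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # Size is the cheapest check and already rules out a different build.
    $actualSize = (Get-Item -LiteralPath $Path).Length
    [pscustomobject]@{
        Check    = 'Size'
        Expected = $Size
        Actual   = $actualSize
        Match    = ($actualSize -eq $Size)
    }
    foreach ($algo in ($Expected.Keys | Sort-Object)) {
        # Get-FileHash (PowerShell 4+) returns upper-case hex; compare case-insensitively.
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm $algo).Hash
        [pscustomobject]@{
            Check    = $algo
            Expected = $Expected[$algo]
            Actual   = $actual.ToLowerInvariant()
            Match    = ($actual -ieq $Expected[$algo])
        }
    }
}

# Placeholder path: point it at the copy you actually downloaded.
$results = Test-InstallerDigests -Path "$env:USERPROFILE\Downloads\osam_autorun_manager.msi"
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Match }) {
    Write-Warning 'Digest or size mismatch: this is not the file the VirusTotal report covers.'
}
```

All four rows must show Match = True; a single mismatch means a different file, and the only sound next step is to submit that file for its own scan rather than reuse the posted result.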