Caveman

Member
  • Posts

    33
  • Joined

  • Last visited

Personal Information

  • Country
    Philippines
  • OS
    None specified

Caveman's Achievements

  1. Yes, that's the name, "Sanity Check"; I use it to check for hidden rootkits, but I should clarify: the program states that as a general rule programmers should not use that method of hooking unless they are very, very good, so as you say it's part of Vista, so probably no issue there. It was merely pointing out that the methods it used should only and can only be done by extremely good programmers; otherwise it is probably some sort of rootkit activity of a general nature which could cause more problems, as it could very easily make Windows unstable.
  2. Up for discussion: what do you guys think, is this a potential problem in UPH Cleanup? This is the result of a scan using "Sanity Check"; the results of the scan are posted here. The application says UPH is intercepting system services. I know its purpose, but is there a risk that using the program causes an even bigger issue?
     "System routines are being intercepted. One or more system services are being intercepted on your system. This could be initiated by a rootkit or malware, but there is also the possibility a security product is responsible for this. With the indications given you should find out if this is the work of a product that you have installed deliberately or not. Note that these SSDT hooks are very notorious because they rely on undocumented techniques and are incredibly difficult to implement right for a programmer. Even if they are installed by a legitimate product, these hooks very often are the cause of sudden unexpected reboots, blue screens, hangups and other misery. If you have more than one product installed which makes use of these techniques then your system is almost sure to be messed up. The module uphcleanhlp.sys is hooking the kernel to intercept base system services. Information about the responsible module uphcleanhlp.sys: file path: c:\windows\system32\drivers\uphcleanhlp.sys"
  3. Hi, it's the Caveman here. A little info on Spy Counter: I believe it started as Cybermedia Cleaner, then Microsoft bought the good app, turned it into crap with Microsoft Anti-Spyware, then some other company bought the engines, revamped it and called it Spy Counter. OK, now for testing results. I read all the media hype and so-called editors' picks and top scoring of this product. I tested it (ver. 2.5, updated for free to ver. 3 standard) and Vipre; it's all hype. I used it on many computers. It found the odd trojan and malware issues, but really SuperAntiSpyware and Malwarebytes found all the same entries and removed them, and the scanner was actually slow for me. My suggestion: don't buy. I stopped using it in my arsenal. I need apps that work fast and remove clean. No time to mess around waiting for long scans to finish and find 2 entries while standard cleaners find hundreds of legit issues.
  4. Hey Greenliaght, thanks for the interest. I actually went back to their site and downloaded the "portable version", no install necessary. It works great; it's a great tool to show all the Vundo entries, select them to be removed and then reboot.
  5. Note on SAS: I have used it 7 to 10 times a day on client computers for quite a while now; I'm surprised it took so long to add it. It's a first-rate app and very effective.
  6. Update #4: more info on OSAM Autorun Manager. I like this app more and more; it's like Unhackme, Regassasin and Unlocker in one easy scan format and a whole lot more, and it's free. Warning: only experienced techs should test or use this product, ok.
     "OSAM" (Online Solutions Autorun Manager) is a powerful and reliable tool for controlling the 'cleanliness' of components and applications that are automatically loaded or started under certain conditions without the user's consent. "OSAM" provides an easy one-click way of obtaining detailed information about the components that are run automatically at system start and can potentially affect its operation. Basically, all types of malicious software that have been around for the last 7-10 years use various mechanisms of sticking to an infected system. With this product, you will be able to monitor and control these activities and, which is more important, eradicate the threat on your own.
     Rootkits are one of the biggest threats for end user systems. This malicious software integrates into the system on a very low level and completely hides its presence. The user is often totally unaware that the computer is being controlled by hackers. But that's not a problem: whether it's a hidden start of a rootkit driver or other hidden keys, "OSAM" will detect any of these autorun variants. Modern malicious software, such as adware, spyware and spambots, cannot be completely removed by existing anti-virus solutions. However, such treatment attempts often leave the user without working network connections or damage other system components. The user becomes helpless and alone with the problem. The "OSAM" manager will easily solve this problem! The virus blocks access to a registry key or file? You can't remove them using any possible means? The "OSAM" manager will tackle this problem, too*.
     If the user is experiencing problems, he can use several program functions to seek experts' assistance (for instance, on our forum): save a detailed system report (all autoruns) or save a full snapshot of the startup data (in the same form as on the user's system).
     Functional capabilities:
     * support of virtually all known methods of automatic loading using the system registry or special folders;
     * automatic detection of the peculiarities of settings on specific user systems;
     * validation of digital file signatures;
     * color marking of file statuses for better comprehension;
     * filtering by statuses of detected objects;
     * search by masks using any parameter in any display mode;
     * output of additional information for any object type;
     * output of detailed file information, validation of file existence and accessibility;
     * temporary disablement of registry objects or files without creating additional keys or subfolders;
     * generation of two types of report files (text and HTML*) with all autoload information.
     Unique capabilities:
     * protection against rootkits by detecting hidden registry keys and records using the method of direct registry data analysis (without using OS functions);
     * comprehensive support of LSP (Layered Service Providers) filters deletion and recovery with rearrangement of the providers chain;
     * support of namespace providers (NSP) with rearrangement of the providers chain*.
     Advantages:
     * a completely free application!
     * grouping by file objects enables you to quickly find all links to a specific automatically loaded file;
     * regular updates of the methodological database after the analysis of in-the-wild malicious software;
     * full Unicode support (any national characters, filenames and registry data);
     * support of visual themes (skins) for users who do care how their favorite software looks.
     * - available only for registered users (conditions may be changed in the near future)
     Compatibility:
     * Microsoft Windows 2000
     * Microsoft Windows XP
     * Microsoft Windows 2003
     * Microsoft Windows Vista
     The company is currently working on providing full support of these operating systems:
     * Microsoft Windows XP x64
     * Microsoft Windows 2003 x64
     * Microsoft Windows Vista x64
  7. Update: the company forums talk about the direct access to the hard drive as a good thing, as do some of the readers, to enable the scanner's Direct Disk Access feature for raw data. No word on direct access to the keyboard yet.
  8. Update #2: I emailed the company in Russia re: the keyboard access concern I have, and checked out the other things in the program. Interesting: there are full instructions on using the program to get rid of all the Trojan Vundo problems. Very nice. Link is here for the video and instructions within OSAM Autorun Manager: http://www.online-solutions.ru/en/how_to_remove_vundo_trojan_virtumonde.php
     VUNDO TROJAN REMOVAL
     How to remove the Vundo Trojan (also known as Virtumonde, Virtumondo, Virtumundo, Monder, Monderb, MS Juan) using the OSAM Autorun Manager (Portable Version, 3.63 MB, or Installation Package, 8.84 MB). Please note! These steps are only for Windows XP / 2003 / 2000 users.
     1. First you should click on the "Settings" button in the top menu (screenshot: OSAM Menu - Settings) and then change the value for the "Disable objects using the driver" option to "Always", as shown (screenshot: OSAM Settings - Driver Mode: Always).
     2. Now look through the list of the objects and find the randomly-named .DLL files under the following registry keys:
        Internet Explorer section: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
        Winlogon section: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
        Explorer section: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
        Randomly-named .DLL files means something like this: nnnkLcCU.dll, opNdccDV.dll, hgGxyXQH.dll, yfcfqtfd.dll, cbxvttsR.dll, pmnkLCSk.dll. These files should be located in the WINDOWS\system32 directory. Use the OSAM Online Malware Scanner function if you have problems finding the right ones (screenshot: OSAM: Scan using Online Malware Scanner).
     3. Disable the trojan entries by removing the checkmarks in the checkboxes next to these randomly-named .DLL files.
     4. Once you have finished disabling the items, press the "Apply" button (screenshot: OSAM: Apply Button). You will see the list of the disabled items (press the "Close" button) and then the following message will be displayed (screenshot: OSAM: Reboot now). Press the "Reboot now" button. Once your computer has rebooted, the Vundo Trojan will be disinfected.
     After the reboot:
     1. Start OSAM again; you will see the report about deleted entries.
     2. Press the "Settings" button to change the value for the "Disable objects using the driver" option back to "For undeletable objects only".
     3. You can also use the "Jump to file" function to delete the inactive trojan files (screenshot: OSAM: Jump to file).
     4. Then use the "Delete from storage" function to delete the disabled items from the list of objects (screenshot: OSAM: Delete from storage).
     If you still need help or have any questions, you are welcome on our forum. A step-by-step Vundo removal video instruction is also available.
  9. Update on Autorun Manager: after installing and running the program, it removed the few things I chose to remove, and then I scanned my entire system with SAS, Malwarebytes, 5 rootkit scanners, HijackThis, the Kaspersky A/V tool, Avira Anti-Virus, Pest Patrol by CA, the AVAST A/V tool, Unhackme 4.8, SBS&D, and DAF to see if any policy restriction had taken place. Well, everything was clean except for 5 cookies found. So it looks ok so far, but I'm still concerned about the program wanting direct access to my keyboard.
  10. OK, I checked out one of our visitors' requests at our site for an evaluation of his product. He said he had a new security software company in RU. Flags went off right away, but I checked out the site and downloaded OSAM Autorun Manager. Interesting product. Upon installing it things were going well, then Comodo Firewall flagged a request for direct access to my keyboard. Ohhh, I didn't like that and said "deny access"; this is a great example of why Comodo Firewall Pro is an excellent product. The product install continued, no bad effect from saying "no access", then it asked for direct access to the hard drive. Well, many programs need that, like disk management and defraggers, but again being cautious I said "deny access always" in Comodo. It continued on and seemed to install fine. I opened the product up. Normal popups from Comodo 3 more times based on my actions; I expected those to pop up and I said "allow access" to the internet to check its database for questionable files it found on my hard drive. OK, then it allowed me to view items in a fairly unique way; I have not seen this combination of associating the registry entries to the program in such an easy-to-read format before. The scans themselves were very fast. I saw some entries which I thought were gone, the crap by Paretologic that I tested previously. So my question to others: could this keyboard access thing denied by Comodo be a keylogger? Well, my first step was to submit the 8.7 MB installer to the Virus Total online scanners. I wouldn't go to all this trouble, but this app has very good possibilities and I don't want to dismiss it out of hand. The results are posted here; it came back all clean. If anyone wishes to test and provide feedback I would appreciate the assistance. I will scan my entire system now looking for infections of any type; my previous full scans came up 0 before, so any change should be related to the app. Wish me luck. I'll let you know how it went.
      Virus Total results: File osam_autorun_manager.msi received on 10.11.2008 21:52:38 (CET). Result: 0/35 (0%)
      Antivirus / Version / Last Update / Result
      AhnLab-V3 2008.10.10.1 2008.10.10 -
      AntiVir 7.8.1.34 2008.10.11 -
      Authentium 5.1.0.4 2008.10.11 -
      Avast 4.8.1248.0 2008.10.11 -
      AVG 8.0.0.161 2008.10.11 -
      BitDefender 7.2 2008.10.11 -
      CAT-QuickHeal 9.50 2008.10.11 -
      ClamAV 0.93.1 2008.10.11 -
      DrWeb 4.44.0.09170 2008.10.11 -
      eSafe 7.0.17.0 2008.10.08 -
      eTrust-Vet 31.6.6141 2008.10.10 -
      Ewido 4.0 2008.10.11 -
      F-Prot 4.4.4.56 2008.10.11 -
      Fortinet 3.113.0.0 2008.10.11 -
      GData 19 2008.10.11 -
      Ikarus T3.1.1.34.0 2008.10.11 -
      K7AntiVirus 7.10.491 2008.10.11 -
      Kaspersky 7.0.0.125 2008.10.11 -
      McAfee 5403 2008.10.11 -
      Microsoft 1.4005 2008.10.11 -
      NOD32 3515 2008.10.11 -
      Norman 5.80.02 2008.10.10 -
      Panda 9.0.0.4 2008.10.11 -
      PCTools 4.4.2.0 2008.10.11 -
      Prevx1 V2 2008.10.11 -
      Rising 20.65.42.00 2008.10.10 -
      SecureWeb-Gateway 6.7.6 2008.10.11 -
      Sophos 4.34.0 2008.10.11 -
      Sunbelt 3.1.1715.1 2008.10.11 -
      Symantec 10 2008.10.11 -
      TheHacker 6.3.1.0.108 2008.10.11 -
      TrendMicro 8.700.0.1004 2008.10.10 -
      VBA32 3.12.8.6 2008.10.10 -
      ViRobot 2008.10.10.1416 2008.10.10 -
      VirusBuster 4.5.11.0 2008.10.11 -
      Additional information
      File size: 9299968 bytes
      MD5: f3d6426eaa31be98618c21210bbc1054
      SHA1: c246aea1f15bbe65061709c053a31c9db4cb5e9c
      SHA256: e67ead2b31bbda8153c9765e60d26d9d9e4e7513f97d1279c4e084c7afebad05
      SHA512: 9da42d7aa1e4b8e1e77eec32de7b491a1eb06e926390f1d56083204b276ec270e8d4538251a4695f2fc34bb8827e905fb2eb3ff388a4fc30cf13a102a0c1f95d
      PEiD: -
      TrID (file type identification): Microsoft Windows Installer (92.7%), Windows SDK Setup Transform Script (6.3%), Generic OLE2 / Multistream Compound File (0.8%)
  11. Try to do a system restore first: press F8 on start, select Safe Mode, select "no" and go back a week. Then after it's done, uninstall ZA; it's crap, like Tarun said. Run your scans, then install Comodo and watch what it asks you, ok. Hope this helps. Regards, Caveman
  12. I agree, PC Tools Spyware Doctor slows down your system, is bloatware and ineffective crap. Love this site. Tell it like it is: millions are using it, or should we say conned or duped into buying it, as the ads for this crap are everywhere. They must pay big kickbacks to websites that push the Spyware Doctor crap.
  13. Hey Tarun, can you please investigate Paretologic? I think most of their stuff is crap and should be blacklisted.
  14. Note: update on Rootkit Unhooker from Caveman: Microsoft now owns Rootkit Unhooker and SEye... "As you can guess all our source code and concept were sold to MS. The new secret project of Microsoft is SEye ..."
  15. Nothing against Windows Defender, but it's a pain in the rear when I try to connect remotely to a Vista computer; it will often block my attempt. Yeah, I know maybe it's supposed to do that, but even after the client tells it to allow or ignore, and I'm coming in on port 80, geez, it's freezing me out. I'm all for the SuperAntiSpyware free version; I use it 10 times a day on computers. It's rated in my top 5 tools for cleaning up malware and trojans: great engines, always improving the product, d*** nice program. Windows Defender is a real-time application, but to me it's just a real pain in the rear.
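The Vundo removal post above (item 8) names three autorun locations, Browser Helper Objects, Winlogon\Notify and ShellExecuteHooks, and tells the reader to look for randomly named, unsigned DLLs in system32. The following PowerShell script is an added example, not part of any post on this page and not OSAM's code: it enumerates those same three locations, resolves each entry to a DLL on disk, checks its Authenticode signature, and reports (without disabling or deleting anything) which entries match the pattern described in the post. It assumes Windows PowerShell 5.1 or later with read access to HKLM and HKCR; the eight-letter filename heuristic is an assumption drawn only from the sample names in the post.

```powershell
# Added example: read-only audit of the three autorun locations named in the
# Vundo removal steps. Reports; it does not change the registry or delete files.

function Resolve-ClsidDll {
    # BHO and ShellExecuteHook entries are CLSIDs; the DLL lives under
    # CLSID\{guid}\InprocServer32 (default value) in HKLM or HKCU Classes.
    param([string]$Clsid)
    foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $hive "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            if ($v) { return [Environment]::ExpandEnvironmentVariables($v) }
        }
    }
    return $null
}

function Get-AutorunDlls {
    $found = @()

    # Browser Helper Objects: one subkey per CLSID.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bho) {
        foreach ($k in Get-ChildItem $bho) {
            $found += [pscustomobject]@{ Source = 'BHO'; Id = $k.PSChildName; Path = Resolve-ClsidDll $k.PSChildName }
        }
    }

    # Winlogon Notify packages (XP/2003/2000 only): each subkey has a DllName value,
    # sometimes given without a directory, in which case it loads from system32.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($k in Get-ChildItem $notify) {
            $dll = (Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue).DllName
            if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
                $dll = Join-Path $env:SystemRoot "system32\$dll"
            }
            $found += [pscustomobject]@{ Source = 'WinlogonNotify'; Id = $k.PSChildName; Path = $dll }
        }
    }

    # ShellExecuteHooks: the value names themselves are CLSIDs.
    $seh = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    if (Test-Path $seh) {
        foreach ($name in (Get-Item $seh).GetValueNames() | Where-Object { $_ -like '{*}' }) {
            $found += [pscustomobject]@{ Source = 'ShellExecuteHook'; Id = $name; Path = Resolve-ClsidDll $name }
        }
    }
    return $found
}

function Test-RandomLookingName {
    # Assumed heuristic based on the post's samples (nnnkLcCU.dll, yfcfqtfd.dll, ...):
    # exactly eight letters, no digits, no separators. Legitimate files can match
    # too, so this only raises a flag; the signature check below does the real work.
    param([string]$Path)
    if (-not $Path) { return $false }
    $name = [IO.Path]::GetFileNameWithoutExtension($Path)
    return [bool]($name -cmatch '^[A-Za-z]{8}$')
}

function Get-AutorunReport {
    foreach ($entry in Get-AutorunDlls) {
        $sig = 'FileMissing'
        if ($entry.Path -and (Test-Path -LiteralPath $entry.Path)) {
            # Status is Valid, NotSigned, HashMismatch, UnknownError, etc.
            $sig = (Get-AuthenticodeSignature -FilePath $entry.Path).Status.ToString()
        }
        $inSystem32 = [bool]($entry.Path -and ($entry.Path -like "$env:SystemRoot\system32\*"))
        [pscustomobject]@{
            Source     = $entry.Source
            Id         = $entry.Id
            Path       = $entry.Path
            Signature  = $sig
            # Flag only the combination the post describes: unsigned (or missing),
            # living in system32, and carrying a random-looking name.
            Suspicious = ($sig -ne 'Valid') -and $inSystem32 -and (Test-RandomLookingName $entry.Path)
        }
    }
}

Get-AutorunReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so Get-ItemProperty can read every subkey; on Vista and later the Winlogon\Notify key is normally absent and the script simply skips it. Treat a "Suspicious" row as something to investigate with the other scanners mentioned in the posts, not as a verdict: an unsigned DLL with an odd name is exactly the pattern the post describes, but the signature status is the part worth trusting, and the filename heuristic is only there to narrow the list.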