Caveman

OSAM Autorun Manager by Online Services in Russia


OK, I checked out one of our visitors' requests for an evaluation of his product. Said he had a new security software company in RU. Flags went off right away, but I checked out the site and downloaded OSAM Auto Manager. Interesting product. Upon installing it things were going well, then Comodo firewall flagged a request for direct access to my keyboard; ohhh, I didn't like that and said "deny access". This is a great example of why Comodo Firewall Pro is an excellent product. The product install continued, no bad effect from saying "NO access", then it asked for direct access to the hard drive. Well, many programs need that, like disk management and defraggers, but again being cautious I said "Deny Access always" in Comodo. It continued on and seemed to install fine.

I opened the product up. Normal popups from Comodo 3 more times based on my actions; I expected those to pop up and I said "allow access to the internet" so it could check its database for questionable files it found on my hard drive. OK, then it allowed me to view items in a fairly unique way; I have not seen this combination of associating the registry entries to the program in such an easy-to-read format before. The scans themselves were very fast. I saw some entries which I thought were gone, the crap by Paretologic that I tested previously. So my question to others is: could this keyboard access thing denied by Comodo be a keylogger? Well, my first step was to submit the installer (8.7 MB) to the Virus Total online scanners. I wouldn't go to all this trouble, but this app has very good possibilities and I don't want to dismiss it out of hand. The results are posted here; it came back all clean. If anyone wishes to test and provide feedback I would appreciate the assistance. I will scan my entire system now looking for infections of any type; my previous full scans came up 0 before, so any change should be related to the app. Wish me luck.

I'll let you know how it went.

Virus Total:

Results: File osam_autorun_manager.msi received on 10.11.2008 21:52:38 (CET)


Result: 0/35 (0%)


Antivirus          Version            Last Update  Result
AhnLab-V3          2008.10.10.1       2008.10.10   -
AntiVir            7.8.1.34           2008.10.11   -
Authentium         5.1.0.4            2008.10.11   -
Avast              4.8.1248.0         2008.10.11   -
AVG                8.0.0.161          2008.10.11   -
BitDefender        7.2                2008.10.11   -
CAT-QuickHeal      9.50               2008.10.11   -
ClamAV             0.93.1             2008.10.11   -
DrWeb              4.44.0.09170       2008.10.11   -
eSafe              7.0.17.0           2008.10.08   -
eTrust-Vet         31.6.6141          2008.10.10   -
Ewido              4.0                2008.10.11   -
F-Prot             4.4.4.56           2008.10.11   -
Fortinet           3.113.0.0          2008.10.11   -
GData              19                 2008.10.11   -
Ikarus             T3.1.1.34.0        2008.10.11   -
K7AntiVirus        7.10.491           2008.10.11   -
Kaspersky          7.0.0.125          2008.10.11   -
McAfee             5403               2008.10.11   -
Microsoft          1.4005             2008.10.11   -
NOD32              3515               2008.10.11   -
Norman             5.80.02            2008.10.10   -
Panda              9.0.0.4            2008.10.11   -
PCTools            4.4.2.0            2008.10.11   -
Prevx1             V2                 2008.10.11   -
Rising             20.65.42.00        2008.10.10   -
SecureWeb-Gateway  6.7.6              2008.10.11   -
Sophos             4.34.0             2008.10.11   -
Sunbelt            3.1.1715.1         2008.10.11   -
Symantec           10                 2008.10.11   -
TheHacker          6.3.1.0.108        2008.10.11   -
TrendMicro         8.700.0.1004       2008.10.10   -
VBA32              3.12.8.6           2008.10.10   -
ViRobot            2008.10.10.1416    2008.10.10   -
VirusBuster        4.5.11.0           2008.10.11   -

Additional information

File size: 9299968 bytes

MD5...: f3d6426eaa31be98618c21210bbc1054

SHA1..: c246aea1f15bbe65061709c053a31c9db4cb5e9c

SHA256: e67ead2b31bbda8153c9765e60d26d9d9e4e7513f97d1279c4e084c7afebad05

SHA512: 9da42d7aa1e4b8e1e77eec32de7b491a1eb06e926390f1d56083204b276ec270e8d4538251a4695f2fc34bb8827e905fb2eb3ff388a4fc30cf13a102a0c1f95d

PEiD..: -

TrID..: File type identification

Microsoft Windows Installer (92.7%)

Windows SDK Setup Transform Script (6.3%)

Generic OLE2 / Multistream Compound File (0.8%)


Update on Autorun Manager: after installing and running the program, it removed the few things I chose to remove, and then I scanned my entire system with SAS, Malwarebytes, 5 rootkit scanners, HijackThis, Kaspersky A/V tool, Avira Anti-virus, Pest Patrol by CA, AVAST A/V tool, UnHackMe 4.8, SBS&D, and DAF to see if any policy restrictions had taken place. Well, everything was clean except 5 cookies found. So, it looks ok so far, but I'm still concerned about the program wanting direct access to my keyboard.


Update #2: I emailed the company in Russia re: the keyboard access request concern I have, and checked out the other things in the program. Interesting: there are full instructions on using the program to get rid of all the Trojan Vundo problems. Very nice:

Link is here for the video and instructions within OSAM Automanager:

http://www.online-solutions.ru/en/how_to_remove_vundo_trojan_virtumonde.php

VUNDO TROJAN REMOVAL

How to remove the Vundo Trojan (also known as Virtumonde, Virtumondo, Virtumundo, Monder, Monderb, MS Juan) using the OSAM Autorun Manager (Portable Version, 3.63 MB, or Installation Package, 8.84 MB).

Please note! These steps are only for Windows XP / 2003 / 2000 users.

1. First, click on the "Settings" button in the top menu:

[Image: OSAM Menu - Settings]

Then change the value of the "Disable objects using the driver" option to "Always", as shown below:

[Image: OSAM Settings - Driver Mode: Always]

2. Now look through the list of objects and find the randomly-named .DLL files under the following registry keys:

Internet Explorer section:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Winlogon section:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Explorer section:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Randomly-named .DLL files means something like this: nnnkLcCU.dll, opNdccDV.dll, hgGxyXQH.dll, yfcfqtfd.dll, cbxvttsR.dll, pmnkLCSk.dll. These files are located in the WINDOWS\system32 directory.

Use the OSAM Online Malware Scanner function if you have problems finding the right ones:

[Image: OSAM: Scan using Online Malware Scanner]

3. Disable the trojan entries by removing the checkmarks in the checkboxes next to these randomly-named .DLL files.

4. Once you have finished disabling the items, press the "Apply" button:

[Image: OSAM: Apply Button]

You will see the list of the disabled items (press the "Close" button) and then the following message will be displayed:

[Image: OSAM: Reboot now]

Press the "Reboot now" button.

Once your computer has rebooted, the Vundo Trojan will be disinfected.

1. Start OSAM again; you will see the report about the deleted entries.

2. Press the "Settings" button to change the "Disable objects using the driver" option back to "For undeletable objects only".

3. You can also use the "Jump to file" function to delete the inactive trojan files:

[Image: OSAM: Jump to file]

4. Then use the "Delete from storage" function to delete the disabled items from the list of objects:

[Image: OSAM: Delete from storage]

If you still need help or have any questions - you are welcome to our forum. To register on forum please follow this instruction.

Comments and discussion are here.

Step-by-step Vundo removal video instruction:


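The three registry locations in the removal instructions above are where this family plants its randomly-named DLLs, and the instructions tell you to pick them out by eye. The following is an added example, not code from the post or from Online Solutions, showing how a responder can triage the same three locations from a registry export (the output of `reg export`, or a `.reg` file saved from another machine) without touching the live system. It parses a constructed sample export (the CLSIDs are made up; the DLL names are the ones the instructions list), resolves the BHO and ShellExecuteHooks CLSIDs to their `InprocServer32` DLL, and flags a DLL that sits in `system32` and has a random-looking name. The name-randomness thresholds in `looks_random()` and the treatment of a bare `DLLName` as a `system32` file are this example's own assumptions.

```python
import re

# Constructed sample export (not real data). CLSIDs are made up; the DLL names
# are the examples the instructions give. In a .reg file backslashes are doubled.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnkLcCU]
"DLLName"="C:\\WINDOWS\\system32\\nnnkLcCU.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
@=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000002}]
@=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{00000000-0000-0000-0000-000000000003}"=""
"{00000000-0000-0000-0000-000000000004}"=""

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\ExampleHelper.dll"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\WINDOWS\\system32\\hgGxyXQH.dll"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000003}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000004}\InprocServer32]
@="C:\\WINDOWS\\system32\\opNdccDV.dll"
'''

# "name"="value" or @="value" (default value) lines of a .reg export.
REG_VALUE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))="(?P<value>.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; the default value is stored under '@'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = REG_VALUE.match(line)
            if m:
                name = "@" if m.group("default") else m.group("name")
                keys[current][name] = m.group("value").replace("\\\\", "\\")  # undo .reg escaping
    return keys


def resolve_clsid(keys, clsid):
    """Map a CLSID to its in-process server DLL (HKCR or HKLM\\Software\\Classes)."""
    wanted = ("\\clsid\\" + clsid + "\\inprocserver32").lower()
    for key, values in keys.items():
        if key.lower().endswith(wanted) and "@" in values:
            return values["@"]
    return None


def autorun_dlls(keys):
    """Yield (location, dll_path) for the three locations named in the instructions."""
    for key, values in keys.items():
        low = key.lower()
        if "\\winlogon\\notify\\" in low and "DLLName" in values:
            yield ("Winlogon\\Notify", values["DLLName"])
        elif low.endswith("\\explorer\\shellexecutehooks"):
            for clsid in values:  # value names are CLSIDs
                path = resolve_clsid(keys, clsid)
                if path:
                    yield ("ShellExecuteHooks", path)
        elif "\\explorer\\browser helper objects\\" in low:
            path = resolve_clsid(keys, key.rsplit("\\", 1)[1])  # subkey name is the CLSID
            if path:
                yield ("Browser Helper Objects", path)


def looks_random(stem):
    """Heuristic (an assumption of this example): no vowels at all, or few vowels
    combined with lower->upper case flips inside the name, as in nnnkLcCU / opNdccDV."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiouAEIOU" for c in letters)
    mixed_case = any(a.islower() and b.isupper() for a, b in zip(letters, letters[1:]))
    return vowels == 0 or (vowels / len(letters) < 0.2 and mixed_case)


def suspicious_entries(keys):
    """Sorted (location, path) pairs: random-looking DLL names living in system32."""
    findings = []
    for location, path in autorun_dlls(keys):
        filename = path.rsplit("\\", 1)[-1]
        # A bare DLLName (no directory) is loaded from the system directory: assumption.
        in_system32 = "\\system32\\" in path.lower() or "\\" not in path
        if filename.lower().endswith(".dll") and in_system32 and looks_random(filename[:-4]):
            findings.append((location, path))
    return sorted(findings)


if __name__ == "__main__":
    for location, path in suspicious_entries(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{location:24} {path}")
```

Running it on the sample prints the three planted DLLs and leaves `crypt32.dll`, `shell32.dll` and the vendor helper outside `system32` alone. The heuristic is deliberately narrow (it keys on the naming pattern the instructions describe), so treat a hit as something to look at, and confirm with the file's signature status and the online scanner before disabling it as the instructions describe.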

Update #: the company forums talk about the direct access to the hard drive as a good thing, as do some of the readers, to enable the scanner's Direct Disk Access feature for raw data. NO word on direct access to the keyboard yet.


Update #4: more info on OSAM Autorun Manager. I like this app more and more; it's like UnHackMe and RegASSASSIN and Unlocker in one easy scan format and a whole lot more, and it's free.

Warning:

Only experienced techs should test or use this product, ok.

"OSAM" (Online Solutions Autorun Manager) is a powerful and reliable tool for controlling the 'cleanliness' of components and applications that are automatically loaded or started under certain conditions without the user's consent.

"OSAM" provides an easy one-click way of obtaining detailed information about the components that are run automatically at the system start and can potentially affect its operation.

Basically, all types of malicious software that have been around for the last 7-10 years use various mechanisms of sticking to an infected system. With this product, you will be able to monitor and control these activities and, which is more important, eradicate the threat on your own.


Rootkits are one of the biggest threats for end user systems. This malicious software integrates into the system on a very low level and completely hides its presence. The user is often totally unaware that the computer is being controlled by hackers. But that's not a problem: whether it's a hidden start of a rootkit driver or other hidden keys, "OSAM" will detect any of these autorun variants.

Modern malicious software, such as adware, spyware and spambots cannot be completely removed by existing anti-virus solutions. However, such treatment attempts often leave the user without working network connections or damage other system components. The user becomes helpless and alone with the problem. The "OSAM" manager will easily solve this problem!


The virus blocks access to a registry key or file? You can't remove them using any possible means? The "OSAM" manager will tackle this problem, too*.

If the user is experiencing problems, he can use several program functions to seek experts' assistance (for instance, on our forum) - save a detailed system report (all autoruns) or save a full snapshot of the startup data (in the same form as on the user's system).


Functional capabilities:

* support of virtually all known methods of automatic loading using the system registry or special folders;

* automatic detection of the peculiarities of settings on specific user systems;

* validation of digital file signatures;

* color marking of file statuses for better comprehension;

* filtering by statuses of detected objects;

* search by masks using any parameter in any display mode;

* output of additional information for any object type;

* output of detailed file information, validation of file existence and accessibility;

* temporary disablement of registry objects or files without creating additional keys or subfolders;

* generation of two types of report files (text and HTML*) with all autoload information.

Unique capabilities:

* protection against rootkits by detecting hidden registry keys and records using the method of direct registry data analysis (without using OS functions);

* comprehensive support of LSP (Layered Service Providers) filters deletion and recovery with rearrangement of the providers chain;

* support of namespace providers (NSP) with rearrangement of the providers chain*.

Advantages:

* a completely free application!

* grouping by file objects enables you to quickly find all links to a specific automatically loaded file;

* regular updates of the methodological database after the analysis of in-the-wild malicious software;

* full Unicode support (any national characters, filenames and registry data);

* support of visual themes (skins) for users who do care how their favorite software looks.


* - available only for registered users (conditions may be changed in the near future)

Compatibility:

* Microsoft Windows 2000

* Microsoft Windows XP

* Microsoft Windows 2003

* Microsoft Windows Vista

The company is currently working on providing full support of these operating systems:

* Microsoft Windows XP x64

* Microsoft Windows 2003 x64

* Microsoft Windows Vista x64


I'm very curious to see what happens if you don't deny it direct access to the keyboard and hard drive.

Hey Greenliaght, thanks for the interest. I actually went back to their site and downloaded the "portable version", no install necessary; it works great. It's a great tool to show all the Vundo entries, select them to be removed, and then reboot.
