TrojanHunter Download Not Working [RESOLVED]


This topic is locked

#16 Paul999 (Topic Starter, Member, 15 posts)

Maybe the 'flash' has been there for a while, although I am pretty certain that it has only been happening since I got Winfixer. It is difficult to say as I have become much more watchful over the last week or so.

I have downloaded and run the scan as requested. However, I couldn't put a tick in the 'Scan through Windows Explorer' box as I didn't see one. Have they changed the app or did I miss it?

Here is the log

01/28/06 14:48:33 [Info]: BlackLight Engine 1.0.30 initialized
01/28/06 14:48:33 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/28/06 14:48:33 [Note]: 7019 4
01/28/06 14:48:33 [Note]: 7005 0
01/28/06 14:48:57 [Note]: 7006 0
01/28/06 14:48:58 [Note]: 7011 1360
01/28/06 14:48:58 [Note]: FSRAW library version 1.7.1014


Regards

-Paul

#17 Daemon (Security Expert, Retired Staff, MVP, 4,356 posts)

It may have done - it's still a beta. Anyway there is nothing to worry about there.

Not sure what to advise on the window flash, haven't got much to go on. Instincts are telling me it's just one of your applications starting. Does it happen if you start in Safe Mode?

You could disable the remaining 3rd party applications using Spybot as before, one by one, and see if you can track it down that way. Re-enable them afterwards.

#18 Paul999 (Topic Starter, Member, 15 posts)

I've just been into msconfig > Startup and found a possible anomaly.

The list below are the startups that you said in an earlier post that I needed to leave alone -


O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b
O4 - HKCU\..\Run: [SSS5SAFE] "C:\Program Files\Steganos Security Suite 5\safe.exe" /booting
O4 - HKCU\..\Run: [SSS5] "C:\Program Files\Steganos Security Suite 5\steganos5.exe" /booting
O4 - Global Startup: Digital Line Detect.lnk = ?


Well, I recognised the 'Steganos' entries as a freebie I got a while ago. I deleted it after a couple of weeks, so they're not needed, and I deleted them too, along with all but one of the others you said were optional or not required.

The only 'optional' one I left was the Skype startup as I use that.

So, this brings me to the reason why I went into msconfig. I was going to take the tick out of the box for Skype and reboot to see if the flash came up, when I noticed that there is an 'un-named' startup in the list. I've checked it against the known startups (above) and (with the stranger), there is one too many in my msconfig > startup tab.

Anyway, I took the tick out of the Skype box, rebooted and it flashed up again. So I guess it ain't the Skype! So, is it down to the mystery guest and how can I check it and is it safe to disable?

The entry in msconfig is as below -

Startup Item Blank

Command Blank

Location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Any ideas?

Look forward to hearing from you.

Regards

-Paul

#19 Daemon (Security Expert, Retired Staff, MVP, 4,356 posts)

Get an export of your registry key for me:

Click Start>Run and paste the following into the box, then click OK:

regedit /e C:\run.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

That will export the contents of the Registry Machine Run key to a C:\Run.txt file. Copy and paste the contents of the Run.txt file here.

#20 Paul999 (Topic Starter, Member, 15 posts)

Hi Daemon

Here is the Run.txt


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DadApp"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"Wise-FTP Scheduler"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



Regards

-Paul

#21 Daemon (Security Expert, Retired Staff, MVP, 4,356 posts)

I wonder if it is that FTP scheduler. Copy the contents of the quote box below into Notepad:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DadApp"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


Name it fix.reg and save it to the desktop with 'Save as type' set to All Files. When done, double-click fix.reg and, when asked to merge, say yes.

Reboot and let me know.

#22 Paul999 (Topic Starter, Member, 15 posts)

Hi Daemon

I did that and this is a copy of the run.txt

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DadApp"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"Wise-FTP Scheduler"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


And the 'flash' is still there, as is the 'stranger' in msconfig > Startup.

Regards

-Paul

#23 Daemon (Security Expert, Retired Staff, MVP, 4,356 posts)

That entry is back. Do you use Wise FTP - if so then leave it.

The only other things I can suggest are to check your Run key after merging the fix to make sure it's been replaced, and to disable that entry in msconfig you have found.

Let me know.
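An added worked example (not code from the thread or from either poster) that covers the export Daemon asked for in #19, the delete-and-recreate fix.reg from #21 and the post-merge check suggested just above. It parses a `regedit /e` export, flags Run entries with an empty command (the blank Startup Item / Command line Paul found in msconfig) or an unquoted executable path containing spaces, writes a fix.reg in the same `[-key]` then recreate form, and diffs a fresh export against the old one to confirm that exactly the intended value disappeared. The sample input is Paul's own export from #20 with the OptionalComponents subkeys abridged; the function names are the example's own, and the export is assumed to be UTF-8 text as pasted in the posts.

```python
"""Audit a `regedit /e` export of a Run key, build a delete-and-recreate fix.reg
like the one above, and verify afterwards that the merge actually took effect.
Added example, not code from the thread. Assumes UTF-8 text as pasted in the posts;
a file written by regedit itself is UTF-16 with a BOM: open(path, encoding="utf-16").
"""
import re
from typing import Dict, List, Set, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: the export Paul posted in #20, OptionalComponents subkeys abridged.
EXPORT_BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DadApp"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"Wise-FTP Scheduler"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
'''
# The re-export from #24, where the entry had finally gone.
EXPORT_AFTER = EXPORT_BEFORE.replace('"Wise-FTP Scheduler"=""\n', "")

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s: str) -> str:          # .reg string syntax: \\ -> \  and  \" -> "
    return re.sub(r'\\(["\\])', r'\1', s)

def _escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')

def parse_reg_export(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """{key path: {value name: ("sz", unescaped text) or ("raw", rhs as written)}}."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[-"):            # deletion directive, carries no values
            current = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None or line.endswith("\\"):
            raise ValueError(f"unsupported line (multi-line hex data not handled): {raw!r}")
        lhs, rhs = m.groups()
        name = "" if lhs == "@" else _unescape(lhs[1:-1])
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            keys[current][name] = ("sz", _unescape(rhs[1:-1]))
        else:
            keys[current][name] = ("raw", rhs)   # dword:, hex: etc., kept verbatim
    return keys

def flag_autoruns(values: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Run entries worth a second look: an empty command is what msconfig shows as a
    blank Startup Item / Command; an unquoted path with spaces is a hygiene finding."""
    findings = []
    for name, (kind, data) in values.items():
        cmd = data.strip() if kind == "sz" else None
        if cmd == "":
            findings.append((name, "empty command"))
        elif cmd and not cmd.startswith('"') and " " in cmd.lower().split(".exe", 1)[0]:
            findings.append((name, "unquoted executable path containing spaces"))
    return findings

def build_fix_reg(export, key: str, drop: Set[str]) -> str:
    """Same shape as the fix.reg above: [-key] deletes the key AND its subkeys, so
    every subkey present in the export is re-emitted, minus the values in `drop`."""
    out = ["Windows Registry Editor Version 5.00", "", f"[-{key}]", ""]
    for path, values in export.items():
        if path != key and not path.startswith(key + "\\"):
            continue
        out.append(f"[{path}]")
        for name, (kind, data) in values.items():
            if path == key and name in drop:
                continue
            lhs = "@" if name == "" else f'"{_escape(name)}"'
            rhs = f'"{_escape(data)}"' if kind == "sz" else data
            out.append(f"{lhs}={rhs}")
        out.append("")
    return "\n".join(out) + "\n"

def diff_key(before, after, key: str):
    """(removed, added, changed) value names for one key between two exports."""
    b, a = before.get(key, {}), after.get(key, {})
    return (sorted(set(b) - set(a)), sorted(set(a) - set(b)),
            sorted(n for n in set(a) & set(b) if a[n] != b[n]))

def merge_took_effect(before_text: str, after_text: str, key: str, drop: Set[str]) -> bool:
    """The post-merge check: re-export and confirm exactly `drop` vanished, nothing else."""
    removed, added, changed = diff_key(parse_reg_export(before_text), parse_reg_export(after_text), key)
    return set(removed) == set(drop) and not added and not changed

if __name__ == "__main__":
    before = parse_reg_export(EXPORT_BEFORE)
    print(flag_autoruns(before[RUN_KEY]))                          # DadApp, Wise-FTP Scheduler
    print(build_fix_reg(before, RUN_KEY, {"Wise-FTP Scheduler"}))
    print(merge_took_effect(EXPORT_BEFORE, EXPORT_BEFORE, RUN_KEY, {"Wise-FTP Scheduler"}))  # False (#22)
    print(merge_took_effect(EXPORT_BEFORE, EXPORT_AFTER, RUN_KEY, {"Wise-FTP Scheduler"}))   # True (#24)
```

Two caveats for anyone reusing this. First, `merge_took_effect` is the check that matters: a .reg that never merged (for example because Notepad saved it as fix.reg.txt) leaves the export byte-for-byte unchanged, which is what Paul saw in #22. Second, unticking an entry in msconfig on XP does not delete the value; msconfig moves it under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg, which is why it disappears from a Run-key export but can be re-enabled later.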

#24 Paul999 (Topic Starter, Member, 15 posts)

I checked to see if the Run.reg was working and it wasn't. The reference to Wise was still in the Run.txt.

So I went into msconfig and took the tick out next to the stranger. That did the trick. It removed the reference to Wise in Run.txt as you can see from below.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DadApp"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

I use Wise for ftp uploading but I don't use the scheduler so not having it start shouldn't be a problem. If it does, I know where to find it :-)

However, I am still getting the 'flash' at start up. But, as long as you are reasonably sure it is one of the legitimate programs announcing its arrival, rather than something bad, I can live with it.

Is there anything that can be checked to be sure?

Regards

-Paul

#25 Daemon (Security Expert, Retired Staff, MVP, 4,356 posts)

We can do one more scan if you wish - click here to run ActiveScan.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Paste the contents of the Panda scan report along with a new HijackThis Log.

#26 Paul999 (Topic Starter, Member, 15 posts)

Hi Daemon

This is the Pandascan report


Incident | Status | Location
Adware:adware/exact.bargainbuddy | Not disinfected | Windows Registry
Spyware:Cookie/2o7.net | Not disinfected | C:\Documents and Settings\Paul\Cookies\[email protected][2].txt
Spyware:Cookie/Casalemedia | Not disinfected | C:\Documents and Settings\Paul\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com | Not disinfected | C:\Documents and Settings\Paul\Cookies\[email protected][2].txt
Spyware:Cookie/Serving-sys | Not disinfected | C:\Documents and Settings\Paul\Cookies\[email protected][2].txt
Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Paul\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick | Not disinfected | C:\Documents and Settings\Paul\Application Data\Mozilla\Profiles\default\dmvt4hl5.slt\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Hitbox | Not disinfected | C:\Documents and Settings\Paul\Application Data\Mozilla\Profiles\default\dmvt4hl5.slt\cookies.txt[.hitbox.com/]
Spyware:Cookie/2o7.net | Not disinfected | C:\Documents and Settings\Paul\Application Data\Mozilla\Profiles\default\dmvt4hl5.slt\cookies.txt[.2o7.net/]
Spyware:Cookie/Advertising | Not disinfected | C:\Documents and Settings\Paul\Application Data\Mozilla\Profiles\default\dmvt4hl5.slt\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT | Not disinfected | C:\Documents and Settings\Paul\Application Data\Mozilla\Profiles\default\dmvt4hl5.slt\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick | Not disinfected | C:\Documents and Settings\Paul\Application Data\Mozilla\Profiles\default\dmvt4hl5.slt\cookies.txt[]
Spyware:Cookie/2o7.net | Not disinfected | C:\Documents and Settings\Paul\Cookies\[email protected][2].txt
Spyware:Cookie/Casalemedia | Not disinfected | C:\Documents and Settings\Paul\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com | Not disinfected | C:\Documents and Settings\Paul\Cookies\[email protected][2].txt
Spyware:Cookie/Serving-sys | Not disinfected | C:\Documents and Settings\Paul\Cookies\[email protected][2].txt
Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Paul\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/Processor | Not disinfected | C:\Documents and Settings\Paul\My Documents\VundoFix\VundoFix\process.exe
Potentially unwanted tool:Application/Processor | Not disinfected | C:\RECYCLER\S-1-5-21-2016876102-2216872029-1542766695-1006\Dc82\VundoFix\process.exe



and this is the HJT report


Logfile of HijackThis v1.99.1
Scan saved at 13:32:22, on 29/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Paul\Desktop\Geeks Software\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgin.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgin.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Paul\Application Data\Mozilla\Profiles\default\dmvt4hl5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Paul\Application Data\Mozilla\Profiles\default\dmvt4hl5.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: iOpus Internet Macros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://rcmdemo.perfo...ivex/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe



Look forward to hearing from you.

Regards

-Paul

#27 Daemon (Security Expert, Retired Staff, MVP, 4,356 posts)

Grab a copy of this little free application to help control those tracking cookies in future:

http://www.analogx.c...work/cookie.htm

Otherwise I can't see anything wrong there.

#28 Paul999 (Topic Starter, Member, 15 posts)

Daemon - Thanks for all your help. And, when it gets to payday, I will be clicking on your 'donate' button. I only wish I'd known about you guys earlier.

Best Wishes

-Paul

#29 Daemon (Security Expert, Retired Staff, MVP, 4,356 posts)

You're welcome - glad to help :) and thanks for your support :tazz:

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.