CCleaner Community Forums


Everything posted by AndyManchesta

  1. Hi JD, Yes the current ransomware variant is very well detected by AV companies now, there's quite a few malware bundles around that include this trojan though except it's the infostealer by itself and not the ransomware variant but they are changing the files often to try to avoid being detected by AVs, they tend to spread using exploits on malicious websites but this ransomware variant appears to have mainly spread by being spammed which is explained more on the Prevx blog RRidgely linked to earlier. Here's the current detections for the ransomware variant from VT I did just run
  2. No, it's fine here in sunny Manchester. It's really a bit wet as usual but like you say it looks like it's further south that's got most of the problems again
  3. Yeah there's some great tools on there, you may find that AVs detect some as risk tools though but that would only apply if they were added without consent by trojans as it would allow them to get personal information or make changes to the system, the tools themselves are clean and can be very useful. Examples after scanning the files at VirusTotal Protected Storage Pass Viewer NirCmd
  4. Hi Leluc, You do have the LinkOptimizer trojan showing which likely means you also have a variant of the Gromozon Rootkit, this is its entry in the log There is a newer variant of this trojan that also adds a debugger for iexplore.exe but the one you have appears to be the older version which has just added a debugger value for explorer.exe, this trojan is very difficult to manually remove as it changes permissions on its file and registry entry to deny anyone access and can restore its reg entry instantly if it's removed, if the file is removed and the reg entry remains then it's no
  5. Hi Dennis, I think there's always going to be a small risk involved with shopping or banking online but I doubt the majority of people will ever have a problem unless they do get infected with these types of trojans, sometimes the information may not always be stolen from your own system and a legit site you have done business with at one stage may get compromised but thankfully that isn't common and generally banks would always refund the account if it was used without the owner's consent. For account and login details it really depends on how you enter the site, IE's autocomplete featu
  6. The main problem with this trojan is the information it steals, it shows in HJT as F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, It's been around for a long time but this 'ransomware' variant has only been showing up since the start of July, the trojan is very nasty as it will record login usernames and passwords for every site used even if it's secure and upload it to a drop site and the sites tend to have many GBs worth of stolen information ranging from MySpace and email logins to PayPal, eBay and Banking login information. SecureS
  7. Hi Leluc, Welcome to the forum. This does sound like it may be trojan related, can you download the attached zip file (LinkOptCheck), extract the folder then double click RunThis.bat, it will then export some registry keys and check a couple of folders for non-default exe files then write the information to a text file named Report.txt which will save inside the LinkOptCheck folder and also open with Notepad once it's finished, Please post the full contents of that report back on here and we can then take it from there. Let us know if you have any problems running the file Cheers
  8. You're welcome, I'm glad it solved the problem Andy
  9. Check your Screen Saver and Monitor power options. Right click the desktop > click Properties > click Screen Saver (Check the screen saver settings and if it's set to password protect when it resumes) > click Power at the bottom > then check the settings for the power scheme (Turn Off Monitor / Turn Off Hard Disks / System Standby / System Hibernates ), Click Apply and OK if you make any changes
  10. My maths isn't that good. It's very kind of Microsoft to give me the award though, a lot of my spare time on the PC these days is spent on research (testing trojans and submitting them to AVs) and developing a tool called SDFix but I didn't expect to have enough public postings to be considered for the award as my forum posts are a bit few and far between these days so it was a great surprise to be accepted and I'm proud to now show the MVP icon in my signature
  11. I don't know the answer to that CeeCee, some people nominated me (who may already be MVPs) and then they decide if they think my work over the past year merits the award based on the information they have been given
  12. Hi CeeCee, Yes, Microsoft contacted me a couple of months ago saying I had been nominated to receive the award and asking if I would be interested which I obviously said yes to as I have a lot of respect for the MVP program and its members, I then received another email at the start of this month saying Congrats' on becoming an MVP in Windows Security
  13. Thanks a lot for the kind comments everyone, it's really appreciated
  14. http://www.sophos.com/security/blog/2007/07/322.html If anyone does open it I'd suggest running a full scan with Kaspersky's online scanner and also running a rootkit scanner such as GMER as it will likely attempt to install windev-*-*.sys which is a component of the Nuwar/Storm worm (*=random numbers and letters) http://www.google.co.uk/search?hl=en&q...*.sys&meta=
  15. It's really not possible to say what installed it but it may have been a program or game you installed at some stage then removed and it may have left the oreans32 service behind, It's possible a spyware remover added it to their database so it was removed on your system but the file and service is harmless as it's a genuine program, like a lot of things though it's starting to be abused by trojan writers as it also helps them to avoid being detected by Antivirus companies so some vendor may have added it by mistake. Here's an example of a backdoor IRCbot (rBot) I got yesterday that's packed wit
  16. oreans32 is part of Themida protection http://www.oreans.com/themida.php It's used in quite a lot of programs such as games to prevent piracy, it is also being used by some trojans like backdoor IRCBots as they can make it a lot harder for the files to be analysed by preventing people reverse engineering or disassembling the files and also by preventing them being run in a virtual environment. If you do not still have the oreans32.sys file on your system then it's fine to remove its service but make sure the file doesn't exist first as the program that added it will not start if the serv
  17. You may want to give Startuplite a try as that will list any unnecessary items and give you some descriptions on each one to help you decide if you want it starting with Windows or not http://www.malwarebytes.org/startuplite.php
  18. I remember this program when it was being promoted early last year http://forums.spywareinfo.com/index.php?showtopic=77280 I tested it at the time and it wasn't great, it was fine to reverse the changes made by Adware type programs that already had add/remove screen entries and uninstallers but it had a lot of problems with more nasty infections like rootkits and trojans that hook to system files, it kept showing it had fully removed files then crashing at random points when it was reversing the changes and the same files were there again when it reopened. It also appeared to interfere w
  19. Thanks Ian. It's hard to say where this trojan is coming from, the gromozon infections in the past have only attacked users with Italian IPs but this variant is different as we have seen it infecting users with U.K IP addresses, there's another member on here who posted today with the same trojan so it's difficult to say at the moment what type of site is adding it, I'm glad we were able to get it removed from your system but let us know if you have problems again anytime Happy Surfing Andy
  20. Hi Ian, Sorry for the delay in replying, I wasn't able to get on the PC for most of yesterday so I've just been catching up with my emails, Unfortunately Avenger wasn't able to create a backup of the file, I'm not sure why but the backup.zip is empty except for a text file showing that it removed the file, It's nice to see it was removed though. The logs look fine, Kaspersky is finding an infected System Restore point but that's to be expected after getting the trojans and we can clear them out now the system is clean, I'll also post a few basic steps to help avoid further infections Cl
  21. Hi Ian, Thanks for the logs, It's nice to see seagate-helper hasn't got any additional registry entries except for the userinit hook that we fixed earlier, I didn't think the .exe would be found after reading your earlier post but thought we may as well include it while we were deleting the .old file, can you please upload the avenger backups for me so I can have a closer look at the seagate file. Please visit SpyKillers forum here http://www.thespykiller.co.uk/index.php?board=1.0 Read the instructions for uploading files which is the first topic on the forum then start a new To
  22. Cheers Ian, No problem regarding the help, this is quite a new infection so getting any information on it or samples of additional files is really helpful so we can get them sent to Antivirus companies and also find easier ways of dealing with it each time it shows up, 1. Please download The Avenger by Swandog46 to your Desktop Click on Avenger.zip to open the file Extract avenger.exe to your desktop 2. Copy all of the text contained in the code box below (making Files to delete: the top line) to your Clipboard by highlighting it and pressing (Ctrl+C): Files to Delete:c:\windo