AndyManchesta

Posts posted by AndyManchesta

  1. Hi lmscc, Welcome to the forum :)

     

    Have you got any products from Freedom installed?

    If not, open Regedit again and right-click the Run subkey, choose Export and save it to your desktop. Then right-click the exported .reg file on your desktop, choose Edit, and copy and paste the contents back on here.

     

    Thanks

     

    Andy

  2. Hi Bujar

     

    If you saved the report from Ewido, can you post it back on here? There should have been more files deleted than what's showing; Ewido might have already removed them, so it would help to see the log, but it's fine if you didn't save it.

    Can you run option 1 of SmitfraudFix so we can check that they have gone and check one of the registry keys, then run an online virus scanner to see if there are more problems, and finally post a new HijackThis log.

     

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd.

    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

    Please copy/paste the content of that report into your next reply.

     

    Run Kaspersky WebScanner

    • Please go HERE and click Kaspersky Online Scanner
    • Read and Accept the Agreement
    • You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • If you see a Windows dialog asking if you want to install this software, click the Install button.
    • The program will launch and then begin downloading the latest definition files.
    • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
    • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
    • Under "Please select a target to scan:", click My Computer to start the scan.
    • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.

    Please post the text files back from SmitfraudFix and from Kaspersky's scanner, then post a new HijackThis log so we can finish the cleanup.

     

    Thanks

     

    Andy

  3. Nice Work MrG :)

     

    I like the new website. It does look a lot better than the previous page on there, and I'm looking forward to the future projects you mention :)

     

     

    Regarding the toolbar, I really do not understand why it keeps being mentioned on here. I understand that people were worried when it was first added to CCleaner and were maybe thinking it would become a required part of the install, but MrG always releases versions without the toolbar, so that is not an issue. Even for people who get the full version it's very simple to uncheck the box and not download the toolbar, so it does appear that some people are looking for confrontations and are maybe just using the toolbar as an excuse.

     

    I appreciate being able to use CCleaner for free as it's an excellent program, but we need to understand that there is a business side which is required if they wish to continue developing CCleaner and other projects. If they do not make any income then it would be difficult for them to continue in the long term, as there are running costs for website hosting, bandwidth charges, domain names, forums etc., so I think it's kind of them to do it this way and try to generate a small amount of money without forcing anyone to install the toolbar.

     

    I think Adobe is a good example, and they are a lot bigger than Piriform, so I'm surprised the people who are finding a problem with CCleaner do not take the same issue up with Macromedia (now Adobe) for installing Yahoo's toolbar with the Flash Player, Shockwave Player, Adobe Reader etc.

     

    To me this part of Adobe's FAQ sums it up well:

     

    Why is the Yahoo! Toolbar being distributed from the Macromedia website?

     

    Macromedia is offering the Yahoo! Toolbar for download from its website as part of a larger agreement and relationship with Yahoo!.

     

    <snip>

     

    In addition, Macromedia is committed to continuing to offer the Flash Player on desktop computers for free. Partnerships like this one with Yahoo! enable us to support this business model and also allow us to invest far more in new functionality, testing, documentation, and tooling than we could without it. We think the new innovation that will be possible because of this, will make a big positive impact on the developer community.

     

     

    I appreciate it's a different company, but I believe the reasons behind it are the same. If the people who do not want the toolbar included at all are able to build an application and host it, then open up sites to promote it and forums to support people who use it, all without getting anything back, then I'd love to see them try to stay in business for more than 6 months :)

     

    Andy

  4. Hi AJ

     

    You're spot on :)

     

    The system is infected with the same trojans that promote SpyAxe. This one is related to SpyFalcon, but there really isn't much difference.

     

    These are the signs in the log:

     

    O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\System32\hp1BF8.tmp (file missing)

    The hp****.tmp is a randomly named file, but the CLSID "{f79fd28e-36ee-4989-aa61-9dd8e30a82fa}" shows it to be a variant of Trojan Zlob.

     

     

    C:\WINDOWS\System32\atmclk.exe

    This file is a SpyFalcon component. As you can see in the log there isn't a startup entry for this file, but it's in the Running Processes; it will load via the SharedTaskScheduler registry key, usually with a file named appmagr.dll as shown below.

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    {64ba30a2-811a-4597-b0af-d551128be340}= AppManager

    [HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{64ba30a2-811a-4597-b0af-d551128be340}\InProcServer32]
    @= C:\WINDOWS\system32\appmagr.dll

     

    This way it's running all the time on the system as it's loaded with explorer.exe, so explorer.exe will need stopping to remove it, which S!Ri's tool will do without problems. Usually the first step is to get a logfile from SmitfraudFix to confirm there is an infection, but I've skipped that as it's clear what is on the system from the above entries.

     

    Andy
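As an added example (not code from the post or from any of the tools it names), here is a small Python parser for the two indicator formats quoted in the post above: a Regedit export of the SharedTaskScheduler and InProcServer32 keys, and a HijackThis "O2 - BHO" line. It pairs each scheduled CLSID with the DLL its InProcServer32 key resolves to and flags the BHO CLSID the post identifies. The export text, the placeholder CLSID and the KNOWN_BAD_CLSIDS set are constructed for this example.

```python
import re

CLSID = r"\{[0-9a-f-]{36}\}"
# Only the CLSID the post ties to the Zlob BHO; a constructed list, not a signature set.
KNOWN_BAD_CLSIDS = {"{f79fd28e-36ee-4989-aa61-9dd8e30a82fa}"}

# Constructed Regedit export mirroring the keys quoted in the post; the
# all-zero CLSID is a placeholder standing in for a legitimate shell helper.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{00000000-0000-0000-0000-000000000001}"="Placeholder shell helper"
"{64ba30a2-811a-4597-b0af-d551128be340}"="AppManager"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{64ba30a2-811a-4597-b0af-d551128be340}\InProcServer32]
@="C:\\WINDOWS\\system32\\appmagr.dll"
"""


def shared_task_scheduler_entries(reg_text):
    """Return [(clsid, name, dll_path_or_None)] for each SharedTaskScheduler value.

    The lookup is per CLSID rather than per hive because, as in the post, the
    DLL can be registered under HKCU\Software\Classes where it shadows HKLM.
    """
    entries, servers, key = {}, {}, ""
    for line in reg_text.splitlines():
        if line.startswith("["):
            key = line.strip("[]").lower()
        elif "=" in line and key:
            name, _, value = line.partition("=")
            value = value.strip('"').replace("\\\\", "\\")  # undo .reg escaping
            if key.endswith("\\sharedtaskscheduler"):
                entries[name.strip('"').lower()] = value
            elif key.endswith("\\inprocserver32") and name == "@":
                m = re.search(CLSID, key)
                if m:
                    servers[m.group(0)] = value
    return [(c, n, servers.get(c)) for c, n in entries.items()]


def parse_o2_line(line):
    """Parse a HijackThis 'O2 - BHO:' line into name, CLSID, path and verdict flags."""
    m = re.match(r"O2 - BHO: (.*?) - (" + CLSID + r") - (.*?)( \(file missing\))?$", line, re.I)
    if not m:
        return None
    clsid = m.group(2).lower()
    return {"name": m.group(1), "clsid": clsid, "path": m.group(3),
            "file_missing": m.group(4) is not None,
            "known_bad": clsid in KNOWN_BAD_CLSIDS}
```

Every SharedTaskScheduler CLSID that resolves to a DLL outside the expected system locations, or that has no InProcServer32 path at all, is worth a second look in the HijackThis log.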

  5. Hi Bujar,

     

    I've not checked the log in any detail yet but will do after seeing the logs from the programs below. I can see signs of the Smitfraud infection, so let's get that fixed first, then we can clean up anything that remains :)

     

    Please download SmitfraudFix (by S!Ri)

    Extract the content (a folder named SmitfraudFix) to your Desktop.

     

     

    You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

     

     

    Please download, install, and update the free version of Ewido Anti-Malware:

    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    2. From the main Ewido screen, click on update in the left menu, then click the Start update button.
    3. After the update finishes, the status bar at the bottom will display "Update successful"
    4. Exit Ewido. DO NOT run a scan yet.

    Next, please reboot your computer in Safe Mode by doing the following:

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

     

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

     

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

     

    The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

     

    After SmitfraudFix finishes (and after a reboot if required), please open Ewido. (If a reboot is required, please boot BACK into Safe Mode.)

    • Click on Scanner
    • Click on Complete System Scan and the scan will begin.
    • If ewido finds anything, it will pop up a notification. You can select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    • Close Ewido

    Then please restart the PC so it returns to Normal Mode. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the Ewido report and a new HijackThis log.

     

    Note: Running option #2 will remove your desktop background, as some of the trojans related to this infection change the wallpaper and set restrictions to prevent you changing it back. When you reboot to Normal Mode, right-click the desktop and choose Properties, then go to the Desktop tab and select the wallpaper you want to use from there.

    Let us know if you have any questions or problems.

     

    Regards

     

    Andy

  6. If the program works then you don't need to add it to the startup folder, as you would have already changed the Start name the first time you used it. If it keeps returning to the name 'Start' then it's not working.

  7. The help file is also in the zipped file you uploaded (it's the HTML file with a blue 'e' IE logo on it). The program doesn't work, so you may want to consider removing it so other people don't use it. Like I said, it doesn't seem to be compatible with Service Pack 2, or didn't work on my test system, but may work on XP with no service packs. You'll have to live with the Start Menu being the way it should be and not renamed. Just get a marker pen and write the new name on your monitor over the Start Menu button; that should work :)

  8. Hi Aaron,

    I've just tried it on my test machine and it doesn't work. It renames it, but if I right-click the system tray and choose Task Manager it returns to Start; same if I stop explorer.exe and restart it. I wouldn't run it on my main PC as I'm happy with the Start Menu name, but if it's doing the same for you then something's not right with the program. The homepage in the help file doesn't work and it shows it was last updated in 2002, so I'd guess it's not compatible with Service Pack 2.

    If it does work, try changing the name to STOP as it may make your system more secure :P

    Maybe contact the author of the program using the email in the HTML file if it keeps returning to Start on yours, but I doubt he will be able to help if it's not been updated for more than 4 years.

  9. COMMODORE 64

    Processor: 6510 CPU, 1.02 MHz (NTSC), 0.985 MHz (PAL)
    Memory: 64 KB RAM, 20 KB ROM
    Display: Text mode 40 x 25, 16 colors; graphics mode 320 x 200
    Sound: 16 sound generator: 3 voice, 9 octaves
    Ports: Composite graphics output, RF, cartridge slot, "User" connector, 2 joystick ports, serial port, C2N cassette interface

    :P

  10. Maybe I'm missing something. Your program displays a number between 1 and 120, so why would someone want to rig it to show a different number? Are you giving away presents for anyone who gets the number correct :) I don't think making any of the files read-only or hidden is a good idea, and if it's something that could be rigged then you're best not using the program at all and just hosting it on a website so that they cannot modify the source code.

     

    Good Luck

  11. You don't want to make your files hidden and read-only as it could cause problems if they want to uninstall it. It can be done using batch and adding attribute commands, but I don't think it's a good idea. What part of it would be or could be changed by anyone, and why would they want to change it as it's just a number that's showing?

  12. No. If you're using JavaScript to generate the random numbers then you will always get the warning when it's run on your machine and not through the internet. Once you choose to allow the content then it shouldn't ask again when the page is refreshed, unless the new page contains different JavaScript, which it wouldn't if you're just opening the same page with a different number.

  13. If you click the Add Reply button at the bottom of the screen, then below where you type the reply it shows File Attachments and you can browse to add the file, then press Add This Attachment. I've run out of space with that as I have a lot of attachments in different posts, so I couldn't upload the image unless I put it in a zipped folder. I will use the My Controls option later and remove all my attachments from here so I have some space if I need to add more anytime.

     

    It's probably because you're using JavaScript that it shows the warning. If it's used on a website then it will be allowed, but if you try to run it on the computer and not through IE then it will be blocked unless the person decides to allow it themselves. I'm not sure how you would make a button without using JS, as most programs that run on the machine are not HTML files, as they are mostly only used on the internet.

  14. Hey Aaron, you've done a good job with that, so it's not a keylogger after all :)

     

    I've included a zipped file with a screenshot and a text file that shows all the changes the setup.exe file makes.

    One slight problem is a Windows Active Content warning when you press any of the numbers, as shown in the screenshot in the attached file. It's probably just because of one of the JavaScripts that are being used, but I didn't check the code. It's fine if you allow it once, then the numbers show on screen, but it may worry some people who haven't seen the warning before.

     

    Nice work :)

  15. Hi Aaron, the answer is %userprofile% or %allusersprofile%, but if you need more help with things could you let us know what the program is and what it's going to do when it's run? Also, what did you use to write the program? I'm just being a bit cautious with what I say after you said it's only for your system and now it's for other people's, especially with you recently using keylogger programs, so I wouldn't want to make it easier if that's what you're trying to use/install on someone's system.
