Mischel Internet Security Forum
TrojanHunter
TrojanHunter Guard
(Moderators: Helena, Gavin_Coe, Magnus)
Topic: please HELP (Read 1475 times)

cybermegabytes (Newbie)
please HELP
« on: Jul 17th, 2005, 10:18am »

I'm very surprised with the scan results I received from the TH scan! NO TROJANS, but hundreds of ADS streams + files with double extensions + unpackable files!!

I cannot delete the streams, they are everywhere!!!! Neither do I know how to handle the UPX unpackables + the files with double extensions; I cannot find them in the first place..... I think these are serious threats for my PC.... or should I not be worried at all???????

ANY help I would appreciate strongly!!! 1000*thank yous in advance......!!!!!
PS: sorry for the incorrect English grammar.

cybermegabytes.

siliconman01 (Global Moderator)
Re: please HELP
« Reply #1 on: Jul 17th, 2005, 12:30pm »

Welcome to the forum, cybermegabytes!
 
Let's see if we can get you more comfortable with what TrojanHunter is detecting for you and how you can make it more fun to see the scan results.
 
First, let's address the ADS streams that you are finding.  It sounds to me like you have a lot of downloads from the Internet on your hard drive which are program setups that you have used to install the programs on your system.  Under Windows XP, when you download a file from the Internet, it tacks a Zone Identifier on the download and this is attached as an Alternate Data Stream....ADS.  If you view the ADS, it will clearly state that it is a Zone Identifier. These are not needed and the ADS can be safely deleted.
 
I suggest that you open TrojanHunter Scanner, click on the Options icon on the left side and uncheck the option that is "Log NTFS Alternate Data Streams".  Be sure to check mark "Scan NTFS Alternate Data Streams".  This will prevent all these from being printed out when you do a TH scan.  It does NOT prevent TH from scanning them.  TH will still scan them and report if it finds a trojan in an ADS...which is unlikely.
 
It does sound like you would benefit from cleaning up your C:\ drive a bit by placing unnecessary program Setup files onto a CD or ZIP disk for safe keeping.  Leaving the downloaded setup files on your C:\ drive after you install the program just clutters your C:\ drive and does detract from system performance a bit.
 
Second, double extensions have the potential of being a malicious trojan.  For example, the Internet criminals that want to harm you have been known to "hide" an extension on an otherwise benign-looking file attached to an email or internet download.  For example, an email attachment may appear in the email as "Nicelooker.jpg", but in fact it is really "Nicelooker.jpg.exe".  When you open Nicelooker to see a jpg picture, the .exe actually installs a malicious item on your hard drive....sneaky..unknown...and often quite harmful. That is why TH looks for double extensions and alerts you to them.
 
HOWEVER, legitimate program developers have clouded this security threat significantly.  They name good legitimate files with a name that has 2-3 periods (.) in the name...such as "GoodFileV1.2.3.exe".  Well, TH and other security programs will see this as a double extension file.  
 
That being said, I suggest that you uncheck the TH Option that is "Log executable files with double extensions".  Again, TH will scan them and alert if it finds a trojan or possible trojan in them.  Some of these will go away if you store your program setup files out on a CD or ZIP drive.
 
Third, UPX unpackables:
If you recognize the file as being part of a legitimate program, just add the UPX unpackable file to the TH Ignore list.  If you do not recognize the file, post back here the name and folder where it is located and we'll try to find out if it's legitimate.
 
ALSO and FINALLY
 
It sounds like you need to change a couple of view options on your system so that you can view/find hidden files/folders/extension.  The Windows XP default hides these from users.  Here's what you need to do:
 
Go to START-SETTINGS-CONTROL PANEL-FOLDER OPTIONS-VIEW tab.
 
1.  Uncheck "Do Not show hidden files and folders"
2.  Check "Show hidden files and folders"
3.  Uncheck "Hide Extensions for known file types"
4.  Uncheck "Hide Protected Operating System Files (recommended)".
5.  Click on APPLY and OK at the bottom of the window.
 
HTHs.  Please post back if you need further assistance...
 
 
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
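As an added example (not TrojanHunter's or the forum's code), here is how a defender could triage the two finding types siliconman01 explains above: parsing a Zone.Identifier stream as Windows XP writes it, and telling a disguised double extension like Nicelooker.jpg.exe apart from a version-numbered name like GoodFileV1.2.3.exe. The zone-name table and the two extension lists are assumptions of the example, and the sample stream content is constructed.

```python
# Added example, not TrojanHunter's own logic: triage helpers for the two
# finding types explained above (Zone.Identifier ADS and double extensions).
import configparser
import re

# Zone ids that Windows XP SP2 / Internet Explorer write into the
# Zone.Identifier alternate data stream of a downloaded file.
URLZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Extensions Windows runs or scripts on double-click (assumed list).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "msi"}
# Extensions that look like harmless documents or media to a user (assumed list).
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf", "mp3", "avi", "zip"}


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the text of a <file>:Zone.Identifier stream.

    Returns the numeric zone id and its name, or an empty dict when the
    stream is not a Zone.Identifier, so an unrelated ADS is never
    dismissed as a harmless download marker.
    """
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream_text.replace("\r\n", "\n"))  # Windows writes CRLF
    except configparser.Error:
        return {}
    if not parser.has_option("ZoneTransfer", "ZoneId"):
        return {}
    zone_id = parser.getint("ZoneTransfer", "ZoneId")
    return {"zone_id": zone_id, "zone": URLZONE_NAMES.get(zone_id, "Unknown")}


def classify_double_extension(filename: str) -> str:
    """Tell a disguised executable from a version-numbered file name.

    "Nicelooker.jpg.exe" -> "disguised"  (decoy extension, then executable)
    "GoodFileV1.2.3.exe" -> "version"    (numeric segments, then executable)
    "setup.exe"          -> "single"     (only one extension)
    "archive.tar.gz"     -> "benign"     (several extensions, none executable)
    other combinations   -> "review"     (needs a human look)
    """
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return "single"
    last, inner = parts[-1], parts[1:-1]
    if last not in EXECUTABLE_EXTS:
        return "benign"
    if all(re.fullmatch(r"\d+", seg) for seg in inner):
        return "version"
    # Segments are stripped so padding spaces around a decoy do not defeat the check.
    if any(seg.strip() in DECOY_EXTS for seg in inner):
        return "disguised"
    return "review"


# Constructed sample: the stream body Windows XP writes for an Internet download.
SAMPLE_ZONE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_ZONE_STREAM))
    print(classify_double_extension("Nicelooker.jpg.exe"), classify_double_extension("GoodFileV1.2.3.exe"))
```

Run against names from a TH report, the "version" and "benign" classes are the false positives the reply describes, while "disguised" is the case TH is alerting on.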

siliconman01 (Global Moderator)
Re: please HELP
« Reply #2 on: Jul 17th, 2005, 1:55pm »

Another thing that might help your system is to download/install CCLEANER to clean off junk files.  You can download this freebie program from:
 
http://www.ccleaner.com/
 
Just install it, set it up, and then run the Cleaner.  I would not run the ISSUES part unless you are familiar with the system registry because ISSUES deletes elements from the registry that are not needed.  
 
In the set up for the file cleaner ("Cleaner"), I recommend check marking everything EXCEPT Advanced under "Windows".  Under Applications, check mark everything.
 
You can then see what CCLEANER is finding as junk/unnecessary files that it will remove by clicking on Analyze.  Then to do the actual cleaning, click on Run Cleaner.  
 
HTHs.

cybermegabytes (Newbie)
Re: please HELP
« Reply #3 on: Jul 20th, 2005, 1:05pm »

For Siliconman01,

First, SORRY for this late reply!
I changed everything as you asked in the TH options + I added all the UPX files to IGNORE; further, I see NO ADS streams now:
see my last scan results (doc file). First I used all the deletion tabs (hundreds)... they are gone, I think.
I changed the file properties too, as you said; I can see ALL the files now. A few UPX files DO still remain, also after ignoring them.
There is still one great problem left in the TH scan results: a huge amount of ..... restore zip files, PASSWORD protected!
But that's the problem, I don't know WHICH password?
The password for Spybot S&D? From where? I NEVER made any password, and the program ?? automatically puts a password on it ??; with the result that the scan mentions ALL these protected files. Do you know the solution for password recovery?? I looked on the web, but they are all not free to use + I don't know which to choose for zip files, because I don't know the program, or... it must be PowerArchiver 04, that is installed, or is it the zip function built into the XP system?
All the cracks and keygens you see in the doc file are the remains from the beginning of my computing: my PC was standing at a friend of mine for 5 weeks and he installed and did experiments, a lot; but he left me with all his "troep" = recycle bin items!
I think I will clean these partitions: E:\ and D:\ and F:\, I think, contain a lot of setup items, exe files, and ..... all the remains of the first program directory (on C:\) I used in the beginning!
I copied them all to several locations, I think, before formatting the whole hard disk (a few months ago).
These exes and setups of all these programs INTERFERE with the real programs I've installed, I think.
They are not installed on those partitions, but many of them ARE installed on c:\program files\!

I'll try to put my last scan results doc file here now:.......(??):
I cannot succeed, I can't paste the file here after copying!

Hallo Siliconman01, will you be so kind as to explain to me how I must do this! Then I'll post the scan results shortly (no great delay anymore!!).
With full regards and most respect,

Cybermegabytes.

claire (Stole All the Forum Stars)
Re: please HELP
« Reply #4 on: Jul 20th, 2005, 1:52pm »

Spybot automatically zips and passwords the backups it makes.

If you are ABSOLUTELY sure you do not need these backups, you may delete this list in Spybot.

These files would then no longer show up in TH logs.

HTH

Claire

cybermegabytes (Newbie)
Re: please HELP
« Reply #5 on: Jul 20th, 2005, 2:55pm »

Hallo Claire,

Thanks for your quick reply!

I deleted all the zip files, maybe I had kept those from the last month! But no regrets, they are all gone now, and the TH scan will not mention them anymore, as you said!

Do you know, Claire, what I have to do if I wish to paste a file here (here in this posting), like an attachment or so in mail? (It seems I am not an IT expert....)

If I have further computing problems, I will post them here.

Regards and respects,

Cybermegabytes.

claire (Stole All the Forum Stars)
Re: please HELP
« Reply #6 on: Jul 20th, 2005, 3:10pm »

Hi Cybermegabytes,
 
I am glad I could help you a little bit.
 
Each time I have a screenshot, for instance, to post here (to show a problem), I ask first one of the mods here (Randy is very patient and helpful). If he agrees I mail him my screenshot and he can post it here at the TH forum. Don't ask me how this magician does his trick.

For dubious files, I mail them to submit@misec.com so Magnus can analyze them.

Have a great day

Claire

siliconman01 (Global Moderator)
Re: please HELP
« Reply #7 on: Jul 20th, 2005, 3:21pm »

Claire is absolutely correct.  This is Spybot's technique of quarantining and then giving you the ability to restore a quarantined item.  Spybot puts the password on the files to keep them safe.  It is not intended for you to know the password.  You have to use Spybot's restore function to put the quarantined file(s)(whatever) back into use....which you probably DO NOT want to do.  
 
As Claire said, if you have no intent on restoring quarantined items that are in the Spybot quarantine folder, just delete all the files in that folder.  
 
Another thing you should do is set up TrojanHunter scanner to bypass the Spybot quarantine folder altogether.
 
1.  Open TH scanner
2.  Click on the SCAN icon on the left side.
3.  Expand the C:\ drive by clicking on the (+) sign next to it in the list of drives you have.
4.  Keep expanding until you locate the Spybot quarantine folder and then UNCHECK that folder.  TH scanner will no longer scan that folder as long as it remains unchecked.
 
Also you may wish to uncheck the other drives (D, E, F, etc) if you do not use them as part of your primary operating system.  In other words, if you do not activate programs from them and only use them for backup, there is no need for TH to scan them each time.  I only scan my 4 other drives once a week, automatically late at night, unattended.  
 
To show your scan results on this thread:
 
1.  Perform a TrojanHunter scan.
 
2.  In the results/report window after the scan is completed, just highlight all the items.  (Just put your cursor in the results window, hold down the ALT key on your keyboard and tap the A key once.  That will highlight everything in the results window.)
 
3.  Then on your keyboard, hold down the ALT key and tap once on the C key.  This will copy the highlighted elements.  
 
4.  Come over to the forum and open a post window.  Put your mouse cursor in the post window as if you are getting ready to type a reply.
 
5.  On your keyboard, hold down the ALT key and tap the V key once.  This will paste what you copied into the post window.
 
Please Note:  There is a limit to the amount of characters that can be in a post.  So you may have to split your results into 2-3 posts.  
 
Note also that the scan report of TH is saved as .TXT file.  Open it using NotePad.  An ALT+A will select/highlight everything in the report.  Then copy (ALT+C) whatever you want to show in the forum post.  An ALT+V will paste what you copied.  
 
It does sound like you would benefit from cleaning off a lot of unnecessary files from your system.  Friends have a way of leaving things lying around.
 
HTHs

cybermegabytes (Newbie)
Re: please HELP
« Reply #8 on: Jul 21st, 2005, 5:56am »

Hi Siliconman01,

I made a full scan with TH (updated manually 18/5 today),
hereby I paste the results, as you told me previously. Thanks again for your clear explanation!! At this tempo, I become an expert in, let's say, 2 years! See now the scan; I put all the reds several times already in the ignore list, but they come back each time in the scan results:
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Richard\Mijn documenten\Mijn documenten\Mijn ontvangen bestanden\Cracks\C\D\CD_to_MP3_Ripper_v1.31.zip/Patch.exe (Add to ignore list)
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Richard\Mijn documenten\Mijn documenten\Mijn ontvangen bestanden\Cracks\M\A\Macromedia_Fireworks_MX_2004_v7.0.288.zip/keygen.exe (Add to ignore list)
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Richard\Mijn documenten\Mijn documenten\Mijn ontvangen bestanden\Cracks\R\E\Registry_Medic_v2.95_build_1009.zip/RegMed295Load.exe (Add to ignore list)
C:\pagefile.sys  Not scanned (in use by another application)
Warning: Unable to unpack UPX-packed file E:\Documents and Settings\Mijn documenten\Mijn ontvangen bestanden\Cracks\C\D\CD_to_MP3_Ripper_v1.31.zip/Patch.exe (Add to ignore list)
Warning: Unable to unpack UPX-packed file E:\Documents and Settings\Mijn documenten\Mijn ontvangen bestanden\Cracks\M\A\Macromedia_Fireworks_MX_2004_v7.0.288.zip/keygen.exe (Add to ignore list)
Warning: Unable to unpack UPX-packed file E:\Documents and Settings\Mijn documenten\Mijn ontvangen bestanden\Cracks\R\E\Registry_Medic_v2.95_build_1009.zip/RegMed295Load.exe (Add to ignore list)
Warning: Unable to unpack UPX-packed file E:\Mijn ontvangen bestanden\Cracks\C\D\CD_to_MP3_Ripper_v1.31.zip/Patch.exe (Add to ignore list)
Warning: Unable to unpack UPX-packed file E:\Mijn ontvangen bestanden\Cracks\M\A\Macromedia_Fireworks_MX_2004_v7.0.288.zip/keygen.exe (Add to ignore list)
Warning: Unable to unpack UPX-packed file E:\Mijn ontvangen bestanden\Cracks\R\E\Registry_Medic_v2.95_build_1009.zip/RegMed295Load.exe (Add to ignore list)
Not scanning password-protected file Sam275Load.exe in F:\Downloads\streamaudio.zip
Warning: Unable to unpack UPX-packed file G:\Mijn documenten\Mijn ontvangen bestanden\Cracks\C\D\CD_to_MP3_Ripper_v1.31.zip/Patch.exe (Add to ignore list)
Warning: Unable to unpack UPX-packed file G:\Mijn documenten\Mijn ontvangen bestanden\Cracks\M\A\Macromedia_Fireworks_MX_2004_v7.0.288.zip/keygen.exe (Add to ignore list)
Warning: Unable to unpack UPX-packed file G:\Mijn documenten\Mijn ontvangen bestanden\Cracks\R\E\Registry_Medic_v2.95_build_1009.zip/RegMed295Load.exe (Add to ignore list)
No trojan files found
14241 files scanned in 1042 seconds .
Please note:
There is a Macromedia folder in c:\program files; I want to delete the content in CONFIGURATION (I don't use it), but it is NOT mentioned there! And neither can I find an uninstaller.exe! The two other .zips are NOT installed in c:\program files\. These files are ALSO on E:\ and G:\.
I have to delete EVERYTHING of the earlier SETUPS and all the *.exe on these partitions!!! (from the starting period).

I found trojans already on these partitions too!! (like Bloodhound e32, I think). Can trojans or malware not choose all locations and partitions on the hard disk?
Another problem would be, I think, NOT everything will be deletable (I think), thanks to the "troep" left....

With kind regards and most respect,

Cybermegabytes.

cybermegabytes (Newbie)
Re: please HELP
« Reply #9 on: Jul 21st, 2005, 6:29am »

Hi Siliconman01,

Me again, to tell you about another item: I made a RAV scan online, and this was the result; I made it +- 2 weeks ago.
 
C:\Program Files\Ahead\NVE-3.1.0.14.exe->(RARSfx)->Nero Recode\Recode.exe - Win95/Wolf.C -> Suspicious
C:\Program Files\Ahead\Nero Recode\Recode.exe - Win95/Wolf.C -> Suspicious
Are these dangerous? Are they FALSE alarms?
 
I cannot find these files on my PC.

With kind regards and most respect,

Cybermegabytes.

siliconman01 (Global Moderator)
Re: please HELP
« Reply #10 on: Jul 21st, 2005, 7:12am »

Quote:
C:\Program Files\Ahead\NVE-3.1.0.14.exe->(RARSfx)->Nero Recode\Recode.exe - Win95/Wolf.C -> Suspicious  
C:\Program Files\Ahead\Nero Recode\Recode.exe - Win95/Wolf.C -> Suspicious  
are these dangerous ? are FALSE alarms

 
Recode.exe for Nero is not malicious.  I have it on my system, same version as you show here.  I recommend that you update your antivirus definitions to the latest versions and rescan.  I suspect that this has been corrected by RAV.
 
I'm afraid we have a bit of a problem.  If "CRACKS" on your system is what I think it is, it is something that neither this forum nor Mischel Internet Security approves of or condones, because it performs illegal functions of breaking into licensed software and utilizing it without purchasing the license.
 
Can you please clarify this for me?  
 

cybermegabytes (Newbie)
Re: please HELP
« Reply #11 on: Jul 21st, 2005, 9:05am »

Hi Siliconman01,

Thanks for the explanation!

I totally agree with you regarding the previous!

I explained to you that my PC stood 5 weeks not at my place. I was not aware of everything the friend of mine put/installed/downloaded.... or did with my PC when I was not there! It was at the beginning of 2004, when I bought this PC.
AT THAT TIME, I WAS ONLY CAPABLE OF PUTTING A PC ON/OFF!
At this moment, I have learned a lot (in my view) in those +- 18 months, due to SELF study and the FIRST XP course I followed with 85 percent at university/high school (evening lessons)!

The second part starts again at the beginning of September.
I enjoy computing a lot. As I said: I am against these practices. A main proof for this: because I can obtain a lot of software very cheap due to my PC study at high school, see the links below.
For the installed Flash, I probably needed it to see some Flash item, and I used the EARLIER setup. For the downloads, these are not installed, as I said before; I don't even know where they come from! It must be from downloads in the starting period.... I see no other connection.

I have e.g. Nero Reloaded fully legally, InterVideo DVD Copy 2 legally, etc., etc... all my programs on C:\ ARE freeware, shareware or legal software.

And there is also a lot of freeware of good programs to be obtained! On zdnet.com for example.

A second good reason: I should not post this where everybody can watch it, and lose privacy too! IF I had a bad conscience, I would send you all this privately!

Please see here the links for cheap software for students, teachers etc..:

https://www.ma3d.com/article/14
and http://www.academicshop.be/fr/
and http://www.academicdownload.com/section/650

Kind regards and most respect,

Cybermegabytes.

siliconman01 (Global Moderator)
Re: please HELP
« Reply #12 on: Jul 21st, 2005, 10:07am »

Thanks much for the explanation.  I recommend that you remove all the CRACK items from your system.  Misec would not analyze them for possible malicious elements because they are in themselves not reputable software.  
 
Quote:
there is a macromedia folder on c\ program files ; I want to delete the content , in CONFIGURATION  ( i don't use it ), but it is NOT mentionned there! and neither i can't find an uninstaller.exe! The two other .zips are NOT installed on c:\ program files\.These files are ALSO on E:\ and G:\ .

 
As for the Macromedia folder, you should be able to just delete the folder.  If something stops working, it is very easy to redownload Macromedia from the Internet and reinstall it.  You might run into a web page that wants to use Flash Player or Shockwave, but that's only a nicety anyway in my opinion.  I assume you checked ADD/REMOVE Programs in the Control Panel to see if Macromedia is in the list of programs that can be removed, eh?  I suspect that the folder is related to Macromedia Fireworks as shown below:
 
Quote:
Warning: Unable to unpack UPX-packed file E:\Documents and Settings\Mijn documenten\Mijn ontvangen bestanden\Cracks\M\A\Macromedia_Fireworks_MX_2004_v7.0.288.zip/keygen.exe (Add to ignore list)

 
The webpage link for Macromedia is:
 http://www.macromedia.com
 
Quote:
Another problem would be , i think , NOT everything will be deletable ,( i think ), thanks to the " troep

 
You may have to Reboot into SAFE MODE to perform some deletions if there is no uninstaller.  
 
 
HTHs