Databaseben, I sent you a message below

Guest

Hi, Databaseben, I sent a message to you below titled "Danger Warning! to the
public" and had put "note to Databaseben" on the end, but the title was too
long and cut your name off! You helped me out last July with computer
problems.

Now I can't get my message of today to load. Maybe it was too long. Could
you let me know if you can get it to load so you can read it? If not, I'll
shorten it and tell you the situation.

I don't understand why it won't open! Maybe it's just my luck.
 
DatabaseBen

hello mtnlady,
yeh, found the other posting with your discovery.

i'm very interested in your analysis and will take a look into it.

but, let's not be hasty in considering that the ntregopt is the perpetrator of a trojan. i checked that website and followed that link to the home page at http://www.larshederer.homepage.t-online.de/erunt/index.htm and when the file sizes are compared they are both 472kb. Then when i clicked to download a copy from majorgeek the file size was also 472. (Of course i already had a copy for a long time, but wanted to double check the download.)

This is important to know, because if the file size was bigger or smaller than the original file found at http://www.larshederer.homepage.t-online.de/erunt/index.htm then we know the code was rewritten.

nowadays, there are programs that pretend to have discovered something bad, but they are the cause of the infiltration. But trojans can also be sneaked onto your system, with music, videos and lots of other ways.

remember that a trojan by design hides malicious code, but figuring out how it got on your system and where that file is located is the question. you discovered the malicious code, but the trojan may still be on your system, hiding until the time is right to unleash the malware....

Have you downloaded or allowed some kind of toolbars to be installed recently?

Just off the top of my head right now, it sounds like the data you pasted on the other posting is referring to an explorer toolbar.

I know that today I was searching for old music from that cold case tv show, and i swear i had to install 3 different kinds of music players and all of them kept asking me if i wanted a toolbar. Of course, i said "no"....

again, thanks for the update.

btw, until the trojan can be discovered and eliminated, it may not be wise to make any restore points or backups because you would only be helping with saving the trojan...


"MtnLadyinBlackHills1986"
 
Guest

Hi again, Databaseben. OMG, what have I gotten myself into this time?

Did you read the answer to my original question, that was posted by "Glee"?
If not, could you read it? I'm such a novice, I don't know if I understand
what he/she is trying to tell me.

I did read the article you linked to me, and it was really scary. What is
more scary is thinking I might still have a Trojan Horse on my system! I
recently ran all the security software I have - Ad-Aware SE, Webroot Spy
Sweeper, and Norton Anti-Virus scans. I also ran Norton's One-Button
Checker, Windows Doctor, Disk Doctor and Check Disk. I have also added all
of the October Windows Security Updates to my system. And everything (except
the code I sent you) checked out fine.

I have not added any toolbars in a very long time. The only thing I can
think of that I've done differently is that I switched to Real Player from
Windows Media Player. I have a large bunch of commercial music CDs that I
wanted to put in a library in case a disk got damaged. When I did it with
WMP, I found that none of the song titles, artist, album name or genre came
through, just track numbers. Not wanting the very long, tedious job of
typing all this in manually, I tried Real Player, which worked fine. I was
connected to the Internet at the time to get the CD information. Could Real
Player be the cause of a Trojan? I thought they were reputable. I never did
get a toolbar from them...

Please help! I need to know how to find and get rid of this Trojan if all
I've done above security-wise didn't find it. I've tried so hard to avoid
all the "pitfalls" of these Internet Monsters. I'm about ready to have the
Internet taken off my computer - I just don't know if it's worth the dangers
out there.

Thanks, Databaseben, for your interest and for any help you can give me....
 
Guest

MtnLadyinBlackHills1986 said:
Hi, Databaseben, I sent a message to you below titled "Danger Warning! to the
public" and had put "note to Databaseben" on the end, but the title was too
long and cut your name off! You helped me out last July with computer
problems.

Now I can't get my message of today to load. Maybe it was too long. Could
you let me know if you can get it to load so you can read it? If not, I'll
shorten it and tell you the situation.

I don't understand why it won't open! Maybe it's just my luck.

Hi Sue,
I hope I'm not intruding here! but your computer is screwed up in a way that
your only option may be to do a (Clean Install) of Windows.
I would like to ask you some questions:
1=> Is your anti-virus software all up to date, and do you still have valid
subscriptions (i.e. not out of date)?
2=> Is your firewall set to block pop-ups and bugs from websites which target
you through other websites?
3=> Do you have an OEM version or a full version of your Windows CD?
Please tell us about the above.
<------------------------------------------------------------------------>
Then to your problem:
Win32/Dumdor Trojan is the kind of trojan that uses a stealth shield mode to
avoid being detected by firewalls and antiviruses, and it always downloads
files from servers to execute on the infected machine, not installing a bigger
file on the infected machine, avoiding being detected or deleted by AVs.
Advertisement companies use Trojan droppers to hiddenly drop their adware
components/source code on users' computers; in your case my guess is you may
have got it through RealPlayer, not because RealPlayer did this to you but the
advertisements which are on RealPlayer.
From your past threads, it looks like the Trojan has installed a toolbar to
redirect you to where it wants and to execute itself on your system and send
data to its programmer/webmaster to tell him/her that you are in! and it has
created a login profile on your computer.
Try to download the *HijackThis* file from this website and send the report to
the Aumha forum:
http://www.aumha.org/free.htm
Also try to turn System Restore OFF and when you get rid of this Trojan
completely turn it back ON to create a new restore point for your system, but
do that after you get your answer back from the aumha forum.
Another similar case like yours here on this forum:
http://forums.spybot.info/showthread.php?t=7862
Scan online from here:
http://www.pandasecurity.com
http://www.trendmicro.com
HTH.
Please let us know your progress.
Regards,
nass
 
DatabaseBen

hey there mtnlady,

don't be scared about this, it isn't as bad as you think. There are trojans that are not evil; instead they act in a way to obtain statistics from the people who use their "freeware". They are designed to work in the background and silently, thus they are looked upon as trojans by some software, including software companies that are competing against each other.

It might be that you are in a funny situation, where your antiviral that discovered the toolbar is in direct competition with the maker of the toolbar.

The statistics they get from your activity and the millions of others via its toolbar can help improve their services and/or get money from marketing companies.

"And" if you really "read" the fine print of those end user license agreements, there will be an itty bitty line stating something like "by using this free software you agree to share information about your usage with us...."

I think an easy way to fix this is simply to restore your computer to the date when we got you back up and running a few months ago.

Or figure out what program you installed that subsequently may have asked you if you wanted to use a toolbar and you said ok, so you can uninstall it.

If you are not sure, you can open your ie browser, go to managing add-ins and disable any toolbars. You don't need any extra toolbars added to your system.

If you like the ie browser from microsoft, download the new version released a few days ago and be sure to say yes to protecting you with anti-phishing technology.

I think you'll be ok and I don't think you will have any problems. But it's a good thing that you had a place like this to find earnest people who want to help and get you through this. However, this is a positive opinion for you, but I have others as well.

Incidentally, i know you have found and use some antiviruses already. But I would like for you to know that out of many years of trying out "and paying" for antiviruses, I discovered that using the "spywareterminator" with the "clam antivirus addin" and the "defender" from microsoft to be an excellent combination and reliable too.

take a look at these next time you are unsure about the ones you have now....


"MtnLadyinBlackHills1986"
 
glee

Excuse me, but where in any of the original posts do you see mention of
Win32/Dumdor? In fact there is no trojan named Win32/Dumdor. There is a backdoor
trojan named Win32/Dumador, but where do you see any mention of that either, in the
thread by the original poster? The only info I see mentioned is the discovery of a
Trojan Downloader, unnamed, which is of a much lower order than a trojan itself.

In either case, it is unlikely that her system is "screwed up" nor is it likely
that she needs to do a clean install. That is all far beyond what is likely
required. From what I have seen, she may not even have a trojan on her system.
 
glee

Please read my latest reply in that thread, and answer any questions I posed there.

What parts did you have trouble understanding in my earlier reply? Please post to
that thread with those issues, and I will try to simplify it for you.
 
Guest

Good morning, DatabaseBen. Thank you for replying so quickly. First off, I
do want to express my appreciation for your (and other folks') help here. If
this site wasn't here, laymen (or women! LOL) like me would be completely
lost, and I can't afford to pay to talk to a Microsoft technician as a "trouble
call"!

I don't know if you noticed, but another poster called "Nass" from the UK
also wrote to me. I have worked with you in the past and trust you. Could
you check out what Nass wrote and if you think I should reply to his(?)
questions? One thing he did mention that I thought was interesting was he
thought the Trojan might have come through an advertiser with Real Player
(not Real Player itself). Would make sense since that's the only real change
I have made.

Anyway, I don't think I want to go back to when we resolved my problems in
July. I've added a lot of data, which would be a terrible job to restore. I
do back up my data to an additional hard drive I have in my PC. When my hubby
installed it (using the hardware's tool software), it copied over everything
from my C Drive at the time. But since then, I have not added any new
programs or program updates to that drive - only data. But it would still be
a lot of work. FYI, when I do have to restore back, I have to use Norton's
"System Go Back", which loses all subsequent data. I have not been able to
get Microsoft's "System Restore" to work since I can remember. A while back,
I tried again and tried every bolded date for months and never got it to come
up. I just got the "go to another date". I tried to do a little reading on
Trojan Horses on Google last night and it was recommended that this function
should be turned off (temporarily for most people). I certainly did, as it
is of no use to me anyway!

When I went to disable toolbars, I found something interesting. I
recognized all the Toolbars but one. I have never heard of this one. Here
is its name and publisher: Name: PrxcnBHO Class Publisher: (Not
verified) Proxyconn, Inc.
I know I did NOT authorize that one! That was the first one I disabled. I
have disabled all my toolbars. What about the Browser Helper Objects and
Browser Extensions? Are they OK to leave active?

I did do one more thing on my own, which I figured sure couldn't hurt. I
had never bothered to put a password on my computer because it is just my
husband and me who use it. But I read that a complicated password can make
things more difficult for some Internet baddies to get access to my computer
(where I have all my credit card info, etc.) and pull an identity theft.

Do you think what I've done is adequate? You are a wealth of information
besides being helpful. It's a scary cyber world out there, and I appreciate
your putting my Trojan Horse situation in perspective. After my troubled
past and due to my limited knowledge, I was beginning to feel that the
Internet's "bad guys" were getting beyond my ability to cope with them. And
maybe, as much as I enjoy and depend on the Internet, it was time to give up
and "throw in the towel"!

Thanks again.

Sue
 
Guest

Doggone it! Right after I sent the last message, I found that the unknown
"toolbar" I told you about is actually a Browser Helper Object. Just wanted
you to know that, as it might make a difference.
 
Guest

Hello, Glee. I will go back to your original post and answer your posts. I
was not ignoring you. It's just that I've worked with DatabaseBen in the
past and he helped me solve my problems. So I thought I'd start with him.

Regarding the "Win32/Dumdor", I don't know anything about it. It was just
mentioned in the post from someone called "Nass", who has also written. I
haven't replied to this person. This "Win32/Dumdor" was nowhere in my posts
or the info given to me by Ad-Aware SE in their report of Trojan Horse
traces. I don't know where Nass got that from.

I'll go back now to your original post. I hope I answered your questions,
and I certainly hope you're right about not needing to completely wipe out my
computer and start "from scratch" again. Even DatabaseBen just suggested
going back to July when we solved my last problem, not a complete format.

Thanks for your interest.
 
Guest

It is by NOD32, but it is the Dumador Trojan as you mentioned (I may have eaten
the *A*), for the specific report posted by the OP for *WIN32.TROJAN.DOWNLOADER*
by her Adaware scan.
Since the OP had the problem long ago and it has been detected by Adaware,
my guess is the problem is still present, and what is interesting now is she is
saying she does have a second HDD, which could harbour the virus/trojan or the
hideaway for it.
If she tries to access this HDD, whichever file is infected will start the whole
cycle again. I don't mean to scare the OP, but if you have a machine that is
infected and you can't clean it up, your only way is a clean install.
HTH.
Regards,
nass
 
DatabaseBen

ok,
it sounds like you did pretty good at finding some oddities. I would go ahead and "disable" that proxyconn as well if you can. (I'll check this one out on the net.)

The ie browser will work without it, and disabling that proxy...-thing won't uninstall it. So it is a safe option to disable it at this time.

If it is related to your real time player, then the player will let you know of the problem. But i don't think it is.

another place to look in is your startups.

In your startups there may be a program that was added and is set to automatically launch each time windows is launched. Badware likes to take advantage of this basic feature.

go to "start", then to "run", then type in "msconfig" and click afterwards.

a dialog will open and there will be a tab called startups. Inside of startups you will see the names of the programs that are set to start automatically, like your adaware se and others that you know of.

You should also find something like realsched, which is a program that updates your real music player. You can disable this and anything else that you do not recognize or know is not needed to run automatically. Then close the dialog, then disconnect your computer from the internet and reboot.

i'll take a look at the info you have provided and will be happy to let you know something.

have you recently done a scan of your system again? See what the results are after you disable those things mentioned above.

If no errors show up again, then connect to the net and let us know...


"MtnLadyinBlackHills1986"
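An added example, not from the thread or any of its posters: this PowerShell inventory reads the same Run keys and Startup folders that the msconfig steps above walk through, and for each autostart file reports its size, SHA-256 and Authenticode signer, so an unrecognised or reappearing entry can be judged by more than the file-size comparison used earlier in the thread. It assumes a standard Windows install with PowerShell 4 or later (for Get-FileHash) and changes nothing on the machine.

```powershell
# Added example (not from the thread): read-only inventory of Windows autostart
# entries with size, SHA-256 and Authenticode status per file.
# Nothing is disabled or changed; run it before and after msconfig edits.

# Extract the executable path from a Run-key command line such as
# "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
function Get-CommandPath {
    param([string]$CommandLine)
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    # Unquoted command line: take the first token (an unquoted path with
    # spaces will show up as MISSING below, which is itself worth a look)
    return ($cl -split '\s+')[0]
}

# The locations the msconfig Startup tab reads, plus RunOnce
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ignore = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($ignore -contains $p.Name) { continue }
        $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
    }
}
# Per-user and all-users Startup folders
foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    if ($path -and (Test-Path $path)) {
        foreach ($f in Get-ChildItem -Path $path -File) {
            $entries += [pscustomobject]@{ Source = $path; Name = $f.Name; Command = $f.FullName }
        }
    }
}

# Size alone (the 472 KB comparison in the thread) cannot tell two binaries
# apart; the hash and the signer can.
$report = foreach ($e in $entries) {
    $exe = Get-CommandPath $e.Command
    $sizeKB = $null; $hash = 'MISSING'; $status = 'n/a'; $signer = 'n/a'
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        $sizeKB = [math]::Round((Get-Item -LiteralPath $exe).Length / 1KB)
        $hash   = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $sig    = Get-AuthenticodeSignature -FilePath $exe
        $status = $sig.Status
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
    [pscustomobject]@{
        Name = $e.Name; Path = $exe; SizeKB = $sizeKB; SHA256 = $hash
        Signature = $status; Signer = $signer; Source = $e.Source
    }
}
# Unsigned, missing or unrecognised entries sort together for review
$report | Sort-Object Signature, Name | Format-Table -AutoSize -Wrap
```

Running it again after a reboot shows whether a disabled entry has been re-registered, which is the behaviour later reported for realsched in this thread.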
 
Guest

Sue, I didn't say go to a clean install directly, if you did read my phrase
saying * You *may* need to do a ( Clean Install )*.
I didn't like the way in the past you had to cure the problem with a
registry fixer; that's not the way to get rid of a virus if you have one.
If all fails with the help of *Glee & Databaseben*, and please trust both and
anyone here, no one will allow or let anybody here give you misleading
info.
So don't ask behind me or behind glee or behind databaseben; always wait,
don't take an answer for sure unless you are sure this will do it and it is
easy for you to do; always wait for a second opinion, as sometimes it can help
you see the clear picture of your situation.
If all fails, try running HijackThis and send the report to the forum.
http://www.aumha.org/free.htm

HTH.
Good luck.
nass
 
Guest

Wow! Have I ever opened a "can of worms" now! I know everyone means well
and I honestly do appreciate your efforts to help.

But now I'm getting all kind of suggestions from all directions.

I have one question for everyone: Does a Trojan Horse attach to any
particular type of file? Does it attach just to program files or can it
attach to data files? If it doesn't use data files, one poster's concern
that my other back-up hard drive could also be infected wouldn't be a
problem. When my C drive was copied over, I was having no trouble with the
machine at all.

I think I might have confused one of the posters when I mentioned working
with DatabaseBen in the past. The problem we worked on was NOT a Trojan
Horse. I apologize if I implied that in the way I worded my sentence.

I would even be willing to copy my data onto CDs (if I knew that the Trojan
Horse doesn't use them) and wipe both drives clean again. But if my data is
corrupted, I'm totally screwed. And I certainly don't want to re-install
Windows, Office, etc. and spend months and months getting all the updates.
I'm on dial-up and I don't know if I could handle going through all that again.

I'm getting the entire spectrum of answers to my post - from "I have no
Trojan Horse at all" to "my entire system is screwed up". I'm sorry for
whining, but please look at this from a layman's point of view.... What do
you do?
 
Guest

Sue, please follow * Databaseben *; he will get you out to safety on your
issue, with respect to Glee.
It looks like you will listen to everybody, and your thread will get busy and
you will get confused!
We will watch, and if we can help or learn something it will be a pleasure.

Good luck.
nass
 
DatabaseBen

that's great!

you're doing really good at figuring out some of these things.

i looked up that proxyconn service you mentioned. It is designed to boost your internet speed.

The question is: was it provided to you by your internet service provider, or did you download it manually, or did you click an ok button somewhere and it was automatically installed with another software?

If it was provided by your internet service provider then it is likely to be safe and may even be required, depending on your service.

But if it wasn't provided by your ISP and it came from some internet site as some kind of freeware, it may not be safe.

There are different methods to boost internet speed.

But what this particular program likely does is download and store your favorite webpages onto your harddrive automatically and without your knowledge.

It would do this so that when you visit a site, that webpage would pop up on your screen "instantly" since it has been stored on your harddrive.

The fact that webpages are being downloaded onto your harddrive automatically is a problem that could become serious because you have no control over it.

You're not given the opportunity to decide what you want or don't want stored on your pc. And there are malicious webpages that are designed to pop up hundreds of other webpages, like those porn sites. Who knows, webpages with unlawful pics could secretly get stored on your pc and you would never know because of these so-called web accelerators.

without going into too much detail, take a look at the source of this proxyconn software and uninstall it if it was not provided to you by your internet service provider.

If you have DSL you really don't need it.

But if you still use regular internet, it may be required for you to use by your ISP as some kind of turbo charger between your modem and their servers.

Let me know....


"MtnLadyinBlackHills1986"
 
Guest

First, I'd like to thank everyone for being so understanding when I sent my
distress message that too many people were trying to help and I was
hopelessly confused. Wouldn't it be a nice world if everyone could be that
way in all walks of life?

Anyway, DatabaseBen, I actually do have some good news to tell you. We do
indeed have dial-up, and our ISP offered a package of Internet tools which
included an "Internet Accelerator" (as they called it). And as I look at the
icon in my toolbar, it appears to be shut off. So I think it is safe, and I
will just reactivate that one item.

BTW, you mentioned earlier about cutting down my start menu. Well,
surprise, I did find out about that a while back. I have de-activated
everything that I don't think is necessary. The one that does bother me is
one called (Startup Item) realsched (Command) "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot

I have checked and every time I turn on the computer (even if I'm not using
Real Player), this comes up, even though I disabled it the time before. None
of the other start-up commands I disabled do that. I believe it was Nass who
suggested it might be an advertiser on Real Player. The fact that it keeps
reactivating itself seems suspicious to me. What do you think? Is there a
way to permanently disable that command?

Can I dare hope that there might be a "light at the end of the tunnel"?
I've got to get off and leave for a little while, but I will definitely be
back to see what you have to say!

Thanks again, DatabaseBen (I assume your name is Ben?)

Sue
 
Guest

Just a quick note... A surprise development (for me, anyway!). Earlier when
I had changed msconfig, I left without rebooting. I reactivated the ISP's
Internet tool and bingo! Up jumped a Real Player pop-up about some music
artist. I looked at msconfig and the Real Player command was still disabled.
Now where did that pop-up come from?

More for you to ponder, DatabaseBen.

Sue
 
