
Grokster


9 replies to this topic

#1 afodd1

afodd1

  • Members
  • 57 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 24 March 2007 - 04:29 PM

Hi,
I ran a free scan by e-trust pest patrol and it found a supposedly infected registry key under title Grokster. The item is described as "high threat" and tells me I need to purchase the full pest patrol to correct it. The registry key description is given as

hkey_current_user\software\appconf

I've run several antivirus (panda total, trend micro, bitdefender) and spyware (spy sweeper, adaware, spybot) programs but they don't find this problem. I checked out what Grokster is, it seems to be a P2P sharing program which I've never downloaded- is this something to worry about or is pest patrol mistaken?


#2 buddy215

buddy215

  • Moderator
  • 13,195 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:06:13 PM

Posted 24 March 2007 - 04:45 PM

If that file is actually on your computer, it is malware.
Big If. Can you actually find that reference in your registry? If not, I would consider it a false positive since none of the other programs are finding it. Are you having any symptoms of malware?

http://www.bleepingcomputer.com/startups/a....exe-10329.html
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 afodd1

afodd1
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 24 March 2007 - 05:06 PM

Thanks for the quick reply!

I've looked up the registry, it contains two entries. I'm not sure what they mean, so maybe you could help interpret?

The entries are

1. Name: (Default) Type: REG_SZ Data: (value not set)

2. Name: confset Type: REG_DWORD Data: 0x00000001 (1)

These entries are contained in a folder appconf which is a subfolder of Alps


I've done a search on my computer for appconf, but I can't find it. Any suggestions?

#4 afodd1

afodd1
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 24 March 2007 - 05:10 PM

My mistake, it is not a subdirectory of Alps; it has its own entry.

Thanks!

#5 afodd1

afodd1
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 24 March 2007 - 05:14 PM

In answer to whether I am experiencing symptoms of malware: not sure. There are times when my internet connection is v. slow, but that could be just the ISP. I'll keep an eye out for any other unusual activity.

#6 mz30

mz30

  • Members
  • 828 posts
  • OFFLINE
  • Gender:Male
  • Location:liverpool,england
  • Local time:11:13 PM

Posted 24 March 2007 - 05:17 PM

Go to the malware section on this site and follow the directions. Someone from the HJT team will help you out; that's your best bet :thumbsup:
god my head hurts.
if you don't ask ,you don't know




#7 buddy215

buddy215

  • Moderator
  • 13,195 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:06:13 PM

Posted 24 March 2007 - 05:46 PM

When you looked at the info for "appconf" in the link above, did you notice that it would show as a "04" entry in Hijack This? If it was on your comp.

Edited by buddy215, 24 March 2007 - 05:47 PM.


#8 afodd1

afodd1
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 25 March 2007 - 10:37 PM

Ok,
sorry about the delay.
I don't see any reference to appconf.exe in the Hijackthis scan, so should I just delete the registry key entry?
Or should I post the Hijack this log as suggested by the Liverpool fan?
I appreciate all help provided......

#9 buddy215

buddy215

  • Moderator
  • 13,195 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:06:13 PM

Posted 26 March 2007 - 06:54 AM

No, do not delete it. There are several references to appconf in Google search that are not malware related. One is appconf.dll that is part of Windows OS. I would say chalk it up to a false positive.
If you would like, you can certainly post in the Hijack Forum.

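Added example, not part of any post in this thread: the check the posters walk through above, looking in a HijackThis log for an O4 autostart entry or a running process that matches the flagged name before trusting a single scanner's registry-key detection. The sample log is constructed and the function names are illustrative.

```python
import re

# Constructed sample in HijackThis log layout; not the poster's actual log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Example\updater.exe

O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Example Updater.lnk = C:\Program Files\Example\updater.exe
O23 - Service: Example Service - Unknown owner - C:\example\svc.exe
"""

# Registry autostart: O4 - HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^O4 - (HK[^:]+): \[([^\]]*)\] (.+)$")
# Startup folder item: O4 - Startup: shortcut.lnk = target
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.+?)(?: = (.+))?$")

def autostart_entries(log_text):
    """Return (location, name, command) for every O4 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip()) or STARTUP_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3) or ""))
    return entries

def running_processes(log_text):
    """Return the paths listed under 'Running processes:'."""
    lines = [l.strip() for l in log_text.splitlines()]
    if "Running processes:" not in lines:
        return []
    procs = []
    for line in lines[lines.index("Running processes:") + 1:]:
        if not line:  # the process list ends at the first blank line
            break
        procs.append(line)
    return procs

def corroborate(log_text, name):
    """Collect log evidence that a program called `name` loads or runs."""
    name = name.lower()
    starts = [e for e in autostart_entries(log_text)
              if name in e[1].lower() or name in e[2].lower()]
    procs = [p for p in running_processes(log_text) if name in p.lower()]
    return {"autostart": starts, "running": procs,
            "corroborated": bool(starts or procs)}
```

An empty result for the flagged name means the log offers no supporting evidence for the detection; it does not by itself prove the key is harmless.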
#10 afodd1

afodd1
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 26 March 2007 - 07:57 AM

ok thanks!! :thumbsup:



