AnimeSuki Forums

Old 2007-05-02, 20:02   Link #41
toru310
Senior Member
 
Join Date: Apr 2006
Location: Philippines
Since everyone (partially including me) is suffering from minor injuries, I suggest that all of you should download Mozilla with an additional add-on of Adblock Plus and SiteAdvisor at least, so that you can see if the site you're surfing is bad or not. Or if you want to be so protected with anything Java and Flash thingy, then go with these settings; with those add-ons you can manually allow sites that you want to get through.

Adblock Plus
NoScript
Flashblock
Remove it Permanently
McAfee SiteAdvisor

P.S. they are all free and those saved my ass from surfing in google!
Hope this helps...Still a minor though XD

Last edited by toru310; 2007-05-02 at 20:45.
Old 2007-05-02, 21:04   Link #42
Ledgem
Love Yourself
 
 
Join Date: Mar 2003
Location: Northeast USA
Age: 38
Does Knoppix come with ClamWinAV and any other tools?
Old 2007-05-03, 01:15   Link #43
Phantom-Takaya
INTJ
*IT Support
 
Join Date: Feb 2007
Location: Alaska
Age: 40
Alright. Here's what Rootkit Revealer has scanned so far:

HKLM\S-1-5-21-860800232-1097640657-3834557708-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG 5/2/2007 9:35 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-860800232-1097640657-3834557708-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU 5/2/2007 9:35 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-860800232-1097640657-3834557708-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:Qbjaybnq.yax 5/2/2007 9:35 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-860800232-1097640657-3834557708-1009\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\MRUListEx 5/2/2007 9:29 PM 36 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-860800232-1097640657-3834557708-1009\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\2\MRUListEx 5/2/2007 7:25 AM 40 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\CLSID\{7B9E7C92-A677-11d7-A773-00C04F68F44E}\Pins\Input\Types\{c7aed331-0000-0348-120c-8d56b23e9ae6}\22 9/19/2006 11:54 AM 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\CLSID\{7B9E7C92-A677-11d7-A773-00C04F68F44E}\Pins\Input\Types\{c7aed331-0000-0348-29a0-8d56b23e9a26}\22 9/19/2006 11:54 AM 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 6/5/2006 10:39 PM 0 bytes Access is denied.

Of course, it's still scanning, so I'll display the rest once it's finished. The strange part is that now, I can go online with any program on normal mode, though I don't think all the problems have been resolved. Now, when I try to play video files of any format, they come out the exact opposite of what they're supposed to be. This is really becoming a pain in the rear to the point that I've chosen to dual-boot with Ubuntu Linux after I resolve this mess so I don't have to deal with virii, adware and any other troublesome codes so much.
Old 2007-05-03, 02:14   Link #44
Phantom-Takaya
INTJ
*IT Support
 
Join Date: Feb 2007
Location: Alaska
Age: 40
Never mind. It seems my computer's still not close to being in the clear. It seems only mIRC and Internet Explorer are the only programs that can go online. Any other program still indicates that there is no internet connection detected. On top of that, Internet Explorer is quite limited to websites I'm able to go on to. It seems any site I manually type in the address bar or link I click that leads to a login point won't load. Then there's the inverted color for any video files I play. I've tried several types of players and I've still got nothing.
Old 2007-05-03, 04:33   Link #45
Jinto
Asuki-tan Kairin ↓
 
 
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
The stuff you've scanned with root kit revealer is very... uhm strange imo. Very many API mismatches in API functions of explorer. That's not typical for normal systems. I assume you have a root kit on your system. Sorry but if it is what I think it is, you will have a hard time getting rid of that.

That means wait, this is start menu related... I first have to decode the stuff *sigh*

HKLM\S-1-5-21-860800232-1097640657-3834557708-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{large number}\Count\

the first key is UEME_UISCUT
the second key is UEME_RUNPATH
the third key is UEME_RUNPATH: Download.lnk

still looks suspicious to me...

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
It should be safe to delete the subkeys... if there is anything important it will be recreated by Windows (use regedit)
the Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\MRUListEx entries seem okay to me.
so do the Pins\Input\Types\ entries and the last one as well.


In your first hijackthis scan I found these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY... io&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY... io&pf=desktop

You fixed them... was that a default value (was your PC shipped with that setting?)

if you run these 2 commands in cmd.exe and post the result... maybe it's lsass that got infected.
dir C:\WINDOWS\system32\lsass.exe /a h > files.txt
notepad files.txt
__________________
Folding@Home, Team Animesuki

Last edited by Jinto; 2007-05-03 at 05:38.
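The ROT13 decoding Jinto does by hand in the post above, as an added example that is not part of any post in this thread: it parses RootkitRevealer rows in the space-separated layout pasted here and decodes the UserAssist value names. The function names `triage` and `decode_userassist_name` and the row regex are assumptions made for this illustration; the sample rows are copied from the scan output posted in the thread.

```python
import codecs
import re

# One report row as pasted in the thread: key path, timestamp, size, finding.
# Parsing anchors on the date so value names containing spaces stay in the path.
ROW = re.compile(
    r"^(?P<path>.+?)\s+(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d+) bytes\s+(?P<finding>.+)$"
)
# UserAssist value names sit under ...\UserAssist\{GUID}\Count\<name>
USERASSIST = re.compile(r"\\UserAssist\\\{[0-9A-Fa-f-]+\}\\Count\\(?P<name>.+)$")


def decode_userassist_name(name):
    """ROT13 rotates only A-Z and a-z, so '_', ':', '.' and digits pass through."""
    return codecs.decode(name, "rot_13")


def triage(lines):
    """Parse report rows and attach the decoded name to UserAssist rows."""
    rows = []
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue  # blank line or text that is not a report row
        row = m.groupdict()
        row["size"] = int(row["size"])
        ua = USERASSIST.search(row["path"])
        row["decoded"] = decode_userassist_name(ua.group("name")) if ua else None
        rows.append(row)
    return rows


# Rows copied from the scan output in this thread (forum line-wrap spaces removed).
SID = r"HKLM\S-1-5-21-860800232-1097640657-3834557708-1009"
COUNT = (SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
         + r"\{75048700-EF1F-11D0-9888-006097DEACF9}\Count")
MISMATCH = "Data mismatch between Windows API and raw hive data."
SAMPLE = [
    COUNT + "\\HRZR_HVFPHG 5/2/2007 9:35 PM 16 bytes " + MISMATCH,
    COUNT + "\\HRZR_EHACNGU 5/2/2007 9:35 PM 16 bytes " + MISMATCH,
    COUNT + "\\HRZR_EHACNGU:Qbjaybnq.yax 5/2/2007 9:35 PM 16 bytes " + MISMATCH,
    SID + r"\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\MRUListEx"
        + " 5/2/2007 9:29 PM 36 bytes " + MISMATCH,
    r"HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg"
    + " 6/5/2006 10:39 PM 0 bytes Access is denied.",
]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        label = r["decoded"] or "(not a UserAssist value)"
        print(f'{r["when"]:>19}  {r["size"]:>3} B  {label}  [{r["finding"]}]')
```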
Old 2007-05-03, 07:34   Link #46
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
Quote:
Originally Posted by Ledgem View Post
Does Knoppix come with ClamWinAV and any other tools?
Yes, since 4.0.

See: http://www.oreillynet.com/sysadmin/b..._kid_in_a.html

I don't know if it's included on the CD version. I tried mounting my 5.0.1 ISO image (using -o loop; very handy!), but the actual software is all stored in a big compressed file that I couldn't unpack easily.

The easiest way to answer these questions is to burn a copy, toss it into the CD drive, and reboot. Like all live-CD versions of Linux it won't change anything on your hard drives without your telling it to do so.

"ClamWin" is just a wrapper around the command-line tools found in ClamAV. It adds a couple of GUI screens for configuration, but essentially all the work is done by the programs like clamscan.
Old 2007-05-05, 23:30   Link #47
Phantom-Takaya
INTJ
*IT Support
 
Join Date: Feb 2007
Location: Alaska
Age: 40
Quote:
Originally Posted by Jinto Lin View Post
In your first hijackthis scan I found these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY... io&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY... io&pf=desktop

You fixed them... was that a default value (was your PC shipped with that setting?)
Yes. That's the default value.

As for everything else, it seems running hijack this had taken care of the virus problem, but the virus had left such a mess that it was hard to recover the computer to the way it was. Unfortunately, by the time I managed to repair the computer to its functional state, I didn't realise that the hard drive was badly fragmented. So, when I attempted to partition the hard drive so that I can install Ubuntu Linux for a dual boot, the partition failed and caused the hard drive to further fall apart. Now, the problem is that the computer would restart automatically once it attempted to load Windows, Normal Mode or Safe Mode. I've tried several tools I have that do not rely on Windows to start up to repair the hard drive, but to no avail. So, I'm going to take the hard drive and place it in an enclosure to take to a friend's computer and possibly attempt to at least recover the important files I had on it before formatting, partitioning and reinstalling Windows to it.

If anyone's got any suggestions, I'm all ears.
Old 2007-05-07, 02:05   Link #48
AndyTran
Over Drive!
 
Join Date: Mar 2006
Age: 33
Load Linux by CD or a USB drive
http://www.damnsmalllinux.org/
Delete stuff or partition until you have enough space for a defragment

Though actually Knoppix would be a safer bet since it's compatible with a lot more things... Just a longer download
Old 2007-05-08, 01:19   Link #49
Furuno
Fuwaaa~~~
*IT Support
 
 
Join Date: Apr 2007
Location: Indonesia
Age: 34
Sorry been away for a while... I had my school final exam.

Thanks for all of your help. Now it's already recovered. Now it's installed with Slackware 10.2 with fluxbox just like mine.
Old 2007-05-08, 22:13   Link #50
Oujirou
イルージョン
 
 
Join Date: Aug 2004
Location: Canada
Age: 39
That's good. If you still didn't have it fixed, and couldn't access system restore from the windows area, you could've tried booting up into the safe-mode menu and that gives you the option to do a restore to a previous date.
Old 2007-05-08, 22:20   Link #51
WanderingKnight
Gregory House
*IT Support
 
 
Join Date: Jun 2006
Location: Buenos Aires, Argentina
Age: 35
Quote:
If you still didn't have it fixed, and couldn't access system restore from the windows area, you could've tried booting up into the safe-mode menu and that gives you the option to do a restore to a previous date.
That'd hardly work in the case of a root kit, I presume. The System Restore function isn't some kind of God, you know. There's a limit to its functionality, and it's actually quite limited... It'd be stupid for virus makers to be screwed up so easily by a Windows integrated tool. They know how to handle that kind of stuff (especially if we're talking about integrated stuff...).

Remember, every security system has holes. What matters is how many people use that system to make the virus development worthwhile. If the people who use Windows (which sums up about 90% of the PC home user population) could fix it that easily, then there'd be no point in making the virus.
__________________


Place them in a box until a quieter time | Lights down, you up and die.
Old 2007-05-08, 23:26   Link #52
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
Quote:
Originally Posted by WanderingKnight View Post
That'd hardly work in the case of a root kit, I presume. The System Restore function isn't some kind of God, you know. There's a limit to its functionality, and it's actually quite limited... It'd be stupid for virus makers to be screwed up so easily by a Windows integrated tool. They know how to handle that kind of stuff (especially if we're talking about integrated stuff...)
I was curious about the effectiveness of the System Restore function so I searched around a bit. The consensus was that you must turn off System Restore before removing a virus so that the virus scanner can remove any copies it finds in the Restore area on the hard drive. When you turn off System Restore, all your prior restore points are removed (or so it says here; I've never done this myself since I don't use Windows). If that's true, then System Restore seems useless if you have an infected system.

I've seen stories about proof-of-concept viruses that install themselves as virtual machine managers below the operating system level, much the way Xen or VMware enable virtualization of operating systems. A virus at this level would be invisible to any scanners running in the hosted virtual machines. You may think you're running Windows, but in reality your copy of Windows is running in a VM hosted by the virus. Who knows what's running in the other VMs, but it might not be nice. Talk about a rootkit!

Wandering Knight, I hope I haven't created more worries for you again!
Old 2007-05-11, 10:16   Link #53
Phantom-Takaya
INTJ
*IT Support
 
Join Date: Feb 2007
Location: Alaska
Age: 40
It's true that System Restore didn't help in this situation. It was affected so I couldn't use it.

I was able to get the computer back to normal to a certain point without having to rely on a formation, partition and full OS reinstall. In safe mode, everything but the browsers work now, thus the last and final problem I may need help on. Of course, what my friend and I had noticed after we restored the hard drive in other conventional ways was that there was a lot of desktop.ini placed in a few hundred folders. Mainly the ones that would say "system" or "download." That much I could tell is a virus. I've tried going into safe mode and do a search for "desktop.ini" in the hard drives to delete each one while using hijackthis, smitfraudfix, ad-aware SE, spybot, spysweeper, anti-virus and a few other utilities I had to try and root out the problem. I even updated each program before I tried anything. Unfortunately, it was a failure.

Luckily, I have Linux installed now, which is what I'm using now, so the virus is contained in the hard drive that has Windows.

Before I switch back to Windows and go to safe mode to try and tinker around again, does anyone have a suggestion?
Old 2007-05-11, 10:33   Link #54
Jinto
Asuki-tan Kairin ↓
 
 
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
Maybe a suggestion if everything else fails...

First you need to save the folder WINDIR\system32\config to a secure place (using Linux or a second installation of Windows). Then you'd delete this folder in your current Windows installation, then overinstall the current Windows in the current Windows folder (so all the old 3rd party dlls and stuff should remain). Then you'd copy back the saved config folder using Linux or a second installation of Windows. Then before you restart into that reinstalled Windows you'd need to scan it with all your anti virus/malware tools from inside Linux or a second installation of Windows (in your case a temporary second installation of Windows will be the best option, since you can run the tools without emulation - which would be necessary from inside Linux).
Then when everything is clean, you can restart the reinstalled Windows version and update all the service packs and security updates that were previously installed (if that is done the OS might run clean then).
Old 2007-05-11, 23:29   Link #55
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
Perhaps 10% of web sites contain malicious code?!

The BBC reports that an analysis by Google of some 4.5 million web pages found that 10% of them contained malicious code.

These pages contain what are known as "drive-by" infections, malware that is downloaded to your computer in the background while you're looking at what's on-screen. From the article,

"The user is presented with links that promise access to 'interesting' pages with explicit pornographic content, copyrighted software or media. A common example are sites that display thumbnails to adult videos.

"The vast majority exploit vulnerabilities in Microsoft's Internet Explorer browser to install themselves.

"Some downloads, such as those that alter bookmarks, install unwanted toolbars or change the start page of a browser, are an annoyance. But increasingly, criminals are using drive-bys to install keyloggers that steal login and password information."

The scale of the problem boggles the mind.

Edit: The complete paper is available here.

Last edited by SeijiSensei; 2007-05-18 at 12:47. Reason: "pages" not "sites"; added link to Usenix paper
Old 2007-05-12, 00:12   Link #56
Phantom-Takaya
INTJ
*IT Support
 
Join Date: Feb 2007
Location: Alaska
Age: 40
Ah. So that's what it is. No wonder I found a keylogger.

And thanks Jinto. I'll have to try that out. Definitely will have to print out what you wrote.
Old 2007-05-12, 00:29   Link #57
WanderingKnight
Gregory House
*IT Support
 
 
Join Date: Jun 2006
Location: Buenos Aires, Argentina
Age: 35
Quote:
Ah. So that's what it is. No wonder I found a keylogger.
What did your friend (or you) browse for?
Old 2007-05-12, 02:16   Link #58
Phantom-Takaya
INTJ
*IT Support
 
Join Date: Feb 2007
Location: Alaska
Age: 40
Unfortunately, it was my brother. He's been getting himself into a lot of trouble lately. Without my permission nor knowledge, he used my computer while I was at work several times. He thought he was sneaky, though I found several clues such as the browser history being filled with sites I would never go to or even would have thought existed to begin with, and the firewall "freaking out" over a number of TCP intrusion attempts. Then there was the chair always being as warm as body heat and hotter than anything else within the room by the time I got home from work. Then, right before my computer started really suffering, I came home to my BitTorrent off and MSN Messenger logged on to his account when I distinctly had all messengers off and the BitTorrent the only program on. The firewall was also disabled. Whatever he did or whatever site he went to was obviously the end of it, causing my computer to suffer the list of things I wrote several posts ago.

That's why I chose to dual-boot to Linux. Not only is it more stable and a little (just a little) more secure, but he wouldn't know how to navigate through it being a typical non-computer savvy "user" he is.

And yes, I can lock the computer, but being that I take off for work early in the morning, locking the computer isn't the first thing in my mind.
Old 2007-05-12, 02:36   Link #59
Ledgem
Love Yourself
 
 
Join Date: Mar 2003
Location: Northeast USA
Age: 38
Quote:
Originally Posted by Phantom-Takaya View Post
Then there was the chair always being as warm as body heat and hotter than anything else within the room by the time I got home from work.
I feel guilty about what went through my mind, trying to imagine just what your brother was doing. I apologize.

The security business is getting pretty frightening. If you're comfortable with Linux, I recommend using it as your primary OS and using VMware to run Windows XP when necessary (assuming it'll work nicely with your hardware). VMware made their server edition free a month or two back; you just need to register some information and tell them how many serial keys you want. This is my ideal setup, but Linux is still a bit inaccessible to me (probably because I keep attempting to perform modifications that are still too advanced for me) and my desktop hardware will probably choke on virtualization. Works out nicely for me on my dual core laptop, though - just pop in and out of Windows to access Office (I've already replaced a good chunk of the other software I would normally use).
Old 2007-05-12, 02:38   Link #60
WanderingKnight
Gregory House
*IT Support
 
 
Join Date: Jun 2006
Location: Buenos Aires, Argentina
Age: 35
Haha, I've had my share of trouble with my sister about that, but it was enough to lock my PC for a couple of weeks, and then she forgot about it altogether. I never broke it to her that I had found out she had sneaked in (in my case I casually clicked on Firefox's history tab--it was terribly coincidental since I was always using lolifox. I don't know for what random reason did I open Firefox and check the history tab, but it was full of sites I'd never expect to visit), but I guess that from the bad mood she went into the immediate following days, she got the message. Now that I'm running Linux, it's even less of a hassle.

Quote:
Then there was the chair always being as warm as body heat and hotter than anything else within the room by the time I got home from work.
That made me spill my 4:30 AM tea.

I'll be curious, but...

Quote:
Originally Posted by Ledgem
just pop in and out of Windows to access Office
Why don't you use Open Office? O_o

All times are GMT -5.