AnimeSuki Forums

2009-05-12, 09:24   Link #21
chikorita157
ひきこもりアイドル
*IT Support
Join Date: Feb 2009
Location: New Jersey, United States
Age: 24
A rootkit is a program that is hidden in the system and runs in the background without the user knowing. Some of these can open a backdoor for an attacker to take control of your system. The famous example is the Sony BMG DRM rootkit that happened in 2005. Not all rootkits are malicious in nature; some are required for a program to operate, such as Daemon Tools, which is a virtual CD manager.

If you want to know more, I suggest reading this article about rootkits: http://en.wikipedia.org/wiki/Rootkit
2009-05-12, 09:57   Link #22
SaintessHeart
Ehh? EEEEHHHHHH?
Join Date: Nov 2007
Age: 25

EDIT: Sorry for not reading through, but from these 4 which I can see,

mswsock.dll - It is the Windows socket service provider. Should be harmless. But you can try typing

netsh winsock reset

and

netsh int ip reset

to reset the config to default.

WS2_32.dll

This contains the Windows Sockets API. Whatever you do, DO NOT DELETE/ALTER THIS AND ITS RELATED REGISTRY KEYS. I don't know how to fix this corruption, other than the generic "reinstall Windows" procedure.

svchost.exe

How many instances of these are running in your system on tasklist? It is used to run your DLL files, and each of them can mean a different process.

kerne132.dll

I don't think that is a typo (L and 1 are too far away from each other on the keyboard). Could be a trojan masquerading as kernel32.dll. Go to C:\Windows\System and see if it is there. Kernel32.dll should be in C:\Windows\System32; possible masquerades don't install there. If it is in C:\Windows\System, do the following:

1. Delete that file. If it is indicated as a running process and you can't turn it off, I suggest you corrupt it with Simple File Shredder.

2. Go Start > Run > regedit. Find kerne132.dll SPECIFICALLY and wipe that registry key. But remember to back up your registry first.

3. Restart your computer and see if it is still there.

I suggest you download HijackThis and post your log here. I think I still can read the logs after a few years of not using that program. If I can't, one of the pros here can do more with that than an amateur like me.

Last edited by SaintessHeart; 2009-05-12 at 10:20.
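The masquerade check above (a look-alike name such as kerne132.dll, or a real system binary turning up outside System32) can be automated. The following Python script is an editor-supplied example added to this thread; it is not code from any poster or from any tool named here. The expected-location table, the set of confusable characters and the sample inventory are constructed for the example; on a real machine you would feed it paths from a walk of the disk, which the scan_tree helper does.

```python
import os
import ntpath

# Canonical system binaries and where each is expected to live on the Windows XP-era
# layout discussed in the thread. Constructed for this example; extend as needed.
EXPECTED = {
    "kernel32.dll": r"c:\windows\system32",
    "ws2_32.dll": r"c:\windows\system32",
    "mswsock.dll": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}

# Characters commonly substituted because they look like the original in most fonts
# (the thread's kerne132.dll swaps the digit 1 for the letter l). Assumed set.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o"})


def normalize(name):
    """Lower-case a file name and fold confusable characters onto their look-alikes."""
    return name.lower().translate(CONFUSABLES)


def classify(path):
    """Return (verdict, canonical_name) for one path.

    verdict is one of:
      "ok"         the real name in its expected directory
      "misplaced"  the real name somewhere else (a copy outside System32)
      "lookalike"  a confusable spelling of a real name, in any directory
      "unrelated"  not one of the watched names
    """
    directory, name = ntpath.split(path)
    directory = directory.lower().rstrip("\\")
    lname = name.lower()
    if lname in EXPECTED:
        return ("ok", lname) if directory == EXPECTED[lname] else ("misplaced", lname)
    norm = normalize(lname)
    for canonical in EXPECTED:
        if norm == normalize(canonical):
            return ("lookalike", canonical)
    return ("unrelated", None)


def triage(paths):
    """Keep only the findings a responder needs to look at: (path, verdict, canonical)."""
    findings = []
    for path in paths:
        verdict, canonical = classify(path)
        if verdict in ("misplaced", "lookalike"):
            findings.append((path, verdict, canonical))
    return findings


def scan_tree(root):
    """Walk a real directory tree (e.g. a mounted Windows volume) and triage every file."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            paths.append(ntpath.join(dirpath, f))
    return triage(paths)


# Constructed sample inventory, not taken from any real machine or from the thread's logs.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\System\kerne132.dll",
    r"C:\WINDOWS\system32\ws2_32.dll",
    r"C:\Documents and Settings\user\svchost.exe",
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    for path, verdict, canonical in triage(SAMPLE_PATHS):
        print(f"{verdict:10} {path}  (real name / expected: {canonical})")
```

Two findings come out of the sample: the kerne132.dll look-alike in C:\Windows\System and an svchost.exe copy under a user profile. The check is only as good as the EXPECTED table; a file that passes it can still be a modified copy of the genuine DLL, which is what hash comparison or an on-demand scanner is for.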
2009-05-12, 11:46   Link #23
sa547
Senior Member
*Author
Join Date: Oct 2007
Location: Philippines
Age: 37
Also, since some RBN squatters seem to have taken secret residence in the hard disk, there's RootkitRevealer from Windows Sysinternals. The tool might help you find where the buggers are.
2009-05-12, 12:21   Link #24
-KarumA-
(。☉౪ ⊙。)
*Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 26
I did a step-by-step procedure on Bullguard and it seems everything has been solved. I am still hoping someone would check out my logs to see if it is truly clean. I'll put them up here as well, since the people at Bullguard removed my topic, probably because I am not one of their customers.

Upon viewing the results from ComboFix, when it comes to this rootkit the kit was located in my drivers of my USB D:, all of them starting with ovfsth with more numbers and either .dll or .dat at the end. They have been removed by ComboFix, as well as several other spam-spreading files.

But everything is working again, no errors, nothing. I installed all my software afterwards (3ds Max, Office and Adobe) and they all work fine, but just in case I'll post all 3 logs up (Malwarebytes, ComboFix and lastly a HijackThis).

Another miracle D: my USB station returned, omg! Seems like the deletion of the rootkit made my USB device station visible again; ever since the last attack 3 weeks ago I had been unable to even see these things.

AND ANOTHER OMG! Jinto should remember this: in my disk management my PC was still unable to read and recognize my discs, but they are listed now as well! Both my C:/ and D:/ are now listed D: a miracle has happened! I guess my PC wasn't perfectly clean after I reformatted it 3 weeks ago, because then those stations had been visible for like a day before vanishing again, as well as my USB station under My Computer.

I had scanned with Malwarebytes first, then ComboFix, and lastly did the HijackThis log.
2009-05-12, 12:25   Link #25
SaintessHeart
Ehh? EEEEHHHHHH?
Join Date: Nov 2007
Age: 25
Screw Norton Ghost. Erase everything.

Did you do a quick format or a thorough one? Also, after formatting, remember to shut down and discharge your PC as a safeguard; some viruses store themselves in the RAM during the format, then rewrite into the HD after it is done.

Either that or your disk has a bad sector, which means it isn't a virus after all.

When three puppygirls named after pastries are on top of each other, it is called Eclair a'la menthe et Biscotti aux fraises avec beaucoup de Ricotta sur le dessus.
Most of all, you have to be disciplined and you have to save, even if you hate our current financial system. Because if you don't save, then you're guaranteed to end up with nothing.
2009-05-12, 13:06   Link #26
-KarumA-
(。☉౪ ⊙。)
*Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 26
I think it was a quick one; I don't know much about reformatting.
Basically I inserted the Windows CD and reinstalled Windows, but kept all my data safe except what was stored in My Documents etc.

After that I installed the drivers for my graphics card etc. and reinstalled my software; that was it.

There is one entry that I am still concerned about:

O2 - BHO: (no name) - {C97FDF20-78B1-410F-9E8F-A5EF2A1326E1} - C:\WINDOWS\system32\atmf.dll

ComboFix and Malwarebytes have been unable to delete it, and when I try to remove it with HijackThis it returns the next time I scan. When I Google it I only get virus warnings etc., but never a clear notice on how I can remove it or what process name it hides under so I can terminate it and then remove it manually. I also read that it can be related to Adobe fonts, though.

I upped it to Jotti, which can scan individual files, and the result is that out of 20 scanners 3 say it is malware:
a-squared: Trojan.Trash!IK
AntiVir: TR/Trash.Gen
and Ikarus: Trojan.Trash

Also upped it to VirusTotal:
again 3 out of 20 say it is malware

AhnLab-V3 - - -
AntiVir - - TR/Trash.Gen
Antiy-AVL - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
Comodo - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
F-Prot - - -
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - Trojan.Trash
K7AntiVirus - - -
Kaspersky - - -
McAfee - - -
McAfee+Artemis - - -
McAfee-GW-Edition - - Trojan.Trash.Gen
Microsoft - - -
NOD32 - - -
Norman - - -
nProtect - - -
Panda - - -
PCTools - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - -
ViRobot - - -
VirusBuster
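To show how the O2 entry and the multi-engine results in this post can be triaged mechanically, here is an added Python example (editor-supplied; not code from the thread, from HijackThis, Jotti or VirusTotal). It parses a HijackThis O2 (BHO) line, parses scanner lines in the "Engine - - verdict" layout pasted above, and reports how many engines detected the file and whether the hits carry generic/heuristic names, which is the kind of signal weighed later in the thread when a false positive is suspected. The sample lines are constructed from the values in the post, shortened to a handful of engines; the GENERIC_RE name fragments are an assumption, not a vendor standard.

```python
import re

# A HijackThis "O2" (Browser Helper Object) line, e.g.
#   O2 - BHO: (no name) - {C97FDF20-78B1-410F-9E8F-A5EF2A1326E1} - C:\WINDOWS\system32\atmf.dll
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - "
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - "
    r"(?P<path>.+)$"
)

# One scanner line in the layout pasted in the post: "<engine> - - <verdict or ->".
# A line with no trailing columns (like the truncated VirusBuster entry) does not match
# and is treated as "no result" rather than as clean.
ENGINE_RE = re.compile(r"^(?P<engine>\S+)\s+-\s+-\s+(?P<verdict>\S.*)$")

# Name fragments that vendors use for heuristic/generic signatures rather than a
# specific family. Assumption for this example, not an exhaustive list.
GENERIC_RE = re.compile(r"\b(gen|generic|heur)", re.IGNORECASE)


def parse_o2(line):
    """Split an O2 line into name, CLSID and DLL path; None for any other log line."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["unnamed"] = entry["name"] == "(no name)"
    entry["in_system32"] = "\\system32\\" in entry["path"].lower()
    return entry


def parse_engine_results(text):
    """Map engine -> verdict string, or None when the engine reported a dash."""
    results = {}
    for raw in text.splitlines():
        m = ENGINE_RE.match(raw.strip())
        if not m:
            continue
        verdict = m.group("verdict").strip()
        results[m.group("engine")] = None if verdict == "-" else verdict
    return results


def summarize(results):
    """Count detections and single out the ones whose names look generic/heuristic."""
    hits = {engine: v for engine, v in results.items() if v}
    generic = sorted(engine for engine, v in hits.items() if GENERIC_RE.search(v))
    return {"engines": len(results), "detections": len(hits),
            "hits": hits, "generic_engines": generic}


def triage_bho(o2_line, scan_text):
    """Combine the log entry with the multi-engine verdicts into a list of review reasons."""
    entry = parse_o2(o2_line)
    if entry is None:
        return None
    summary = summarize(parse_engine_results(scan_text))
    reasons = []
    if entry["unnamed"]:
        reasons.append("BHO registered without a display name")
    if summary["detections"]:
        reasons.append(f"{summary['detections']} of {summary['engines']} engines flag the file")
    if summary["detections"] and summary["detections"] == len(summary["generic_engines"]):
        reasons.append("every hit is a generic/heuristic signature; weigh a false positive")
    entry["summary"] = summary
    entry["reasons"] = reasons
    return entry


# Constructed sample: the O2 line from the post and a shortened set of engine lines in the
# same layout (verdict strings as pasted in the thread; engines reduced to a handful).
SAMPLE_O2 = ("O2 - BHO: (no name) - {C97FDF20-78B1-410F-9E8F-A5EF2A1326E1} - "
             "C:\\WINDOWS\\system32\\atmf.dll")
SAMPLE_SCAN = """\
AntiVir - - TR/Trash.Gen
Avast - - -
Ikarus - - Trojan.Trash
Kaspersky - - -
McAfee-GW-Edition - - Trojan.Trash.Gen
Microsoft - - -
NOD32 - - -
Symantec - - -
VirusBuster
"""

if __name__ == "__main__":
    result = triage_bho(SAMPLE_O2, SAMPLE_SCAN)
    print(result["path"], result["clsid"])
    for reason in result["reasons"]:
        print(" -", reason)
```

On the sample the script reports an unnamed BHO flagged by 3 of 8 engines, two of them with ".Gen" names; because one hit (Ikarus) is a non-generic family name, the "weigh a false positive" reason is not raised. Engines that returned nothing are excluded from the denominator so a truncated list does not inflate the apparent clean count.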
2009-05-12, 13:06   Link #27
Jinto
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 33
Ah, and btw... try to use just legit software on your system (you never know what sort of wicked set of trojans is installed with pirated software). I mean, you can wipe your system as much as you want, but it won't make things better if you later just re-install the virii and trojans.
2009-05-12, 13:15   Link #28
-KarumA-
(。☉౪ ⊙。)
*Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 26
Quote:
Originally Posted by Jinto
Ah, and btw... try to use just legit software on your system (you never know what sort of wicked set of trojans is installed with pirated software). I mean, you can wipe your system as much as you want, but it won't make things better if you later just re-install the virii and trojans.
Thanks for the warning.
Jinto, what are your thoughts on atmf.dll?
I read it is also used for fonts by Adobe, but Malwarebytes and ComboFix both want it to have a no-go.
2009-05-12, 14:35   Link #29
mechabao
Senior Member
Join Date: Sep 2008
Quote:
Originally Posted by -KarumA-
I think it was a quick one; I don't know much about reformatting.
Basically I inserted the Windows CD and reinstalled Windows, but kept all my data safe except what was stored in My Documents etc.

snip...
Then it means that the malware was hiding in your personal data and was merely waiting for you to open something in order to reinfect your system. The best way to avoid this is to do a complete format and get rid of everything on the Windows partition and then, before accessing your personal data, do a full system update, install antivirus and antimalware software and do a thorough scan of said personal data.
2009-05-12, 15:27   Link #30
Jinto
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 33
Quote:
Originally Posted by -KarumA-
Thanks for the warning.
Jinto, what are your thoughts on atmf.dll?
I read it is also used for fonts by Adobe, but Malwarebytes and ComboFix both want it to have a no-go.
Could be a false positive. But there is no way I can tell you from here if this DLL was somehow infected/injected. AntiVir and McAfee (and some others) use some generic routines to detect transmorphing virii. Polymorphic virii as well as scrambled/runtime-encrypted virii are extremely difficult to detect. If you have one of these, reliable detection will be almost impossible. Since anti-virus software is not always reliable (there are false positives as well as false negatives with this), it is up to you if you want to trust these 3 or believe the results of the others.

If you want to have my honest opinion... I would not want to share any data with your PC in a LAN... actually, I would not want it to be connected to the same LAN.

Btw, both PCs could be affected. So in a worst-case scenario you would have to clean both machines at the same time. (Now this decision is left to you... depends on what you consider to be a robust cleaning strategy.)
2009-05-12, 15:56   Link #31
-KarumA-
(。☉౪ ⊙。)
*Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 26
Quote:
Originally Posted by Jinto
Could be a false positive. But there is no way I can tell you from here if this DLL was somehow infected/injected. AntiVir and McAfee (and some others) use some generic routines to detect transmorphing virii. Polymorphic virii as well as scrambled/runtime-encrypted virii are extremely difficult to detect. If you have one of these, reliable detection will be almost impossible. Since anti-virus software is not always reliable (there are false positives as well as false negatives with this), it is up to you if you want to trust these 3 or believe the results of the others.

If you want to have my honest opinion... I would not want to share any data with your PC in a LAN... actually, I would not want it to be connected to the same LAN.

Btw, both PCs could be affected. So in a worst-case scenario you would have to clean both machines at the same time. (Now this decision is left to you... depends on what you consider to be a robust cleaning strategy.)
No, the other PC is clean; I took it offline and scanned it completely for malware, virusses etc. Nothing showed up on the other one.

I think I'm going to leave it, though the guys at the HijackThis forums are finally helping me out now and checking my logs. Goodnight folks, time to catch up on the 4 hours of sleep I had yesterday. Really, what a day... I hate fixing computers, it's bad for my health, I get too stressed out..
2009-05-12, 16:09   Link #32
Jinto
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 33
Quote:
Originally Posted by -KarumA-
No, the other PC is clean; I took it offline and scanned it completely for malware, virusses etc. Nothing showed up on the other one.
For some reason I smile when I read your statement. I would not declare my system absolutely and with 100% certainty clean, even if I scanned my PC with all the good virus scanners that are available on the market.
But you are probably right, it should most likely be clean.

Quote:
Originally Posted by -KarumA-
I think I'm going to leave it, though the guys at the HijackThis forums are finally helping me out now and checking my logs. Goodnight folks, time to catch up on the 4 hours of sleep I had yesterday. Really, what a day... I hate fixing computers, it's bad for my health, I get too stressed out..
Your logs alone are good when it comes down to malware that can be identified by the names/locations of the files. For the real bad stuff these logs are completely useless!
But I suggest you try to clean it with their help anyway. The best way to learn is practice.
So even if the system is not clean after this, you most likely learned more about the matter.
2009-05-13, 00:12   Link #33
SaintessHeart
Ehh? EEEEHHHHHH?
Join Date: Nov 2007
Age: 25
Quote:
Originally Posted by Jinto
Ah, and btw... try to use just legit software on your system (you never know what sort of wicked set of trojans is installed with pirated software). I mean, you can wipe your system as much as you want, but it won't make things better if you later just re-install the virii and trojans.
Legit software is not always virus-free. Just use any program, but be careful about the stuff they install.

If you want a full format, you can do this:

1. Run in MSDOS mode.

2. Type in:

format C:

Follow the instructions and press Y when necessary. This should take around half an hour, depending on how fast your computer is.

Since you mentioned that both your computers connected to the same network might be infected, it would be best if you format both of them before reinstalling anything at all. Oh yes, and before formatting, disconnect them from your central modem/router just in case of cross-infection. If you can get your hands on a degausser it would be the best, but I know that those things don't come by easily.

If that fails, buy a new hard drive.
2009-05-13, 02:09   Link #34
Jinto
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 33
Quote:
Originally Posted by SaintessHeart
Legit software is not always virus-free. Just use any program, but be careful about the stuff they install.
In contrast to pirated software, legitimate software can be regarded as generally clean (there are very few exceptions, and most likely they are related to freeware tools).

The "but be careful about the stuff they install" clause is actually very funny. How do you see if it installs a runtime-encrypted trojan with the program (in the program)? Often that shit is in the crack files anyway, but not always.

Quote:
Originally Posted by SaintessHeart
If you want a full format, you can do this:

1. Run in MSDOS mode.

2. Type in:

format C:

Follow the instructions and press Y when necessary. This should take around half an hour, depending on how fast your computer is.

Since you mentioned that both your computers connected to the same network might be infected, it would be best if you format both of them before reinstalling anything at all. Oh yes, and before formatting, disconnect them from your central modem/router just in case of cross-infection. If you can get your hands on a degausser it would be the best, but I know that those things don't come by easily.

If that fails, buy a new hard drive.
I don't quite understand why the use of a degausser is recommended. Afaik, if it was software (that just has this name because it reliably overwrites old data... which is still different from degaussing), it is not relevant to the problem. If it was a strong magnet that degausses the HDD, then you can throw the HDD away after this procedure, because the internal format of the HDD is lost. It won't find any sectors anymore.
2009-05-13, 04:06   Link #35
SaintessHeart
Ehh? EEEEHHHHHH?
Join Date: Nov 2007
Age: 25
Quote:
Originally Posted by Jinto
In contrast to pirated software, legitimate software can be regarded as generally clean (there are very few exceptions, and most likely they are related to freeware tools).

The "but be careful about the stuff they install" clause is actually very funny. How do you see if it installs a runtime-encrypted trojan with the program (in the program)? Often that shit is in the crack files anyway, but not always.
I was talking about all software, including open source, freeware, beta etc. After I learnt how to roughly identify surreptitious programs, it became much easier for discretionary download.

It has always been my personal belief that one should take responsibility in whatever program he/she uses, and constantly update him/herself on concurrent dangers of modern software.

Quote:
Originally Posted by Jinto
I don't quite understand why the use of a degausser is recommended. Afaik, if it was software (that just has this name because it reliably overwrites old data... which is still different from degaussing), it is not relevant to the problem. If it was a strong magnet that degausses the HDD, then you can throw the HDD away after this procedure, because the internal format of the HDD is lost. It won't find any sectors anymore.
Sorry, I misread. I thought he was dumping his hard drive..... never mind. I had a caffeine OD for the past few days and my brain is busted.
2009-05-17, 18:22   Link #36
IRJustman
Founder, Sprocket Hole
*Fansubber
Join Date: Apr 2004
Location: Fresno or Sacramento, CA
Age: 45
Quote:
If you want a full format, you can do this:

1. Run in MSDOS mode.

2. Type in:

format C:

Follow the instructions and press Y when necessary. This should take around half an hour, depending on how fast your computer is.
If this person is using Windows 2000, XP or Vista, he can't. There is no "MS-DOS mode" to boot to. These are not based on MS-DOS at all.

If anything, he might try Darik's Boot and Nuke (sometimes known simply as "DBAN"). It does a pretty good job of destroying the contents of a hard drive, especially if you want to either rid it of viruses or just want to sell the drive to someone, making sure it's completely rid of any private data.

Quote:
Originally Posted by Jinto
In contrast to pirated software, legitimate software can be regarded as generally clean (there are very few exceptions, and most likely they are related to freeware tools).
Emphasis mine.

Curious, what do you mean by this?

--Ian.

P.S. The plural form of "virus" is not "virii". Not to mention, the proper form of pluralizing a "-us" Latin word is "-i", not "-ii". And "virusses", as has been mentioned earlier in the thread, is also incorrect. It is, in fact, "viruses".
2009-05-17, 18:45   Link #37
Justin Kim
Senior Member
*Artist
Join Date: Feb 2009
Location: Orange County, California
Quote:
Originally Posted by -KarumA-
I got an email from Ziggo today; this is my internet hook-on company that provides me with this yummy internet hate machine, and they stated that they received a number of complaints that we were mailing about emails containing pornographic spam etc.

Now I was very confused by this. My mom was hysterical, like the little tech caveman she is, and she was talking to me that it was something about child porn, so I went "lol what?!" (lost the game lol)

Anyway, here's where it gets fishy. We have 2 computers in our house and as far as I know my PC is clean, but more on that later. Both PCs have Avast installed together with Comodo, and the only thing my mom/dad do on their PC is either play patience or World of Warcraft; my dad plays that and my mom the standard games. They both don't visit any other sites than the ones they know, and so this left me with the conclusion that it might be my PC that is causing the problem. (Also scanned it and it is clean of anything fishy.)

Now here is the thing: if you scroll back a page (or 4) you can see these topics. I had a horrible virus problem going on several weeks back, in late April I think it was. Something with CSRCS.EXE and several other suddenly spawned files that messed up my PC so badly that it generally thought the only device that was inserted was my DVD burner. This was all caused thanks to a virus on our school computers, and later that week @ school we had some porn problems as well: you'd be following class and shazam, a random porn pop-up shows up (I didn't have this going on on my PC though). I reinstalled Windows several days after all this trouble started, but I would like to hear your opinion about this: could the so-proclaimed porn emailing spam have happened when my computer was entirely infected beyond repair? It is after all less than a month ago when this happened, and I don't know how long it takes before they decide to send you a warning. Also, for spam to be sent you'd get a trojan or virus on your computer, right? Or be stupid enough to fill in your email address on some random website.. I have Avast on this PC including the website protection and email protection function, and we also have this downstairs, so I should be protected, right? I don't do anything stupid like open random emails from people I don't know or download random files from the web.

So Asuki, what do you think about this?
There are many stories like this in the news today; I am sure if you searched a similar story up, something beneficial will pop up. I remember reading an article where a high school teacher was arrested and tried in court for the possible accusation of child pornography. When the police investigated even further (the teacher had no criminal history and was completely clean), they found out that the computer was pretty much a "bomb" that was to be set off towards the victim. You may have a similar situation. The computer that this teacher held was actually custom-built, but I guess someone just had to integrate some sneaky program. You should probably get your computer checked up, or just re-install the service pack you are currently using if this continues. Although it may be a hassle, at least the pain of falsely being accused will go away.

Signature stolen by a horde of carnivorous bunnies. It is an unscientifically proven fact that they are attracted to signatures which break the signature rules.
2009-05-18, 13:36   Link #38
-KarumA-
(。☉౪ ⊙。)
*Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 26
Quote:
Originally Posted by Justin Kim
There are many stories like this in the news today; I am sure if you searched a similar story up, something beneficial will pop up. I remember reading an article where a high school teacher was arrested and tried in court for the possible accusation of child pornography. When the police investigated even further (the teacher had no criminal history and was completely clean), they found out that the computer was pretty much a "bomb" that was to be set off towards the victim. You may have a similar situation. The computer that this teacher held was actually custom-built, but I guess someone just had to integrate some sneaky program. You should probably get your computer checked up, or just re-install the service pack you are currently using if this continues. Although it may be a hassle, at least the pain of falsely being accused will go away.
The problem has already been solved; the bot was nested in my drivers. The reinstallation hadn't cleaned that out, but ComboFix has. The bot has been removed and so far so good.
And it was not about child porn; it was merely a bot spreading porn spam emails that they were concerned about.
2009-05-18, 15:01   Link #39
Vexx
Obey the Darkly Cute ...
*Author
Join Date: Dec 2005
Location: On the whole, I'd rather be in Kyoto ...
Age: 56
yay, another bot node defanged
2009-05-19, 02:05   Link #40
Jinto
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 33
Quote:
Originally Posted by -KarumA-
The problem has already been solved; the bot was nested in my drivers. The reinstallation hadn't cleaned that out, but ComboFix has. The bot has been removed and so far so good.
And it was not about child porn; it was merely a bot spreading porn spam emails that they were concerned about.
You could still have unknown backdoors in your PC. I would not feel very well doing online banking on it. Btw, ComboFix reminds me of something; I had to use it on my aunt's PC once.
All times are GMT -5. The time now is 01:40.