2009-05-12, 09:24 | Link #21
ひきこもりアイドル
IT Support
Join Date: Feb 2009
Location: Pennsylvania, United States
Age: 34
A rootkit is a program that is hidden in the system and runs in the background without the user knowing. Some of these can open a backdoor for an attacker to take control of your system. The famous example is the Sony BMG DRM rootkit that happened in 2005. Not all rootkits are malicious in nature; some are required for a program to operate, such as Daemon Tools, which is a virtual CD manager.
If you want to know more, I suggest reading this article about rootkits: http://en.wikipedia.org/wiki/Rootkit
2009-05-12, 09:57 | Link #22
NYAAAAHAAANNNNN~
Join Date: Nov 2007
Age: 35
EDIT: Sorry for not reading through, but from these 4 which I can see:

mswsock.dll - It is the Windows socket service provider. Should be harmless. But you can try typing netsh winsock reset and netsh int ip reset to reset the config to default.

WS2_32.dll - This contains the Windows Sockets API. Whatever you do, DO NOT DELETE/ALTER THIS AND ITS RELATED REGISTRY KEYS. I don't know how to fix this corruption, other than the generic "reinstall Windows" procedure.

svchost.exe - How many instances of these are running in your system on tasklist? It is used to run your DLL files, and each of them can mean a different process.

kerne132.dll - I don't think that is a typo (L and 1 are too far away from each other on the keyboard). Could be a trojan masquerading as kernel32.dll. Go to C:\Windows\System and see if it is there. Kernel32.dll should be in C:\Windows\System32; possible masquerades don't install there. If it is in C:\Windows\System do the following:
1. Delete that file. If it is indicated as a running process and you can't turn it off, I suggest you corrupt it with Simple File Shredder.
2. Go Start > Run > regedit. Find kerne132.dll SPECIFICALLY and wipe that registry key. But remember to back up your registry first.
3. Restart your computer and see if it is still there.

I suggest you download HijackThis and post your log here. I think I still can read the logs after a few years of not using that program. If I can't, one of the pros here can do more with that than an amateur like me.

Last edited by SaintessHeart; 2009-05-12 at 10:20.
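A small check in the spirit of the kerne132.dll advice above, as an added example (not code from the thread or from any tool named in it): it folds look-alike characters before comparing file names against a baseline of genuine system files, so a masquerading spelling, or the right name in the wrong folder, gets flagged for review. The baseline dictionary and the sample paths are assumptions constructed for the example.

```python
"""Added example: flag file names that imitate core Windows binaries, e.g.
"kerne132.dll" (digit 1 for letter l) or a genuine name in the wrong folder."""
import ntpath

# Baseline of genuine names and where each is expected to live.
# Assumed, illustrative list for this example; extend it for real use.
KNOWN_SYSTEM_FILES = {
    "kernel32.dll": r"c:\windows\system32",
    "ws2_32.dll": r"c:\windows\system32",
    "mswsock.dll": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}
# Characters routinely swapped for one another in masquerading names.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "i": "l", "|": "l"})

def normalise(name: str) -> str:
    """Lower-case a file name and fold confusable characters (1 -> l, 0 -> o)."""
    return name.lower().translate(CONFUSABLES)

def check_path(path: str):
    """Classify one full path: returns (verdict, genuine_name) with verdict
    "ok", "lookalike-name" or "unexpected-location", or None if unrelated."""
    directory, name = ntpath.split(path)
    directory, name = directory.lower(), name.lower()
    for genuine, expected_dir in KNOWN_SYSTEM_FILES.items():
        if normalise(name) != normalise(genuine):
            continue            # does not resemble this baseline entry
        if name != genuine:
            return ("lookalike-name", genuine)      # spelling differs
        if directory != expected_dir:
            return ("unexpected-location", genuine) # right name, wrong folder
        return ("ok", genuine)
    return None

def scan(paths):
    """Return [(path, verdict, genuine)] for every path that is not clean."""
    findings = []
    for path in paths:
        result = check_path(path)
        if result is not None and result[0] != "ok":
            findings.append((path, result[0], result[1]))
    return findings

if __name__ == "__main__":
    # Constructed sample listing, modelled on the paths discussed in the thread.
    sample = [r"C:\WINDOWS\system32\kernel32.dll", r"C:\WINDOWS\System\kerne132.dll",
              r"C:\WINDOWS\system32\svch0st.exe", r"C:\WINDOWS\system32\atmf.dll"]
    for finding in scan(sample):
        print("%s: %s (imitates %s)" % finding)
```

Feed it the paths from a tasklist or HijackThis listing; anything reported is a candidate to verify against a known-good copy, not proof of infection.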
2009-05-12, 11:46 | Link #23
Senior Member
Author
Join Date: Oct 2007
Location: Philippines
Age: 47
Also, since some RBN squatters seem to have taken secret residence in the hard disk, there's RootkitRevealer from Windows Sysinternals. Tool might help you find where the buggers are.
2009-05-12, 12:21 | Link #24
(。☉౪ ⊙。)
Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
I did a step by step procedure on Bullguard and it seems everything has been solved. I am still hoping someone would check out my logs to see if it is truly clean. I'll put them up here as well, since the people at Bullguard removed my topic, probably because I am not one of their customers.

Upon viewing the results from ComboFix, when it comes to this rootkit the kit was located in my drivers of my usb D:, all of them starting with ovfsth with more numbers and either .dll or .dat at the end. They have been removed by ComboFix, as well as several other spam-spreading files. But everything is working again, no errors, nothing. I installed all my software afterwards (3ds Max, Office and Adobe) and they all work fine, but just in case I'll post all 3 logs up (Malwarebytes, ComboFix and lastly a HijackThis).

Another miracle D: my usb station returned, omg! Seems like the deletion of the rootkit made my usb device station visible again; ever since the last attack 3 weeks ago I had been unable to even see these things.

AND ANOTHER OMG! Jinto should remember this: in my disc management my pc was still unable to read and recognize my discs, but they are listed now as well! Both my C:/ and D:/ are now listed D: a miracle has happened! I guess my pc wasn't perfectly clean after I reformatted it 3 weeks ago, because then those stations had been visible for like a day before vanishing again, as well as my usb station under My Computer.

I had scanned Malwarebytes first, then ComboFix and lastly did the HijackThis log.
2009-05-12, 12:25 | Link #25
NYAAAAHAAANNNNN~
Join Date: Nov 2007
Age: 35
Screw Norton Ghost. Erase everything.
Did you do a quick format or a thorough one? Also after formatting remember to shut down and discharge your PC as a safeguard, some viruses store themselves in the RAM during the format, then rewrite into the HD after it is done. Either that or your disk has a bad sector, which means it isn't a virus after all.
2009-05-12, 13:06 | Link #26
(。☉౪ ⊙。)
Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
I think it was a quick one, I don't know much about reformatting. Basically I inserted the Windows CD and reinstalled Windows, but kept all my data safe except what was stored in My Documents etc. After that I installed the drivers of my graphics card etc. and reinstalled my software; that was it.

There is one entry that I am still concerned about: O2 - BHO: (no name) - {C97FDF20-78B1-410F-9E8F-A5EF2A1326E1} - C:\WINDOWS\system32\atmf.dll

ComboFix and Malwarebytes have been unable to delete it, and when I try and remove it with HijackThis it returns the next time I scan. When I google I only get virus warnings etc. but never a clear notice on how I can remove it or what process name it hides under so I can terminate it and then remove it manually. I also read that it can be related to Adobe fonts, though I upped it to Jotti, which can scan individual files, and the result is that out of 20 scanners 3 say it is malware: a-squared: Trojan.Trash!IK, AntiVir: TR/Trash.Gen and Ikarus: Trojan.Trash.

Also upped it to VirusTotal: again 3 out of 20 say it is malware.
Detections: AntiVir - TR/Trash.Gen; Ikarus - Trojan.Trash; McAfee-GW-Edition - Trojan.Trash.Gen.
No detection: AhnLab-V3, Antiy-AVL, Authentium, Avast, AVG, BitDefender, CAT-QuickHeal, ClamAV, Comodo, DrWeb, eSafe, eTrust-Vet, F-Prot, F-Secure, Fortinet, GData, K7AntiVirus, Kaspersky, McAfee, McAfee+Artemis, Microsoft, NOD32, Norman, nProtect, Panda, PCTools, Prevx1, Rising, Sophos, Sunbelt, Symantec, TheHacker, TrendMicro, VBA32, ViRobot, VirusBuster.
2009-05-12, 13:06 | Link #27
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
Ah and btw... Try to use just legit software on your system (you never know what sort of wicked set of trojans is installed with pirated software). I mean you can wipe your system as much as you want, but it won't make things better if you later just re-install the virii and trojans.
2009-05-12, 13:15 | Link #28
(。☉౪ ⊙。)
Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
Jinto, what are your thoughts on atmf.dll? Read it is also used for fonts by Adobe, but Malwarebytes and ComboFix both want it to have a no-go.
2009-05-12, 14:35 | Link #29
Senior Member
Join Date: Sep 2008
Then it means that the malware was hiding in your personal data and was merely waiting for you to open something in order to reinfect your system. The best way to avoid this is to do a complete format and get rid of everything on the Windows partition and then, before accessing your personal data, do a full system update, install antivirus and antimalware software and do a thorough scan of said personal data.
2009-05-12, 15:27 | Link #30
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
If you want to have my honest opinion... I would not want to share any data with your PC in a LAN... actually I would not want it to be connected to the same LAN. Btw. both PCs could be affected. So in a worst case scenario you would have to clean both machines at the same time. (Now this decision is left to you... depends on what you consider to be a robust cleaning strategy.)
2009-05-12, 15:56 | Link #31
(。☉౪ ⊙。)
Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
I think I'm going to leave it, though the guys at the HijackThis forums are finally helping me out now and checking my logs. Goodnight folks, time to catch up on the 4 hours of sleep I had yesterday. Really, what a day... I hate fixing computers, it's bad for my health, I get too stressed out.
2009-05-12, 16:09 | Link #32
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
But you are probably right, it should most likely be clean.
But I suggest you try to clean it with their help anyway. Best way to learn is practice. So even if the system is not clean after this, you most likely learned more about the matter.
2009-05-13, 00:12 | Link #33
NYAAAAHAAANNNNN~
Join Date: Nov 2007
Age: 35
If you want a full format, you can do this:
1. Run in MS-DOS mode.
2. Type in: format C:
Follow the instructions and press Y when necessary. This should take around half an hour depending on how fast your computer is.

Since you mentioned that both your computers connected to the same network might be infected, it would be best if you format both of them before reinstalling anything at all. Oh yes, and before formatting disconnect them from your central modem/router just in case of cross infection. If you can get your hands on a degausser it would be the best, but I know that those things don't come by easily. If all that fails, buy a new hard drive.
2009-05-13, 02:09 | Link #34
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
The "but be careful about the stuff they install" clause is actually very funny. How do you see if it installs a runtime-encrypted trojan with the program (in the program)? Often that shit is in the crack files anyway, but not always.
2009-05-13, 04:06 | Link #35
NYAAAAHAAANNNNN~
Join Date: Nov 2007
Age: 35
It has always been my personal belief that one should take responsibility for whatever program he/she uses, and constantly update him/herself on concurrent dangers of modern software.
2009-05-17, 18:22 | Link #36
Founder, Sprocket Hole
Fansubber
Join Date: Apr 2004
Location: Fresno or Sacramento, CA
Age: 55
If anything he might try Darik's Boot and Nuke (sometimes known simply as "DBAN"). Those do a pretty good job of destroying the contents of a hard drive, especially if you want to either rid it of viruses or just want to sell the drive to someone, making sure it's completely rid of any private data.

Curious, what do you mean by this?

--Ian.

P.S. The plural form of "virus" is not "virii". Not to mention, the proper form of pluralizing a "-us" Latin word is "-i", not "-ii". And "virusses", as has been mentioned earlier in the thread, is also incorrect. It is, in fact, "viruses".
2009-05-17, 18:45 | Link #37
Senior Member
Artist
Join Date: Feb 2009
Location: Orange County, California
2009-05-18, 13:36 | Link #38
(。☉౪ ⊙。)
Author
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
and was not about child porn; it was merely a bot spreading porn spam emails that they were concerned about.
2009-05-19, 02:05 | Link #40
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43