Monthly Archives: December 2009

Rootkit Kryptik.ABX in atapi.sys ( CsimPlayer.exe )


On Friday, December 11 a trojan horse got its way into my Windows.

It all started with AVAST throwing these warnings:

11/12/2009 23:08:51 xxx 412 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\~TM1F1A.tmp” file.

I told AVAST to delete ~TM1F1A.tmp, but AVAST apparently didn’t delete the file. Shortly after, AVAST complained about a system file:

11/12/2009 23:10:08 xxx 412 Sign of “Win32:Cutwail-AD [Trj]” has been found in “C:\WINDOWS\system32\drivers\atapi.sys” file.
11/12/2009 23:10:37 xxx 412 Sign of “Win32:Cutwail-AD [Trj]” has been found in “C:\WINDOWS\system32\dllcache\atapi.sys” file.

Then I looked at the running processes.

A process called CsimPlayer.exe was running and had two child processes svchost.exe attached to it.

Running a SHA hash comparison between CsimPlayer.exe and the tmp file confirmed that CsimPlayer.exe was indeed ~TM1F1A.tmp, the file AVAST identified as malware. The same CsimPlayer was added to the startup registry tree: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (C:\WINDOWS\system32\CsimPlayer.exe)

In the meantime a CMD (command prompt) process was eagerly active running a batch file called fjhdyfhsn.bat. The batch command file contained the following statements (a loop trying to delete Firefox…):

The BAT file was dropped on my system on 11 December at 23:08, moments before the ~temp files.

[Screenshot: troj1]

Another file called siszyd32.exe was dropped in the StartUp folder.

I still don’t know what it was and why Avast isn’t detecting it. I will keep you posted if more info is available.
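The checks described above (hashing the TEMP file against the copy in system32, reading the Run key, listing the Startup folder and looking at both copies of atapi.sys) can be scripted. The block below is an added example, not code from the original post; it assumes PowerShell 2.0 or later on the infected machine and uses the file paths and registry key named in the post. It carries no known-bad hashes: it only tells you whether two files are identical and what is configured to auto-start.

```powershell
# Added triage script, not part of the original post. Assumes PowerShell 2.0+
# on Windows XP/7 and the paths quoted in the post.

function Get-Sha256Hex {
    # SHA-256 of a file as an upper-case hex string (works on PowerShell 2,
    # which has no Get-FileHash cmdlet)
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

# 1. Is the process in system32 the same file AVAST flagged in TEMP?
$suspect  = 'C:\WINDOWS\system32\CsimPlayer.exe'
$tempCopy = 'C:\WINDOWS\TEMP\~TM1F1A.tmp'
if ((Test-Path $suspect) -and (Test-Path $tempCopy)) {
    $same = (Get-Sha256Hex $suspect) -eq (Get-Sha256Hex $tempCopy)
    "Same file (SHA-256 match): $same"
}

# 2. Every auto-start entry in the machine-wide and per-user Run keys
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            "{0}  {1} = {2}" -f $key, $name, $item.GetValue($name)
        }
    }
}

# 3. Anything dropped into the current user's Startup folder
#    (the post found siszyd32.exe there)
$startup = [Environment]::GetFolderPath('Startup')
if (Test-Path $startup) {
    Get-ChildItem $startup | ForEach-Object { "Startup: " + $_.FullName }
}

# 4. Hash both copies of atapi.sys. Both were flagged, so a match between them
#    proves nothing; compare the hashes against the atapi.sys on your install
#    CD or on a known-clean machine with the same service pack. On XP most
#    Microsoft drivers are catalog-signed, so Get-AuthenticodeSignature reporting
#    'NotSigned' is not by itself proof of tampering on older PowerShell versions.
$live  = 'C:\WINDOWS\system32\drivers\atapi.sys'
$cache = 'C:\WINDOWS\system32\dllcache\atapi.sys'
foreach ($drv in $live, $cache) {
    if (Test-Path $drv) {
        $sig = Get-AuthenticodeSignature $drv
        "{0}  SHA-256 {1}  signature: {2}" -f $drv, (Get-Sha256Hex $drv), $sig.Status
    }
}
```

Run it from an Administrator prompt. Because a kernel-mode rootkit can hide files and registry values from a running system, treat a clean result as "nothing visible", not "nothing there"; hashing the drivers from a boot CD gives a more trustworthy answer.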

In the meantime, try the following:

Removal Instructions

You’ve probably got this malware because Java, Flash or Acrobat aren’t up to date. Older versions are insecure and potentially expose your system to security threats! Scan your system with this online scanner.

Removal:

Get Malwarebytes’ Anti-Malware

Computer Shuts Off without any warning….Why?


Why does my computer just shut off without warning?

Well, it’s having some major failure (software or hardware) and reboots. You will need to figure out what error was involved. For that, you should tell your computer not to reboot, but to show you the error. Here is how:

  1. press Windows Key + Pause/Break
  2. Click the tab named ADVANCED
  3. Click the SETTINGS button in the Startup and Recovery section
  4. UN-check AUTOMATICALLY RESTART

Now, next time your computer crashes, it will give you a “blue screen” telling you what’s wrong. Well… sort of. Look here for a blue screen example:

[Screenshot: bluescreen]
Look for the STOP error, something like STOP 0x000000D1, and ignore the numbers between brackets. Go to Google and search for “STOP 0x000000D1”. It may give you clues about what is happening.

Also note the filename (in the screenshot it is gv3.sys). Look up in Google what that file does. It may reveal clues to which piece of hardware or software is failing.

If you find for example that your sound card is the culprit, go to the manufacturer site (of the card) and download the latest drivers.

And a last (but not least) tip. Try to remember when the problem began and what software you installed just before that. Uninstall that software. It may return your system to normal again.
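The four GUI steps above flip one registry value. The block below is an added example, not from the original post; it makes the same change from an elevated PowerShell prompt, which is handy when you have to do it on several machines or cannot reach the System Properties dialog. It assumes PowerShell 2.0 or later and the standard CrashControl key.

```powershell
# Added example, not part of the original post. Same effect as
# un-checking "Automatically restart" under Startup and Recovery.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-AutoRebootSetting {
    # AutoReboot: 1 = restart at once (Windows default), 0 = keep the blue screen
    $v = (Get-ItemProperty -Path $key -Name AutoReboot).AutoReboot
    if ($v -eq 1) { 'Automatically restart: ON  (the blue screen vanishes immediately)' }
    else          { 'Automatically restart: OFF (the blue screen stays until you reboot)' }
}

Get-AutoRebootSetting
Set-ItemProperty -Path $key -Name AutoReboot -Value 0 -Type DWord
Get-AutoRebootSetting

# Also make sure a small memory dump is written (CrashDumpEnabled 3 = minidump),
# so the STOP code and the driver name survive in %SystemRoot%\Minidump even if
# you miss the screen.
Set-ItemProperty -Path $key -Name CrashDumpEnabled -Value 3 -Type DWord
```

The change takes effect at the next crash; no reboot is needed to apply it.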

How do I know what graphics card I have?


You want to know what video graphics card you have. So, besides opening your PC and looking at the card, there are two more ways of finding out plenty of details about your video card.

Way 1:

  1. press Windows key + R
     [Screenshot: vid01]
  2. type dxdiag and press Enter (the DirectX diagnostic window will open)
  3. Click on the tab named DISPLAY
     [Screenshot: vid02]

Way 2:

  1. download GPU-Z from http://www.techpowerup.com/gpuz/
  2. run GPU-Z (it gives you tons of information about your graphics card)
     [Screenshot: vid03]
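A third way, which needs neither dxdiag nor a download, is to ask Windows itself through WMI. The block below is an added example, not from the original post; it assumes PowerShell 2.0 or later and queries the standard Win32_VideoController class that Windows XP and later expose.

```powershell
# Added example, not part of the original post: graphics card details via WMI.
function Get-GraphicsCardInfo {
    Get-WmiObject -Class Win32_VideoController | ForEach-Object {
        # AdapterRAM is a 32-bit value in WMI, so cards with 4 GB or more are
        # reported wrongly; treat the number as a rough indication only.
        $memMB = 'unknown'
        if ($_.AdapterRAM) { $memMB = [int]($_.AdapterRAM / 1MB) }

        $date = $_.DriverDate
        if ($date) {
            $date = [System.Management.ManagementDateTimeConverter]::ToDateTime($date)
        }

        New-Object PSObject -Property @{
            Name          = $_.Name
            Chip          = $_.VideoProcessor
            MemoryMB      = $memMB
            DriverVersion = $_.DriverVersion
            DriverDate    = $date
            Resolution    = "$($_.CurrentHorizontalResolution)x$($_.CurrentVerticalResolution)"
            PnPDeviceID   = $_.PNPDeviceID   # contains the PCI vendor and device IDs
        }
    }
}

Get-GraphicsCardInfo | Format-List
```

PnPDeviceID gives you the vendor and device IDs (VEN_xxxx&DEV_xxxx), which is the most reliable thing to search for when the driver name is generic.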

Help! My download does not start? Is my ISP blocking torrent?


Help! My download won’t start? Is my ISP blocking torrent?
Yes, that is quite possible. You are probably behind a NAT and maybe (on top) a firewall.
Let’s find out:
First, go get your internet IP number: Click on http://www.whatismyip.com/ and note (copy) the IP number it returns. (you’ll need it later).

Now go to a DOS box (command prompt) and enter IPCONFIG /ALL
If the IP number of your network adapter is the same as the one whatismyip reports, then you are directly connected to the internet.

If your whatismyip IP address is the same as your local address, then you can still be firewalled. To check this follow these steps:

  1. Go to http://www.auditmypc.com/firewall-test.asp
  2. Enter your IP number (the one you copied from whatismyip) and press Enter.
  3. Choose standard security scan.
  4. Click Start Scan

If you see no open ports, or at least no torrent ports, then you are firewalled. But before you go out flaming your ISP, DO CHECK that you didn’t enable the Firewall on your Windows XP!! If it’s enabled, disable it. (Better: add an exception for your torrent ports…)
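The IPCONFIG-versus-whatismyip comparison above can be done in one go. The block below is an added example, not from the original post; it assumes PowerShell 2.0 or later, takes the public address you copied from whatismyip.com as a parameter, and additionally tells you whether each local address is a private (RFC 1918) one, which on its own already proves there is a NAT in front of you. The address in the usage line is a constructed sample.

```powershell
# Added example, not part of the original post.

function Test-PrivateIPv4 {
    # True when the address is in one of the RFC 1918 private ranges
    param([string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    if ($o.Count -ne 4) { return $false }
    ($o[0] -eq 10) -or
    ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
    ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Test-BehindNat {
    # $PublicIp: the address whatismyip.com showed you
    param([Parameter(Mandatory = $true)][string]$PublicIp)

    # IPv4 addresses of every enabled adapter, same data IPCONFIG /ALL prints
    $local = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
             ForEach-Object { $_.IPAddress } |
             Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }

    foreach ($ip in $local) {
        "{0,-16} private={1}  equals public IP={2}" -f $ip, (Test-PrivateIPv4 $ip), ($ip -eq $PublicIp)
    }

    if ($local -contains $PublicIp) {
        'Directly connected: an adapter holds the public address. If nothing is open, look at the local firewall.'
    } else {
        'Behind NAT: no adapter holds the public address, so inbound torrent connections need port forwarding on the router or a VPN.'
    }
}

# Usage (constructed sample address, replace with the one whatismyip showed):
Test-BehindNat -PublicIp '203.0.113.7'

# Local firewall state, before blaming the ISP:
#   Windows XP SP2/SP3:  netsh firewall show opmode
#   Vista and later:     netsh advfirewall show allprofiles
```

A private local address means your ISP (or campus) router is translating for you; only the router's owner can open inbound ports, which is exactly why the post falls back to a VPN.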

If all tests tell you that nobody can access your PC from outside (no open ports), then you’ll need a VPN to access the internet. ( http://en.wikipedia.org/wiki/Vpn ) It will act as a separate network adapter that is connected to the internet on the other side of a “tunnel”. The tunnel is created through your normal internet connection by the VPN software and uses only one outgoing connection. The NAT (router at the campus) should normally not block this.

This is a free VPN service: http://www.openvpn.net/

If you want some more “speed” you should look for a paid VPN service. (free VPNs are overloaded and slow). I used ACEVPN and was satisfied with the service. They also have a free service, but that doesn’t allow torrents. As a matter of fact, look closely if the VPN service allows P2P and Torrent and how it should be configured.
Here is a list of VPN providers (in 2008). http://filesharefreak.com/2008/10/18/total-anonymity-a-list-of-vpn-service-providers/

If there is a firewall installed, there could be a problem when it is configured to block VPN connections. Some VPN software can be configured to use port 80, fooling the firewall into thinking you are browsing websites. But advanced firewalls can now determine what kind of packets are sent through any port and can block anything that looks suspicious. In that case you are screwed.

You may talk to the network administrator. Maybe he likes presents?

This may also interest you: Anonymous BitTorrent Through a VPN – The Speed Tests
