Category Archives: Troubleshoot

Rootkit Kryptik.ABX in atapi.sys ( CsimPlayer.exe )

On Friday, December 11 a trojan horse found its way into my Windows.

It all started with AVAST throwing these warnings:

11/12/2009 23:08:51 xxx 412 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\~TM1F1A.tmp” file.

I told AVAST to delete ~TM1F1A.tmp, but AVAST apparently didn’t delete the file. Shortly afterwards AVAST complained about a system file:

11/12/2009 23:10:08 xxx 412 Sign of “Win32:Cutwail-AD [Trj]” has been found in “C:\WINDOWS\system32\drivers\atapi.sys” file.
11/12/2009 23:10:37 xxx 412 Sign of “Win32:Cutwail-AD [Trj]” has been found in “C:\WINDOWS\system32\dllcache\atapi.sys” file.

Then I looked at the running processes.

A process called CsimPlayer.exe was running and had two svchost.exe child processes attached to it.

Running a SHA hash comparison between CsimPlayer.exe and the tmp file confirmed that CsimPlayer.exe was indeed ~TM1F1A.tmp, the file AVAST identified as malware. The same CsimPlayer was added to the startup registry tree HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (value: C:\WINDOWS\system32\CsimPlayer.exe).

In the meantime a CMD (command prompt) process was eagerly running a batch file called fjhdyfhsn.bat. The batch file contained a loop trying to delete Firefox (see the screenshot).

The BAT file was dropped on my system on 11 December at 23:08, moments before the ~temp files.

[screenshot troj1: contents of fjhdyfhsn.bat]

Another file called siszyd32.exe was dropped in the StartUp folder.

I still don’t know what it was and why Avast isn’t detecting it. I will keep you posted if more info is available.
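The two checks described above (hashing the dropped temp file against the running executable, and looking at what the Run key starts) can be scripted. The following is an added example, not code from the original post: it hashes a reference file and reports which candidate files are byte-for-byte identical, and it parses a `.reg` export of the Run key and flags any value whose target executable carries the same hash. The `demo()` function builds a constructed scenario in a temporary directory (the file names mirror the post; the contents are made up), so the script runs offline on any platform.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# The Run key named in the post; its values are the commands Windows starts at logon.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_hash_matches(reference, candidates):
    """Return the candidate paths whose content hash equals that of the reference file."""
    ref = sha256_file(reference)
    return sorted(p for p in candidates if os.path.isfile(p) and sha256_file(p) == ref)


def reg_escape(s):
    """Escape a string the way regedit writes REG_SZ values in a .reg export."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_run_key_export(reg_text):
    """Parse the REG_SZ values under the Run key from a .reg export.
    Returns {value name: command string} with .reg escaping undone."""
    entries = {}
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run:
            continue
        m = re.match(r'"(?P<name>[^"]+)"="(?P<val>.*)"$', line)
        if m:
            entries[m.group("name")] = m.group("val").replace("\\\\", "\\").replace('\\"', '"')
    return entries


def flag_run_entries(reg_text, bad_hash):
    """Return the Run-key value names whose target executable has the known-bad hash."""
    flagged = []
    for name, cmd in parse_run_key_export(reg_text).items():
        # The executable is either the quoted first token or the first whitespace-free token.
        m = re.match(r'"([^"]+)"|(\S+)', cmd)
        if not m:
            continue
        exe = m.group(1) or m.group(2)
        if os.path.isfile(exe) and sha256_file(exe) == bad_hash:
            flagged.append(name)
    return flagged


def demo():
    """Constructed scenario: a dropped temp file and a Run-key target with identical bytes."""
    tmp = Path(tempfile.mkdtemp())
    payload = b"constructed sample bytes, not real malware\n"  # constructed content
    dropped = tmp / "~TM1F1A.tmp"
    copy = tmp / "CsimPlayer.exe"
    benign = tmp / "notepad.exe"
    dropped.write_bytes(payload)
    copy.write_bytes(payload)
    benign.write_bytes(b"some other content\n")
    reg_text = (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{RUN_KEY}]\n"
        f'"CsimPlayer"="{reg_escape(str(copy))}"\n'
        f'"Editor"="{reg_escape(chr(34) + str(benign) + chr(34) + " /x")}"\n'
    )
    matches = find_hash_matches(dropped, [copy, benign])
    flagged = flag_run_entries(reg_text, sha256_file(dropped))
    return [p.name for p in matches], flagged


if __name__ == "__main__":
    print(demo())  # (['CsimPlayer.exe'], ['CsimPlayer'])
```

On a real machine you would feed `flag_run_entries` the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and the hash of the file the scanner flagged; comparing hashes rather than names is what ties the startup entry to the dropped file regardless of what it was renamed to.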

In the meantime, try the following:

Removal Instructions

You’ve probably got this malware because Java, Flash or Acrobat aren’t up to date. Older versions are insecure and potentially expose your system to security threats! Scan your system with this online scanner.

Removal:

Get Malwarebytes’ Anti-Malware

Computer Shuts Off without any warning….Why?


Why does my computer just shut off without warning?

Well, it’s hitting some major failure (software or hardware) and rebooting. You will need to figure out what error was involved. For that, you should tell your computer not to reboot, but to show you the error. Here is how:

  1. Press Windows Key + Pause/Break
  2. Click the tab named ADVANCED
  3. Click the SETTINGS button in the Startup and Recovery section
  4. Un-check AUTOMATICALLY RESTART

Now, next time your computer crashes, it will give you a “blue screen” telling you what’s wrong. Well, sort of. Look here for a blue screen example:

[screenshot: blue screen example]
Look for the STOP error, something like STOP 0x000000D1, and ignore the numbers in brackets. Go to Google and search for “STOP 0x000000D1”. It may give you clues about what is happening.

Also note the filename (in the screenshot it is gv3.sys). Search Google for what that file does. It may reveal clues about which piece of hardware or software is failing.
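The three pieces of information the last two paragraphs tell you to pick off the blue screen (the symbolic name, the STOP code without its bracketed parameters, and the faulting driver file) can be extracted mechanically once you have the screen text, for example typed up from a photo. The parser below is an added example, not code from the original post; the sample blue-screen text it runs on is constructed, with the 0x000000D1 code and gv3.sys from the post and made-up parameter and address values.

```python
import re

# STOP line: the bug-check code is what you search for; the four parameters are
# usually not needed; the module name, if printed, points at the faulting driver.
STOP_RE = re.compile(
    r"STOP:?\s*(?P<code>0x[0-9A-Fa-f]{8})"
    r"(?:\s*\((?P<params>[^)]*)\))?"
    r"(?:.*?\b(?P<module>[\w.\-]+\.(?:sys|dll|exe))\b)?",
    re.DOTALL,
)
# The symbolic bug-check name is printed alone on a line in capitals, e.g. DRIVER_IRQL_NOT_LESS_OR_EQUAL.
NAME_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]{6,})\s*$", re.MULTILINE)


def parse_stop_screen(text):
    """Return the searchable facts from blue-screen text, or None if no STOP line is present."""
    m = STOP_RE.search(text)
    if not m:
        return None
    code = "0x" + m.group("code")[2:].upper()  # normalise hex case so searches match
    params = [p.strip() for p in m.group("params").split(",")] if m.group("params") else []
    name = NAME_RE.search(text)
    return {
        "name": name.group(1) if name else None,
        "code": code,
        "params": params,        # the numbers in brackets; keep them but do not search for them
        "module": m.group("module"),
        "query": f"STOP {code}",  # the string the post suggests searching for
    }


# Constructed blue-screen text (parameter and address values are made up).
SAMPLE = """A problem has been detected and Windows has been shut down to prevent damage
to your computer.

DRIVER_IRQL_NOT_LESS_OR_EQUAL

If this is the first time you've seen this Stop error screen, restart your computer.

Technical information:

*** STOP: 0x000000D1 (0x00000000, 0x00000002, 0x00000000, 0xF7A3B1C2)

***  gv3.sys - Address F7A3B1C2 base at F7A3A000, DateStamp 3e8b1a4c
"""

if __name__ == "__main__":
    print(parse_stop_screen(SAMPLE))
```

Not every blue screen names a driver; in that case `module` is `None` and the STOP code and symbolic name are still the search terms to use.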

If you find for example that your sound card is the culprit, go to the manufacturer site (of the card) and download the latest drivers.

And a last (but not least) tip. Try to remember when the problem began and what software you installed just before that. Uninstall that software. It may return your system to normal again.

Help! My download does not start? Is my ISP blocking torrent?


Help! My download won’t start? Is my ISP blocking torrent?
Yes, that is quite possible. You are probably behind a NAT and maybe (on top) a firewall.
Let’s find out:
First, go get your internet IP number: Click on http://www.whatismyip.com/ and note (copy) the IP number it returns. (you’ll need it later).

Now open a command prompt (DOS box) and enter IPCONFIG /ALL
If the IP number of your network adapter is the same as the one whatismyip reports, then you are directly connected to the internet.

If your whatismyip IP address is the same as your local address, then you can still be firewalled. To check this follow these steps:

  1. Go to http://www.auditmypc.com/firewall-test.asp
  2. Enter your IP number (the one you copied from whatismyip) and press Enter.
  3. Choose standard security scan.
  4. Click Start Scan

If you see no open ports, or at least no torrent ports, then you are firewalled. But before you go out flaming your ISP, DO CHECK that you didn’t enable the Firewall on your Windows XP!! If it’s enabled, disable it. (Better: add an exception for your torrent ports…)

If all tests tell you that nobody can access your PC from outside (no open ports), then you’ll need a VPN to access the internet. ( http://en.wikipedia.org/wiki/Vpn ) It will act as a separate network adapter that is connected to the internet on the other side of a “tunnel”. The tunnel is created through your normal internet connection by the VPN software and uses only one outgoing connection. The NAT (router at the campus) should normally not block this.

This is a free VPN service: http://www.openvpn.net/

If you want some more “speed” you should look for a paid VPN service. (free VPNs are overloaded and slow). I used ACEVPN and was satisfied with the service. They also have a free service, but that doesn’t allow torrents. As a matter of fact, look closely if the VPN service allows P2P and Torrent and how it should be configured.
Here is a list of VPN providers (in 2008). http://filesharefreak.com/2008/10/18/total-anonymity-a-list-of-vpn-service-providers/

If there is a firewall installed, there could be a problem when it is configured to block VPN connections. Some VPN software can be configured to use port 80, fooling the firewall into thinking you are browsing websites. But advanced firewalls can now determine what kind of packets are sent through any port and can block anything that looks suspicious. In that case you are screwed.

You may talk to the network administrator. Maybe he likes presents?

This may also interest you: Anonymous BitTorrent Through a VPN – The Speed Tests

False positives after update Avast (fixed!)


UPDATE: THE ISSUE IS RESOLVED / FIXED : updated version: 091203-1
Continue reading at the bottom of this post for info on the fix

What was going on:

The latest Avast virus database update came with a serious bug. In version 091203-0 various files are being marked as “Win32:Delf-MZG (Trj)”. These are all false positives and should be ignored. (Rumors say the affected files are written in Delphi.)

Apart from falsely marking files as this virus, some say it can hinder the Windows operating system’s boot, so if you happen to suffer from these symptoms, under no circumstances reboot your system. If you did reboot, Avast could block certain services from starting.

To disable Avast (temporarily) follow these instructions: (continue reading at the bottom for the fix)

  1. Right-click the Avast icon near your clock.
  2. Choose Stop On-access scanning tasks

If you got stuck and need to reboot your system, follow these instructions first. (Otherwise, just disable Avast.) (continue reading at the bottom for the fix)

  1. Reboot in safe mode: Hold down F8.
  2. Log in as Admin
  3. Uninstall AVAST & DO NOT SCAN YOUR COMPUTER!!
  4. Wait until Avast fixes the bug or install another virus scanner.

Disable AVAST for the time being.
Wait for another iAVS update and click NO ACTION when action is required.

Quote from: zone12 on Today at 02:05:26 AM

The recent avast! VPS update has a serious flaw inside it, various files are being marked as “Win32:Delf-MZG (Trj)”. Some of the common files being marked as this false positive include Skype and Spybot S&D.

Apart from marking various files as this virus, the new update brought a crippling threat to the windows operating system. Accounts are vague but some are reporting that the new update may hinder the windows operating system’s boot. If you have updated avast during the last 48 hours do not restart your computer! This is caused by avast scanning the starting files, during this process it will mark a file as hazardous and will not allow you to proceed without acknowledgement, being that this is happening during the time in which windows loads there is no possible way to give acknowledgement to the program therefore putting the computer at a standstill.

The problem started a few hours ago. In an attempt to find out what is happening, thousands of users went to Avast’s forum, immediately overloading it. In the meantime, “avast” is trending on Twitter.

UPDATE: It is finally fixed. ( Thursday 7:05 CET )

Information about current update:
Total time: 39 s

– Vps: Updated
(previous version: 091203-0, updated version: 091203-1)

Server: download650.avast.com (209.62.90.50)
Downloaded files: 6 (1,78 KB)
Download time: 9 s

To UPDATE Avast follow these instructions:

  1. Right-click the Avast icon near your clock.
  2. Choose UPDATE
  3. Choose iAVS update

EXTRA:

How to restore files from the chest:

The Virus Chest can be accessed directly from the options menu in the Avast program window. To get there, right-click the Avast icon near your clock and choose Start Avast!. Cancel any starting scans!!! (important) Then click on the chest icon. A window containing a list of files will open. Right-clicking on any file will produce the following options we can use:

  • Refresh all files: Select this option if you want to make sure you are looking at the complete list of files. The program refreshes the list automatically but you can use this option if you do not want to wait.
  • Restore file: The file will be restored to its original location and at the same time removed from the Chest.
  • Extract file: The file will be copied to the selected folder.

I suggest restoring.

(taken from the manual: http://download787.avast.com/files/manuals/user-manual-home-eng.pdf )

update: Official statement of AVAST (Alwil) http://forum.avast.com/index.php?topic=51647