Win32:rootkit-gen[Rtk]

Posted 8/3/2009 11:40 AM
#75658
rjmsmith Valued member

Date Joined Nov 2016
Total Posts: 18
Hi guys,

I was sent some photographs which contained this virus.
Is there any way I can trace the perpetrator?
I run a Hotmail site for residents in Goa, India, and I need this information.
Whoever the perpetrator is, he/she knows the resident names, the password and the email addresses, and he has used this information to load the virus into an email. He has used the Hotmail online screen (not Outlook), as the information is only partly updated on this screen - two messages bounced.

I can attach the actual email he/she sent if this is any use to you. How do I attach emails?

Regards, Roger.

12:21:50 PM Fotos 27/07:

Attached images: DSC_0442.jpg - DSC_0443.jpg - DSC_0444.jpg

Videos Hotmail.com: www.hotmail.com/videos
Posted 8/3/2009 12:08 PM
#75660
Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
Hello rjmsmith,

Given all the data the email sender has, it suggests the site is compromised in some way. Have you changed your own secure logins (from a computer that has not been involved with the site in any way), and also checked your computer(s) for malware? Tracking the source is usually impossible, due to the email header info being "spoofed" or faked. Stopping it from being repeated should be highest on your agenda of things to do, though.
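The point about spoofed headers deserves a concrete illustration. The following is an added example, not code from the thread or from either poster: it parses the Received: chain of a constructed message and shows why only one hop is worth anything for tracing. Each mail server prepends its own Received: line, so the topmost line was written by the server that received the message for you and records the IP that really connected to it; every line below was supplied by the remote sender and can be fabricated, as can the From: address. The hostnames and IP addresses in the sample are invented (documentation ranges), and "mx.my-receiver.test" stands in for whatever server you actually control.

```python
import email
import re

# Constructed sample message for this example (not the email from the thread).
# The From: header and the two lower Received: hops are the kind of data a
# mailer worm forges; only the top hop, stamped by mx.my-receiver.test, is ours.
SAMPLE = b"""Received: from mail-out.example-hotmail.test (mail-out.example-hotmail.test [203.0.113.5])
 by mx.my-receiver.test with ESMTP id abc123
 for <colonia@hotmail.com>; Mon, 27 Jul 2009 12:21:50 +0530
Received: from [192.0.2.77] (unknown [198.51.100.23])
 by mail-out.example-hotmail.test with SMTP
 for <colonia@hotmail.com>; Mon, 27 Jul 2009 12:21:45 +0530
Received: from trusted-friend.test (forged.invalid [10.0.0.1])
 by 192.0.2.77 with SMTP; Mon, 27 Jul 2009 12:21:40 +0530
From: "Resident" <resident@hotmail.com>
To: colonia@hotmail.com
Subject: Fotos 27/07
Content-Type: text/plain

Attached images: DSC_0442.jpg - DSC_0443.jpg - DSC_0444.jpg
"""

# "from <helo-name> (<what the server saw>) by <receiving host>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"           # name the client announced (HELO/EHLO), untrusted
    r"(?:\s+\((?P<paren>[^)]*)\))?"   # reverse DNS / connecting IP as seen by the receiver
    r"\s+by\s+(?P<by>\S+)",           # the server that wrote this line
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Extract HELO name, receiving host and connecting IP from one Received: header."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return None
    ip = IP_RE.search(m.group("paren") or "")
    return {
        "helo": m.group("helo"),
        "by": m.group("by"),
        "from_ip": ip.group(1) if ip else None,
    }


def received_chain(raw_bytes):
    """Return Received: hops in header order: newest (closest to us) first."""
    msg = email.message_from_bytes(raw_bytes)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in hops if h is not None]


def trusted_origin(raw_bytes, my_mx):
    """
    Find the hop written by a server we control (my_mx). Its from_ip is the
    address that actually connected to us and is the only verifiable lead.
    Every hop below it came from the remote sender and may be invented.
    """
    chain = received_chain(raw_bytes)
    for i, hop in enumerate(chain):
        if hop["by"].lower() == my_mx.lower():
            return {"verified_ip": hop["from_ip"], "unverifiable_hops": chain[i + 1:]}
    return {"verified_ip": None, "unverifiable_hops": chain}


if __name__ == "__main__":
    result = trusted_origin(SAMPLE, "mx.my-receiver.test")
    print("IP that really connected to our server:", result["verified_ip"])
    for hop in result["unverifiable_hops"]:
        print("unverifiable hop claimed by sender:", hop)
```

In practice the verified address is usually a large provider's outbound relay (here the invented mail-out.example-hotmail.test), which is why a thread like this one ends at "ask the provider" rather than at an individual; the From: address and the lower hops tell you nothing reliable about who pressed send.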
Posted 8/3/2009 12:22 PM
#75661
rjmsmith Valued member

Date Joined Nov 2016
Total Posts: 18
Hi Jintan,

The problem is that several people have access to the Hotmail site, same username, and that they all use the same password.
I don't think it is malware. The site has DEFINITELY been compromised, and I would like to find out who.
The sender of the virus has access to all the information, possibly legitimately. He/she may be a resident.
Without blaming the residents, I would still like to get my hands on the culprit.

Regards, Roger.
Posted 8/3/2009 6:52 PM
#75669
Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
I can't picture what site file or control panel accesses you might use, but many have raw logs that can be looked through. Not really sure what else I might recommend. But instead of thinking this is a purposeful act of a member, consider it may be a member's infected system, with some mailer worm or other infection involved.
Posted 8/4/2009 3:36 AM
#75677
rjmsmith Valued member

Date Joined Nov 2016
Total Posts: 18
Hi Jintan,

I use Hotmail. All members have the same username and password. We log in to Hotmail, and communicate.
Unlikely it's a mailer worm, as my machine wasn't infected. What about TRACERT? How do I run it? Not sure what else I can do.
Anyway, thanks for your help.

Regards, Roger.
Posted 8/4/2009 12:18 PM
#75689
Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
No, I don't see tracert doing much in that situation. But I am unclear how all users use one name and one password. What keeps them separated, as far as their emails are concerned? The type of email you are talking about is often either sent like spam, using some existing spam list and often spoofing the sender's address and email routes, or sent by one user's infected computer, using the information they have stored on their computer. Does any one computer have all the information you feel was compromised - user names etc.?
Posted 8/4/2009 12:26 PM
#75691
Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
I used some information you first posted and web researched, and yes, this is a known emailer infection that is sent using information from an infected computer. So back to the question of whose computer is infected. That is the one we should be checking here in this forum thread.
Posted 8/5/2009 3:05 AM
#75712
rjmsmith Valued member

Date Joined Nov 2016
Total Posts: 18
Hi Jintan,
It's easy to set up a multiple account, by setting the account name to (e.g.) colonia@hotmail.com, and the password to XXXXXXXX. Just give all the users the username and the password, and set their email addresses into the address book.
OK about tracert.
We have found the computer in question: it was a resident's computer that was propagating the virus (currently in the UK), and I have advised him accordingly. I have suggested that he use AVAST!, which is the same one that I use, and which got rid of the infection.
Thanks for all your help.

Regards, Roger.
Posted 8/5/2009 3:01 PM
#75716
Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
If any one computer can be identified and the owner is comfortable with doing their own repairs, they can surely start a request here in the forum. Although Avast is a known and good antivirus software, just scans with it may not be sufficient to remove all infection issues.
Posted 8/6/2009 2:38 AM
#75749
rjmsmith Valued member

Date Joined Nov 2016
Total Posts: 18
Hi Jintan,

AVAST! is a good program, and it does more than scan the computer. When it finds a virus, it gives several options as to what to do with it: the options are Move to Chest, Delete, Repair etc. When it finds a virus such as a rootkit, you have to reboot the computer, and an MS-DOS program takes over and cleans the virus. I am more than satisfied with Avast!.

The computer has been identified, and the residents are now more aware of the risks. Most of the residents are computer-illiterate!

Thanks for all your help.

Regards, Roger.
Posted 8/6/2009 12:00 PM
#75757
Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
Not a discussion of the merits of Avast though rjmsmith. As just an antivirus program, it will not locate and remove all types of infection. If one security software did we would just post a link to that and not provide the help we do in all the requests here. :smile:
Posted 8/6/2009 12:05 PM
#75759
Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
Here, this person also has and uses Avast, and had some tough infection issues that needed to be solved. Having and using a good antivirus software is very important, but it is not a cure-all for all malicious activities.
Posted 8/6/2009 1:49 PM
#75761
rjmsmith Valued member

Date Joined Nov 2016
Total Posts: 18
Hi Jintan,

Wow! I see what you mean. I've just read beeshan's report and it does take a while to get rid of a virus!
I didn't mean to praise AVAST! unnecessarily, but it's the program I use.
Apart from using multiple virus checkers, I don't know what to do. Perhaps you can suggest something.

Thanks for all your help.

Regards, Roger.
Posted 8/6/2009 11:24 PM
#75771
Jintan Advanced member

Date Joined Nov 2016
Total Posts: 1049
Do what the other BG forum member did, and post analysis logs to check. If more than one computer, they will need to each have a separate request thread, but in each a note should be posted saying they are related to this thread. Let me know if you would like to check perhaps your system now, as well as what others might need checking. Sorry, but experience has proven it is a bad idea to try to do more than one system in one thread - turns into a bunch of confusion.