topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Tuesday October 8, 2024, 6:40 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Possible rootkit attack  (Read 10574 times)

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Possible rootkit attack
« on: April 22, 2014, 10:15 PM »
I ran the newest update of TOR Vidalia, and it shows no control panel console, and no icon in the lower right corner when in operation; this gives me no way to change identities at will.
As a temporary 'fix', I uninstalled the newest version, and reinstalled the older one that gives me the control panel.
Then I have Firefox set up to connect through it, and keep Firefox updated instead.
« Last Edit: September 27, 2015, 06:02 PM by bit, Reason: Renamed thread: was TOR Vidalia - cannot connect »

SeraphimLabs

  • Participant
  • Joined in 2012
  • *
  • Posts: 497
  • Be Ready
    • View Profile
    • SeraphimLabs
    • Donate to Member
Re: TOR Vidalia - newest update has no control panel
« Reply #1 on: April 23, 2014, 12:01 PM »
Isn't Tor kind of pointless with heartbleed?

It too was affected by the OpenSSL issue.

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Re: TOR Vidalia - newest update has no control panel
« Reply #2 on: April 26, 2014, 12:22 AM »
I don't totally understand heartbleed (nowhere near it), but I see no reason to discard TOR Vidalia just on a whim or a hunch, when it stops my ISP and the scumsuckers where I live from tracking me.
And while I realize using an older version of TOR Vidalia may not be logical, and perhaps the newest version may contain updates making it immune to heartbleed, I do have other protections in the form of Norton 360, Adwcleaner, Desinstaller, JRT.exe, Malwarebytes, Hitman Pro, and CryptoPrevent, and at least the slightly older TOR Vidalia still allows me to have a TOR control panel so I can switch identities at will.

I have to be able to switch identities for times when youtube says "This video is not available in your country" (will they never learn their 'region/country' cherade makes them look like idiots?).
I mean, Google/YouTube's entire mighty multi billion-dollar globe-spanning empire presumes to block me, and one click on freeware little TOR Vidalia's control panel to change identities has them changing their tune with about as much AI as a compass with a magnet stuck to it.

I only posted here in case anyone might have an idea what's going on with the new TOR Vidalia not having a control panel window so I can change identies as needed; the newest version shows a 5-second pop-up on Desktop and connects faster, but doesn't even show an icon in the lower right system tray when active, so I don't know what the deal is with it.
« Last Edit: April 27, 2014, 11:15 AM by bit »

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Re: TOR Vidalia - newest update has no control panel
« Reply #3 on: September 23, 2015, 07:50 PM »
I installed the newest TOR Vidalia, but it is unable to connect.
Since switching to free AVG, I don't know if it is excluding TOR or how to make it allow it, but when I disabled AVG for a moment, TOR still could not connect.
Any help would be greatly appreciated.

edit: I added TOR connect and TOR.exe to my Firewall permissions, and still no success connecting.
« Last Edit: September 23, 2015, 08:29 PM by bit »

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,644
    • View Profile
    • Donate to Member
Re: TOR Vidalia - cannot connect
« Reply #4 on: September 23, 2015, 09:13 PM »
Hasn't TOR Vidalia ceased to exist?

Now it's either TorBrowser or the main gateway/relay program.

TorBrowser 5.5a3 (latest alpha) connected OK after about a minute the first time I started it, thereafter it connected in about 10 seconds.

Only needed to allow tor.exe through the firewall.

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Re: TOR Vidalia - cannot connect
« Reply #5 on: September 23, 2015, 09:38 PM »
Hasn't TOR Vidalia ceased to exist?

Now it's either TorBrowser or the main gateway/relay program.

TorBrowser 5.5a3 (latest alpha) connected OK after about a minute the first time I started it, thereafter it connected in about 10 seconds.

Only needed to allow tor.exe through the firewall.
Now you mention it, yes, I see I've actually installed torbrowser-install-5.0.3_en-US.exe.
I tried basic connect option, and it 'starts', but never 'connects'.
I tried various 'provided bridges'; no success.
I entered Firewall and set a rule to 'allow' TOR connect & TOR exe; no success.
I entered Advanced Firewall, set a rule to allow 'domain', 'private', & 'public' (i.e. 'all'); no success.

I've seen some reports that if your PC clock is off by even a few minutes it can fail to connect, but I just reset my clock to check automatically with correct zone Internet time last night and it should be good.
« Last Edit: September 23, 2015, 10:39 PM by bit »

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,644
    • View Profile
    • Donate to Member
Re: TOR Vidalia - cannot connect
« Reply #6 on: September 23, 2015, 10:27 PM »
Try the alpha version: https://www.torproje...tall-5.5a3_en-US.exe

All I did was run it to extract, then run the Start Tor Browser shortcut, clicking Connect on the next window.

Just tried again, took 35 seconds for connection on first run, 5 seconds for subsequent runs.

Copy the folder to a flash drive and try it on another computer.

I entered Firewall and set a rule to 'allow' TOR connect & TOR exe; no success.

What TOR Connect ?

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Re: TOR Vidalia - cannot connect
« Reply #7 on: September 23, 2015, 10:41 PM »
Try the alpha version: https://www.torproje...tall-5.5a3_en-US.exe

All I did was run it to extract, then run the Start Tor Browser shortcut, clicking Connect on the next window.

Just tried again, took 35 seconds for connection on first run, 5 seconds for subsequent runs.

Copy the folder to a flash drive and try it on another computer.

I entered Firewall and set a rule to 'allow' TOR connect & TOR exe; no success.

What TOR Connect ?
re: [What TOR Connect ?]: I meant 'Start Tor Browser'.
^I'll give it a try, and tnx.
PS - My PC clock keeps resetting itself 2 hours ahead, and just did it again.
When I first right click on the clock to correct it, the first thing I always get (and didn't used to) is a pop-up mssg;
"A restricted .CPL program has been blocked:
C:\Windows\System32\timedate.cpl
Allow program to run?"

I discovered some setting that should be checked to maintain the clock, wasn't checkmarked, and just reset it again.

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Re: TOR Vidalia - cannot connect
« Reply #8 on: September 23, 2015, 11:11 PM »
I installed it where it wants to install, to Desktop\Tor Browser.
On a one-time basis, after each fresh uninstall, reg check, and reinstall, it starts and progresses all the way to 'Loading authority certificates', then hangs.
On all subsequent restarts, it only progresses to 'Loading network status' and hangs.

I have contacted their help email address.
I think they may show me how to access and send them the log, for troubleshooting.
If so, I'll confirm success or failure here. Tnx.  :up:
« Last Edit: September 23, 2015, 11:43 PM by bit »

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Re: TOR Vidalia - cannot connect
« Reply #9 on: September 24, 2015, 11:57 PM »
I seemed to have a rootkit which was causing startup to go directly into BIOS and give me a pop-up that used poor English and flawed grammar, informing me that 'something intruded' and asking me to click on OK.
I didn't click on 'OK', I hit 'reset' button, which rebooted successfully to Desktop.
Every so often, the weird BIOS pop-up would reappear, and 'reset' got me past it.
I have [FoolishIT], which I'm guessing was partially blocking a full-blown rootkit takeover.
So I did a backup restore of my entire OS from an older backup HD which was saved about April 2015.
Among a plethora of other actions, I ditched free AVG and updated Norton 360 Premier (which was never uninstalled from the backup), and I reinstalled Malwarebytes, which used to delay all folder & file openings for 10 to 20 seconds, and the MWB-related folder & file opening delays are gone. :)
A MWB scan found 6 threats and killed them.
I also ran updates and scans with Adwcleaner (which killed a few baddies), Desinstaller, and JRT.exe.
Then I spent a couple hours searching for vital up-to-date files on the goofed up HD that needed to be copied to the backup outdated HD.
Then I ran Glary reg-check, then CCleaner cleaner & reg-check, then ChkDskAssist on the backup HD.
Finally, I ran a [EaseUS Todo Backup Free 4.0] clone HD restore from the good but outdated HD to the goofed up-to-date HD.
AFAICT, all threats are gone, everything is up-to-date on both HDs, the backup HD is updated & disconnected again for 'the next time', and everything seems to be running smoothly.
On top of all this, I also discovered my vintage TOR Vidalia works fine now. :)
« Last Edit: September 25, 2015, 01:35 AM by bit »

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Re: TOR Vidalia - cannot connect
« Reply #10 on: September 26, 2015, 02:42 PM »
This is all just guesswork, and I only have procedural ability (push this button, insert this disk, etc.), not tech.
This morning, none of my HDs would boot.
The Fix:
Hit del on boot, had to reset CMOS/BIOS device boot priority to DVD first.
(no bogus BIOS popups appeared).
Tried various boot disks......FINALLY tried Lazesoft bootable recovery CD, hit basic 'bootfix'.
Fixed & rebooted from HD successfully.
So I'm back......thinking of running Malwarebytes full scan, maybe Norton full scan, not sure what else.

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Re: Possible rootkit attack
« Reply #11 on: September 27, 2015, 06:19 PM »
That 'weird' BIOS on boot pop-up reappeared, with a failed boot-up.
This time, the Lazesoft boot-fix disk failed to fix it.
This is what the pop-up message said (appearance simulated here with double line brackets):
============================
Message Confirmation
The system intruded, chassis opened or tempered before ,
Please check the system
[OK]

============================
It wanted me to click on the [OK]; I did not click on the [OK].
The 'weird' pop-up was green with black letters, which seems nonstandard.
Normally, legitimate BIOS pop-up mssgs are a different color.

I switched to a clean backup EIDE Maxtor HD and rebooted successfully.
My pc seems to read the CD/DVD disk drive OK on boot, but not from Desktop.
I am preparing to run a new/repeat [EASE US Todo Backup Free 4.0] HD clone backup from the EIDE Maxtor HD to the failed-boot SATA Western Digital HD, but am becoming increasingly skeptical of lasting success.

I will look into replacing the CMOS clock battery, as Shades suggests.
« Last Edit: September 27, 2015, 06:25 PM by bit »

x16wda

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 888
  • what am I doing in this handbasket?
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Possible rootkit attack
« Reply #12 on: September 27, 2015, 06:38 PM »
If you google the error message, you'll see a lot if hits (like this). Most of them blame an Asus motherboard and say you can go into the BIOS and disable the chassis intrusion setting, or check the relevant jumper on the motherboard and make sure it is jumped.
vi vi vi - editor of the beast

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Re: Possible rootkit attack
« Reply #13 on: September 27, 2015, 08:22 PM »
If you google the error message, you'll see a lot if hits (like this). Most of them blame an Asus motherboard and say you can go into the BIOS and disable the chassis intrusion setting, or check the relevant jumper on the motherboard and make sure it is jumped.
^Checking this out......
Yes, mine is an ASUS A8N-SLI Premium, and it was exactly as you said; I found the case open warning set to 'enabled' in BIOS and disabled it.  :Thmbsup:
Also, I swapped in a different disk in the disk drive and now it reads it just fine.
And my other SATA WD HD that had long ago stopped booting after clone backups to it, just booted perfectly. :)
« Last Edit: September 28, 2015, 03:19 AM by bit »

Shades

  • Member
  • Joined in 2006
  • **
  • Posts: 2,930
    • View Profile
    • Donate to Member
Re: Possible rootkit attack
« Reply #14 on: September 27, 2015, 09:38 PM »
Replacing the battery won't help with any rootkit.

It will help with strange time-related issues in Windows and...if your PC acts the same as mine, you won't have to fill in the time/date/whatever other boot preferences you have in your BIOS, each time your computer shuts down because of a power failure (complete power cuts, insufficient power on the three phases, only power on one phase, etc).

Rootkits can hide themselves in hardware (such as BIOS of your motherboard or hard disk). The really nasty ones do not have a problem with that. And in those cases you'd immediately start decommission the affected hardware, for your own sake, as the hardware cannot be trusted at all after it has been infected.

Now, this won't happen that quickly when you don't visit (Russian) bride sites, where you find lots of pictures and/or videos of those brides naked and being "field-tested" in ways that should never leave anyone's imagination or more traditional manners, while they whisper sensually the latest key-codes/serials of the latest software to your...eh screen.  ;)

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Re: Possible rootkit attack
« Reply #15 on: September 28, 2015, 12:12 AM »
^Heh.  ;D What shall we do with a drunken sailor...
The BIOS boot pop-up is found to be a legitimate ASUS mobo 'case open' mssg.
I found and disabled it, and time will tell, but I suspect now that was the problem.
OTOH, my clock continues to be goofy and I think I really need to check out a new CMOS battery.  :Thmbsup:
« Last Edit: September 28, 2015, 03:18 AM by bit »