sneaky trojan startup process

Damn these guys never give up.
I was scanning for trojans ...found one and removed it. No biggie.
Good news is I run a few different scanners, because some remove this, some
find that, etc....
Then I saw it. A friggen registry entry in two places:
\safeboot\minimal\tdssserv.sys
\safeboot\network\tdssserv.sys
Damn, that's even low for a trojan.
Here's a tool that will remove anything, providing you know what to type in: Avenger. It scans for rootkits, but also has the ability to remove anything if you tell it to.
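
The two SafeBoot entries in this post are a persistence trick a defender can check for directly. The PowerShell script below is an added example, not something from this thread or from the Avenger tool: it lists every Driver/Service entry under SafeBoot\Minimal and SafeBoot\Network, ties each one back to its Services key and on-disk file, and flags anything with no matching service, no file, or no valid Authenticode signature. The Resolve-ImagePath helper and the Suspicious rule are my own construction; PowerShell 3 or later in an elevated session is assumed.

```powershell
# Added example, not from the thread: a read-only audit of the SafeBoot registry
# keys the first post found abused (SafeBoot\Minimal and SafeBoot\Network).
# Every Driver/Service entry is mapped to its on-disk image via the Services
# hive, and anything without a known service, without a file, or without a
# valid Authenticode signature is flagged. Changes nothing on the machine.

$safeBootKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
)
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Normalise the many ImagePath spellings (\SystemRoot\..., \??\C:\..., %SystemRoot%,
# bare system32\drivers\x.sys, quoted paths with arguments) to a plain file path.
function Resolve-ImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p -match '^"?(.+?\.(?:exe|sys|dll))') { $p = $Matches[1] }   # strip quotes/arguments
    $p = $p -replace '^\\\?\?\\', ''                                  # \??\C:\x  -> C:\x
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot                 # \SystemRoot\x -> C:\Windows\x
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # relative to %SystemRoot%
    return $p
}

# Index every service/driver by name and by the file name of its image, so a
# SafeBoot entry such as "vga.sys" (named by file, not by service) can be tied
# back to the service that loads it.
$serviceByFile = @{}
$serviceByName = @{}
foreach ($svc in Get-ChildItem -Path $servicesRoot) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    $serviceByName[$svc.PSChildName.ToLower()] = $props
    $image = Resolve-ImagePath $props.ImagePath
    if ($image) { $serviceByFile[(($image -split '\\')[-1]).ToLower()] = $props }
}

$report = foreach ($key in $safeBootKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($entry in Get-ChildItem -Path $key) {
        $name = $entry.PSChildName
        $type = (Get-ItemProperty -Path $entry.PSPath).'(default)'
        # Skip device-class GUIDs and "Driver Group" placeholders; only real loads matter here.
        if ($type -ne 'Driver' -and $type -ne 'Service') { continue }

        $svc = if ($type -eq 'Driver') { $serviceByFile[$name.ToLower()] }
               else                    { $serviceByName[$name.ToLower()] }
        $image = if ($svc) { Resolve-ImagePath $svc.ImagePath }
                 elseif ($type -eq 'Driver') { Join-Path $env:SystemRoot "System32\drivers\$name" }
        $fileExists = [bool]$image -and (Test-Path -LiteralPath $image -PathType Leaf)
        $sigStatus = if ($fileExists) { (Get-AuthenticodeSignature -FilePath $image).Status.ToString() }
                     else { 'NoFile' }

        [pscustomobject]@{
            SafeBootKey = Split-Path -Path $key -Leaf
            Entry       = $name
            Type        = $type
            Service     = if ($svc) { $svc.PSChildName } else { '<none>' }
            ImagePath   = $image
            Signature   = $sigStatus
            # Suspicious: nothing in Services claims it, the file is gone, or it is unsigned/tampered.
            Suspicious  = (-not $svc) -or (-not $fileExists) -or ($sigStatus -ne 'Valid')
        }
    }
}

$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Compare the output with a machine you trust, since legitimate third-party drivers also register here. A kernel rootkit that hooks the registry API can hide its own key from a script like this, which is exactly why RootkitRevealer, mentioned later in the thread, compares the live API view against a raw read of the hive; treat a clean result here as weak evidence and a missing or unsigned entry as a strong lead.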

Vinny, great info! Where did you download it from? Just to make things interesting, there is a virus called avenger ...
wrote:

Vinny, great info! Where did you download it from? Just to make things interesting, there is a virus called avenger ...
===================================
This site has a link, also good info. Text-search on avenger, about 2/3 down iirc. http://www.antirootkit.com/articles/gromozo/The-strange-case-of-Dr-Rootkit-and-Mr-Adware.htm
There is shit that apparently disables Avenger (mebbe the avenger virus?) as well.
I use Trend Micro, which updates, like, every 4 g-d hours. I wonder if it handles rootkits?
There was a thread here about 6 mos-1 yr ago, that proclaimed Norton itself was a virus. Symantec sucks. I posted my goodbye letter to Symantec here, *which I had to fax*, so insulated are these muthafuckas from the public. No response, of course.
--

PV'd



wrote:

http://www.antirootkit.com/articles/gromozo/The-strange-case-of-Dr-Rootkit-and-Mr-Adware.htm
Remember the good old days of having just viruses? Jeesh, now there's virii, malware, spyware, rootkits, and good old fashioned haxoring, and yes..the creded norton clustervirus.
Thing about a rootkit is how devastating it is. Removal of one is best done using fdisk and format. I removed one a year ago from my box, a month later I reformatted, it just corrupted all kinds of stuff, I couldn't take it anymore. But the damage can be controlled. First...turn off system restore. It spreads virii faster than you can delete it.
Here's 2 programs I use for rootkits: rootkit revealer...been using that one for years. Won't fix anything, but it is great at telling you what is infected. The new one I found is "gmer". It kicks, tells you tons of info. Haven't been rooted since so I don't know if it can see a rootkit, but it sure does see everything running on my box.
What I like about avenger is it does it before bootup. I don't know if it's any good, haven't had anything to test it on yet.

=============>
The hard part is even knowing what software to trust ... I looked at some reviews of GMER and they aren't good!
http://www.pcworld.com/downloads/file/fid,64192-order,2-page,11/fileTabs
wrote:

The hard part is even knowing what software to trust ... I looked at some reviews of GMER and they aren't good!
http://www.pcworld.com/downloads/file/fid,64192-order,2-page,11/fileTabs
There's only 2 reviews. One said it made their computer reboot...but then said it made their computer send an error message to microsoft. In my opinion the person has no credibility because they didn't even turn off error reporting, prolly the first thing people kill, and then told us about it..no shame. lol
The one I'm using is clean, but like I said, haven't been rooted so I don't know if it works.
However...rootkit revealer does work, I say that from experience.
Neat thing is after running rootkitrevealer I run gmer, and it says...warning rootkitreaveler.sys is in memory. So who knows what's going on. lol

=============>
To be fair the other detectors don't have a much better user review. I downloaded AVG Anti-Rootkit Free simply because I know that it's a real company, not a couple of guys somewhere in South America.
wrote:

To be fair the other detectors don't have a much better user review. I downloaded AVG Anti-Rootkit Free simply because I know that it's a real company, not a couple of guys somewhere in South America.
Problem is..the definition of rootkit is "you're fuxored". It's the worst of the worst. More like being hacked than virased. When I got it a while back, I had to fix it manually. First I printed out the list of files rootkit revealer made, then in safe mode went delete crazy. Had to break out the Windows CD and recopy all kinds of stuff back in. Being on service pack 2 really made it a pain. The last straw was when calc wouldn't even work.
My boring point is this: Rootkit revealer has the perfect name, it basically reveals if you have been rooted. Once rooted...copy what you care about and fdisk. There's no fixing it...you can band-aid it like I did, but all kinds of stuff was toast. explorer.exe was changed, iexplorer.exe calc.exe the list went on and on for 3 pages.
The only thing that let me get away with what I did was ntfs and having system restore turned off.
Too bad we can't go out and buy something that works. Seems nothing cleans with a system, they all seem to just run off a list of files and delete matches. The antivirus industry is in some sad shape. Real sad.
Proctologically Violated wrote:

http://www.antirootkit.com/articles/gromozo/The-strange-case-of-Dr-Rootkit-and-Mr-Adware.htm
> There is shit that apparently disables Avenger (mebbe the avenger virus?) as

There's a rather simple solution to most of this.
Don't run your computer with administrator / root privileges and 90% of these problems immediately go away.
--
Black Dragon

He: Am I... am I your first?

Yah...not so fun from a windowsxp box. But does stop lots of things. Definitely use the ntfs file system if on xp, things don't seem to be able to spread on their own.
vinny wrote:

Why not so fun? After software is installed and systems are configured there's no good reason to run with admin or root privileges no different than any Unix system.

Windows XP had sensible file system permissions by default from the get go as did later versions of Windows 2000. Took Microsoft long enough of course. They were only what, some 30 odd years behind in this regard?
--
Black Dragon

Hugh Hefner is a virgin.
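
Black Dragon's advice above, run with a standard account day to day, is easy to verify. The PowerShell script below is an added example and not part of the thread: it reports whether the current account belongs to the local Administrators group, whether this particular session is actually elevated, and who else is in the group. Get-LocalGroupMember is assumed to be available (Windows 10 / PowerShell 5.1 or later), with net.exe as the fallback on older systems; the Recommendation strings are my own.

```powershell
# Added example, not from the thread: check how the current session stands
# against the "don't run as administrator" advice. Read-only.

function Get-PrivilegeStatus {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $adminSid  = [Security.Principal.SecurityIdentifier]'S-1-5-32-544'   # BUILTIN\Administrators

    # IsInRole is true only when the admin group is enabled in the token, i.e. when
    # the session is elevated. A UAC-filtered admin token still lists the group
    # (marked deny-only), so Groups tells you whether the account itself is an admin.
    $elevated       = $principal.IsInRole($adminSid)
    $accountIsAdmin = $identity.Groups -contains $adminSid

    [pscustomobject]@{
        User            = $identity.Name
        AccountIsAdmin  = $accountIsAdmin
        SessionElevated = $elevated
        Recommendation  = if (-not $accountIsAdmin) { 'Good: standard user for daily use' }
                          elseif ($elevated)        { 'Running elevated: keep this to admin tasks only' }
                          else                      { 'Admin account, UAC-filtered: use a separate standard account for daily work' }
    }
}

function Get-LocalAdmins {
    try {
        # Windows 10+ / PowerShell 5.1+: structured output from the LocalAccounts module.
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            Select-Object Name, ObjectClass, PrincipalSource
    } catch {
        # Older Windows without that module: fall back to the classic net.exe listing.
        net localgroup Administrators
    }
}

Get-PrivilegeStatus | Format-List
Get-LocalAdmins | Format-Table -AutoSize
```

The point of the two separate flags is the XP-era complaint in the reply above: on a pre-UAC system an admin account is always elevated, whereas on Vista and later an admin account running under UAC is filtered until a prompt is accepted, which is better but still not the same as a standard account.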
wrote:

Vinny, great info! Where did you download it from? Just to make things interesting, there is a virus called avenger ...
lol I found it on a legit antivirus site. I think it was malwarebytes. It's been scanned by multiple proggys.
wrote:

Vinny, great info! Where did you download it from? Just to make things interesting, there is a virus called avenger ...
http://www.myantispyware.com/2008/08/27/how-to-remove-antivirus-xp-2008/
the same site Malwarebytes comes from. Been using it for months on the trial version.

Polytechforum.com is a website by engineers for engineers. It is not affiliated with any of manufacturers or vendors discussed here. All logos and trade names are the property of their respective owners.