09-13-2008, 03:38 AM   #6
jkyprodigy
Bronze Member
Join Date: Sep 2007
Location: Cal Poly San Luis Obispo
Age: 21
Posts: 28
i killed it

For all those interested, I finally got the bugger.

ComboFix was not living up to its reputation. Rather than helping (not that I honestly know what it was supposed to do), Rootkit would produce an angry message saying "Evidence of rootkit activity. Must restart" and an "OK" button, which deceptively gave me the idea that I had a choice in the matter. This was followed by my motherboard screaming for mercy and the saddest harmony in the world (my fan and my hard disk drive abruptly powering down).

After a little bit of crying and some help from the Google web crawlers, I happened upon an obscure forum that taught me how to use RootkitRevealer. This divine set of binaries told me this in a modest Notepad file:

HKLM\SECURITY\Policy\Secrets\SAC* 8/17/2005 2:14 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/17/2005 2:14 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\MSSQLServer\uptime_time_utc 9/3/2008 7:33 PM 8 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata 9/3/2008 6:00 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\tdss 9/3/2008 6:15 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys 8/20/2008 9:27 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys 8/20/2008 9:27 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 6/12/2007 8:30 PM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet001\Services\tdssserv 9/3/2008 7:08 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\tdssserv.sys 8/20/2008 9:27 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Network\tdssserv.sys 8/20/2008 9:27 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\tdssserv 9/3/2008 7:08 PM 0 bytes Hidden from Windows API.

tdssserv.sys was the problem. It had been hiding, all cloak-and-dagger-like, from my registry.
After some tears of joy and more help from the Google web crawlers, I came upon my solution: Malwarebytes' Anti-Malware. First hit, home run.

So to summarize:
Symptoms:
changed desktop
lack of tabs in system properties
redirected hyperlinks
antiviruses couldn't be updated
Diagnosis:
tdssserv.sys
Treatment:
Malwarebytes' Anti-Malware (Free Trial)
__________________
First build
Vista
AMD 3.2 Ghz x2 6400 Windsor
2x G.Skill 1 GB PC 800
ASUS M2-SLI Delux
ATI RADEON X850 XT - just died
(2) 250 GB & 500GB Western Digital
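An added example, not part of the post above and not Sysinternals code: a small Python parser for the RootkitRevealer listing the poster pasted. It splits each discrepancy line into path, timestamp, size and description, classifies the description, and then pulls out the part that actually explains the infection: a service key hidden from the Windows API that also has hidden SafeBoot\Minimal and SafeBoot\Network entries, which is what lets a driver keep loading in Safe Mode. The sample lines are constructed from the listing above; the function and field names are the example's own.

```python
"""Parse a RootkitRevealer discrepancy listing and pick out hidden keys and
drivers that register a service plus SafeBoot entries (Safe Mode survival).

Added example built around the listing posted above; sample input is
constructed from that post, not captured by this script.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: one RootkitRevealer discrepancy per line.
SAMPLE_LOG = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 8/17/2005 2:14 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/17/2005 2:14 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.2\MSSQLServer\uptime_time_utc 9/3/2008 7:33 PM 8 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata 9/3/2008 6:00 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\tdss 9/3/2008 6:15 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys 8/20/2008 9:27 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys 8/20/2008 9:27 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 6/12/2007 8:30 PM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet001\Services\tdssserv 9/3/2008 7:08 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\tdssserv.sys 8/20/2008 9:27 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Network\tdssserv.sys 8/20/2008 9:27 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\tdssserv 9/3/2008 7:08 PM 0 bytes Hidden from Windows API.
"""

# Path may contain spaces, so it is matched non-greedily up to the timestamp.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d+) bytes\s+"
    r"(?P<desc>.+)$"
)
SERVICE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(ControlSet\d+|CurrentControlSet)\\Services\\([^\\]+)$", re.I)
SAFEBOOT_RE = re.compile(
    r"^HKLM\\SYSTEM\\(ControlSet\d+|CurrentControlSet)\\Control\\SafeBoot\\"
    r"(Minimal|Network)\\([^\\]+)$", re.I)


@dataclass
class Entry:
    path: str
    stamp: datetime
    size: int
    desc: str
    kind: str


def classify(desc: str) -> str:
    """Map RootkitRevealer's description text to a short discrepancy kind."""
    d = desc.lower()
    if d.startswith("hidden from windows api"):
        return "hidden"
    if d.startswith("data mismatch"):
        return "mismatch"
    if d.startswith("access is denied"):
        return "denied"
    if "embedded nulls" in d:
        # Sysinternals documents the SAC*/SAI* names under
        # HKLM\SECURITY\Policy\Secrets as a normal Windows artifact.
        return "embedded_nulls"
    return "other"


def parse(text: str) -> list:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        entries.append(Entry(
            path=m["path"],
            stamp=datetime.strptime(m["stamp"], "%m/%d/%Y %I:%M %p"),
            size=int(m["size"]),
            desc=m["desc"],
            kind=classify(m["desc"]),
        ))
    return entries


def _driver_name(leaf: str) -> str:
    # SafeBoot entries are keyed by driver file ("tdssserv.sys") while the
    # service key uses the service name ("tdssserv"); normalise to compare.
    leaf = leaf.lower()
    return leaf[:-4] if leaf.endswith(".sys") else leaf


def persistent_drivers(entries: list) -> dict:
    """Hidden service keys, with the SafeBoot modes and control sets they appear in."""
    found = {}

    def rec(name):
        return found.setdefault(
            name, {"service_hidden": False, "safeboot": set(), "control_sets": set()})

    for e in entries:
        if e.kind != "hidden":
            continue
        m = SERVICE_RE.match(e.path)
        if m:
            r = rec(_driver_name(m[2]))
            r["service_hidden"] = True
            r["control_sets"].add(m[1])
            continue
        m = SAFEBOOT_RE.match(e.path)
        if m:
            r = rec(_driver_name(m[3]))
            r["safeboot"].add(m[2])
            r["control_sets"].add(m[1])
    return found


def summarize(text: str) -> dict:
    entries = parse(text)
    return {
        "counts": dict(Counter(e.kind for e in entries)),
        "hidden_paths": [e.path for e in entries if e.kind == "hidden"],
        "drivers": persistent_drivers(entries),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("discrepancies by kind:", s["counts"])
    for name, info in s["drivers"].items():
        print(f"{name}: service hidden={info['service_hidden']}, "
              f"SafeBoot={sorted(info['safeboot'])}, "
              f"control sets={sorted(info['control_sets'])}")
```

Running it on the constructed listing reports one driver, tdssserv, with its service key hidden in both control sets and SafeBoot entries for both Minimal and Network, while the SQL Server uptime value (a "Data mismatch", which changes between the API and raw reads simply because it is rewritten often) and the LSA Secrets names are counted but not treated as the rootkit's footprint.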