
Help create a list of common fake hidden devices


4 replies to this topic

#1 jerger


  • Members
  • 16 posts

Posted 09 November 2009 - 12:44 PM

I'd like to start keeping a tally on these; if anyone else has ideas, please share! Often hidden devices and services block Malwarebytes and other .exe tools like HijackThis.

example:
Please begin by clicking Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices
• Scroll down to Non-plug and Play Drivers and click the plus icon to open those drivers.
• Then search for TDSSserv.sys
• Others: legacy_gaopdxserv.sys, legacy_msqpdxserv.sys
• Let us know if you find this or not.
• If you do find it, right click on it, and select Disable. Do not try to uninstall it.
• Also if TDSSserv.sys is found and you disable it, then you must reboot immediately.
• After reboot continue on with other cleaning instructions you may have been having problems running.

My list so far from various posts and experiences:
• Then search for TDSSserv.sys
• Others: legacy_gaopdxserv.sys, legacy_msqpdxserv.sys
• tdss(other random characters) - variant of tdssserv.sys
• uac(other random characters) - I have seen this on WinXP machines, which is a red flag.
• SKYNET(other random characters)
• ab56sy26 (or similar 8-character random name)
• dda7731a
• kbiwkmqowtskqw
• UACrgwrubqhol


Goodlist?
1394 ARP Client Protocol, AFD, ASCTRM, ASPI32, Bepp, dmboot, dmload, EABFiltr, Fips, Generic Packet Classifier, HTTP, IP Network Address Translator, IPSEC driver, ksecdd, MBAMSwissArmy, mdmxsdk, mnmdd, mountmgr, NDIS System Driver, NDIS Usermode I/O Protocol, NDProxy, NetBios over Tcpip, Null, Parport, PartMgr, ParVdm, RDPCDD, Remote Access Auto Connection Driver, Remote Access IP ARP Driver, Remote Access NDIS TAPI Driver, SBRE, Secdrv, Serial, sptd, Symantec Eraser Control Driver, TCP/IP Protocol Driver, VgaSave, VolSnap, Windows Driver Foundation, Windows Socket 2.0

Edited by jerger, 10 November 2009 - 12:26 AM.

for what it's worth
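As an added triage script (not jerger's, and not from BleepingComputer), the following PowerShell lists kernel/non-PnP driver entries whose service names match the patterns collected in the post above, and additionally flags entries whose driver image cannot be found on disk. The exact names and the tdss/uac/SKYNET prefixes come from the post; the random-name heuristic, the `Resolve-DriverPath` helper and the image-on-disk check are assumptions of this example. Run it from an elevated PowerShell 3+ prompt.

```powershell
# Added triage script (not from the thread): flag driver entries matching the thread's naming patterns.
# Win32_SystemDriver covers the same kernel/non-PnP drivers Device Manager shows under "Show Hidden Devices".

$knownBadPatterns = @(
    '^tdssserv$', '^legacy_gaopdxserv$', '^legacy_msqpdxserv$',   # exact names from the thread
    '^tdss', '^uac', '^skynet'                                      # "tdss/uac/SKYNET + random characters"
)

function Resolve-DriverPath {
    # Normalise the forms Win32_SystemDriver.PathName uses so Test-Path can check them (assumption).
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''               # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot      # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }   # relative system32\drivers\x.sys
    return $p
}

function Test-RandomName {
    # Heuristic (assumption): 8+ lowercase alphanumerics that contain digits or have few vowels,
    # e.g. dda7731a, ab56sy26, kbiwkmqowtskqw. Expect false positives (e.g. i8042prt); review against a clean baseline.
    param([string]$Name)
    if ($Name -cnotmatch '^[a-z0-9]{8,}$') { return $false }
    if ($Name -match '[0-9]') { return $true }
    $vowels = ([regex]::Matches($Name, '[aeiou]')).Count
    return ($vowels / $Name.Length) -lt 0.2
}

function Get-SuspectDriver {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $name = $_.Name
        $reasons = @()
        foreach ($pattern in $knownBadPatterns) {
            if ($name -imatch $pattern) { $reasons += "matches $pattern" }
        }
        if (Test-RandomName $name) { $reasons += 'random-looking name' }
        # An entry whose image cannot be found on disk deserves a look: hidden or deleted rootkit files are a common cause.
        $path = Resolve-DriverPath $_.PathName
        if ($path -and -not (Test-Path -LiteralPath $path)) { $reasons += "image not found: $path" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name = $name; State = $_.State; StartMode = $_.StartMode
                Path = $path; Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspectDriver | Sort-Object Name | Format-Table -AutoSize
```

A rootkit that hooks enumeration can hide its entry from this query just as it hides from Device Manager, so an empty result is not a clean bill of health; treat hits as leads to confirm with an offline scan or a dedicated anti-rootkit tool.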


#2 jerger

  • Topic Starter

  • Members
  • 16 posts

Posted 10 November 2009 - 05:21 PM

Is it common for the fake ones to have a yellow flag / issue flag next to them?

Also, is it a good idea to create a whitelist/goodlist, or will that lead to more issues (viruses using legit names)?


Added:
"serial" to the bad list
for what it's worth

#3 jerger

  • Topic Starter

  • Members
  • 16 posts

Posted 12 November 2009 - 11:32 AM

Sorry, I cannot edit my posts.

Anyone else seeing "serial" on Koobface machines?
for what it's worth

#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 12 November 2009 - 04:31 PM

Hello jerger.

Although the older TDSS variants could be disabled using the Device Manager, I believe the newer ones have the disable option... disabled.

I don't feel that such a list in public will be very beneficial, as specific methods are required to remove rootkits.

However, thanks for the efforts.

With Regards,
The Panda

#5 jerger

  • Topic Starter

  • Members
  • 16 posts

Posted 12 November 2009 - 05:54 PM

Yikes!!!

Thanks, Panda.
for what it's worth
