TDSS Killer found suspicious hidden service.

#1 RichardPacino
Posted 01 February 2018 - 01:17 AM

Hello Bleeping Computer team,


I was running a few scans on my computer and all but Kaspersky TDSS Killer came clean. I ran TDSS Killer a couple of times and both times it found a suspicious hidden service, although each time it was a different detection. Both of them consist only of numbers followed by .sys. Although I have checked "show hidden items", I can't find the files with File Explorer or upload them to VirusTotal. I put them in quarantine. Below I attached two files from quarantine and the TDSS Killer scan report.


Are those files FP or do I have a rootkit?


Thank you for your help.


[InfectedObject]
Type: Service
Name: 16548239
Type: File system driver (0x2)
Start: Boot (0x0)
ImagePath: system32\drivers\36143059.sys
Suspicious states: Hidden service; 
 
[InfectedObject]
Type: Service
Name: 71294312
Type: File system driver (0x2)
Start: Boot (0x0)
ImagePath: system32\drivers\47654382.sys
Suspicious states: Hidden service; 



#2 quietman7
    Bleepin' Janitor
Posted 08 April 2018 - 08:29 PM

Sorry your topic was overlooked.

Not all rootkits/hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. Most ARK tools check for rootkit-like behavior which is not always indicative of a malware infection. It is normal for a Firewall, anti-virus and anti-malware software, CD Emulators, virtual machines, sandboxes and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

If you are using a CD Emulator (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) be aware they use hidden drivers (.sys files) with rootkit-like techniques to hide from other applications. When dealing with a malware infection, CD Emulators can interfere with investigative tools producing misleading or inaccurate scan results, false detection of legitimate files, cause unexpected crashes, BSODs, and general 'dross' which often makes it hard to differentiate between malicious rootkits and the legitimate drivers used by CD Emulators.

CD Emulators typically utilize system drivers with names consisting of random alpha-numeric characters which can change after rebooting the computer. Other legitimate programs may use system drivers with names consisting only of random numerical characters which too can change after reboot.

Usually when a computer is infected with malware there most likely will be obvious indications (signs of infection and malware symptoms) that something is wrong.

If you want a more comprehensive look at your system for possible malware by our experts, there are advanced tools which can be used to investigate but they are not permitted in this forum. Please follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. If HelpBot replies to your topic, please follow Step One and CLICK the link so it will report your topic to the team members.

If you choose to post a log, please reply back in this thread with a link to the new topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
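A small triage helper for report excerpts like the one in the first post, added here as an example and not part of the thread or of TDSSKiller: it parses the [InfectedObject] blocks and lists the observations that, as the reply above explains, do not by themselves prove an infection. The `exists` hook and the `C:\Windows` base path are assumptions so it can run offline against the constructed sample.

```python
import os
import re

# Constructed sample in the layout TDSSKiller uses for its report; the values
# reproduce the two entries quoted in the first post.
SAMPLE_REPORT = r"""[InfectedObject]
Type: Service
Name: 16548239
Type: File system driver (0x2)
Start: Boot (0x0)
ImagePath: system32\drivers\36143059.sys
Suspicious states: Hidden service;

[InfectedObject]
Type: Service
Name: 71294312
Type: File system driver (0x2)
Start: Boot (0x0)
ImagePath: system32\drivers\47654382.sys
Suspicious states: Hidden service;
"""

def parse_report(text):
    """Return one dict per [InfectedObject] block of a TDSSKiller-style report."""
    objects = []
    for block in re.split(r"^\[InfectedObject\]\s*$", text, flags=re.M)[1:]:
        entry = {"states": []}
        for line in block.strip().splitlines():
            key, _, value = (p.strip() for p in line.partition(":"))
            if key == "Type" and "Type" in entry:
                key = "DriverType"  # the second "Type:" line is the driver kind
            if key == "Suspicious states":
                entry["states"] = [s.strip() for s in value.split(";") if s.strip()]
            else:
                entry[key] = value
        objects.append(entry)
    return objects

def triage(entry, exists=os.path.exists, windir=r"C:\Windows"):
    """Observations to record for one entry; none of them proves malware on its own."""
    notes = []
    name, image = entry.get("Name", ""), entry.get("ImagePath", "")
    stem = os.path.splitext(os.path.basename(image.replace("\\", "/")))[0]
    if name.isdigit():
        notes.append("numeric-only service name (also used by some legitimate software)")
    if stem.isdigit() and stem != name:
        notes.append("driver file name is numeric too and differs from the service name")
    if "Hidden service" in entry["states"]:
        notes.append("service hidden from the normal service listing")
    if image and not exists(os.path.join(windir, image)):  # paths are relative to Windows
        notes.append("image path not visible on disk (hidden, or already quarantined)")
    return notes
```

Run it against a real report by reading the file into `parse_report` and calling `triage` on each entry from a Windows machine, where `os.path.exists` is used as-is.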

#3 RichardPacino
Posted 09 April 2018 - 07:53 PM

Bleepin' Janitor, thank you for your thorough reply. I do not have any obvious symptoms of infection but I do have a few pieces of security software on my laptop so I assume one of them is causing this FP.

#4 quietman7
Posted 10 April 2018 - 06:48 AM

No way to confirm without further investigation.