
Weird numeral services keep coming back



#1 dnq32


Posted 08 April 2018 - 05:39 PM

So, I basically have got same problem like this guy: https://www.bleepingcomputer.com/forums/t/669697/tdss-killer-found-suspicious-hidden-service/

Every reboot, 2 services keep coming back upon deletion with a different number sequence. Even a system format didn't work. For some reason the number is every time different in TDSS than in PowerTool. Please, I really need help, I've been trying to delete this for the last week.

https://i.imgur.com/St2QwUw.png



#2 quietman7

Posted 08 April 2018 - 08:25 PM

Not all rootkits/hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. Most ARK tools check for rootkit-like behavior, which is not always indicative of a malware infection. It is normal for a Firewall, anti-virus and anti-malware software, CD Emulators, virtual machines, sandboxes and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

If you are using a CD Emulator (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) be aware they use hidden drivers (.sys files) with rootkit-like techniques to hide from other applications. When dealing with a malware infection, CD Emulators can interfere with investigative tools, producing misleading or inaccurate scan results, false detection of legitimate files, unexpected crashes, BSODs, and general 'dross' which often makes it hard to differentiate between malicious rootkits and the legitimate drivers used by CD Emulators.

CD Emulators typically utilize system drivers with names consisting of random alpha-numeric characters which can change after rebooting the computer. Other legitimate programs may use system drivers with names consisting only of random numerical characters which too can change after reboot.

Usually when a computer is infected with malware there most likely will be obvious indications (signs of infection and malware symptoms) that something is wrong.

If you want a more comprehensive look at your system for possible malware by our experts, there are advanced tools which can be used to investigate but they are not permitted in this forum. Please follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. If HelpBot replies to your topic, please follow Step One and CLICK the link so it will report your topic to the team members.

If you choose to post a log, please reply back in this thread with a link to the new topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
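A triage helper for the purely numeric service names the original post describes, added here as an example; it is not part of the thread and not code from TDSSKiller, PowerTool or any vendor mentioned above. It assumes a standard Windows layout and that the entries are visible from user mode (a real rootkit may hide them, which is exactly why the ARK tools and the Malware Response Team exist); it reports where each numeric-named entry's binary lives and who signed it, so a signed CD-emulator or security-vendor driver can be told apart from an unsigned or missing one.

```powershell
# Added triage helper (not from the thread). Run from an elevated PowerShell prompt.
# Lists service/driver registry entries whose names are purely numeric and shows the
# resolved binary path and Authenticode signer for each, for comparison against the
# ARK tool's findings. Pattern is an assumption matching the post (e.g. "^\d+$").
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$namePattern = '^\d+$'

function Resolve-ImagePath {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    # Strip quotes and arguments, e.g. "C:\dir\svc.exe" -k netsvcs
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 0) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } else {
        $p = ($p -split ' ')[0]
    }
    # Driver paths are often written as \??\C:\..., \SystemRoot\..., or system32\drivers\x.sys
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-NumericServiceReport {
    Get-ChildItem $svcRoot |
        Where-Object { $_.PSChildName -match $namePattern } |
        ForEach-Object {
            $props  = Get-ItemProperty $_.PSPath
            $file   = Resolve-ImagePath $props.ImagePath
            $exists = [bool]($file -and (Test-Path -LiteralPath $file))
            $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $file } else { $null }
            [PSCustomObject]@{
                Name      = $_.PSChildName
                Type      = $props.Type    # 1 = kernel driver, 16/32 = Win32 service
                Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                ImagePath = $file
                Exists    = $exists
                SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            }
        }
}

Get-NumericServiceReport | Format-Table -AutoSize
```

An entry whose binary does not exist on disk, or exists but has SigStatus other than Valid, is the one to include in the logs you post in the removal forum; a Valid signature from a CD-emulator or security vendor is the benign case quietman7 describes.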
