
Group:  English: Windows XP » microsoft.public.windowsxp.security_admin
Thread: Is This a trojan horse?


Is This a trojan horse?
"Yogi Bear" <yogi[ at ]theearth.org> 12/25/2008 5:05:59 PM
Hi all,

I found there is an SSDT hook on the NtConnectPort function (0x1f) in my Windows XP SP2;
the function address was changed to 0x86xxxxxx (which changed after a reboot) and is
not within any module (RootkitRevealer and RkUnhooker show "unknown module filename").
Maybe it's a trojan horse?

sorry for my english and TIA


Re: Is This a trojan horse?
"Allan" <mu8ja0i[ at ]earthlink.net> 12/27/2008 12:39:11 AM

"Yogi Bear" <yogi[ at ]theearth.org> wrote in message
news:eKVHMMrZJHA.256[ at ]TK2MSFTNGP06.phx.gbl...
> Hi all,
>
> I found there is a ssdt hook to ntconnectport function (0x1f) in my windows xp sp2,
> the function address was changed to 0x86xxxxxx (which was changed after reboot) and
> not within any module(RootkitRevealer and RkUnhooker show "unknown module filename").
> maybe it's a trojan horse?
>
> sorry for my english and TIA

Try running F-Secure Rescue CD :
http://www.f-secure.com/linux-weblog/files/f-secure-rescue-cd-release-3.01-14505.zip .
It will scan for rootkits as well as virae. You need a USB stick to copy the
downloaded definitions which will be used after booting from the CD.

--
Allan

Re: Is This a trojan horse?
"David H. Lipman" <DLipman~nospam~[ at ]Verizon.Net> 12/27/2008 1:15:50 AM
From: "Allan" mu8ja0i[ at ]earthlink.net

| Try running F-Secure Rescue CD :
| http://www.f-secure.com/linux-weblog/files/f-secure-rescue-cd-release-3.01-14505.zip .
| It will scan for rootkits as well as virae. You need a USB stick to copy the
| downloaded definitions which will be used after booting from the CD.
|
| --
| Allan


No it won't. There is no such thing as; virae, viri, or virii.
The plural for virus is viruses.

http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-virus.html
http://linuxmafia.com/~rick/faq/plural-of-virus.html

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


Re: Is This a trojan horse?
"Yogi Bear" <yogi[ at ]theearth.org> 12/27/2008 8:43:12 AM

"Allan" <mu8ja0i[ at ]earthlink.net> wrote in message news:uL9MKu7ZJHA.5488[ at ]TK2MSFTNGP03.phx.gbl...
[Quoted Text]
> Try running F-Secure Rescue CD :
> http://www.f-secure.com/linux-weblog/files/f-secure-rescue-cd-release-3.01-14505.zip .
> It will scan for rootkits as well as virae. You need a USB stick to copy the
> downloaded definitions which will be used after booting from the CD.
>
> --
> Allan
>

Thank you.

But RootkitRevealer, RkUnhooker, F-Secure, NAV, KAV etc. do not identify the SSDT hook as a rootkit.
Maybe one of the Windows Update patches did it. Could you please check whether or not your Windows
has such an SSDT hook on the NtConnectPort function?

thank you again

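The check the original poster describes (an SSDT entry whose target address lies outside every loaded module, which RootkitRevealer reports as "unknown module filename") and the request in this post for others to look for the same hook come down to one comparison: each service table entry against the address ranges of the loaded kernel modules. The script below is an added example, not code from the thread or from any of the tools named in it. Its SSDT dump, module names, base addresses and sizes are all constructed for the example; only index 0x1f = NtConnectPort comes from the thread.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Module:
    """A loaded kernel module: image name, base address and image size."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module list. Bases and sizes are illustrative only; a real audit
# would take them from a live module enumeration or a memory image.
LOADED_MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    Module("hal.dll", 0x806E4000, 0x20000),
    Module("avfilter.sys", 0xF7A10000, 0x2C000),  # hypothetical AV filter driver
]

# Constructed SSDT dump in the form "index  name  address". Index 0x1f is
# NtConnectPort, as in the thread; every address here is made up.
SSDT_DUMP = """\
0x001e  NtCompleteConnectPort  0x805a1f2c
0x001f  NtConnectPort          0x86a1c3e0
0x0020  NtContinue             0x80540e8c
0x0025  NtCreateFile           0xf7a1b640
0x0035  NtCreateThread         0x805c4a10
"""


def parse_ssdt_dump(text: str):
    """Parse the constructed dump format into (index, name, address) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        index, name, addr = line.split()
        entries.append((int(index, 16), name, int(addr, 16)))
    return entries


def owning_module(addr: int, modules) -> Optional[Module]:
    """Return the module whose image range covers addr, or None if no module does."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def classify_entry(index, name, addr, modules, kernel="ntoskrnl.exe") -> dict:
    """Decide whether one service table entry points where it should.

    Entries inside the kernel image are expected; entries inside another
    module are hooks that can at least be attributed to a driver; entries
    inside no module at all are the "unknown module filename" case.
    """
    mod = owning_module(addr, modules)
    if mod is None:
        verdict = "HOOKED, target in no loaded module (unknown module filename)"
    elif mod.name == kernel:
        verdict = "ok, target inside the kernel image"
    else:
        verdict = f"HOOKED by {mod.name}, review whether that driver is expected"
    return {"index": index, "name": name, "address": addr,
            "module": mod.name if mod else None, "verdict": verdict}


def audit_ssdt(text, modules):
    """Classify every entry of a dump; returns one dict per entry, in order."""
    return [classify_entry(i, n, a, modules) for i, n, a in parse_ssdt_dump(text)]


def unattributed_hooks(text, modules):
    """Only the entries that no loaded module accounts for."""
    return [r for r in audit_ssdt(text, modules) if r["module"] is None]


if __name__ == "__main__":
    for r in audit_ssdt(SSDT_DUMP, LOADED_MODULES):
        print(f"0x{r['index']:04x} {r['name']:<22} 0x{r['address']:08x}  {r['verdict']}")
```

Two caveats the thread itself illustrates: an entry that points into a named driver is not automatically benign (an AV or firewall driver hooking NtConnectPort is common, and the thread's later discussion is about exactly that kind of attribution), and this table-level check says nothing about inline patches placed inside the kernel's own function bodies, which is why the poster's tools could agree the entry is hooked yet disagree on whether it is a rootkit.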

Re: Is This a trojan horse?
"David H. Lipman" <DLipman~nospam~[ at ]Verizon.Net> 12/27/2008 12:28:54 PM
From: "Yogi Bear" <yogi[ at ]theearth.org>


| Thank you.

| but RootkitRevealer, RkUnhooker, f-secure, NAV, KAV etc. donot identify the ssdt hook
| as a rootkit.
| maybe one of windows update patch did it. could you please check your windows whether
| or not exists
| such as a ssdt hook to ntconnectport function?

| thank you again

http://www.avertlabs.com/research/blog/index.php/2007/05/04/a-new-rootkid-on-the-block/

Please try Gmer.
http://www.gmer.net/index.php

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


Re: Is This a trojan horse?
"David H. Lipman" <DLipman~nospam~[ at ]Verizon.Net> 12/27/2008 3:23:07 PM
From: "Yogi Bear" <yogi[ at ]theearth.org>

| Thank you.

| but RootkitRevealer, RkUnhooker, f-secure, NAV, KAV etc. donot identify the ssdt hook
| as a rootkit.
| maybe one of windows update patch did it. could you please check your windows whether
| or not exists
| such as a ssdt hook to ntconnectport function?

| thank you again

After I contacted Gmer, Gmer pointed out the following URL...
http://www.gmer.net/rootkits.php

Specifically at the end of the page find the example; "RioDrvs.sys".


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


Re: Is This a trojan horse?
"Yogi Bear" <yogi[ at ]theearth.org> 12/28/2008 7:15:54 AM

"David H. Lipman" <DLipman~nospam~[ at ]Verizon.Net> wrote in message news:%23gMUGcDaJHA.4852[ at ]TK2MSFTNGP04.phx.gbl...
[Quoted Text]
> From: "Yogi Bear" <yogi[ at ]theearth.org>
>
> | Thank you.
>
> | but RootkitRevealer, RkUnhooker, f-secure, NAV, KAV etc. donot identify the ssdt hook
> | as a rootkit.
> | maybe one of windows update patch did it. could you please check your windows whether
> | or not exists
> | such as a ssdt hook to ntconnectport function?
>
> | thank you again
>
> After I contacted Gmer, Gmer pointed out the following URL...
> http://www.gmer.net/rootkits.php
>
> Specifically at the end of the page find the example; "RioDrvs.sys".
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>

Thank you, the information is great.
There is a linkinfo.dll in \WINDOWS\system32\; its file description is "Windows Volume Tracking".
But there isn't a RioDrvs.sys in \WINDOWS\system32\drivers\; there are two files, rio8drv.sys and riodrv.sys,
whose file descriptions are both "S3/Diamond Multimedia Systems".
Specifically, gmer didn't report linkinfo.dll as a rootkit.
I'm confused. :(

Re: Is This a trojan horse?
"David H. Lipman" <DLipman~nospam~[ at ]Verizon.Net> 12/28/2008 12:40:44 PM
From: "Yogi Bear" <yogi[ at ]theearth.org>


| Thank you, the information is great.
| There is a linkinfo.dll in \WINDOWS\system32\, file description is "Windows Volume
| Tracking"
| but there isn't a RioDrvs.sys in \WINDOWS\system32\drivers\, there are two files
| rio8drv.sys and riodrv.sys
| which file description both are "S3/Diamond Multimedia Systems".
| Specifically gmer didn't report linkinfo.dll as a rootkit.
| I'm confused. :(

The McAfee Blog URL was only an example based upon your query. It wasn't to suggest you
had the Trojan mentioned in it.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

