
Thread: Rootkit.Win32.TDSS.eyj


  1. #1
    louis_m (Guest)

    Rootkit.Win32.TDSS.eyj

    I keyed in the address to go to the ticketmaster.com website on Friday, and immediately after hitting enter a blank PDF file popped up in the background.
    I got an alert from ZoneAlarm telling me that it tried to fix a file and couldn't, so it quarantined it.
    It said the file was infected with Rootkit.Win32.TDSS.eyj.
    The path of the file was for a file in my Temporary Internet Files folder, so I know it wasn't an existing file, because I always clear my cached files at least 2 or 3 times a day.

    I ran a complete virus/spyware scan and nothing was found (although I was not in safe mode).
    My question is... Do I need to be worried about being infected, or did ZoneAlarm catch everything before any damage was done?

    ZoneAlarm Internet Security Suite version 7.0.483.000
    Windows XP Pro - Service Pack 2

  2. #2
    Join Date: Dec 2005
    Posts: 9,057

    Re: Rootkit.Win32.TDSS.eyj


    Louis_M wrote:
    > I keyed in the address to go to the ticketmaster.com website on Friday, and immediately after hitting enter a blank PDF file popped up in the background.
    > I got an alert from ZoneAlarm telling me that it tried to fix a file and couldn't, so it quarantined it.
    > It said the file was infected with Rootkit.Win32.TDSS.eyj.
    > The path of the file was for a file in my Temporary Internet Files folder, so I know it wasn't an existing file, because I always clear my cached files at least 2 or 3 times a day.
    >
    > I ran a complete virus/spyware scan and nothing was found (although I was not in safe mode).
    > My question is... Do I need to be worried about being infected, or did ZoneAlarm catch everything before any damage was done?
    >
    > ZoneAlarm Internet Security Suite version 7.0.483.000
    > Windows XP Pro - Service Pack 2

    See http://forums.zonealarm.org/zonelabs...essage.id=5372, so this could be a false positive.

    But the opening of a blank PDF does point to some JavaScript exploit of the PDF reader within the browser, and a possible infection by a buffer overflow exploit of the reader via some rogue JavaScript.

    Oldsod.
    Best regards.
    oldsod

  3. #3
    louis_m (Guest)

    Re: Rootkit.Win32.TDSS.eyj

    I'm not really computer savvy, so are you saying that if this is not a false positive, my computer could still be infected even though ZoneAlarm quarantined the file?
    In the thread you pointed me to, MBAM is mentioned.
    I read some other threads and downloaded that software.
    When I installed it, I got an alert from ZoneAlarm about it wanting to set a registry setting so it would always run at startup.
    I canceled the install.
    Should I have allowed that and let it continue?
    Will this software tell me if my computer is infected and fix it?
    Thanks for your help.

  4. #4
    Join Date: Dec 2005
    Posts: 9,057

    Re: Rootkit.Win32.TDSS.eyj


    Louis_M wrote:
    > I'm not really computer savvy, so are you saying that if this is not a false positive, my computer could still be infected even though ZoneAlarm quarantined the file?
    > In the thread you pointed me to, MBAM is mentioned.
    > I read some other threads and downloaded that software.
    > When I installed it, I got an alert from ZoneAlarm about it wanting to set a registry setting so it would always run at startup.
    > I canceled the install.
    > Should I have allowed that and let it continue?
    > Will this software tell me if my computer is infected and fix it?
    > Thanks for your help.


    Yes, ZA nailed the one malware, but there is a strong chance there were maybe two malwares working at the same time (and maybe not).

    Yes, you should allow MBAM to be entered into the registry by the ZA controls - probably a startup or run entry for the main executable was being initialized, or maybe a new service entry for the MBAM scanner.
    Allow it and any others for MBAM, and then use the MBAM scanner to see if there is anything missed by ZA.

    Oldsod.
    Best regards.
    oldsod

  5. #5
    naivemelody (Guest)

    Re: Beware of PDF - new Adobe on the way

    There is a new Adobe version to fix a 'vulnerability.' This may be it?? Click here > http://www.pcworld.com/businesscente...y_january.html
    When you read this link, look to the 'right' at the "People who read this also read:" articles.

    Click here > http://forums.zonelabs.org/zonelabs/...ssage.id=19800
    - thanks to avon - for the latest on Adobe (how does he do it)

    Message Edited by NaiveMelody on 02-24-2009 12:33 AM

  6. #6
    Join Date: Dec 2005
    Posts: 9,057

    Re: Beware of PDF - new Adobe on the way


    NaiveMelody wrote:
    > There is a new Adobe version to fix a 'vulnerability.' This may be it?? Click here > http://www.pcworld.com/businesscente...y_january.html
    > Click here > http://forums.zonelabs.org/zonelabs/...ssage.id=19800
    > - thanks to avon - for the latest on Adobe (how does he do it)


    The Adobe Reader exploit can be avoided or skirted by disabling JavaScript in Adobe's settings.

    See http://www.shadowserver.org/wiki/pmw...endar.20090219

    and formerly and previously...

    "Usually the rogue .pdf exploit works by rogue JavaScript found in the .pdf, which basically is a buffer overflow; it then crashes the .pdf reader and is then able to exploit the reader in memory and then infect Windows. This is why I mentioned to make sure the Adobe Reader is fully updated and the JavaScript inside of its Preferences is disabled. This will help to circumvent these types of exploits from .pdf files."

    excerpted from the post in http://forum.zonelabs.org/zonelabs/b...ssage.id=31826

    Oldsod.
    Best regards.
    oldsod

  7. #7
    snagglegrain (Guest)

    Re: Beware of PDF - new Adobe on the way

    FWIW, I finally got fed up with Adobe Acrobat Reader 9.0 yesterday and uninstalled it, opting instead for PDF XChange.
    I disabled JavaScript in this program as well, to be safe.
    I was having runtime errors with Adobe, and it had become a headache to deal with.
    So far I am quite excited about PDF XChange.
    And the runtime errors went away, magically, of course.

  8. #8
    riceorony (Guest)

    Re: Beware of PDF - new Adobe on the way

    Naivemelody,

    This was the attack I was referring to in my previous post,

    http://forums.zonelabs.com/zonelabs/...d=55077#M55077

    about the rotating ads on some sites hijacking your browser to open a "blank" PDF file.

    I hope the fix is released soon.

    Otherwise, I have basically disabled JavaScript ever since it happened.

  9. #9
    louis_m (Guest)

    Re: Rootkit.Win32.TDSS.eyj


    I installed the malware software and let it check for updates.

    I unplugged my modem and rebooted in safe mode with networking.

    The malware software said it found a trojan in my hosts file.
    That was the only thing it found.

    I told it to delete it.
    That file had a 2002 modified date on it.
    So now, more questions:

    Could it have actually been there since 2002?

    Do you have any idea as to why ZoneAlarm never flagged it?

    Do you think I am secure now?

    And one more question about sending the file to be checked for a false positive:

    The file that was quarantined had an extension of .exe.
    So if I restore it from ZoneAlarm, will it try to actually execute it, or will it just copy it?

  10. #10
    Join Date: Dec 2005
    Posts: 9,057

    Re: Rootkit.Win32.TDSS.eyj


    Louis_M wrote:
    > I installed the malware software and let it check for updates.
    >
    > I unplugged my modem and rebooted in safe mode with networking.
    >
    > The malware software said it found a trojan in my hosts file.
    > That was the only thing it found.
    >
    > I told it to delete it.
    > That file had a 2002 modified date on it.
    > So now, more questions:
    >
    > Could it have actually been there since 2002?
    >
    > Do you have any idea as to why ZoneAlarm never flagged it?
    >
    > Do you think I am secure now?
    >
    > And one more question about sending the file to be checked for a false positive:
    >
    > The file that was quarantined had an extension of .exe.
    > So if I restore it from ZoneAlarm, will it try to actually execute it, or will it just copy it?



    Can't really comment on the hosts file entry - it could be a false positive or false detection, as some antispyware scanners will detect even the safe '127.0.0.1 malware.example.com' entries as being malicious and needing to be removed. The antispyware scanners are not really perfect or the best, contrary to what people think or believe.
    You should have the hosts file locked by the ZoneAlarm firewall, thus eliminating any chance for malware to stick in their bad sites.

    Without knowing what the URL is in the hosts file, I really cannot comment about detections or possible threats. Just vague guessing at it does not help - I need to know the actual address involved.

    If the file is .exe and is restored, will it execute?
    Depends.
    If the file was attached to the operating system or was part of the operating system, and by how or which means. Or if the file is just something that attempted to install and get registered by its own influences.
    Still, without knowing what the actual file was (not the scanner detection labels) and where the file was located on the drive, I really cannot comment too much about your question.

    Oldsod.
    Best regards.
    oldsod
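A small hosts-file triage check for the point oldsod makes above, added here as an example (it is not code from the thread, from ZoneAlarm or from MBAM): it separates blocklist-style entries that sink a name to the local machine, which scanners sometimes flag in error, from entries that redirect a name to some other address, which is the shape a malicious hosts edit takes. The hosts content is constructed sample data, with TEST-NET addresses standing in for the "other" addresses.

```python
import ipaddress

# Constructed sample of a Windows hosts file (not from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Blocklist-style entries: traffic to the name is sunk to the local machine.
127.0.0.1       malware.example.com
0.0.0.0         ads.example.net
# Redirects: a name silently sent to a foreign address (TEST-NET stand-ins).
203.0.113.45    www.example.com   # trailing comment is ignored by the parser
198.51.100.7    update.example.org
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        for name in parts[1:]:  # one address may carry several names
            yield ip, name.lower()


def classify_hosts(text):
    """Sort entries into 'sinkhole' (loopback/unspecified target, the benign
    blocklist pattern), 'redirect' (any other target, worth a closer look)
    and 'invalid' (address field that does not parse)."""
    result = {"sinkhole": [], "redirect": [], "invalid": []}
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            result["invalid"].append((ip, name))
            continue
        if addr.is_loopback or addr.is_unspecified:
            result["sinkhole"].append((ip, name))
        else:
            result["redirect"].append((ip, name))
    return result


if __name__ == "__main__":
    for kind, entries in classify_hosts(SAMPLE_HOSTS).items():
        print(kind, entries)
```

On a real machine the same function can be pointed at the contents of %SystemRoot%\System32\drivers\etc\hosts; only the 'redirect' bucket needs a human to decide whether each target address is legitimate.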
