Is This a trojan horse?

Yogi Bear

Hi all,

I found there is an SSDT hook on the NtConnectPort function (0x1f) in my Windows XP SP2;
the function address was changed to 0x86xxxxxx (which changed after reboot) and is
not within any module (RootkitRevealer and RkUnhooker show "unknown module filename").
Maybe it's a trojan horse?

Sorry for my English, and TIA.
 
Allan

Yogi Bear said:
Hi all,

I found there is an SSDT hook on the NtConnectPort function (0x1f) in my Windows XP SP2;
the function address was changed to 0x86xxxxxx (which changed after reboot) and is
not within any module (RootkitRevealer and RkUnhooker show "unknown module filename").
Maybe it's a trojan horse?

Sorry for my English, and TIA.

Try running the F-Secure Rescue CD:
http://www.f-secure.com/linux-weblog/files/f-secure-rescue-cd-release-3.01-14505.zip
It will scan for rootkits as well as virae. You need a USB stick to copy the
downloaded definitions, which will be used after booting from the CD.
 
David H. Lipman

From: "Allan" (e-mail address removed)



| Try running F-Secure Rescue CD :
|
| http://www.f-secure.com/linux-weblog/files/f-secure-rescue-cd-release-3.01-14505.zip .
|
| It will scan for rootkits as well as virae. You need a USB stick to copy the
|
| downloaded definitions which will be used after booting from the CD.

| --
| Allan


No it won't. There is no such thing as virae, viri, or virii.
The plural of virus is viruses.

http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-virus.html
http://linuxmafia.com/~rick/faq/plural-of-virus.html
 
Yogi Bear

Allan said:
Try running F-Secure Rescue CD :
http://www.f-secure.com/linux-weblog/files/f-secure-rescue-cd-release-3.01-14505.zip .
It will scan for rootkits as well as virae. You need a USB stick to copy the
downloaded definitions which will be used after booting from the CD.

Thank you.

But RootkitRevealer, RkUnhooker, F-Secure, NAV, KAV etc. do not identify the SSDT hook as a rootkit.
Maybe one of the Windows Update patches did it. Could you please check whether or not such an
SSDT hook on the NtConnectPort function exists on your Windows?

Thank you again.
 
David H. Lipman

From: "Yogi Bear" <[email protected]>

| Thank you.

| But RootkitRevealer, RkUnhooker, F-Secure, NAV, KAV etc. do not identify the SSDT hook
| as a rootkit.
| Maybe one of the Windows Update patches did it. Could you please check whether or not
| such an SSDT hook on the NtConnectPort function exists on your Windows?

| Thank you again.

After I contacted Gmer, Gmer pointed out the following URL...
http://www.gmer.net/rootkits.php

Specifically, at the end of the page, find the example "RioDrvs.sys".
 
Yogi Bear

David H. Lipman said:
From: "Yogi Bear" <[email protected]>

| Thank you.

| But RootkitRevealer, RkUnhooker, F-Secure, NAV, KAV etc. do not identify the SSDT hook
| as a rootkit.
| Maybe one of the Windows Update patches did it. Could you please check whether or not
| such an SSDT hook on the NtConnectPort function exists on your Windows?

| Thank you again.

After I contacted Gmer, Gmer pointed out the following URL...
http://www.gmer.net/rootkits.php

Specifically, at the end of the page, find the example "RioDrvs.sys".

Thank you, the information is great.
There is a linkinfo.dll in \WINDOWS\system32\; its file description is "Windows Volume Tracking".
But there isn't a RioDrvs.sys in \WINDOWS\system32\drivers\; there are two files, rio8drv.sys and riodrv.sys,
whose file descriptions are both "S3/Diamond Multimedia Systems".
Specifically, gmer didn't report linkinfo.dll as a rootkit.
I'm confused. :(
 
David H. Lipman

From: "Yogi Bear" <[email protected]>


| Thank you, the information is great.
| There is a linkinfo.dll in \WINDOWS\system32\; its file description is "Windows Volume
| Tracking".
| But there isn't a RioDrvs.sys in \WINDOWS\system32\drivers\; there are two files,
| rio8drv.sys and riodrv.sys,
| whose file descriptions are both "S3/Diamond Multimedia Systems".
| Specifically, gmer didn't report linkinfo.dll as a rootkit.
| I'm confused. :(

The McAfee Blog URL was only an example based upon your query. It wasn't to suggest you
had the Trojan mentioned in it.
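An added illustration (not from this thread or from any of the tools named in it) of the triage check the posters are doing by hand: for each SSDT entry, does the handler address fall inside ntoskrnl.exe, inside some other loaded driver, or inside no module at all (the "unknown module" case reported for index 0x1f above)? The module ranges and addresses are constructed sample values, not real XP SP2 layouts.

```python
# Constructed sample: loaded kernel modules as (base, size), the way a driver
# list from RootkitRevealer or RkUnhooker would present them. Values made up.
MODULES = {
    "ntoskrnl.exe": (0x804D7000, 0x2180C0),
    "riodrv.sys":   (0xF7A20000, 0x4000),
}

# Constructed SSDT snapshot: service index -> current handler address.
# Index 0x1f is NtConnectPort on XP SP2 (as in the thread); its handler here
# sits at 0x86xxxxxx, a dynamically allocated address backed by no module.
SSDT = {
    0x0025: 0x805B1A2C,   # inside ntoskrnl.exe: the normal case
    0x001F: 0x86A3F210,   # in no module: the "unknown module filename" case
    0x0074: 0xF7A21234,   # inside riodrv.sys: redirected to a named driver
}

def owner_of(addr, modules):
    """Return the module whose [base, base+size) range contains addr, else None."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None

def classify_ssdt(ssdt, modules, kernel="ntoskrnl.exe"):
    """Map each service index to 'ok', 'hooked:<driver>' or 'hooked:unknown module'.

    A handler inside the kernel image is the expected state. A handler inside
    another loaded driver is a hook that at least has a file on disk to inspect
    (security products legitimately do this). A handler in no module is the
    finding from the thread: the code was allocated at runtime, so its address
    differs from boot to boot and no filename can be attributed to it.
    """
    verdicts = {}
    for idx, addr in ssdt.items():
        owner = owner_of(addr, modules)
        if owner == kernel:
            verdicts[idx] = "ok"
        elif owner is None:
            verdicts[idx] = "hooked:unknown module"
        else:
            verdicts[idx] = f"hooked:{owner}"
    return verdicts

if __name__ == "__main__":
    for idx, verdict in sorted(classify_ssdt(SSDT, MODULES).items()):
        print(f"SSDT[0x{idx:04x}] -> {verdict}")
```

The "unknown module" verdict is a prompt to dump that memory region and identify what loaded it, not a verdict of malice on its own; the thread's own follow-up shows the hook was not attributed to any known rootkit.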
 
