Rootkit: TDSS****.sys Sucks worse than a 2 dollar whore. Remove it!

October 29, 2008

Well I’ve been in rootkit hell today with this stupid nasty ass virus/malware. And it’s been a bitch to get rid of but I’ve finally knocked it out of the park with the help of a few good apps.

Here’s a list of what I used to help me get rid of this sucker.

TCPVIEW: Great app usually this one app will let you know if you got some suspicious connections happening. If you see things things that should be there usually you are infected.

AutoRuns: Probably the best app you can use to find out what’s starting up at boot time. And it will let you disable or delete a start up entry. Most malware and viruses live in fear of this program and won’t even let this program run unless you rename it to something else. If you install this and it doesn’t run. You have an infection.

Ultimate Boot CD for Windows: Yeah if Samuel L. Jackson was a CD this would be him. This is probably the best thing you can use to help you get rid of a ROOTKIT! Because much like Samuel L. Jackson is tired of these mother fucking snakes on this mother fucking plane. ROOTKITS can’t hide from the UBCD4WIN! They become visible files that you can just delete from your system.  And when I say delete. I mean pimp slap the shit out of them.

Originally I got that lame ass malware that lives in your system tray trying to get you to buy that infection cleaner aka beep.sys. And I thought I had gotten rid of this particular nasty problem when I ran some of the different online virus scanners. Boy was I wrong. After a day or two I got hit with a BSOD Stop: c0000218 unknown hard error. Boy did this frost my ass. I was able to get into safe mode and spent most of the day running scans, chkdsk, fixboot and a whole mess of other crap that didn’t work at all. And to top it off some process was running that I could not find that was hijacking my google search results. So after a little digging I finally came to the realization that it was a root kit.

In comes UBCD4WIN. The beauty here is that the UBCD4WIN has it’s own shell and pretty much boots off of the cd. This has the pleasent effect of bypassing the rootkit and letting you see things that you wouldn’t normally see. Finally i was able to see the file tdSSpqxt.sys along with like 20 other tdss****.sys files floating around in my system32 folder. I was finally able to delete them and get my system back into something other than safe mode.

 

I’d like to give an honorable mention to the Bleeping Computer Forums. The guys on there are pretty knowledgeable and I was able to glean some useful information from their site from other users that are having the same issue I had. The recomendation of Malware Bytes was very useful. They also recommend the program Combo Fix, I didn’t use this program. However they do recommend it so I imagine that it gets the job done. And I’d also recommend going to Bleeping Computer Forums for help with an infection.

If you find this post useful. Make a donation. I know that over 1,000 visitors a month come to view this post. So help a brother out.





Setting up a Pligg RSS feed tutorial Part 1.

October 23, 2008

For those of you that have come across this page and don’t know what Pligg is.

Pligg is an open source Content Management System (CMS) available to download for free. Pligg has perfected content management in a unique way that encourages users to participate and control the content on the site. This makes the site user-moderated and allows for “social publishing” where the stories are created and promoted by members not website editors. Pligg CMS is based on PHP and MySQL technologies that allow it to be installed on almost any web host on a relatively small budget. For support please visit the Pligg Forum where you can find help 24 hours a day thanks to our excellent development team and contributors. Pligg is free software, but you are welcome to donate any amount by clicking the button below.

In a nutshell Pligg is trying to do what Digg does however Open Source.

In this tutorial I’m going to explain how to setup the RSS feed importer. So we are going to assume that your Pligg site is setup and raring to go.

Now let head on over to the admin area. More than likely the RSS module is not active so we need to activate that. Click the Module Management link and go to that page. Look for RSS Importer and if it’s not active please activate it. Once active it should show towards the top of the page as an active module.

Next step is to head on back to the admin and in the admin panel there should be a link for the RSS Importer. Click that and it will take you to the RSS Import admin area. Lets add a new feed so click Add a new feed. The page should refresh and have some options. First thing you will want to do is name the feed. Second you hopefully have the location of your rss feed. I’m goign to use http://sports.yahoo.com/top/rss.xml as my example. Once you’ve entered and saved those two items. You will see some other options that are pretty self explanitory.

Feed Frequency (hours): 36 — how often to check for new items.

Feed Order: 1 — Do we start with the last items first? 0 = no, 1 = yes

Feed Random Votes: 0 — Do we use a random number of votes? 0 = no, 1 = yes

Feed Votes (if not random): 1 — how many votes new items recieve (limit 200)

Feed Votes Minimum (if random): 2 — how many votes new items recieve (limit 200)
Feed Votes Maximum (if random): 4 — how many votes new items recieve (limit 200)

Feed Items Limit: 1 — how many new items to take from the feed when it’s checked
Feed URL Dupes: 0 — Allow duplicate URL’s 0=No, 1=Yes, Allow
Feed Title Dupes: 0 — Allow duplicate Title’s 0=No, 1=Yes, Allow
Feed Submitter Id (number): 62 — The ID of the person who will be listed as the submitter
Feed Category Id (number): 61 — The ID of the category to place these items into

Maybe except for the feed submitter id and feed category id this section should be easy to figure out. To find out the feed submitter id and category id you might want to look in your database. 

Now here comes the important part. The add a new field link. You must add at least 3 new fields in order for this to work. You must match up your feed and pliggs Title, Link and content in order for the feed to work. Otherwise you’ll just get an error. It should look something like this.

— feed field name: title — pligg field name: link_title — Remove this link
— feed field name: link — pligg field name: link_url — Remove this link
— feed field name: description — pligg field name: link_content — Remove this link

Now hopefully you’ve done all this right and if you go to the Import the feeds link up top and click it. You should see a successful import of your feed and when you go to your site you should see a new story or stories added.

If there is enough interest shown I’ll write a part two to this tutorial on how to automate the import process.

Hasselhoffian Recursion

October 21, 2008

Warning. This could quite possibly be the most revolting thing you will ever see on the internet.
But you’ll look at it anyways. Much like you looked at all of 2 girls 1 cup.

will make your eyes bleed

will make your eyes bleed