Wilders Security Forums  

#1
February 21st, 2009, 08:32 PM
Hugger (Very Frequent Poster)
Join Date: Oct 2007
Location: Hackensack, USA
Posts: 1,003
And I still got nailed.

I have XP Pro w/SP3 with all current patches.
I use DefenseWall, Avira Premium set with Heuristics at high, Mamutu set to Paranoid, PC Tools Firewall+ and ShadowProtect Desktop. I use Returnil Beta sometimes too.
With all of this I still got nailed by 'fssfltr_tdi.sys'.
It appears to be a rootkit. Whatever it is, I got the blue screen of misery from it.
If it weren't for ShadowProtect the PC would have gone right out the window.
So what else do I have to do to be safe from this crap?
Neither my wife nor I are risky surfers, though she goes to Facebook a lot.
I'm really getting tired of spending money and time to be able to use my computer.
Thanks.
Hugger
#2
February 21st, 2009, 08:42 PM
jmonge (Incredibly Massive Poster)
Join Date: Mar 2008
Location: Calgary, Canada
Posts: 11,779
Re: And I still got nailed.

I bet that Malware Defender will block this little bugger.
Note: add the .sys file to the block list and problem solved.
__________________
IKARUS anti.virus 2.2.14
#3
February 21st, 2009, 08:49 PM
firzen771 (Massive Poster)
Join Date: Oct 2007
Location: Ontario, Canada
Posts: 4,802
Re: And I still got nailed.

Quote:
Originally Posted by jmonge
I bet that Malware Defender will block this little bugger.
Note: add the .sys file to the block list and problem solved.

DriveSentry protects by default against .sys files with both its HIPS and its scanner. You could give it a shot, and it's free (if you're happy with Avira, just disable DS real-time scanning, which is what I do).
__________________
Windows 7 x64 - Windows Defender: Disabled - UAC: Disabled

Real-Time: Avast Free / Zemana Free / WinPatrol
On-Demand: HitmanPro / MBAM
#4
February 21st, 2009, 08:51 PM
Lucy (Frequent Poster)
Join Date: Apr 2006
Location: France
Posts: 383
Re: And I still got nailed.

Were you under LUA? I guess not, as you seem to be talking about a driver. So you run with admin rights and you come back crying when you got slapped?

Well...

Second, you have DW and this driver installed. You did something wrong (installed it as trusted or downloaded it with a trusted program...).

Who said you have to pay to be safe? Don't listen too much to these fans who have x+ security applications and end up putting their computer to a crawl, or worse, with incompatibilities or competition between programs.

Have a limited user account for you or your wife going to Facebook. Have DW installed and protecting your browsers, and don't forget to have Windows Firewall protecting inbound. Keep the password-protected admin account strictly for updates and maintenance.
__________________
Scientific Linux!
#5
February 21st, 2009, 08:51 PM
jmonge (Incredibly Massive Poster)
Join Date: Mar 2008
Location: Calgary, Canada
Posts: 11,779
Re: And I still got nailed.

Quote:
Originally Posted by firzen771
DriveSentry protects by default against .sys files with both its HIPS and its scanner. You could give it a shot, and it's free (if you're happy with Avira, just disable DS real-time scanning, which is what I do).

Ah, Avira? Hey buddy, I do not have Avira hahahahaha.
Anyway, I'd love to test it.
__________________
IKARUS anti.virus 2.2.14
#6
February 21st, 2009, 08:51 PM
sded (Frequent Poster)
Join Date: Jun 2004
Location: San Diego CA
Posts: 512
Re: And I still got nailed.

I think imaging programs like ShadowProtect should be part of every security profile; I use Acronis for the same thing. And you have a lot of other well regarded anti-malware tools, although I don't see a classical HIPS. One program I have been trying out is Prevx Edge, which says/shows it is quite the thing for rootkits as well as having some other interesting anti-malware features. Still pretty new, although the company has been around for a while. You can demo it for free, but need to buy it to actually remove the malware. The thread here at http://www.wilderssecurity.com/showthread.php?t=225190 is quite interesting. Others probably will have good suggestions, but sometimes "stuff happens". Facebook seems to be a handy target for lots of bad people.
__________________
Windows 7 x64 HP-SP1/Vista Ultimate x32-SP2-UAC off/, Opera 11.51, OA++ latest beta, Avast! 6 Pro/Free latest beta, Webroot SecureAnywhere latest beta, MVPS HOSTS, SAS/MBAM offline, Macrium Reflect just in case
#7
February 21st, 2009, 08:54 PM
jmonge (Incredibly Massive Poster)
Join Date: Mar 2008
Location: Calgary, Canada
Posts: 11,779
Re: And I still got nailed.

Quote:
Originally Posted by Hugger
I have XP Pro w/SP3 with all current patches.
I use DefenseWall, Avira Premium set with Heuristics at high, Mamutu set to Paranoid, PC Tools Firewall+ and ShadowProtect Desktop. I use Returnil Beta sometimes too.
With all of this I still got nailed by 'fssfltr_tdi.sys'.
It appears to be a rootkit. Whatever it is, I got the blue screen of misery from it.
If it weren't for ShadowProtect the PC would have gone right out the window.
So what else do I have to do to be safe from this crap?
Neither my wife nor I are risky surfers, though she goes to Facebook a lot.
I'm really getting tired of spending money and time to be able to use my computer.
Thanks.
Hugger

Any HIPS is able to block rootkits very easily, and even more so Malware Defender is very good at it, according to Xiaolin (the developer).
__________________
IKARUS anti.virus 2.2.14
#8
February 21st, 2009, 08:59 PM
firzen771 (Massive Poster)
Join Date: Oct 2007
Location: Ontario, Canada
Posts: 4,802
Re: And I still got nailed.

Quote:
Originally Posted by jmonge
Ah, Avira? Hey buddy, I do not have Avira hahahahaha.
Anyway, I'd love to test it.

Sorry, the Avira part was meant towards Hugger; I just quoted you for adding that DS also protects against that.
__________________
Windows 7 x64 - Windows Defender: Disabled - UAC: Disabled

Real-Time: Avast Free / Zemana Free / WinPatrol
On-Demand: HitmanPro / MBAM
#9
February 21st, 2009, 09:01 PM
jmonge (Incredibly Massive Poster)
Join Date: Mar 2008
Location: Calgary, Canada
Posts: 11,779
Re: And I still got nailed.

Quote:
Originally Posted by firzen771
Sorry, the Avira part was meant towards Hugger; I just quoted you for adding that DS also protects against that.

Ah, I forgive you.
__________________
IKARUS anti.virus 2.2.14
#10
February 21st, 2009, 09:03 PM
jmonge (Incredibly Massive Poster)
Join Date: Mar 2008
Location: Calgary, Canada
Posts: 11,779
Re: And I still got nailed.

Sometimes I think it is about getting the correct tool for the right job. I think that combining a HIPS program and maybe a good solid antivirus will be close to enough. What do you guys think?
__________________
IKARUS anti.virus 2.2.14
#11
February 21st, 2009, 09:05 PM
firzen771 (Massive Poster)
Join Date: Oct 2007
Location: Ontario, Canada
Posts: 4,802
Re: And I still got nailed.

Quote:
Originally Posted by jmonge
Sometimes I think it is about getting the correct tool for the right job. I think that combining a HIPS program and maybe a good solid antivirus will be close to enough. What do you guys think?

That would probably solve an issue like this. It would cover most angles.
__________________
Windows 7 x64 - Windows Defender: Disabled - UAC: Disabled

Real-Time: Avast Free / Zemana Free / WinPatrol
On-Demand: HitmanPro / MBAM
#12
February 21st, 2009, 09:05 PM
BlueZannetti (Administrator)
Join Date: Oct 2003
Posts: 6,589
Re: And I still got nailed.

Quote:
Originally Posted by Hugger
...
So what else do I have to do to be safe from this crap?
Neither my wife nor I are risky surfers, though she goes to Facebook a lot.
I'm really getting tired of spending money and time to be able to use my computer.

Hugger,

If you're getting infected with all that installed (and used...), almost by definition whatever you're doing really cannot be considered safe surfing.

To tell you the truth, I have a hard time seeing how this could occur unless, at some point, an explicit user-based approval of something was given.

What I'd recommend is either (a) run with Returnil on under all circumstances (i.e. remove the user-based decision to enter virtualization) or (b) run under LUA/SuRun. Neither involves an expenditure of any additional money.

Blue
#13
February 21st, 2009, 09:07 PM
Boost (Very Frequent Poster)
Join Date: Feb 2007
Posts: 1,245
Re: And I still got nailed.

Quote:
Originally Posted by Hugger
I have XP Pro w/SP3 with all current patches.
I use DefenseWall, Avira Premium set with Heuristics at high, Mamutu set to Paranoid, PC Tools Firewall+ and ShadowProtect Desktop. I use Returnil Beta sometimes too.
With all of this I still got nailed by 'fssfltr_tdi.sys'.
It appears to be a rootkit. Whatever it is, I got the blue screen of misery from it.
If it weren't for ShadowProtect the PC would have gone right out the window.
So what else do I have to do to be safe from this crap?
Neither my wife nor I are risky surfers, though she goes to Facebook a lot.
I'm really getting tired of spending money and time to be able to use my computer.
Thanks.
Hugger

Just curious here...

When you got the blue screen, say if you were using Returnil, it should have been possible to just power off the PC and restart to a clean state?

Just wondering how strong this malware is/was.
__________________
Windows XP SP3 & GeSWall
#14
February 21st, 2009, 09:07 PM
virtumonde (Frequent Poster)
Join Date: Jan 2008
Location: Romania
Posts: 486
Re: And I still got nailed.

Hugger, this is an unfortunate situation.
But as you've seen, not all your money was badly spent. Your backup program proved its worth.
As no one can tell what happened on your PC, if possible, and only if (hope not) something similar happens again, you should spend a few minutes getting all the logs from your security applications to get a clue of what happened, so as not to make the same mistake twice.
#15
February 21st, 2009, 09:07 PM
wat0114
Posts: n/a
Re: And I still got nailed.

How do you know 'fssfltr_tdi.sys' is a rootkit, or any kind of malware for that matter? It appears to be a driver and probably caused the BSOD, but it doesn't necessarily mean it's a malicious file. Do you have information on it? I found nothing to suggest it's malware. You have way too many security applications on your PC, though I'd advocate any one or a combo of two (okay, maybe three) of them. ShadowProtect is a definite keeper in my books for backup/restore.
#16
February 21st, 2009, 09:08 PM
jmonge (Incredibly Massive Poster)
Join Date: Mar 2008
Location: Calgary, Canada
Posts: 11,779
Re: And I still got nailed.

Quote:
Originally Posted by Hugger
I have XP Pro w/SP3 with all current patches.
I use DefenseWall, Avira Premium set with Heuristics at high, Mamutu set to Paranoid, PC Tools Firewall+ and ShadowProtect Desktop. I use Returnil Beta sometimes too.
With all of this I still got nailed by 'fssfltr_tdi.sys'.
It appears to be a rootkit. Whatever it is, I got the blue screen of misery from it.
If it weren't for ShadowProtect the PC would have gone right out the window.
So what else do I have to do to be safe from this crap?
Neither my wife nor I are risky surfers, though she goes to Facebook a lot.
I'm really getting tired of spending money and time to be able to use my computer.
Thanks.
Hugger

Hugger, did you get the blue screen when you closed the attack within DefenseWall? Because sometimes it may not be the malware causing the blue screen but a war between security apps. Why did I say that? Because I just got a blue screen when I deleted the sandbox with Sandboxie and Appranger on; I uninstalled DriveSentry, tried to delete the sandbox again, and nothing happened.
__________________
IKARUS anti.virus 2.2.14
#17
February 21st, 2009, 09:10 PM
Boost (Very Frequent Poster)
Join Date: Feb 2007
Posts: 1,245
Re: And I still got nailed.

Quote:
Originally Posted by BlueZannetti
Hugger,

If you're getting infected with all that installed (and used...), almost by definition whatever you're doing really cannot be considered safe surfing.

To tell you the truth, I have a hard time seeing how this could occur unless, at some point, an explicit user-based approval of something was given.

What I'd recommend is either (a) run with Returnil on under all circumstances (i.e. remove the user-based decision to enter virtualization) or (b) run under LUA/SuRun. Neither involves an expenditure of any additional money.

Blue

You beat me to it, but I was thinking the same. I don't see how this could be a problem with Returnil always on, as you mentioned as well.
__________________
Windows XP SP3 & GeSWall
#18
February 21st, 2009, 09:13 PM
SystemJunkie (Resident Conspiracy Theorist)
Join Date: Mar 2006
Location: Germany
Posts: 1,500
Re: And I still got nailed.

Hugger, switch to 64-bit NT 6.x; ring0 rootkits are then a thing of the past.
#19
February 21st, 2009, 09:23 PM
Ed_H (Frequent Poster)
Join Date: Nov 2004
Location: Chicago, IL
Posts: 637
Re: And I still got nailed.

I can't see how this happened. Have you posted at the DefenseWall forum? I am sure Ilya would like to plug any holes in DW.
#20
February 21st, 2009, 10:01 PM
andyman35 (Very Frequent Poster)
Join Date: Nov 2007
Posts: 2,270
Re: And I still got nailed.

After googling this file, it's a Microsoft Family Safety filter driver.

http://www.runscanner.net/fileinfo/fssfltr_tdi.sys.html

Edit: It should be in the system32 folder; anywhere else could be malware.

Last edited by andyman35: February 21st, 2009 at 10:25 PM.
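A defender-side check for the location test andyman35 describes, added here as an example that is not part of the thread: it enumerates the installed kernel drivers, resolves each image path, and flags any that live outside %SystemRoot%\system32 or whose Authenticode signature does not verify. It assumes PowerShell 3.0 or later on Windows 7 or newer (the thread's XP box predates these cmdlets); the $driverName value is the file name from the thread.

```powershell
# Added example (not from the thread): audit kernel drivers by image location
# and signature status. Run from an elevated PowerShell (3.0+) prompt.
$driverName = 'fssfltr_tdi'               # service name discussed in the thread
$sysRoot    = $env:SystemRoot             # e.g. C:\Windows
$system32   = Join-Path $sysRoot 'system32'

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several shapes:
    #   \??\C:\Windows\system32\drivers\x.sys, \SystemRoot\System32\drivers\x.sys,
    #   System32\DRIVERS\x.sys, or a plain or quoted full path.
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''
    if ($p -match '^\\SystemRoot\\(.*)$') { return Join-Path $sysRoot  $Matches[1] }
    if ($p -match '^System32\\(.*)$')     { return Join-Path $system32 $Matches[1] }
    return $p
}

$report = foreach ($d in Get-CimInstance Win32_SystemDriver | Where-Object PathName) {
    $path       = Resolve-DriverPath $d.PathName
    $inSystem32 = $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
    # Get-AuthenticodeSignature also consults the system catalogs, so Microsoft's
    # catalog-signed inbox drivers report 'Valid' without an embedded signature.
    $sig = if (Test-Path -LiteralPath $path) {
        (Get-AuthenticodeSignature -LiteralPath $path).Status
    } else { 'FileMissing' }

    [pscustomobject]@{
        Name       = $d.Name
        State      = $d.State
        StartMode  = $d.StartMode
        Path       = $path
        InSystem32 = $inSystem32
        Signature  = $sig
        Flag       = (-not $inSystem32) -or ($sig -ne 'Valid')
    }
}

# Show the driver named in the thread first, then everything the checks flagged.
$report | Where-Object { $_.Name -eq $driverName } | Format-List
$report | Where-Object Flag | Sort-Object Name | Format-Table -AutoSize
```

A flag is a prompt to investigate, not a verdict: some legitimate third-party drivers install under Program Files, and a missing file usually means a leftover service entry rather than an infection.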
#21
February 21st, 2009, 10:14 PM
mvdu (Very Frequent Poster)
Join Date: Oct 2003
Location: PA
Posts: 1,151
Re: And I still got nailed.

Quote:
Originally Posted by andyman35
After googling this file, it's a Microsoft Family Safety filter driver.

http://www.runscanner.net/fileinfo/fssfltr_tdi.sys.html

That's good news. I found it hard to believe none of those programs would alert on or block a malicious file.
#22
February 21st, 2009, 10:27 PM
GES/POR (Very Frequent Poster)
Join Date: Nov 2006
Location: Armacham
Posts: 1,476
Re: And I still got nailed.

Something went horribly wrong and he/she panicked. It happened to me before on several occasions where a signed driver would mess things up so badly I was sure it was a rootkit, when in fact there was no breach of security at all, just mindless paranoia showing its ugly head again.
__________________
Vista 64
#23
February 21st, 2009, 10:32 PM
jmonge (Incredibly Massive Poster)
Join Date: Mar 2008
Location: Calgary, Canada
Posts: 11,779
Re: And I still got nailed.

It can happen to anybody.
Note: one thing I also want to mention is that some vendors have to work hard on false positives, because they are causing trouble lately.
__________________
IKARUS anti.virus 2.2.14
#24
February 21st, 2009, 10:38 PM
Saraceno (Very Frequent Poster)
Join Date: Mar 2008
Posts: 2,395
Re: And I still got nailed.

As mentioned above, there is just a conflict going on. It could be a driver that should have loaded during an install, for example, that was blocked by, say, Mamutu.

Apart from your backup program, all I'd be using is DefenseWall, Avira and Returnil.

If your wife is using your computer, you could close all your security programs down and just have Returnil running; that would be enough.
__________________
Fine Art Landscape Photography
#25
February 22nd, 2009, 12:38 AM
Hugger (Very Frequent Poster)
Join Date: Oct 2007
Location: Hackensack, USA
Posts: 1,003
Re: And I still got nailed.

Quote:
Originally Posted by jmonge
Hugger, did you get the blue screen when you closed the attack within DefenseWall? Because sometimes it may not be the malware causing the blue screen but a war between security apps. Why did I say that? Because I just got a blue screen when I deleted the sandbox with Sandboxie and Appranger on; I uninstalled DriveSentry, tried to delete the sandbox again, and nothing happened.

jp,
I have my security apps set to permit each other and have been using most of them for a while.
The blue screen came this morning when I went to start the PC.
The one thing that I think might be related was the update required by MS for Windows Live Messenger. The installation failed, probably because of DW.
Whatever fssfltr_tdi.sys is, it gave me a problem, and I am happy that I was able to revert to an image. It would have been better if this hadn't happened at all.
Hugger