And I still got nailed.

Discussion in 'other anti-malware software' started by Hugger, Feb 21, 2009.

Thread Status:
Not open for further replies.
  1. Hugger

    Hugger Registered Member

    I have XP Pro w/SP3 with all current patches.
    I use Defensewall, Avira Premium set with Heuristics at high, Mamutu set to Paranoid,PC Tools Firewall + and Shadow Protect Desktop. I use Returnil Beta sometimes too.
    With all of this I still got nailed by 'fssfltr_tdi.sys'.
    It appears to be a Rootkit. Whatever it is I got the blue screen of misery from it.
    If it weren't for Shadow Protect the pc would have gone right out the window.
    So what else do I have to do to be safe from this crap.
    Neither my wife nor I are risky surfers, though she goes to Facebook a lot.
    I'm really getting tired of spending money and time to be able to use my computer.
  2. jmonge

    jmonge Registered Member

    i bet that malware defender will block this litle bugger:D
    note:add the sys file to the block list and problem solve:)
  3. firzen771

    firzen771 Registered Member

    DriveSentry protects by default against .sys files with both its HIPS and its scanner. u culd give it a shot and its free (if ur happy with Avira, just disbale DS realtime scanning, which is what i do).
  4. Lucy

    Lucy Registered Member

    Were you under LUA? I guess no as you seem to be talking abour a driver. So you run with admin rights and you come back crying when you got slapped?


    Second, you have DW and this driver installedo_O You did something wrong (install it as trusted or downloaded it with a trusted program...)

    Who said you have to pay to be safe? Don't listen too much to these fans who have x+ security applications and end up putting their computer to a crawl or not worse with incompatibilities or competition between programs.

    Have a limited user account for you or your wife going to facebook. Have DW nstalled and protecting your browsers, don't forget to have Windows firewall protecting inbound. Keep the pssword protected admin account strictly for updates and maintenance.
  5. jmonge

    jmonge Registered Member

    ah avira?hey buddy i do not have avira hahahahaha:D
    anyway :) i will love to test it;)
  6. sded

    sded Registered Member

    I think imaging programs like Shadow Protect should be part of every security profile-I use Acronis for the same thing. And you have a lot of other well regarded anti-malware tools, although I don't see a classical HIPS. One program I have been trying out is Prevx Edge, which says/shows it is quite the thing for rootkits as well as having some other interesting anti-malware features. Still pretty new, although the company has been around for a while. You can demo it for free, but need to buy it to actually remove the malware. Thread here at is quite interesting. Others probably will have good suggestions, but sometimes "stuff happens". Facebook seems to be a handy target for lots of bad people. :(
  7. jmonge

    jmonge Registered Member

    any hips is able to block rootkits very easilly and even more malware defender is very at it according to xiolin(developer):D
  8. firzen771

    firzen771 Registered Member

    sorry, the avira part was meant towards Hugger :D i just quoted u for adding that DS also protect that.
  9. jmonge

    jmonge Registered Member

    ah i forgive you:D
  10. jmonge

    jmonge Registered Member

    some times i think that are getting the correct tool for the rigth jobo_O i think that by combining a hips program and maybe a good solid antivirus will be close to be enough what do you guys think?
  11. firzen771

    firzen771 Registered Member

    that would probly solve an issue like this. it wuld cover most angles.
  12. BlueZannetti

    BlueZannetti Administrator


    If you're getting infected with all that installed (and used....)...., almost by definition whatever you're doing really cannot be considered safe surfing.

    To tell you the truth, I have a hard time seeing how this could occur unless, at some point, an explicit user based approval of something was not given.

    What I'd recommend is either (a) run with Returnil on under all circumstances (i.e. remove user based decision to enter virtualization) or (b) run under LUA/SuRun. Neither involve an expenditure of any additional money.

  13. Boost

    Boost Registered Member

    Just curious here..

    When you got the blue screen, and say if you were using Returnil, it should have been possible to just power off the PC and restart to a clean state?

    Just wondering how strong of malware this is / was.
  14. virtumonde

    virtumonde Registered Member

    Hugger this is an unfortunnate situation.
    But as you've seen not all your money ware badly spent.Your back-up program proved it's worth.
    As no one can tell what happened on your PC ,if possible and only if (HOpE NoT)something similar happens again you should spent a few minutes getting all the logs from your security applications to get a clue of what happened,to not make the same mistake twice.
  15. wat0114

    wat0114 Guest

    How do you know 'fssfltr_tdi.sys' is a rootkit or any kind of malware for that matter? It appears to be a driver and probably caused the bsod, but it doesn't necessarily mean it's a malicious file. Do you have information on it? I found nothing to suggest it's malware. You have way too many security applications on your pc, though i'd advocate any one or a combo of two (okay, maybe three) of them. ShadowProtect is a definite keeper in my books for backup/restore.
  16. jmonge

    jmonge Registered Member

    hugger did you get the bluescreen when you closed the attack within defensewall?cause some times it may not be the malware causing the bluescreen but a war between security apps:) why did i say that cause i just got a bluescreen when i delete the sandbox with sandboxie:D and appranger on:D i delete drivesentry and try to delete the sandbox nothing happen:eek:
  17. Boost

    Boost Registered Member

    You beat me to it,but I was thinking the same. I dont see how this could be a problem,with Returnil always on as you mentioned as well.
  18. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Hugger switch to 64 bit nt 6.x, ring0 rootkits are then past.
  19. Ed_H

    Ed_H Registered Member

    I can't see how this happened. Have you posted at the DefenseWall forum? I am sure Ilya would like to plug any holes in DW.
  20. andyman35

    andyman35 Registered Member

    Last edited: Feb 21, 2009
  21. mvdu

    mvdu Registered Member

    That's good news. I found it hard to believe none of those programs would alert on or block a malicious file.
  22. GES/POR

    GES/POR Registered Member

    something went horribly wrong and he/she paniced, happend to me before on several occasions where a signed driver would mess up things so badly i was sure it was a rootkit when infact there was no breach of security at all just mindless paranoia showing its ugly head again
  23. jmonge

    jmonge Registered Member

    it can happen to anybody
    note:1 thing i also want to mention is that some vendors have to work hard on the false positive cause it is causing trouble latelly:)
  24. Saraceno

    Saraceno Registered Member

    As mentioned above, just a conflict going on. Could be a driver that should have loaded during an install, for example that was blocked by say Mamutu.

    Apart from your backup program, all I'd be using is DefenseWall, Avira and Returnil.

    If your wife is using your computer, you could close all your security programs down, and just have Returnil running, that would be enough.
  25. Hugger

    Hugger Registered Member

    I have my security apps set to permit each other and have been using most of them for awhile.
    The blue screen came this morning when I went to start the pc.
    The one thing that I think might be related was the update required by MS for Windows Live Messenger. The installation failed probably because of DW.
    Whatever fssfltr_tdi.sys is, it gave me a problem and I am happy that I was able to revert to an image. Would have been better if this hadn't happened at all.
Thread Status:
Not open for further replies.