rat.optixpro1.3

Discussion in 'malware problems & news' started by yodafan, Jun 1, 2003.

Thread Status:
Not open for further replies.
  1. yodafan

    yodafan Guest

    I found "rat.optixpro1.3" running in a live process memory scan by TDS... It was running as an update32.exe file in c:\windows\system. What is this? And what can I do to clean my computer of it?

    YODA
     
  2. yodafan

    yodafan Guest

    Oh, BTW, I killed the process and deleted the file.
     
  3. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Check if some autostart entries point back to update32.exe and remove the entry. You can do this with the autostart explorer in TDS-3.

    Do a full system scan with TDS-3 afterwards. Also change all your passwords, as an intruder might already have stolen them.

    wizard
     
  4. yodafan

    yodafan Guest

    Found this in the autostart explorer:

    GDSetJH32 = c:\windows\system\update32.exe

    in the registry.

    Hey wizard...

    Could you tell me more about what this trojan does, or where I can find more info? And is there anything else I can do to check to make sure it's gone?

    yoda
     
  5. yodafan

    yodafan Guest

    OK, an update on my progress... I've just deleted that key from the autostart explorer and full-scanned with TDS again... found nothing.
     
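As an added example, not code from the thread or from TDS-3: a small Python triage script for the step wizard describes and yodafan carries out above (find every autostart value that points at update32.exe, then remove the value). It assumes the Run keys were exported to a text file with `regedit /e` (REGEDIT4 format on Windows 9x). The embedded export is constructed; only the GDSetJH32 value is taken from the thread, and the quoted "Updater" entry is a hypothetical variant added to show that a quoted path with arguments is handled. The script parses the export, lists the matching values with their key paths, and emits a .reg file that deletes just those values, which regedit can import on a Windows 98 machine that has no reg.exe.

```python
"""Triage Run-key autostart entries in a regedit export.

Added example for this thread, not TDS-3's autostart explorer or code from
the original posts.  Assumes the Run keys were exported with
`regedit /e <file> <key>` (REGEDIT4 format on Windows 9x).
"""
import re

# Constructed sample export.  Only the GDSetJH32 line comes from the thread;
# the other entries are typical Windows 98 defaults plus one hypothetical
# quoted-path variant ("Updater") to exercise the command-line parser.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"GDSetJH32"="c:\\windows\\system\\update32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Update32\\update32.exe\" -q"
'''

# Key names under ...\CurrentVersion that launch programs at boot or logon.
AUTOSTART_SUFFIXES = ("\\run", "\\runonce", "\\runservices", "\\runservicesonce")

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# value name is @ (default) or a quoted string; data is whatever follows '='
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    r"""Undo .reg string escaping: a backslash escapes the next character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for REG_SZ values.

    dword:/hex: values are skipped; only string data can name a program.
    """
    keys, current = {}, None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        raw_name, raw_data = m.groups()
        name = "" if raw_name == "@" else _unescape(raw_name[1:-1])
        raw_data = raw_data.strip()
        if len(raw_data) >= 2 and raw_data[0] == '"' and raw_data[-1] == '"':
            keys[current][name] = _unescape(raw_data[1:-1])
    return keys


def image_from_command(command):
    """Extract the program path from a Run-key command line.

    A quoted leading token is the path; otherwise the first whitespace-
    delimited token is taken (an unquoted path with spaces is ambiguous
    to Windows itself, so entries are expected to quote such paths).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    parts = command.split(None, 1)
    return parts[0] if parts else ""


def basename(path):
    """Case-folded file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_autostart_entries(keys, image_name):
    """List (key, value_name, command) for autostart values that launch image_name."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith(AUTOSTART_SUFFIXES):
            continue
        for name, command in values.items():
            if basename(image_from_command(command)) == image_name.lower():
                hits.append((key, name, command))
    return hits


def removal_reg(hits):
    """Build a .reg file that deletes the matched values ("name"=- syntax)."""
    lines = ["REGEDIT4", ""]
    for key, name, _ in hits:
        lines += [f"[{key}]", f'"{name}"=-', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_autostart_entries(parse_reg_export(SAMPLE_REG), "update32.exe")
    for key, name, command in hits:
        print(f"{key}\n  {name} = {command}")
    print("\n--- removal .reg ---\n" + removal_reg(hits))
```

Against a real machine you would feed it `regedit /e` output for both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, and review the full command line of each hit before importing the removal file: the match is on file name only, so a legitimate program that happens to be called update32.exe (controler quotes a vendor description of one further down this thread) would be flagged as well, and the path (c:\windows\system here) is what tells them apart.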
  6. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
  7. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    There is a "Tutorial" for Optix Pro on the developer's site

    I removed the link because of direct download links to malware on that site. Pieter

    I would not treat the tutorial as definitive as it may very well contain misinformation to entrap people into using it improperly.
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Optix Pro 1.3 is a very dangerous trojan with stealth techniques that are hacked up... they seem to only work on Windows NT/2000/XP. I assume you have 98? Or it wasn't activated, or it isn't even working on your setup...

    You have done all you need to remove it, but was it the original trojan you somehow ran? Was it on there long enough to have been sent more?

    BTW, because Optix Pro uses ways to stealth itself, users of NT/2000/XP machines should arm themselves with APM to assist TDS; just get it from the products page :)
     
  9. controler

    controler Guest

    What is it?

    UPDATE32.EXE is a DOS program designed to search for, and remove unwanted files remaining after an upgrade from Windows 3.1/3.11 to Windows 95 or Windows NT. These files are not used under the new Windows, and if not removed, can interfere with the proper operation of 32-bit applications designed for Windows 95 and Windows NT.

    Who needs it?

    Anyone who has installed one of our 32-bit products under Win32s, then upgraded to Windows 95 or Windows NT.
    Anyone getting a “This copy of [filename] is designed for Win32s only.” error message when running one of our 32-bit products.
     
  10. yodafan

    yodafan Guest

    hey gavin,

    Yes, you're correct, I'm running Windows 98SE. I'm not sure if it was activated or not, but update32.exe tried to access the internet. I think I allowed it once... dumb mistake :doubt:, but it was blocked by the firewall after that. I must have had this thing for a week. But kinda weird, because I've been doing a lot of scanning lately that week, with TDS and NAV. I guess it so happened to get caught when I launched TDS to scan another file; when TDS launched it scanned the memory and caught it.

    YODA
     
  11. yodafan

    yodafan Guest

    I was just thinking, I guess it wasn't activated, right? Because none of my security programs were disabled. From reading that info site at TDS, it's supposed to disable popular programs every 60 secs. But I have a question for Gavin or anyone else who can answer: the removal process for Optix Pro at the TDS site was for Optix Pro version 1.0, and the one I got infected with was 1.3... so is the removal process the same, or could there be more steps I could be missing out on?

    YODA
     
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    It can't stealth itself under Windows 98 :) Very buggy. So a simple delete will clean it. The removal of 1.3 is the same: just delete the trojan and its registry key. If you still have a copy, send it in if you like and I'll take a closer look at it and what settings it uses...
     
  13. akcom

    akcom Guest

    Correct me if I'm wrong, but Optix uses the madshi DLL injection/API hooking component (http://xxxx.net), which is Win9x compatible?
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yes, it does...

    But there's lots of problems with it... :rolleyes:
     
  15. akcom

    akcom Registered Member

    Joined:
    Jul 14, 2003
    Posts:
    9
    Sorry about the link, wasn't sure if it's considered malicious (it does have some valid uses).
     
  16. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    It's against our TOS. ;)

    regards.

    paul
     
  17. akcom

    akcom Registered Member

    Joined:
    Jul 14, 2003
    Posts:
    9
    :x Guess reading those helps, eh? ;)
     