rat.optixpro1.3

I found "rat.optixpro1.3" running in a live proccess memeory scan by tds.... It was running on and update32.exe file in c:\windows\system . What is this? and What can i do to clean my computer free from it?

YODA

 

Oh btw, i killed the proccess and deleted the file.

 

Check if some autostart entries point back to update32.exe and remove the entry. You can do this with the autostart explorer in TDS-3.

Do a full system scan with TDS-3 afterwards. Also change all your passwords as an intruder might already stole them.

wizard

 

Found this in the autostart explorer:

GDSetJH32 = c:\windows\system\update32.exe

in the registry.

Hey wizzard..

Could u tell me more about what this trojan does? or where can i find more info? And is there nething else i can do to check to make sure its gone?

yoda

 

Ok an update of my progress... i've just deleted that key from autostart explorer, and full scanned with tds again.... found nothing.

 

DiamondCS provided a good summary of the optix trojan. You can find it here: http://www.diamondcs.com.au/index.php?page=archive&id=analysis-optixpro

wizard




Added URL tags

 

There is a "Tutorial" for Optix Pro on the developer's site

I removed the link because of direct downloadlinks to malware on that site. Pieter

I would not treat the tutorial as definitive as it may very well contain misinformation to entrap people into using it improperly.

 

Optix Pro 1.3 is a very dangerous trojan with stealth techniques that are hacked up.. seem to only work on Windows NT 2000 XP. I assume you have 98 ? or it wasnt activated - or even not working on your setup..

You have done all you need to remove it, but was it the original trojan you somehow ran ?, was it on there long enough to have been sent more ?

BTW Because Optix Pro uses ways to stealth itself users of NT 2000 or XP machines should arm themselves with APM to assist TDS, just get it on the products page

 

What is it?

UPDATE32.EXE is a DOS program designed to search for, and remove unwanted files remaining after an upgrade from Windows 3.1/3.11 to Windows 95 or Windows NT. These files are not used under the new Windows, and if not removed, can interfere with the proper operation of 32-bit applications designed for Windows 95 and Windows NT.

Who needs it?

Anyone who has installed one of our 32-bit products under Win32s, then upgraded to Windows 95 or Windows NT.
Anyone getting a “This copy of [filename] is designed for Win32s only.” error message when running one of our 32-bit products.

 

hey gavin,

yes ur correct, i'm running windows 98se. I'm not sure if it was activated or not, but the update32.exe try to access the internet. I think i allowed it once...dumb mistake , but it was on blocked access by the firewall after that. It must of had this thing for a week. But kinda weird cuz i've been doing a lot of scanning lately that week, with tds and nav. I guess it so happen to get caught when i launched TDS to scan another file, but when TDS launched it scanned the memory and caught it.

YODA

 

I was just thinking, i guess it wasn't activated right? cuz none of my security programs were disabled. from reading that info site at tds its suppose to disable popular programs ever 60 secs. But i have question to gavin or ne one else who can answer, the removal process of optix pro at the TDS site, was for optix pro version 1.0. and the one i got effect was 1.3 ... so are the removal process the same or could there be more steps i could be missing out?

YODA

 

It cant stealth itself under Windows 98 Very buggy. So a simple delete will clean it. The removal of 1.3 is the same, just delete the trojan and its registry key. If you still have a copy, send it in if you like and I'll take a closer look at it and what settings it uses..

 

correct me if im wrong, but optix uses the madshi dll injection/api hooking component (http://xxxx.net) which is win9x compatible?

 

Yes it does..

But theres lots of problems with it..

 

sorry bout the link, wasnt sure if it considered malicious (does have some valid uses)

 

:x guess reading those helps eh?