EliteKiller

TDSServ & Seneka Rootkit


This is a nasty rootkit that has been making its rounds. I think this rootkit is part of the Rootkit.TDSServ/Fake family that piggybacks with Antivirus XP 2008 or 2009. I'm sure Nick or fcukdat could supply more accurate information. I was miffed for a while until I disabled/rebooted/deleted the hidden Seneka driver in the Device Manager (View > Show Hidden Devices > Non-Plug and Play). Once you disable the driver you'll find a lot of the senekaxxx files in system32 and one in the system32\drivers directory, plus a crapload of registry entries. SAS and SDFix were the only tools to detect and remove most of the traces related to Seneka.

* Follow the advice at your own risk *

1. Open up Device Manager

2. Click 'View' and select 'Show Hidden Devices'

3. Expand the 'Non-Plug and Play' Drivers category

4. Right-click and 'Disable' clbdriver.sys, tdsserv.sys (or tdssxyz.sys, where xyz are random characters), and/or seneka.sys

5. Restart computer to Safe Mode

6. After restart, go back to Device Manager and right-click 'Uninstall' the above drivers

7. Reboot to Normal mode, install SUPERAntiSpyware (SAS), update, and run a quick scan. If SAS fails to install or run look here.

8. Run an ESET (NOD32) and/or F-Secure online malware scan.

* If you still have signs of infection you may want to consider running SDFIX and Combofix in Safe Mode. You can also contact SAS for a custom diagnostic.

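The same check done from a shell instead of clicking through Device Manager, as an added example that is not part of the original post. It lists kernel drivers whose service name matches the names the post mentions (tdss*, seneka*, clbdriver), resolves each driver's registry ImagePath, and reports whether the file and the service key are visible from user mode; a driver that is Running while its image file tests as missing is exactly the symptom the post describes, since the rootkit hides its own files until the driver is disabled. The name patterns, the `-Disable` switch and the use of `sc.exe` are assumptions for this example, not a complete TDSS signature; it assumes an elevated PowerShell on a Windows version that still has `Get-WmiObject` (XP with PowerShell 2.0 through Windows 10 with 5.1).

```powershell
# Added example (not from the original post): enumerate kernel drivers, flag the
# names the thread mentions, and cross-check each one's registry ImagePath against
# what the file system is willing to show. Run elevated. With -Disable it sets the
# matching services to start=disabled and tries to stop them (the post's step 4).
param([switch]$Disable)

# Name patterns taken from the post; treat as an assumption, not a signature.
$patterns = @('^tdss', '^seneka', '^clbdriver')

# Win32_SystemDriver covers kernel drivers, including the "Non-Plug and Play" set
# that Device Manager only shows with hidden devices enabled.
$drivers = Get-WmiObject -Class Win32_SystemDriver

foreach ($d in $drivers) {
    $hit = $false
    foreach ($p in $patterns) { if ($d.Name -match $p) { $hit = $true } }
    if (-not $hit) { continue }

    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($d.Name)"
    $reg = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue

    # Prefer the registry ImagePath; it is the path the loader actually uses.
    # Normalise the common forms: \??\C:\..., \SystemRoot\system32\..., system32\...
    $image = $d.PathName
    if ($reg -and $reg.ImagePath) { $image = $reg.ImagePath }
    $image = $image -replace '^\\\?\?\\', ''
    $image = $image -replace '^\\SystemRoot\\', ''
    if ($image -and -not [System.IO.Path]::IsPathRooted($image)) {
        $image = Join-Path $env:SystemRoot $image
    }

    [pscustomobject]@{
        Name          = $d.Name
        State         = $d.State        # "Running" while FileVisible is False is the tell
        StartMode     = $d.StartMode
        ImagePath     = $image
        FileVisible   = if ($image) { Test-Path -LiteralPath $image } else { $false }
        RegKeyVisible = [bool]$reg
    } | Format-List

    if ($Disable) {
        # Equivalent of Device Manager > Disable: stop it now (may be refused) and
        # keep it from loading at the next boot, then reboot to Safe Mode to delete.
        & sc.exe config $d.Name start= disabled | Out-Null
        & sc.exe stop $d.Name | Out-Null
        Write-Host "Set $($d.Name) to disabled; reboot to Safe Mode before removing files."
    }
}
```

A rootkit that hooks the registry and file-system APIs can hide its service key from this script just as it hides its files, so an empty result is not proof of a clean box; the useful signal is a driver that WMI reports as Running whose image file Test-Path cannot see, which is why the post's disable-then-reboot sequence is what makes the files appear.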

What address (e-mail) would they have been from? You can PM me if you like. I will track down the samples and ensure they are processed today. Due to the enormous number of samples we receive, it's hard to be able to e-mail back on each submission; we do process all samples received.


I followed the instructions posted by EliteKiller (found tdsserv.sys in step 4) but am still unable to run SDFix, Combofix, or any other malware apps I have. Any thoughts?


Looks like it installed some stuff to c:\documents and settings\[user name]\application data\google, after I deleted that folder and ran through the steps again, it seems to have worked.


Try running Malwarebytes (malwarebytes.org).

If it will not install, rename the downloaded installer, but make sure you leave the .exe.

Once it is installed, go to the Update tab and try to update it.

Then go to Scanner and run a Quick Scan first, and allow MBAM to fix anything found.

Reboot the computer and then rename the file to see if it got rid of the nasties.

If not, rename it again and then run a full scan.

robin


SUPERAntiSpyware completely removes the TDSS infection.....

I only suggested this because I thought SUPERAntiSpyware did not remove it.

BTW, again, how did you find you were infected?

robin

:| Popups, PC running slow, BSODs, fake alerts, anti-malware tools unable to install/run, etc.


New release? When will it be released? And how come we ain't a testing it?

Also, can't you just put this in an update? Does it have to be a new version?

Just curious.

robin


It will be released after it's done with pre-release. We just did a public pre-release as we need a large group of testers immediately, and it wasn't a huge change.

We always bump the version so we know what people are using, and people can identify what they have vs. what is released.
