TDSServ & Seneka Rootkit

[EliteKiller]

This is a nasty rootkit that has been making its rounds. I think this rootkit part of the Rootkit.TDSServ/Fake family that piggybacks with Antivirus XP 2008 or 2009. I'm sure Nick or fcukdat could supply more accurate information. I was miffed for a while until I disabled/reboot/deleted the hidden Seneka driver in the device manager (view > show hidden devices > non-plug and play). Once you disable the driver you'll find a lot of the senekaxxx files in the system32 and one in the system32\drivers directory, plus a crapload of registry entries. SAS and SDFix were the only tools to detect and remove most of the traces related to Seneka.

* Follow the advice at your own risk *

1. Open up Device Manager

2. Click 'View' and select 'Show Hidden Devices'

3. Expand the 'Non-Plug and Play' Drivers category

4. Right-click and 'Disable' clbdriver.sys, tdsserv.sys (or tdssxyz.sys where xyz.sys are random characters), and/or seneka.sys

5. Restart computer to Safe Mode

6. After restart, go back to Device Manager and right-click 'Uninstall' the above drivers

7. Reboot to Normal mode, install SUPERAntiSpyware (SAS), update, and run a quick scan. If SAS fails to install or run look here.

8. Run an ESET (NOD32) and/or F-Secure online malware scan.

* If you still have signs of infection you may want to consider running SDFIX and Combofix in Safe Mode. You can also contact SAS for a custom diagnostic.

[SUPERAntiSpy]

Did you submit the samples to samples AT superantispyware.com? If not, would you please do so?

[EliteKiller]

I've emailed samples to samples(.at.)superantispyware.com on a few occasions over the past week or two but never receive a reply. Is this the norm nowadays?

[SUPERAntiSpy]

What address (e-mail) would they have been from? You can PM me if you like.I will track down the samples and ensure they are processed today. Due to the enormous number of samples we receive, it's hard to be able to e-mail back on each submission - we do process all samples received.

[SUPERAntiSpy]

Bump

[Xiphias]

I followed the instructions posted by EliteKiller (found tdsserv.sys in step 4) but am still unable to run SDFIX, Combfox, or any other malware apps I have. Any thoughts?

[Xiphias]

Looks like it installed some stuff to c:\documents and settings\[user name]\application data\google, after I deleted that folder and ran through the steps again, it seems to have worked.

[robinb9]

try running malwarebytes (malwarebytes.org)

if it will not install rename the downloaded installer but make sure you leave the .exe

once it is installed go to update tab and try to update it

then go to scanner and run a Quick Scan first and allow MBAM fix anything found.

Reboot the computer and then rename the file to see if it got rid of the nasties

If not rename it again and then run a full scan.

robin

[robinb9]

btw how did you figure out you had it?

robin

[SUPERAntiSpy]

try running malwarebytes (malwarebytes.org)

if it will not install rename the downloaded installer but make sure you leave the .exe

once it is installed go to update tab and try to update it

then go to scanner and run a Quick Scan first and allow MBAM fix anything found.

Reboot the computer and then rename the file to see if it got rid of the nasties

If not rename it again and then run a full scan.

robin

SUPERAntiSpyware completely removes the TDSS infection.....

[robinb9]

I only suggested this because I thought superantispyware did not remove it.

btw again how did you find you were infected?

robin

[EliteKiller]

I only suggested this because I thought superantispyware did not remove it.

btw again how did you find you were infected?

robin

Popups, pc running slow, BSOD's, fake alerts, anti-malware tools unable to install/run, etc......

[robinb9]

where have you been going elite?

you know you are not suppose to go those p*rn sites

robin

[SUPERAntiSpy]

Use our new pre-release here, it will remove it no problem:

https://www.superantispyware.com/prerelease.html

[robinb9]

new release? when will it become released? and how come we ain't a testing it?

also you can't just put this in an update? it has to become a new version?

just curious

robin

[SUPERAntiSpy]

new release? when will it become released? and how come we ain't a testing it?

also you can't just put this in an update? it has to become a new version?

just curious

robin

It will be released after it's done with pre-release. We just did a public pre-release as we need a large group of testers immediately - and it wasn't a huge change.

We always bump the version so we know what people are using and people can identify what they have vs what is released.