EliteKiller Posted October 8, 2008

This is a nasty rootkit that has been making its rounds. I think this rootkit is part of the Rootkit.TDSServ/Fake family that piggybacks with Antivirus XP 2008 or 2009. I'm sure Nick or fcukdat could supply more accurate information. I was miffed for a while until I disabled/rebooted/deleted the hidden Seneka driver in the Device Manager (View > Show hidden devices > Non-Plug and Play). Once you disable the driver you'll find a lot of the senekaxxx files in system32 and one in the system32\drivers directory, plus a crapload of registry entries. SAS and SDFix were the only tools to detect and remove most of the traces related to Seneka.

* Follow the advice at your own risk *

1. Open up Device Manager
2. Click 'View' and select 'Show Hidden Devices'
3. Expand the 'Non-Plug and Play Drivers' category
4. Right-click and 'Disable' clbdriver.sys, tdsserv.sys (or tdssxyz.sys, where xyz are random characters), and/or seneka.sys
5. Restart the computer in Safe Mode
6. After the restart, go back to Device Manager and right-click 'Uninstall' on the above drivers
7. Reboot to Normal mode, install SUPERAntiSpyware (SAS), update it, and run a quick scan. If SAS fails to install or run, look here.
8. Run an ESET (NOD32) and/or F-Secure online malware scan.

* If you still have signs of infection you may want to consider running SDFix and Combofix in Safe Mode. You can also contact SAS for a custom diagnostic.
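A defender-side check for the same drivers, added here as an example and not part of the original post: it enumerates the kernel-mode driver services that Device Manager lists under Non-Plug and Play Drivers (the Services registry key, Type 1 or 2), flags names matching the drivers named in the post, and lists any matching files in system32 and system32\drivers. The name patterns are assumptions taken from the names in the post; run it from an elevated prompt.

```powershell
# Added example (not from the original post). Enumerates kernel-mode driver
# services (what Device Manager shows under "Non-Plug and Play Drivers" when
# hidden devices are shown) and flags names matching the drivers in the thread.

# Name patterns based on the post (seneka*, tdsserv / tdss???, clbdriver).
# Assumption for illustration only; adjust to what you observe.
$suspectPatterns = @('^seneka', '^tdss', '^clbdriver')

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32    = Join-Path $env:SystemRoot 'System32'
$driversDir  = Join-Path $system32 'drivers'

# Type 1 = kernel driver, Type 2 = file system driver; these are the
# entries Device Manager groups as Non-Plug and Play.
$kernelDrivers = Get-ChildItem $servicesKey | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($p.Type -eq 1 -or $p.Type -eq 2) {
        New-Object PSObject -Property @{
            Name      = $_.PSChildName
            Start     = $p.Start       # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
            ImagePath = $p.ImagePath
        }
    }
}

# Flag services whose names match the patterns from the post.
$flagged = $kernelDrivers | Where-Object {
    $name = $_.Name
    $suspectPatterns | Where-Object { $name -match $_ }
}

if ($flagged) {
    Write-Host "Driver services matching the thread's patterns:"
    $flagged | Select-Object Name, Start, ImagePath | Format-Table -AutoSize
} else {
    Write-Host "No driver services matched the patterns."
}

# Matching files on disk. The post notes that the senekaxxx files only
# showed up after the driver was disabled, so re-run this after step 5.
$files = Get-ChildItem -Path @($system32, $driversDir) -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Where-Object { $n = $_.Name; $suspectPatterns | Where-Object { $n -match $_ } }
$files | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
```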
SUPERAntiSpy Posted October 8, 2008

Did you submit the samples to samples AT superantispyware.com? If not, would you please do so?
EliteKiller Posted October 8, 2008

I've emailed samples to samples(.at.)superantispyware.com on a few occasions over the past week or two but never receive a reply. Is this the norm nowadays?
SUPERAntiSpy Posted October 8, 2008

What address (e-mail) would they have been from? You can PM me if you like. I will track down the samples and ensure they are processed today. Due to the enormous number of samples we receive, it's hard to be able to e-mail back on each submission - we do process all samples received.
Xiphias Posted December 3, 2008

I followed the instructions posted by EliteKiller (found tdsserv.sys in step 4) but am still unable to run SDFix, Combofix, or any other malware apps I have. Any thoughts?
Xiphias Posted December 3, 2008

Looks like it installed some stuff to c:\documents and settings\[user name]\application data\google. After I deleted that folder and ran through the steps again, it seems to have worked.
robinb9 Posted December 4, 2008

Try running Malwarebytes (malwarebytes.org). If it will not install, rename the downloaded installer, but make sure you leave the .exe. Once it is installed, go to the Update tab and try to update it, then go to Scanner and run a Quick Scan first and allow MBAM to fix anything found. Reboot the computer and then rename the file to see if it got rid of the nasties. If not, rename it again and then run a full scan.

robin
robinb9 Posted December 4, 2008

BTW, how did you figure out you had it?

robin
SUPERAntiSpy Posted December 4, 2008

> Try running Malwarebytes (malwarebytes.org). If it will not install, rename the downloaded installer, but make sure you leave the .exe. Once it is installed, go to the Update tab and try to update it, then go to Scanner and run a Quick Scan first and allow MBAM to fix anything found. Reboot the computer and then rename the file to see if it got rid of the nasties. If not, rename it again and then run a full scan.
>
> robin

SUPERAntiSpyware completely removes the TDSS infection.....
robinb9 Posted December 4, 2008

I only suggested this because I thought SUPERAntiSpyware did not remove it. BTW, again, how did you find you were infected?

robin
EliteKiller Posted December 4, 2008

> I only suggested this because I thought SUPERAntiSpyware did not remove it. BTW, again, how did you find you were infected?
>
> robin

Popups, PC running slow, BSODs, fake alerts, anti-malware tools unable to install/run, etc......
robinb9 Posted December 5, 2008

Where have you been going, Elite? You know you are not supposed to go to those p*rn sites.

robin
SUPERAntiSpy Posted December 5, 2008

Use our new pre-release here, it will remove it no problem: https://www.superantispyware.com/prerelease.html
robinb9 Posted December 5, 2008

New release? When will it become released? And how come we ain't a testing it? Also, can't you just put this in an update? It has to become a new version? Just curious.

robin
SUPERAntiSpy Posted December 5, 2008

> New release? When will it become released? And how come we ain't a testing it? Also, can't you just put this in an update? It has to become a new version? Just curious.
>
> robin

It will be released after it's done with pre-release. We just did a public pre-release as we need a large group of testers immediately - and it wasn't a huge change. We always bump the version so we know what people are using and people can identify what they have vs. what is released.