EvanJM Posted July 18, 2010
Hi, I've been using SAS for a few years now and I think it's a wonderful program. A while ago my laptop got infected with Rootkit TDSServ malware things (not sure what they are) and every time I do a scan they pop up. I need help to remove them or help finding the infected files so I can delete the infected files manually. Any help would be appreciated.
siliconman01 Posted July 19, 2010
Submit a Customer Service Request ticket and let the SAS gurus assist you. They will run special diagnostics to identify/fix the problem rootkit. https://www.superantispyware.com/precreateticket.html
Have you rebooted your laptop into SAFE MODE, scanned and disinfected with SAS while in SAFE MODE?
SUPERAntiSpy Posted July 19, 2010
Are you certain you are scanning with our latest version and latest definitions? Can you post a scan log here so we can see what is being detected?
EvanJM Posted July 19, 2010
How exactly do I start my computer in safe mode? And how do I get out of safe mode afterwards? I only have my laptop, so I don't want to mess up anything accidentally. Here's my latest scan log. The same viruses keep appearing every time I do a scan even though I reboot my laptop to remove them when prompted by SAS. I stopped the scan after it finished with the registry items because I have over one hundred thousand files which usually come up clean.

SUPERAntiSpyware Scan Log
https://www.superantispyware.com
Generated 07/19/2010 at 01:03 AM
Application Version : 4.40.1002
Core Rules Database Version : 5226
Trace Rules Database Version: 3038
Scan type : Complete Scan
Total Scan Time : 00:06:46
Memory items scanned : 567
Memory threats detected : 0
Registry items scanned : 7213
Registry threats detected : 54
File items scanned : 113
File threats detected : 0

Rootkit.TDSServ
HKLM\SOFTWARE\TDSS
HKLM\SOFTWARE\TDSS\connections
HKLM\SOFTWARE\TDSS\connections#7e72e91c
HKLM\SOFTWARE\TDSS\disallowed
HKLM\SOFTWARE\TDSS\disallowed#trsetup.exe
HKLM\SOFTWARE\TDSS\disallowed#ViewpointService.exe
HKLM\SOFTWARE\TDSS\disallowed#ViewMgr.exe
HKLM\SOFTWARE\TDSS\disallowed#SpySweeper.exe
HKLM\SOFTWARE\TDSS\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\TDSS\disallowed#SpySub.exe
HKLM\SOFTWARE\TDSS\disallowed#SpywareTerminatorShield.exe
HKLM\SOFTWARE\TDSS\disallowed#SpyHunter3.exe
HKLM\SOFTWARE\TDSS\disallowed#XoftSpy.exe
HKLM\SOFTWARE\TDSS\disallowed#SpyEraser.exe
HKLM\SOFTWARE\TDSS\disallowed#combofix.exe
HKLM\SOFTWARE\TDSS\disallowed#otscanit.exe
HKLM\SOFTWARE\TDSS\disallowed#mbam.exe
HKLM\SOFTWARE\TDSS\disallowed#mbam-setup.exe
HKLM\SOFTWARE\TDSS\disallowed#flash_disinfector.exe
HKLM\SOFTWARE\TDSS\disallowed#otmoveit2.exe
HKLM\SOFTWARE\TDSS\disallowed#smitfraudfix.exe
HKLM\SOFTWARE\TDSS\disallowed#prevxcsifree.exe
HKLM\SOFTWARE\TDSS\disallowed#download_mbam-setup.exe
HKLM\SOFTWARE\TDSS\disallowed#cbo_setup.exe
HKLM\SOFTWARE\TDSS\disallowed#spywareblastersetup.exe
HKLM\SOFTWARE\TDSS\disallowed#rminstall.exe
HKLM\SOFTWARE\TDSS\disallowed#sdsetup.exe
HKLM\SOFTWARE\TDSS\disallowed#vundofixsvc.exe
HKLM\SOFTWARE\TDSS\disallowed#daft.exe
HKLM\SOFTWARE\TDSS\disallowed#gmer.exe
HKLM\SOFTWARE\TDSS\disallowed#catchme.exe
HKLM\SOFTWARE\TDSS\disallowed#mcpr.exe
HKLM\SOFTWARE\TDSS\disallowed#sdfix.exe
HKLM\SOFTWARE\TDSS\disallowed#hjtinstall.exe
HKLM\SOFTWARE\TDSS\disallowed#fixpolicies.exe
HKLM\SOFTWARE\TDSS\disallowed#emergencyutil.exe
HKLM\SOFTWARE\TDSS\disallowed#techweb.exe
HKLM\SOFTWARE\TDSS\disallowed#GoogleUpdate.exe
HKLM\SOFTWARE\TDSS\disallowed#windowsdefender.exe
HKLM\SOFTWARE\TDSS\disallowed#spybotsd.exe
HKLM\SOFTWARE\TDSS\injector
HKLM\SOFTWARE\TDSS\injector#*
HKLM\SOFTWARE\TDSS\versions
HKLM\SOFTWARE\TDSS\versions#/tdss2/crcmds/init
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#start
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#type
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#imagepath
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#group
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#INITSTARTFAILED
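The scan log above is the one piece of hard evidence in the thread, and it is worth reading structurally rather than as a wall of keys: the TDSS family keeps a "disallowed" list of process names it will not let run (the scanner itself, SUPERAntiSpyware.exe, is on it, along with combofix.exe, mbam.exe and gmer.exe), and it registers a driver service under Services\TDSSserv.sys. The Python below is an added example, not code from the thread or from SUPERAntiSpyware. It parses the log format as posted (a "Key : Value" header, then a threat family name followed by detected registry paths, where "path#name" means the value "name" under that key), pulls out the blocked tool list and the service name, and checks that the header's "Registry threats detected" count matches the number of keys actually listed, which catches a log that was truncated when pasted. The embedded log is a shortened excerpt of EvanJM's (17 of the 54 keys, with the header count adjusted to match); the file-path branch is an assumption about how SAS prints file detections, since the posted log has none.

```python
"""Pull the actionable facts out of a SUPERAntiSpyware scan log.

Added example, not from the thread or from SUPERAntiSpyware. Format as posted:
'Key : Value' header lines, then a threat family name followed by detected
registry paths; 'path#name' denotes the value 'name' under key 'path'.
"""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>\S.*)$")
REG_RE = re.compile(r"^HK(?:LM|CU|CR|U|CC)\\", re.I)
FILE_RE = re.compile(r"^[A-Za-z]:\\")   # assumed shape of a file detection line
SERVICE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\([^\\#]+)", re.I)

# Shortened excerpt of the log posted above (constructed for this example:
# 17 of the 54 registry keys kept, "Registry threats detected" set to 17).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
https://www.superantispyware.com
Generated 07/19/2010 at 01:03 AM
Application Version : 4.40.1002
Core Rules Database Version : 5226
Trace Rules Database Version: 3038
Registry threats detected : 17
File threats detected : 0

Rootkit.TDSServ
HKLM\SOFTWARE\TDSS
HKLM\SOFTWARE\TDSS\disallowed
HKLM\SOFTWARE\TDSS\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\TDSS\disallowed#combofix.exe
HKLM\SOFTWARE\TDSS\disallowed#mbam.exe
HKLM\SOFTWARE\TDSS\disallowed#gmer.exe
HKLM\SOFTWARE\TDSS\disallowed#windowsdefender.exe
HKLM\SOFTWARE\TDSS\injector
HKLM\SOFTWARE\TDSS\injector#*
HKLM\SOFTWARE\TDSS\versions
HKLM\SOFTWARE\TDSS\versions#/tdss2/crcmds/init
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#start
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#type
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#imagepath
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#INITSTARTFAILED
"""


def _is_detection(line):
    return bool(REG_RE.match(line) or FILE_RE.match(line))


def parse_scan_log(text):
    """Return {'header': {key: value}, 'threats': {family: [(path, value_name)]}}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header, threats, family = {}, defaultdict(list), None
    for i, line in enumerate(lines):
        if _is_detection(line):
            if family is None:
                raise ValueError("detection line before any family heading: " + line)
            path, _, value = line.partition("#")
            threats[family].append((path, value or None))
        elif i + 1 < len(lines) and _is_detection(lines[i + 1]):
            family = line                 # a bare line right before detections names the family
        elif line.lower().startswith(("http://", "https://")):
            continue                      # banner URL, not a header field
        else:
            m = HEADER_RE.match(line)     # title/timestamp lines do not match and are ignored
            if m:
                header[m.group("key").strip()] = m.group("val").strip()
    return {"header": header, "threats": dict(threats)}


def summarize(parsed):
    """What the detected keys say about the infection, plus a sanity check on the log."""
    blocked, services, registry_listed = [], set(), 0
    for entries in parsed["threats"].values():
        for path, value in entries:
            if REG_RE.match(path):
                registry_listed += 1
            if value and path.lower().endswith("\\tdss\\disallowed"):
                blocked.append(value)     # process names the rootkit refuses to let run
            m = SERVICE_RE.match(path)
            if m:
                services.add(m.group(1))  # driver/service the rootkit registered
    claimed = int(parsed["header"].get("Registry threats detected", -1))
    return {
        "blocked_tools": blocked,
        "services": sorted(services),
        "scanner_blocked": any(b.lower() == "superantispyware.exe" for b in blocked),
        "registry_listed": registry_listed,
        "registry_claimed": claimed,
        "count_consistent": registry_listed == claimed,  # False hints at a truncated paste
    }


if __name__ == "__main__":
    for k, v in summarize(parse_scan_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

Run it against a full log saved from the SAS GUI and the "scanner_blocked" flag is the first thing to look at: when the cleaner's own executable is on the rootkit's blocklist, the removal has to happen from a context the driver does not control (Safe Mode or an offline boot), which is the point of the Safe Mode suggestion earlier in the thread.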
siliconman01 Posted July 19, 2010
From looking at your SAS scan log, I urge you to create a Customer Service Request and let the SAS gurus work you through the removal of the rootkit. It can be quite tricky to remove. https://www.superantispyware.com/precreateticket.html
EvanJM Posted July 19, 2010
Thanks for the help. I just submitted the Customer Support Request and I will post the results.
ZiggyStardust Posted July 25, 2010
I am going to have to agree with EvanJM. I have been using SAS for years and am actually a reseller. I think the one thing that bothers me the most about SAS is the lack of rootkit detection. I get infected computers in all the time and the first thing I do is put SAS Pro on them and do a full scan. It doesn't fix the infection. It says it has removed all the infections but the computer is still infected. FakeAV. The fix has always been Combofix. Combofix immediately pops up with a message that it has detected a rootkit and in turn cleans it. SAS missed it completely. This has happened on several occasions. In looking through the SAS options rootkits are not mentioned. Was SAS designed to detect rootkits? Please don't get me wrong. I love SAS and wouldn't trade it for the universe. It just needs to detect rootkits...
Seth Posted July 26, 2010
> Combofix immediately pops up with a message that it has detected a rootkit
The term "rootkit" is meaningless. It's all just malware. CF showing a rootkit infection is normal.
ZiggyStardust Posted July 26, 2010
The term "rootkit" is not meaningless. It is a completely different subset of malware in itself. "A rootkit is a software system that consists of one or more programs designed to obscure the fact that the system has been compromised. ..." And CF showing a rootkit infection is not normal. It does not pop up unless a true rootkit is detected on the computer. Rootkits are hidden from everything. One way or the other SAS has a real problem with rootkits. SAS will report the computer being clean even though these rootkits still exist and the system is still infected. SAS misses the rootkits completely.
SUPERAntiSpy Posted July 26, 2010
You are completely incorrect in your statement regarding "SAS misses the rootkits completely". We detect thousands of rootkits including the TDSS ones being circulated today. If you have something we are not detecting let us know, we can run a diagnostic and see what's going on. Also tools such as HiJackThis and ComboFix use the Windows API and will not see MANY rootkits at all.
SUPERAntiSpy Posted July 26, 2010
The next time you have one of these systems, contact us and we can run a diagnostic to see EXACTLY what is on the system - we detect thousands of rootkits.
redwolfe_98 Posted July 27, 2010
ziggystardust, listen to what "superantispyware" is saying: if you have an infection that SAS is not properly removing, contact their "support" so that they can run diagnostics and see what the problem is. Then they can add the routine for properly removing the malware once they see what needs to be done. Maybe that seems like a lot of trouble to you and if you don't want to do that, that is fine, but it would benefit everyone who uses SAS if you would do that.
ZiggyStardust Posted July 27, 2010
OK, I will give that a try with the next one I get in, and you are right, it is just a matter of inconvenience. The simple fix has been to hit it with ComboFix to clean it up. It only takes a couple of minutes. I am very glad to hear SAS does rootkits. It is the fact that it continually misses this one that gave me a concern.
Seth Posted July 28, 2010
> The term "rootkit" is not meaningless. It is a completely different subset of malware in itself. "A rootkit is a software system that consists of one or more programs designed to obscure the fact that the system has been compromised. ..." And CF showing a rootkit infection is not normal. It does not pop up unless a true rootkit is detected on the computer.
Malware is short for Malicious Software, and includes numerous forms. Thing is, malware has become so generalized that it's often difficult to specifically label any form of malware with a particular title. That's why infections are often classified differently from one antimalware company to another. http://en.wikipedia.org/wiki/Malware
In regards to CF: About 6 months ago, I started to become skeptical of CF's rootkit detection. As such, I did some testing, and I'm not convinced that its rootkit detection is accurate. Anyway, I use CF a lot, and overall think it's a great program.
ZiggyStardust Posted July 29, 2010
Unfortunately I have had to clean this one remotely with ComboFix, but the rootkit/malware has a name: Antimalware Doctor.
Seth Posted July 29, 2010
Antimalware Doctor isn't a "rootkit". It's a rogue antimalware program that's best classified as "Scareware".
ZiggyStardust Posted July 31, 2010
Correct. I said nothing about it being a rootkit. The purpose behind that post was to point out SAS missed it completely. In the order of fairness, so did ComboFix. Anyone know how to remove it?
TechGeek2 Posted July 31, 2010
Try TDSS Killer. Follow the screen prompts. http://support.kaspersky.com/downloads/utils/tdsskiller.exe
Also, I am new here so this may be curse words on this forum but, Antimalware Doctor can be removed using Malwarebytes. http://www.malwarebytes.org/