EvanJM

Rootkit


Hi, I've been using SAS for a few years now and I think it's a wonderful program. A while ago my laptop got infected with Rootkit TDSServ malware things (not sure what they are) and every time I do a scan they pop up. I need help to remove them or help finding the infected files so I can delete the infected files manually. Any help would be appreciated.


Submit a Customer Service Request ticket and let the SAS gurus assist you. They will run special diagnostics to identify/fix the problem rootkit.

https://www.superantispyware.com/precreateticket.html

Have you rebooted your laptop into SAFE MODE, scanned and disinfected with SAS while in SAFE MODE?


Are you certain you are scanning with our latest version and latest definitions? Can you post a scan log here so we can see what is being detected?


How exactly do I start my computer in safe mode? And how do I get out of safe mode afterwards? I only have my laptop so I don't want to mess up anything accidentally.

Here's my latest scan log. The same viruses keep appearing every time I do a scan even though I reboot my laptop to remove them when prompted by SAS. I stopped the scan after it finished with the registry items because I have over one hundred thousand files which usually come up clean.

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 07/19/2010 at 01:03 AM

Application Version : 4.40.1002

Core Rules Database Version : 5226

Trace Rules Database Version: 3038

Scan type : Complete Scan

Total Scan Time : 00:06:46

Memory items scanned : 567

Memory threats detected : 0

Registry items scanned : 7213

Registry threats detected : 54

File items scanned : 113

File threats detected : 0

Rootkit.TDSServ

HKLM\SOFTWARE\TDSS

HKLM\SOFTWARE\TDSS\connections

HKLM\SOFTWARE\TDSS\connections#7e72e91c

HKLM\SOFTWARE\TDSS\disallowed

HKLM\SOFTWARE\TDSS\disallowed#trsetup.exe

HKLM\SOFTWARE\TDSS\disallowed#ViewpointService.exe

HKLM\SOFTWARE\TDSS\disallowed#ViewMgr.exe

HKLM\SOFTWARE\TDSS\disallowed#SpySweeper.exe

HKLM\SOFTWARE\TDSS\disallowed#SUPERAntiSpyware.exe

HKLM\SOFTWARE\TDSS\disallowed#SpySub.exe

HKLM\SOFTWARE\TDSS\disallowed#SpywareTerminatorShield.exe

HKLM\SOFTWARE\TDSS\disallowed#SpyHunter3.exe

HKLM\SOFTWARE\TDSS\disallowed#XoftSpy.exe

HKLM\SOFTWARE\TDSS\disallowed#SpyEraser.exe

HKLM\SOFTWARE\TDSS\disallowed#combofix.exe

HKLM\SOFTWARE\TDSS\disallowed#otscanit.exe

HKLM\SOFTWARE\TDSS\disallowed#mbam.exe

HKLM\SOFTWARE\TDSS\disallowed#mbam-setup.exe

HKLM\SOFTWARE\TDSS\disallowed#flash_disinfector.exe

HKLM\SOFTWARE\TDSS\disallowed#otmoveit2.exe

HKLM\SOFTWARE\TDSS\disallowed#smitfraudfix.exe

HKLM\SOFTWARE\TDSS\disallowed#prevxcsifree.exe

HKLM\SOFTWARE\TDSS\disallowed#download_mbam-setup.exe

HKLM\SOFTWARE\TDSS\disallowed#cbo_setup.exe

HKLM\SOFTWARE\TDSS\disallowed#spywareblastersetup.exe

HKLM\SOFTWARE\TDSS\disallowed#rminstall.exe

HKLM\SOFTWARE\TDSS\disallowed#sdsetup.exe

HKLM\SOFTWARE\TDSS\disallowed#vundofixsvc.exe

HKLM\SOFTWARE\TDSS\disallowed#daft.exe

HKLM\SOFTWARE\TDSS\disallowed#gmer.exe

HKLM\SOFTWARE\TDSS\disallowed#catchme.exe

HKLM\SOFTWARE\TDSS\disallowed#mcpr.exe

HKLM\SOFTWARE\TDSS\disallowed#sdfix.exe

HKLM\SOFTWARE\TDSS\disallowed#hjtinstall.exe

HKLM\SOFTWARE\TDSS\disallowed#fixpolicies.exe

HKLM\SOFTWARE\TDSS\disallowed#emergencyutil.exe

HKLM\SOFTWARE\TDSS\disallowed#techweb.exe

HKLM\SOFTWARE\TDSS\disallowed#GoogleUpdate.exe

HKLM\SOFTWARE\TDSS\disallowed#windowsdefender.exe

HKLM\SOFTWARE\TDSS\disallowed#spybotsd.exe

HKLM\SOFTWARE\TDSS\injector

HKLM\SOFTWARE\TDSS\injector#*

HKLM\SOFTWARE\TDSS\versions

HKLM\SOFTWARE\TDSS\versions#/tdss2/crcmds/init

HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys

HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#start

HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#type

HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#imagepath

HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#group

HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum

HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#0

HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#Count

HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#NextInstance

HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#INITSTARTFAILED

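The log above is worth reading as data rather than as a list of 54 things to delete. Every hit is a registry entry, none is a file, and the entries fall into three groups: the rootkit's own configuration under HKLM\SOFTWARE\TDSS (the value names under `disallowed` are the image names of security tools, SAS included, that the rootkit refuses to let run, and `injector#*` marks every process as an injection target), and a kernel driver service, TDSSserv.sys, which is what survives the reboot and recreates the rest. The following script is an added example, not part of the thread and not SUPERAntiSpyware's code; it parses a log in the format posted above into that triage picture. It assumes only the conventions visible in the post: `Name : value` summary lines, a bare family name (`Rootkit.TDSServ`) introducing its items, and registry items written as `HIVE\key#valuename`, with `#` separating a key path from the name of a value under it. `SAMPLE_LOG` is a shortened excerpt of the log above.

```python
r"""Triage a SUPERAntiSpyware scan log for rootkit registry artifacts.

Added example; not from the forum thread and not SUPERAntiSpyware's own
code. Assumed log conventions (taken from the post above):
  - "Name : value" lines for the scan summary,
  - a bare detection family name (e.g. "Rootkit.TDSServ") followed by the
    items attributed to it,
  - registry items written as HIVE\key[#valuename], '#' separating a key
    path from the name of a value under that key.
SAMPLE_LOG is an excerpt of the log posted above, shortened for length.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
SUPERAntiSpyware Scan Log
Generated 07/19/2010 at 01:03 AM
Application Version : 4.40.1002
Scan type : Complete Scan
Registry items scanned : 7213
Registry threats detected : 54
File items scanned : 113
File threats detected : 0

Rootkit.TDSServ
HKLM\SOFTWARE\TDSS
HKLM\SOFTWARE\TDSS\connections#7e72e91c
HKLM\SOFTWARE\TDSS\disallowed
HKLM\SOFTWARE\TDSS\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\TDSS\disallowed#combofix.exe
HKLM\SOFTWARE\TDSS\disallowed#mbam.exe
HKLM\SOFTWARE\TDSS\disallowed#gmer.exe
HKLM\SOFTWARE\TDSS\disallowed#windowsdefender.exe
HKLM\SOFTWARE\TDSS\injector#*
HKLM\SOFTWARE\TDSS\versions#/tdss2/crcmds/init
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#start
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#imagepath
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#INITSTARTFAILED
"""

SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+?)\s*:\s*(?P<value>.+)$")
FAMILY_RE = re.compile(r"^[A-Za-z][\w-]*(?:\.[\w-]+)+$")
REG_ITEM_RE = re.compile(r"^(?P<hive>HK[A-Z]{1,2})\\(?P<key>[^#]+?)(?:#(?P<value>.*))?$")


def parse_sas_log(text):
    """Return (summary dict, {family: [(hive, key, value_or_None), ...]})."""
    summary, items, family = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := REG_ITEM_RE.match(line):
            items[family or "unattributed"].append((m["hive"], m["key"], m["value"]))
        elif FAMILY_RE.match(line):
            family = line
        elif (m := SUMMARY_RE.match(line)) and family is None:
            v = m["value"].strip()
            summary[m["name"].strip()] = int(v) if v.isdigit() else v
    return summary, dict(items)


def triage(items):
    """Per family: registered services (boot persistence), the tool image
    names listed under 'disallowed', and the injector's target list."""
    report = {}
    for family, entries in items.items():
        services, blocked, inject = set(), [], []
        for _hive, key, value in entries:
            parts = key.split("\\")
            lower = [p.lower() for p in parts]
            if "services" in lower and lower.index("services") + 1 < len(parts):
                services.add(parts[lower.index("services") + 1])
            if value and lower[-1] == "disallowed":
                blocked.append(value)
            if value and lower[-1] == "injector":
                inject.append(value)
        report[family] = {
            "registry_entries": len(entries),
            "services": sorted(services),
            "blocked_tools": blocked,
            "injector_targets": inject,
        }
    return report


if __name__ == "__main__":
    summary, items = parse_sas_log(SAMPLE_LOG)
    print("registry threats reported:", summary.get("Registry threats detected"))
    for family, info in triage(items).items():
        print(family, info)
```

Run it on the full log and the `services` list is the part to act on: while TDSSserv.sys is still registered and loading at boot, deleting the HKLM\SOFTWARE\TDSS keys from inside the running system does not stick, which matches the "they come back after every reboot" behaviour described above. The `blocked_tools` list explains why the usual scanners behave oddly on such a machine, and is why the TDSSKiller suggestion later in the thread is the right direction: the driver has to be dealt with first.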

I am going to have to agree with EvanJM. I have been using SAS for years and am actually a reseller. I think the one thing that bothers me the most about SAS is the lack of rootkit detection. I get infected computers in all the time and the first thing I do is put SAS Pro on them and do a full scan. It doesn't fix the infection. It says it has removed all the infections but the computer is still infected. FakeAV.

The fix has always been Combofix. Combofix immediately pops up with a message that it has detected a rootkit and in-turn cleans it. SAS missed it completely. This has happened on several occasions. In looking through the SAS options rootkits are not mentioned. Was SAS designed to detect rootkits?

Please don't get me wrong. I love SAS and wouldn't trade it for the universe. It just needs to detect rootkits...


The term "rootkit" is meaningless. It's all just malware.

CF showing a rootkit infection is normal.


The term "rootkit" is not meaningless. It is a completely different subset of malware in itself.

"A rootkit is a software system that consists of one or more programs designed to obscure the fact that the system has been compromised. ..." and CF showing a rootkit infection is not normal. It does not pop up unless a true rootkit is detected on the computer.

Rootkits are hidden from everything. One way or the other SAS has a real problem with rootkits. SAS will report the computer being clean even though these rootkits still exist and the system is still infected. SAS misses the rootkits completely.


You are completely incorrect in your statement regarding "SAS misses the rootkits completely". We detect thousands of rootkits including the TDSS ones being circulated today. If you have something we are not detecting let us know, we can run a diagnostic and see what's going on. Also tools such as HiJackThis and ComboFix use the Windows API and will not see MANY rootkits at all.

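The point about tools that "use the Windows API" is the crux of the rootkit argument in this thread: a kernel driver that hooks the service and registry APIs can answer "no such service" to anything running on the infected system, so a clean report from such a tool proves little. The standard counter is a cross-view comparison: take the same inventory through two paths, one that the rootkit can influence and one that it cannot, and diff them. The script below is an added example, not code from the thread, from SUPERAntiSpyware or from ComboFix. Both inputs are constructed: `LIVE_SC_QUERY` mimics the output of `sc query type= driver state= all` on the suspect machine (the API view), and `OFFLINE_HIVE_SERVICES` mimics `reg query` output over a copy of the SYSTEM hive loaded from boot media under a hypothetical `HKLM\OfflineSystem` (the raw view). TDSSserv.sys is the service name from the scan log above; ACPI, atapi and Beep are ordinary Windows driver services used as filler.

```python
r"""Cross-view check for a service hidden from the running OS.

Added example; not from the thread, SUPERAntiSpyware or ComboFix. It
illustrates why a tool that only asks the Windows API can miss a rootkit:
compare what the live Service Control Manager reports with what the
Services key of the SYSTEM hive contains when read outside the infected OS.

Assumptions (all constructed for this example):
  - LIVE_SC_QUERY mimics `sc query type= driver state= all` (API view);
  - OFFLINE_HIVE_SERVICES mimics `reg query` over a SYSTEM hive copy
    loaded under a hypothetical HKLM\OfflineSystem from boot media (raw
    view); only the subkey name after \Services\ is used;
  - TDSSserv.sys is the service name from the log above.
"""
import re

LIVE_SC_QUERY = """\
SERVICE_NAME: ACPI
DISPLAY_NAME: Microsoft ACPI Driver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: atapi
DISPLAY_NAME: IDE Channel
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: Beep
DISPLAY_NAME: Beep
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
"""

OFFLINE_HIVE_SERVICES = r"""
HKEY_LOCAL_MACHINE\OfflineSystem\ControlSet001\Services\ACPI
HKEY_LOCAL_MACHINE\OfflineSystem\ControlSet001\Services\atapi
HKEY_LOCAL_MACHINE\OfflineSystem\ControlSet001\Services\Beep
HKEY_LOCAL_MACHINE\OfflineSystem\ControlSet001\Services\TDSSserv.sys
"""

SC_NAME_RE = re.compile(r"^SERVICE_NAME:\s*(.+?)\s*$")
SC_FIELD_RE = re.compile(r"^(TYPE|STATE)\s*:\s*\d+\s+(\w+)")


def parse_sc_query(text):
    """API view: {lowercased name: {'name', 'type', 'state'}} from sc output."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SC_NAME_RE.match(line):
            current = {"name": m.group(1), "type": None, "state": None}
            services[current["name"].lower()] = current
        elif current and (m := SC_FIELD_RE.match(line)):
            current[m.group(1).lower()] = m.group(2)
    return services


def parse_hive_services(text):
    """Raw view: {lowercased name: name} from the direct Services subkeys."""
    marker = "\\Services\\"
    names = {}
    for raw in text.splitlines():
        line = raw.strip()
        if marker in line:
            name = line.split(marker, 1)[1].split("\\", 1)[0]
            names[name.lower()] = name
    return names


def cross_view_diff(live, offline):
    """Services the OS is registered to load (raw view) but does not report
    (API view) are the suspicious set; the reverse direction is kept too."""
    return {
        "hidden_from_scm": sorted(v for k, v in offline.items() if k not in live),
        "only_in_scm": sorted(v["name"] for k, v in live.items() if k not in offline),
    }


if __name__ == "__main__":
    result = cross_view_diff(parse_sc_query(LIVE_SC_QUERY),
                             parse_hive_services(OFFLINE_HIVE_SERVICES))
    for name in result["hidden_from_scm"]:
        print(f"HIDDEN: {name} is registered under Services but the SCM does not list it")
    if not result["hidden_from_scm"]:
        print("no hidden services found")
```

Two caveats when using this for real. The raw view has to come from outside the rootkit's reach (a hive copied from boot media or read on another machine); if both listings are taken on the live system, a driver that hooks the registry API hides from both and the diff is empty. And not every direct subkey of Services is a real service, so in practice filter the raw view to keys that carry a Type and ImagePath value before treating a mismatch as a hidden driver.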

The next time you have one of these systems, contact us and we can run a diagnostic to see EXACTLY what is on the system - we detect thousands of rootkits.


ziggystardust, listen to what "superantispyware" is saying: if you have an infection that SAS is not properly removing, contact their "support" so that they can run diagnostics and see what the problem is.. then they can add the routine for properly removing the malware once they see what needs to be done.. maybe that seems like a lot of trouble to you and if you don't want to do that, that is fine.. but it would benefit everyone who uses SAS if you would do that..


OK I will give that a try next one I get in and you are right it is just a matter of inconvenience. The simple fix has been to hit it with ComboFix to clean it up. It only takes a couple of minutes. I am very glad to hear SAS does rootkits. It is the fact that it continually misses this one that gave me a concern.


Malware is short for Malicious Software, and includes numerous forms. Thing is, malware has become so generalized, that it's often difficult to specifically label any form of malware with a particular title. That's why infections are often classified differently from one antimalware company to another.

http://en.wikipedia.org/wiki/Malware

In regards to CF:

About 6 months ago, I started to become skeptical of CF's rootkit detection. As such, I did some testing, and I'm not convinced that its rootkit detection is accurate. Anyway, I use CF a lot, and overall think it's a great program.


Unfortunately I have had to clean this one remotely with ComboFix but the rootkit/malware has a name. Antimalware Doctor.


Antimalware Doctor isn't a "rootkit". It's a rogue antimalware program that's best classified as "Scareware".


Correct. I said nothing about it being a rootkit. The purpose behind that post was to point out SAS missed it completely. In the order of fairness so did combofix. Anyone know how to remove it?


Try TDSS Killer. Follow the screen prompts.

http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Also, I am new here so this may be curse words on this forum but, Antimalware Doctor can be removed using Malwarebytes.

http://www.malwarebytes.org/
