topic Re: Seneka Rootkit with TDSServ in Norton Internet Security / Norton AntiVirus

Seneka Rootkit with TDSServ

Quads — Thu, 11 Dec 2008 14:11:19 GMT

Hi Guys

The file with the name TDSServ is used by more than one Malware under different names, The one that seems to be doing the rounds at the moment is the Variation that has the Seneka Rootkit, Can also enter on the back of "AntiVirus 2009"

This seems to be the order of removal for this nasty piece of work. The drivers are in use

1. You have to disable the drivers, Reboot, then Remove. By doing this,

Go to the "Control Panel" click on "System

Click on the "Hardware" tab.

Click on "Device Manager" to open it
Click 'View' in the menu and select 'Show Hidden Devices'
Expand the 'Non-Plug and Play' Drivers category
(If you find them, You can tell me), Right-click and 'Disable' "clbdriver.sys", "msqpdxserv.sys", "tdsserv.sys" (or tdssxyz.sys where xyz.sys are random characters), and/or "seneka.sys"

Restart computer to Safe Mode
After restart, go back to Device Manager and right-click 'Uninstall' for the above drivers

Then Use the latest Version of "SDfix", Instructions

How to use SDFix:
1. Download SDFix and save to your Desktop.
2. Install SDFix: double-click on the SDFix. If a “Security Warning window opens”, click on the Run button.
3. Follow the prompts.
4. Reboot your PC in to Safe mode.

- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.

5. Click Start -> Run,type the following text in type box: C:\SDFix\RunThis.bat
6. Press Enter or OK button.
7. When the tool is finished, it will produce a report for you.

Notes:
If this error message is displayed when running SDFix:

The command prompt has been disabled by your administrator. Press any key to continue . . .
Please goto Start Menu > Run > then copy and paste the following line: %systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press OK then run SDFix again

If the Command Prompt window flashes on then off again on XP or Windows2000

Please goto Start Menu > Run > then copy and paste the following line: %systemdrive%\SDFix\apps\FixPath.exe /Q Reboot and then run SDFix again

Then apparently the SAS pre-release will remove the ruminants http://www.superantispyware.com/prerelease.html

Try that for the guys that are getting infected with this form that's doing the rounds.

Quads

Message Edited by Quads on 12-07-2008 08:51 AM

[edit: edit at Quads request.]

Message Edited by Allen_K on 12-11-2008 08:11 AM

Re: Seneka Rootkit with TDSServ

TrDo — Sat, 06 Dec 2008 21:04:27 GMT

Hi Quads,

Great info!Great work!Well done!

Thanks.

TrDo.

PS: Two Questions:

1)Why Pre-release SAS? The normal free edition (4.22.1014 ) will not do it?

2) SDFix from Andy Manchesta, and download from My Anti Spyware?

Message Edited by TrDo on 12-06-2008 11:04 PM

Re: Seneka Rootkit with TDSServ

Phil_D — Sat, 06 Dec 2008 20:57:59 GMT

Nice Research Quads!

I hope I never have to refer to it, but I'm going to bookmark this one.

Re: Seneka Rootkit with TDSServ

Quads — Sat, 06 Dec 2008 21:51:07 GMT

TrDo wrote:
Hi Quads,

Great info!Great work!Well done!

Thanks.

TrDo.

PS: Two Questions:

1)Why Pre-release SAS? The normal free edition (4.22.1014 ) will not do it?
2) SDFix from Andy Manchesta, and download from My Anti Spyware?
Message Edited by TrDo on 12-06-2008 11:04 PM

1. People are reporting the normal version of SAS is not doing the job at removing.

2. Yes, from here http://downloads.andymanchesta.com/RemovalTools/SDFix_ReadMe.htm

or as you say here http://www.myantispyware.com/free-programs/

Quads

Re: Seneka Rootkit with TDSServ

Tech0utsider — Sat, 06 Dec 2008 21:51:57 GMT

...you posted this because Norton is incapable of detecting this?

Re: Seneka Rootkit with TDSServ

Quads — Sat, 06 Dec 2008 22:24:53 GMT

Tech0utsider wrote:
...you posted this because Norton is incapable of detecting this?

I posted it to help people. I have I think had 5 Posters saying Norton Detects (which ever variant) but manual removal is required. Then they can't find the files or can't delete the file. Due to probably in use, or locked.

Quads

Re: Seneka Rootkit with TDSServ

TrDo — Sat, 06 Dec 2008 22:31:26 GMT

Hi Quads,

Thanks for the reply.

TrDo.

Re: Seneka Rootkit with TDSServ

TomiRed — Sun, 07 Dec 2008 00:24:36 GMT

This thread brings me to ask a question for the Symantec guys: if Early Load is enabled in NIS/NAV, are Norton's services and drivers loaded early enough to detect and remove rootkits like these before they hide themselves into the seclusion of Non Plug and Play Driver section?

And what about those rootkits that hook the network drivers and ntfs.sys to hide themselves completely, and that run in kernel mode exclusively (like the Srizbi botnet rootkit)?

Is NIS effective against those?

Re: Seneka Rootkit with TDSServ

Tech0utsider — Sun, 07 Dec 2008 01:27:31 GMT

Kind of disappointed in NIS/NAV right now, however NIS/NAV08 were the highest rated, "++" in terms of rootkit detection and cleaning.

av-test.org

Re: Seneka Rootkit with TDSServ

Quads — Sun, 07 Dec 2008 01:59:39 GMT

Hey guys

I did this tread to help the people with this type of infection NOT to start on about Norton or other Security software not removing, It is not only Norton having trouble with removing this Malware, People with this nasty piece of work on their system say others can't remove either.

Quads

Message Edited by Quads on 12-07-2008 01:59 PM

Re: Seneka Rootkit with TDSServ

Tech0utsider — Sun, 07 Dec 2008 05:50:04 GMT

Can you PM me the link to the infected file, or more specfically the Seneka Rootkit?

I have enough CPU cycles to spare =)

Message Edited by Tech0utsider on 12-07-2008 12:50 AM

Worked for me with Tidserv!inf

limejen — Tue, 09 Dec 2008 05:27:41 GMT

Thanks Quads!!!!

I am a novice at dealing with viruses, but found your instructions easy to follow.

Followed them to the letter and deleted the virus.

I will know where to go next time I need help.

Jen

Re: Worked for me with Tidserv!inf

Quads — Tue, 09 Dec 2008 05:29:08 GMT

That's good

Quads

Re: Seneka Rootkit with TDSServ

Julz — Thu, 11 Dec 2008 06:22:13 GMT

Hi, I am following your guide. However in the 'Non-Plug and Play' Drivers category, I cant find any of the devices you've listed, but I have found msqpdxserv.sys. Should I just uninstall that?

Re: Seneka Rootkit with TDSServ

Stu — Thu, 11 Dec 2008 06:28:29 GMT

Great work Quads. Good to see your passion to help out the people around the forum

Re: Seneka Rootkit with TDSServ

Quads — Thu, 11 Dec 2008 06:43:16 GMT

Hi Julz

"msqpdxserv.sys" indeed belongs to W32.Tidns,and is in the TDSS family ( Norton detects as Tidsserv!inf), It spreads by removable drives (flash Drive etc) This bug also redirects your browser.

Please use the instuctions in the first post as you were doing, Disable msqpdxserv.sys, reboot, Uninstall .......................... SDfix instuctions, then the 3rd at the Bottom SuperAntispyware Free Prerelease....................................

You can report back after all that.

Quads

Re: Seneka Rootkit with TDSServ

Quads — Thu, 11 Dec 2008 06:46:05 GMT

Hi Stu

It's actually enjoyable helping people, and sometimes more research and tinkering is needed than other times,

But then again you are the Guru, so you must be the same.

Quads

Re: Seneka Rootkit with TDSServ

Stu — Thu, 11 Dec 2008 06:47:52 GMT

Quads wrote:
Hi Stu

It's actually enjoyable helping people, and sometimes more research and tinkering is needed than other times,

But then again you are the Guru, so you must be the same.

Quads

Please don't tell anyone ;)

Re: Seneka Rootkit with TDSServ

Quads — Mon, 15 Dec 2008 05:14:35 GMT

Part of the TDSServ (which variant?? and how much of it?? for the change) has been added to SuperAntispywares definitions as,

"Rootkit.TDSServ/Fake"

Also whether you have to still do any of the steps in the first post, don't know.

Quads

Re: Seneka Rootkit with TDSServ

mmetzger — Fri, 02 Jan 2009 23:08:13 GMT

There's a new version of the Seneka rootkit out - it doesn't seem to be hiding in the "non-plug and play" drivers section anymore. (I've killed the Seneka / TDSServ rootkit described by Quads a few weeks ago.)

Symantec endpoint protection catches it...sort of. It finds

"Trojan.Vundo" (Deleted but restart required)

"Backdoor.Tidserv!inf" Unable to do anything because a process or server is using it - the file was seneka4cbd.tmp.

"Trojan.Adclicker" deleted

"Downloader.MisleadApp" deleted.

So, after a restart, it can't find any sign of Backdoor.Tidserv!inf or any new trojans. In fact, the system seems fine. Except...if you try to go to symantec or any other security-related websites, it's unable to connect. (Tracert shows that the system is just trying to talk to 127.0.0.1 instead of going to the actual websites.) So, this is the same thing that Seneka/TDSServ did, but Quads' steps no longer apply. Any thoughts?