Bot Obliterator
Quads
Posts: 13,254
Registered: 07-21-2008

Seneka Rootkit with TDSServ

Hi Guys

The file with the name TDSServ is used by more than one piece of malware under different names. The one that seems to be doing the rounds at the moment is the variation that has the Seneka rootkit; it can also enter on the back of "AntiVirus 2009".

This seems to be the order of removal for this nasty piece of work. The drivers are in use.

1. You have to disable the drivers, reboot, then remove. To do this:

Go to the "Control Panel" and click on "System".
Click on the "Hardware" tab.
Click on "Device Manager" to open it.
Click 'View' in the menu and select 'Show Hidden Devices'.
Expand the 'Non-Plug and Play Drivers' category.
(If you find them, you can tell me.) Right-click and 'Disable' "clbdriver.sys", "msqpdxserv.sys", "tdsserv.sys" (or tdssxyz.sys, where xyz are random characters), and/or "seneka.sys".

Restart the computer in Safe Mode.
After the restart, go back to Device Manager and right-click 'Uninstall' for the above drivers.

Then use the latest version of "SDFix". Instructions:

How to use SDFix:
1. Download SDFix and save it to your Desktop.
2. Install SDFix: double-click on SDFix. If a "Security Warning" window opens, click on the Run button.
3. Follow the prompts.
4. Reboot your PC into Safe Mode.

- Restart your computer.
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear.
- Select the first option, to run Windows in Safe Mode.

5. Click Start -> Run, and type the following text in the box: C:\SDFix\RunThis.bat
6. Press Enter or the OK button.
7. When the tool is finished, it will produce a report for you.

Notes:
If this error message is displayed when running SDFix:

The command prompt has been disabled by your administrator. Press any key to continue . . .

Please go to Start Menu > Run, then copy and paste the following line: %systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press OK, then run SDFix again.

If the Command Prompt window flashes on then off again on XP or Windows 2000:

Please go to Start Menu > Run, then copy and paste the following line: %systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

Then apparently the SAS pre-release will remove the remnants: http://www.superantispyware.com/prerelease.html
Try that for the guys that are getting infected with this form that's doing the rounds.
Quads

Message Edited by Quads on 12-07-2008 08:51 AM
[edit: edit at Quads request.]
Message Edited by Allen_K on 12-11-2008 08:11 AM
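As an added example, not part of Quads' post or of any of the tools it names: a PowerShell triage check that lists kernel-driver services matching the driver file names from the post, from both the live WMI view and the registry, so you can confirm before and after the Device Manager steps whether the drivers are present, disabled, or visible in one view but not the other. Assumptions: Windows PowerShell 3.0 to 5.1 in an elevated session; the name pattern, the helper names and the `tdss.*` wildcard for the random tdssxyz.sys variants are mine.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 3.0 to 5.1 in an
# elevated session; the name pattern is built from the driver files named in the post,
# with 'tdss.*' standing in for the random tdssxyz.sys variants.
$SuspectRegex = '^(clbdriver|msqpdxserv|tdss.*|seneka)$'   # -match is case-insensitive

function Resolve-ImagePath([string]$p) {
    # Registry ImagePath values come as '\??\C:\...', '\SystemRoot\...' or 'system32\drivers\x.sys'.
    if (-not $p) { return $null }
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-LiveSuspectDrivers {
    # Win32_SystemDriver is the set Device Manager lists under "Non-Plug and Play Drivers"
    # once hidden devices are shown; State/StartMode tell you whether the Disable step took.
    Get-WmiObject -Class Win32_SystemDriver |
        Where-Object { $_.Name -match $SuspectRegex } |
        ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; Source = 'WMI'; State = $_.State;
                               Start = $_.StartMode; Path = $_.PathName }
        }
}

function Get-RegistrySuspectDrivers {
    # Service keys with Type 1 are kernel drivers; Start 4 is "Disabled".
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        Where-Object { $_.PSChildName -match $SuspectRegex } |
        ForEach-Object {
            $v = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{ Name = $_.PSChildName; Source = 'Registry'; State = "Type=$($v.Type)";
                               Start = $v.Start; Path = Resolve-ImagePath $v.ImagePath }
        }
}

$live = @(Get-LiveSuspectDrivers)
$reg  = @(Get-RegistrySuspectDrivers)

if (-not $live -and -not $reg) {
    Write-Output "No driver matching $SuspectRegex found in WMI or the registry."
} else {
    $live + $reg | Format-Table -AutoSize
    # A service present in the registry but missing from the live WMI view means something
    # is filtering what the running system reports: treat it as hidden, not as absent.
    foreach ($d in ($reg | Where-Object { $live.Name -notcontains $_.Name })) {
        Write-Warning "$($d.Name) is registered but not visible to WMI."
    }
    # The post says the files are in use or locked; check whether they are still on disk.
    foreach ($d in ($live + $reg | Where-Object { $_.Path -and -not (Test-Path -LiteralPath $_.Path) })) {
        Write-Warning "$($d.Name): image '$($d.Path)' not found on disk."
    }
}
```

Run it once before the Device Manager steps (expect State Running, Start Auto/Boot/System) and again after the Safe Mode reboot (expect Start 4 or the key gone) to confirm each step actually took effect.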
Regular Contributor
TrDo
Posts: 244
Registered: 11-26-2008

Re: Seneka Rootkit with TDSServ

Hi Quads,

Great info! Great work! Well done!

Thanks.

TrDo.

PS: Two questions:

1) Why pre-release SAS? The normal free edition (4.22.1014) will not do it?

2) SDFix from Andy Manchesta, and download from My Anti Spyware?

Message Edited by TrDo on 12-06-2008 11:04 PM
Phil_D
Posts: 7,286
Topics: 190
Kudos: 2,357
Solutions: 365
Registered: 06-10-2008

Re: Seneka Rootkit with TDSServ

Nice Research Quads!

I hope I never have to refer to it, but I'm going to bookmark this one.


Bot Obliterator
Quads
Posts: 13,254
Registered: 07-21-2008

Re: Seneka Rootkit with TDSServ


TrDo wrote:

Hi Quads,

Great info! Great work! Well done!

Thanks.

TrDo.

PS: Two questions:

1) Why pre-release SAS? The normal free edition (4.22.1014) will not do it?

2) SDFix from Andy Manchesta, and download from My Anti Spyware?

Message Edited by TrDo on 12-06-2008 11:04 PM

1. People are reporting the normal version of SAS is not doing the job at removing it.
2. Yes, from here: http://downloads.andymanchesta.com/RemovalTools/SDFix_ReadMe.htm
or, as you say, here: http://www.myantispyware.com/free-programs/
Quads

Regular Contributor
Tech0utsider
Posts: 1,452
Registered: 07-29-2008

Re: Seneka Rootkit with TDSServ

...you posted this because Norton is incapable of detecting this?

Bot Obliterator
Quads
Posts: 13,254
Registered: 07-21-2008

Re: Seneka Rootkit with TDSServ


Tech0utsider wrote:
...you posted this because Norton is incapable of detecting this?

I posted it to help people. I have had, I think, 5 posters saying Norton detects it (whichever variant) but manual removal is required. Then they can't find the files or can't delete the file, probably because it is in use or locked.
Quads

Regular Contributor
TrDo
Posts: 244
Registered: 11-26-2008

Re: Seneka Rootkit with TDSServ

Hi Quads,

Thanks for the reply.

TrDo.

TomiRed
Posts: 874
Topics: 84
Kudos: 151
Solutions: 26
Registered: 06-19-2008

Re: Seneka Rootkit with TDSServ

This thread brings me to ask a question for the Symantec guys: if Early Load is enabled in NIS/NAV, are Norton's services and drivers loaded early enough to detect and remove rootkits like these before they hide themselves in the seclusion of the Non-Plug and Play Drivers section?

And what about those rootkits that hook the network drivers and ntfs.sys to hide themselves completely, and that run in kernel mode exclusively (like the Srizbi botnet rootkit)?

Is NIS effective against those?

Regular Contributor
Tech0utsider
Posts: 1,452
Registered: 07-29-2008

Re: Seneka Rootkit with TDSServ

Kind of disappointed in NIS/NAV right now; however, NIS/NAV 08 were the highest rated ("++") in terms of rootkit detection and cleaning.

av-test.org

Bot Obliterator
Quads
Posts: 13,254
Registered: 07-21-2008

Re: Seneka Rootkit with TDSServ

Hey guys

I did this thread to help the people with this type of infection, NOT to start on about Norton or other security software not removing it. It is not only Norton having trouble with removing this malware; people with this nasty piece of work on their system say others can't remove it either.

Quads

Message Edited by Quads on 12-07-2008 01:59 PM