

Seneka Rootkit with TDSServ

Hi Guys

The file with the name TDSServ is used by more than one malware under different names. The one that seems to be doing the rounds at the moment is the variation that has the Seneka rootkit; it can also enter on the back of "AntiVirus 2009".

This seems to be the order of removal for this nasty piece of work. The drivers are in use.

1. You have to disable the drivers, reboot, then remove. To do this:

Go to the "Control Panel" and click on "System".

Click on the "Hardware" tab.

Click on "Device Manager" to open it.
Click 'View' in the menu and select 'Show Hidden Devices'.
Expand the 'Non-Plug and Play Drivers' category.
(If you find them, you can tell me.) Right-click and 'Disable' "clbdriver.sys", "msqpdxserv.sys", "tdsserv.sys" (or tdssxyz.sys, where xyz are random characters), and/or "seneka.sys".

Restart the computer into Safe Mode.
After the restart, go back to Device Manager and right-click 'Uninstall' for the above drivers.

Then use the latest version of "SDFix". Instructions:

How to use SDFix:
1. Download SDFix and save it to your Desktop.
2. Install SDFix: double-click on SDFix. If a "Security Warning" window opens, click on the Run button.
3. Follow the prompts.
4. Reboot your PC into Safe Mode.

- Restart your computer.
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear.
- Select the first option, to run Windows in Safe Mode.

5. Click Start -> Run, and type the following text in the box: C:\SDFix\RunThis.bat
6. Press Enter or the OK button.
7. When the tool is finished, it will produce a report for you.

Notes:
If this error message is displayed when running SDFix:

The command prompt has been disabled by your administrator. Press any key to continue . . .

Please go to Start Menu > Run, then copy and paste the following line: %systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press OK, then run SDFix again.

If the Command Prompt window flashes on then off again on XP or Windows 2000:

Please go to Start Menu > Run, then copy and paste the following line: %systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

Then apparently the SAS pre-release will remove the remnants: http://www.superantispyware.com/prerelease.html
Try that for the guys that are getting infected with this form that's doing the rounds. 
Quads 
  
 
Message Edited by Quads on 12-07-2008 08:51 AM[edit: edit at Quads request.]
Message Edited by Allen_K on 12-11-2008 08:11 AM
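As an added example (not part of Quads' post, and not a tool from SDFix or SuperAntispyware), the following Python script automates the triage that the Device Manager walk-through above does by hand: it takes a driver inventory and flags module names matching the patterns named in this thread (tdss*, seneka*, msqpdxserv, clbdriver, and the uac* naming reported later in the thread), plus any driver image loaded from a Temp directory, which is where one later reply found seneka4cbd.tmp. The inventory format is assumed to be the CSV that `driverquery /v /fo csv` prints on Windows; only the "Module Name" and "Path" columns are used, and the sample rows are constructed.

```python
"""Driver-inventory triage for the TDSS/Seneka driver names discussed in this
thread.  Added example; not part of the original post or of SDFix/SAS.

Assumed input format: the CSV that `driverquery /v /fo csv` prints on Windows.
Only the "Module Name" and "Path" columns are used, so any CSV carrying those
two headers works.  SAMPLE_INVENTORY below is constructed.
"""
import csv
import io
import re
import subprocess

# Name patterns taken from the thread: tdss*.sys / tdssxyz.sys, seneka*.sys,
# msqpdxserv.sys, clbdriver.sys and the later UAC*.* naming.
SUSPECT_PATTERNS = [
    re.compile(r"^tdss", re.I),
    re.compile(r"^seneka", re.I),
    re.compile(r"^msqpdx", re.I),
    re.compile(r"^clbdriver$", re.I),
    re.compile(r"^uac", re.I),
]

# A driver image under a Temp directory is suspect regardless of its name; one
# reply in the thread found the image as ...\Local Settings\Temp\seneka4cbd.tmp.
TEMP_DIR_RE = re.compile(r"\\(local settings\\)?temp\\", re.I)


def classify(module, path):
    """Return the reasons a driver looks suspect (empty list means nothing flagged)."""
    reasons = []
    image = path.rsplit("\\", 1)[-1]          # file-name part of the path
    stem = image.rsplit(".", 1)[0]            # file name without extension
    for pat in SUSPECT_PATTERNS:
        if pat.search(module) or pat.search(stem):
            reasons.append("name matches " + pat.pattern)
            break
    if TEMP_DIR_RE.search(path):
        reasons.append("driver image loaded from a Temp directory")
    if image and not image.lower().endswith(".sys"):
        reasons.append("driver image is not a .sys file")
    return reasons


def triage(csv_text):
    """Map each flagged module name to its list of reasons."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        module = (row.get("Module Name") or "").strip()
        path = (row.get("Path") or "").strip()
        reasons = classify(module, path)
        if reasons:
            findings[module] = reasons
    return findings


def live_inventory():
    """Collect the real inventory on a Windows host (assumed command: driverquery /v /fo csv)."""
    result = subprocess.run(["driverquery", "/v", "/fo", "csv"],
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample: a few genuine-looking XP drivers plus rows shaped like the
# names reported in this thread.
SAMPLE_INVENTORY = '''"Module Name","Display Name","State","Path"
"Beep","Beep","Running","C:\\WINDOWS\\system32\\drivers\\beep.sys"
"Null","Null","Running","C:\\WINDOWS\\system32\\drivers\\null.sys"
"SYMTDI","SYMTDI","Running","C:\\WINDOWS\\system32\\Drivers\\SYMTDI.SYS"
"TDSSserv","TDSSserv","Running","C:\\WINDOWS\\system32\\drivers\\TDSSserv.sys"
"msqpdxserv","msqpdxserv","Running","C:\\WINDOWS\\system32\\drivers\\msqpdxserv.sys"
"seneka","seneka","Running","C:\\WINDOWS\\system32\\drivers\\seneka.sys"
"UACd","UACd","Running","C:\\WINDOWS\\system32\\drivers\\UACd.sys"
"tmp4cbd","tmp4cbd","Running","C:\\Documents and Settings\\user\\Local Settings\\Temp\\seneka4cbd.tmp"
'''

if __name__ == "__main__":
    # Swap SAMPLE_INVENTORY for live_inventory() on a Windows host.
    for name, why in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {'; '.join(why)}")
```

Name matching alone is only as good as the list, which is the point the later replies make when the naming moves from TDSS* to UAC*; the Temp-directory and non-.sys checks catch the image in the thread's later report even without a name hit.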

Replies


Re: Seneka Rootkit with TDSServ

Hi Quads,

Great info! Great work! Well done!

Thanks.

TrDo.

PS: Two Questions:

1) Why Pre-release SAS? The normal free edition (4.22.1014) will not do it?

2) SDFix from Andy Manchesta, and download from My Anti Spyware?

Message Edited by TrDo on 12-06-2008 11:04 PM

Re: Seneka Rootkit with TDSServ

Nice Research Quads!

I hope I never have to refer to it, but I'm going to bookmark this one.

"Anyone who isn't confused really doesn't understand the situation."   Edward R. Murrow

Re: Seneka Rootkit with TDSServ


TrDo wrote:

Hi Quads,

Great info! Great work! Well done!

Thanks.

TrDo.

PS: Two Questions:

1) Why Pre-release SAS? The normal free edition (4.22.1014) will not do it?

2) SDFix from Andy Manchesta, and download from My Anti Spyware?

Message Edited by TrDo on 12-06-2008 11:04 PM
 1. People are reporting the normal version of SAS is not doing the job at removing. 
2. Yes, from here http://downloads.andymanchesta.com/RemovalTools/SDFix_ReadMe.htm
    or as you say here http://www.myantispyware.com/free-programs/
Quads 
 
 

Re: Seneka Rootkit with TDSServ

...you posted this because Norton is incapable of detecting this?
=\

Re: Seneka Rootkit with TDSServ


Tech0utsider wrote:
...you posted this because Norton is incapable of detecting this?
I posted it to help people. I have, I think, had 5 posters saying Norton detects (whichever variant) but manual removal is required. Then they can't find the files or can't delete the file, probably due to it being in use or locked.
 Quads 

Re: Seneka Rootkit with TDSServ

Hi Quads,

Thanks for the reply.

TrDo.


Re: Seneka Rootkit with TDSServ

This thread brings me to ask a question for the Symantec guys: if Early Load is enabled in NIS/NAV, are Norton's services and drivers loaded early enough to detect and remove rootkits like these before they hide themselves into the seclusion of Non Plug and Play Driver section?

And what about those rootkits that hook the network drivers and ntfs.sys to hide themselves completely, and that run in kernel mode exclusively (like the Srizbi botnet rootkit)?

Is NIS effective against those?

Windows 7 Ultimate x64 SP1 -- NIS 21

Re: Seneka Rootkit with TDSServ

Kind of disappointed in NIS/NAV right now, however NIS/NAV08 were the highest rated, "++" in terms of rootkit detection and cleaning.

av-test.org

=\

Re: Seneka Rootkit with TDSServ

Hey guys 

I did this thread to help the people with this type of infection, NOT to start on about Norton or other security software not removing it. It is not only Norton having trouble with removing this malware; people with this nasty piece of work on their system say others can't remove it either.

Quads 

Message Edited by Quads on 12-07-2008 01:59 PM

Re: Seneka Rootkit with TDSServ

Can you PM me the link to the infected file, or more specifically the Seneka rootkit?

I have enough CPU cycles to spare =)

Message Edited by Tech0utsider on 12-07-2008 12:50 AM
=\

Re: Seneka Rootkit with TDSServ

Thanks Quads!!!!

 

I am a novice at dealing with viruses, but found your instructions easy to follow.

Followed them to the letter and deleted the virus.

 

I will know where to go next time I need help.


Jen


Re: Seneka Rootkit with TDSServ

That's good

Quads 


Re: Seneka Rootkit with TDSServ

Hi, I am following your guide. However, in the 'Non-Plug and Play Drivers' category I can't find any of the devices you've listed, but I have found msqpdxserv.sys. Should I just uninstall that?

Re: Seneka Rootkit with TDSServ

Great work Quads. Good to see your passion to help out the people around the forum
"All that we are is the result of what we have thought"

Re: Seneka Rootkit with TDSServ

Hi Julz

"msqpdxserv.sys" indeed belongs to W32.Tidns, and is in the TDSS family (Norton detects it as Tidsserv!inf). It spreads by removable drives (flash drive etc.). This bug also redirects your browser.

Please use the instructions in the first post as you were doing: disable msqpdxserv.sys, reboot, uninstall.......................... SDFix instructions, then the 3rd at the bottom, SuperAntispyware Free Prerelease....................................

You can report back after all that. 

Quads 


Re: Seneka Rootkit with TDSServ

Hi Stu

It's actually enjoyable helping people, and sometimes more research and tinkering is needed than other times,

But then again you are the Guru, so you must be the same.

Quads 


Re: Seneka Rootkit with TDSServ


Quads wrote:

Hi Stu

It's actually enjoyable helping people, and sometimes more research and tinkering is needed than other times,

But then again you are the Guru, so you must be the same.

Quads 


Please don't tell anyone ;)

"All that we are is the result of what we have thought"

Re: Seneka Rootkit with TDSServ

Hi

Part of the TDSServ (which variant?? and how much of it?? for the change) has been added to SuperAntispyware's definitions as,

"Rootkit.TDSServ/Fake"  

Also whether you have to still do any of the steps in the first post, don't know.  

Quads 


Re: Seneka Rootkit with TDSServ

There's a new version of the Seneka rootkit out - it doesn't seem to be hiding in the "non-plug and play" drivers section anymore. (I've killed the Seneka / TDSServ rootkit described by Quads a few weeks ago.)

Symantec endpoint protection catches it...sort of. It finds

"Trojan.Vundo" (Deleted but restart required)

"Backdoor.Tidserv!inf" Unable to do anything because a process or server is using it - the file was seneka4cbd.tmp.

"Trojan.Adclicker" deleted

"Downloader.MisleadApp" deleted.

So, after a restart, it can't find any sign of Backdoor.Tidserv!inf or any new trojans. In fact, the system seems fine. Except...if you try to go to symantec or any other security-related websites, it's unable to connect. (Tracert shows that the system is just trying to talk to 127.0.0.1 instead of going to the actual websites.) So, this is the same thing that Seneka/TDSServ did, but Quads' steps no longer apply. Any thoughts?


Re: Seneka Rootkit with TDSServ

Hi mmetzger

1. Please, where was the file "seneka4cbd.tmp" located??

2. Are there any strange-looking names in the "Non Plug and Play" devices??

3. The problem you are having with getting to security websites is due to one of the infections placing security websites in your HOSTS file, so when you try to get to that website you get redirected to the site the malware wants.

so.

4. Download Hijackthis from http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

    and download the executable, then run it, saving the log. Then personal message me the log, so I can see whether the HOSTS entries show up, as they do for SpywareGuard2008.

Quads 
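As an added example (not Quads' or the poster's own tool), here is a Python check for the HOSTS-file redirection just described: it parses a HOSTS file, ignores the stock localhost line, and reports any entry that maps a security vendor's domain (or a subdomain of it) to loopback or to some other address. The sample file and the vendor list are constructed for illustration from names that appear in this thread; the path helper assumes the standard Windows location.

```python
"""HOSTS-file check for the redirection described in this thread: security
vendors' sites mapped to 127.0.0.1 (so tracert ends at the local machine) or
to an address of the attacker's choosing.  Added example; not the poster's own
tool.  SAMPLE_HOSTS is constructed; WATCH_DOMAINS is an illustrative list built
from vendor domains mentioned in the thread.
"""
import os

WATCH_DOMAINS = {
    "symantec.com", "norton.com", "superantispyware.com",
    "malwarebytes.org", "trendsecure.com",
}
LOOPBACK_OR_NULL = {"127.0.0.1", "::1", "0.0.0.0"}
# Names that legitimately map to loopback in a stock Windows HOSTS file.
EXPECTED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return [(line_no, address, [hostnames])], ignoring comments and blanks."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                            # address with no hostname
        entries.append((line_no, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_watched(hostname):
    """True for a watched domain or any subdomain of it."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCH_DOMAINS)


def find_hijacks(text):
    """List (line_no, hostname, address, kind) for every suspicious mapping.

    kind is "blackholed" when the address is loopback/null (the symptom in the
    thread) and "redirected" for any other address."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        for name in names:
            if name in EXPECTED_LOOPBACK_NAMES and address in LOOPBACK_OR_NULL:
                continue                        # the stock "127.0.0.1 localhost" line
            if is_watched(name):
                kind = "blackholed" if address in LOOPBACK_OR_NULL else "redirected"
                findings.append((line_no, name, address, kind))
    return findings


def active_entry_count(text):
    """Number of non-comment mappings; a stock XP file has just one (localhost)."""
    return len(parse_hosts(text))


def default_hosts_path():
    """Usual Windows location (assumes SystemRoot is set; falls back to C:\\WINDOWS)."""
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    return os.path.join(root, "system32", "drivers", "etc", "hosts")


# Constructed sample: a stock-looking comment header and localhost line,
# followed by the kind of entries the thread describes.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       symantec.com        # constructed entry
127.0.0.1       www.norton.com
192.0.2.10      www.superantispyware.com
127.0.0.1       www.malwarebytes.org
"""

if __name__ == "__main__":
    # Replace SAMPLE_HOSTS with open(default_hosts_path()).read() on a Windows host.
    print(f"{active_entry_count(SAMPLE_HOSTS)} active entries")
    for line_no, name, address, kind in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {address} ({kind})")
```

The entry count settles the "empty" versus "not blank" exchange later in the thread: a file that is all comments has zero active mappings. Two caveats a practitioner would add: Windows reads the file from the directory named in the Tcpip DataBasePath registry value, so check that value points at the standard location before trusting the file, and a clean HOSTS file does not rule the redirection out, since (as the later replies found) the same symptom can come from a hook lower in the network stack.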


Re: Seneka Rootkit with TDSServ

1. The seneka4cbd.tmp file was located in c:\Documents and Settings\[my user name]\Local Settings\Temp

2. The only driver that isn't the name of a symantec or microsoft driver is simply called "Null".  Also, the driver SYMTDI is flagged as not working properly (code 24.) However, I note that I have a WpsHelper driver (apparently part of the symantec firewall) and "WPS" which does not show up as a symantec-related file when I googled it

3. The hosts file itself is empty, not surprising.

4. I have pm'd you the log. 


Re: Seneka Rootkit with TDSServ

Hi

Start Hijackthis and tick these entries

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - Global Startup: VPN Client.lnk = ?

O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)

Then Click "Fix Checked"

Is the "senekaxxxx.tmp" now gone?? If not try manually deleting it while in Safe Mode  

The HOSTS file itself is not blank, so it depends what you mean by empty.

Try downloading SuperAntispyware Free, installing it, updating the definitions, then doing a full scan in Safe Mode also.

Quads


Re: Seneka Rootkit with TDSServ

I fixed the three processes in hijackthis, but I wasn't able to locate any seneka* files. I tried installing SuperAntispyware Free, but the system told me "The system administrator has set policies to prevent this installation." (There were no anti-installation policies before my computer was infected.)

Re: Seneka Rootkit with TDSServ

Were you trying to install in Safe Mode or Normal Mode? The installation should be done in Normal Mode.

Also check these Registry keys.


HKLM\Software\Policies\Microsoft\Windows\Installer
and check here as well
HKCU\Software\Policies\Microsoft\Windows\Installer

Delete "DisableMSI" or change the value to 0.

Can you install Malwarebytes instead?? http://www.malwarebytes.org/mbam.php 

Quads 

Message Edited by Quads on 01-04-2009 01:39 PM
Message Edited by Quads on 01-04-2009 01:40 PM

Re: Seneka Rootkit with TDSServ

I did the installation in normal mode, but Superantispyware was unable to find anything. I checked for the keys you mentioned but they didn't exist either.

After you modified your post, I downloaded Malwarebytes. Running the scan twice in safe-mode (with a reboot between scans) did the trick - malwarebytes found the files and the senekaXXXX.temp file. 

Thanks a ton for your help - symantec should hire you!


Re: Seneka Rootkit with TDSServ


mmetzger wrote:

I did the installation in normal mode, but Superantispyware was unable to find anything. I checked for the keys you mentioned but they didn't exist either.

After you modified your post, I downloaded Malwarebytes. Running the scan twice in safe-mode (with a reboot between scans) did the trick - malwarebytes found the files and the senekaXXXX.temp file. 

Thanks a ton for your help - symantec should hire you!


Thats good, Symantec hire me hahaha LOL, we get paid in Kudos instead.

I did do the first post in this thread to help people with the TDSS....  variants as there were a few people coming through with it.

Quads 


Re: Seneka Rootkit with TDSServ

Quads,

A great many thanks for your discovery of this and to the many people that posted on here. I too was struck by this ill-willed digital brigand. All the rooting through the registry, system32 and temp folder in normal/safe/recovery console did not work like usual. Did not see the senek*.* with a `dir /o-d`, which was weird (not a novice, but just dangerous enough to know I will screw up something serious). :)

That link to MalwareBytes did the trick. Although, doing the full scan killed explorer in the beginning. Had to use the quick scan until the count went down to about 1 or 2. Then at that point was able to regain access to update MalwareBytes and did the full deep scan which cleared out everything.

SDFix was reporting that my Administrator account did not have full access?!? I tried SDFix before MalwareBytes as prior experience with it was positive. Is there a doc or some information on how the registry was locked away or how to check for it? Also any docs on this rootkit for its behavior? Want to know so I can learn more.

Thx.


Re: Seneka Rootkit with TDSServ

By the registry being locked, I take it you mean disabled, so that if you use the "Run" feature and type "regedit" you can't open it.

Malwarebytes and Hijackthis should show the registry as disabled; Hijackthis shows the entry with the value of "1" on the end.

In Vista, for some programs you have to right-click then choose "Run as administrator" to get the program to run or install.

I had this experience recently where a poster on this site could not get a full log with Hijackthis because she did not have the "rights" for certain areas; the right-click menu did the trick.

Quads 


Re: Seneka Rootkit with TDSServ

Quads,

Sorry, didn't provide info on my OS which is WinXP SP3. I was able to get to the registry with command line however, when I ran SDFix, it came back with not enough permissions. Don't have the exact message now but when I get home, I'll post my SDFix log. Prior to SDFix, had used some other rootkit stuff like Mark's RootKit Revealer Sophos AntiRootKit and BitDefender's RootKit Uncover with one or two of those reporting similar registry access privilege insufficient message. This is before I used MalwareBytes which cleansed the machine as far as I know. Have not run SDFix afterwards. If I have the other logs, will post those too. Purely informational though at this point since MalwareBytes did remove Seneka (detected by SysInternal but there is no removal capabilities builtin but helped lead me to this post).

Ogre01


Re: Seneka Rootkit with TDSServ

Hi Quads,

I've been reading your posts and believe I have this nasty virus as well.  I was able to run Avast yesterday at boot and delete two files, and tested by accessing norton.com; so I thought I was safe.

I came home tonight to make a backup of my system as I just am a bit nervous, and got about 1/2 way through that process and had the same symptoms happen.

I've looked all around my non plug & play drivers and don't have any of the ones that you've mentioned in your posts.

I have some that appear suspicious (catchme) or recently changed (printer drivers, SYMTDI), but my google searches haven't been very fruitful.

I've run SDFix a couple of times, but still have symptoms :(


Re: Seneka Rootkit with TDSServ

Hi crystallynn04

Can you

1. Download Hijackthis from http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download and download the executable, run it with 'save log file', then open the log file and copy the contents.

Go ahead private message me if you like, Click my name (Quads) to bring up my profile then click "send user private message" 

2. Download Malwarebytes Antimalware, http://www.malwarebytes.org/mbam.php  Install, then  update definitions, then restart into Safe Mode and do a full scan. 

You may still have the xxxxx.tmp file.

Quads 

Message Edited by Quads on 01-06-2009 04:22 PM

Re: Seneka Rootkit with TDSServ

Hi Guys 

SuperAntispyware (SAS) has also, in their latest database update, added

Rootkit.SENEKA-Trace        3 Items Added/Updated

Quads 


Re: Seneka Rootkit with TDSServ

WOW - Malwarebytes found 10 things ... so I'm rebooting to delete and running the scan again.

My question now is, do I need to do this on each profile on my laptop (XPP, SP2)? I've been doing these scans and cleaning as the admin, but it was my profile that originally was infected and was displaying the worst symptoms. Or does running it from admin get everything?

Also, I was reading elsewhere on the Norton site about turning off System Restore before running scans - I didn't do that, but have been running from Safe Mode with Networking, so should I do one in Normal Mode with System Restore off?

thanks so much for your help!


Re: Seneka Rootkit with TDSServ

Do you have that log from MBAM (MalwareBytes) that tells you what the infected objects were?

Sometimes it is worth running the likes of MBAM while logged in as a different user; seeing as it was your profile that showed the greater effects of infection, it would be a good idea.

It is generally a good idea to turn off System Restore if you know you are infected, as if the infection(s) have files in the system folders, System Restore can back them up. When you delete/remove the infection, System Restore can place them back, as what it sees as a system file is missing, and you can end up back at square one.

At this point, if you go back into Normal Mode and find that the infection has not returned in any way with System Restore turned on, there is probably no point, unless you want to turn it off, wiping the old restore points, then turn it back on to make a nice fresh restore point.

Quads 


Re: Seneka Rootkit with TDSServ

With Hijackthis you can check (tick) this entry (if still there)

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

Then click "Fix Checked"

Quads 


Re: Seneka Rootkit with TDSServ

all fixed - thanks a million!!

Re: Seneka Rootkit with TDSServ

Thanks Quads for the information on here. Lead me in the right direction.

Cheers


Re: Seneka Rootkit with TDSServ

There is also an executable called ComboFix.exe (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) that will clean the TDSS infections. It's extremely easy to use and works great. It's saved me a couple of times. I've got kids so there's no telling what types of infections I pick up. I run it at least once a month.

Re: Seneka Rootkit with TDSServ


BigJoeD wrote:
There is also an executable called ComboFix.exe (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) that will clean the TDSS infections. It's extremely easy to use and works great. It's saved me a couple of times. I've got kids so there's no telling what types of infections I pick up. I run it at least once a month.
I know of ComboFix; I just don't recommend it, due to the fact it can cause problems now and then. I have only seen it do this once with the OS, and I am not there to repair the damage if this happens.
Then the person asking for help will be upset etc.
 
Quads 

Re: Seneka Rootkit with TDSServ


Quads wrote:

BigJoeD wrote:
There is also an executable called ComboFix.exe (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) that will clean the TDSS infections. It's extremely easy to use and works great. It's saved me a couple of times. I've got kids so there's no telling what types of infections I pick up. I run it at least once a month.
I know of ComboFix; I just don't recommend it, due to the fact it can cause problems now and then. I have only seen it do this once with the OS, and I am not there to repair the damage if this happens.
Then the person asking for help will be upset etc.
Quads 

That's great information to give to the user community, but having options is always a good thing. It's a pretty powerful tool and may not be for everyone. Maybe a last ditch effort :)

Message Edited by BigJoeD on 01-22-2009 04:07 PM
Message Edited by BigJoeD on 01-22-2009 04:08 PM

Re: Seneka Rootkit with TDSServ

Having options is one thing, (I had already stated about Combofix once before) but some of the people asking for help for Malware removal, I have to take them through step by step by step...........................

So just not a good idea for them to use it.  Some struggle enough just with Hijackthis or SDfix.  So to give Combofix as an option when they struggle as it is, is in my mind maybe a bit foolish.

I take note of the posters level, then decide from there.

Quads 


Re: Seneka Rootkit with TDSServ

Thanks for helping us out Quads.

Found this thread and fixed a laptop today.


Re: Seneka Rootkit with TDSServ

Newer variants have stopped using TDSS*.* for their rootkit driver and modules now they use UAC*.*

Also, it no longer shows up in the Non-Plug and Play section of the Device Manager (I'm surprised it did in the first place). Here are the VirusTotal results of a semi-recent version for those who are interested (this is just the driver itself; if it is removed, none of the other hidden components will load).
https://www.virustotal.com/analisis/16f92f05a3569dd3171f783fcb8cff16


Re: Seneka Rootkit with TDSServ


M8R-t2brtq wrote:

Newer variants have stopped using TDSS*.* for their rootkit driver and modules now they use UAC*.*

Also, it no longer shows up in the Non-Plug and Play section of the Device Manager (I'm surprised it did in the first place). Here are the VirusTotal results of a semi-recent version for those who are interested (this is just the driver itself; if it is removed, none of the other hidden components will load).
https://www.virustotal.com/analisis/16f92f05a3569dd3171f783fcb8cff16


 
Thanks for that
 
Quads 

Re: Seneka Rootkit with TDSServ

Hi

I see SuperAntispyware has added more detections to their database for Seneka and TDSS variants.

For those that can install SAS that is.

Quads 


Re: Seneka Rootkit with TDSServ

Before Running any Anti-Virus Scan, e.g. Norton, Malwarebytes' Anti-Malware, e.t.c., you should in this order:

01. Update the Product.

02. If you plan to do the Anti-Virus Scan in Normal Mode, disconnect from the Internet, then Run the Anti-Virus Scan.

03. If you plan to do the Anti-Virus Scan in Safe Mode, you should do so Without Networking and double-check that you are indeed not connected to the Internet, then Run the Anti-Virus Scan.

04. If you plan to do the Anti-Virus Scan in Safe then Normal Mode, re-start in Safe Mode Without Networking and double-check that you are not Connected to the Internet, then Run the Anti-Virus Scan. Re-start into Safe Mode, and do not Connect to the Internet until the Anti-Virus Scan in Normal Mode has been Completed.


Re: Seneka Rootkit with TDSServ

Hi Floating Red


Floating_Red wrote:

Before Running any Anti-Virus Scan, e.g. Norton, Malwarebytes' Anti-Malware, e.t.c., you should in this order:

01. Update the Product.

02. If you plan to do the Anti-Virus Scan in Normal Mode, disconnect from the Internet, then Run the Anti-Virus Scan.

03. If you plan to do the Anti-Virus Scan in Safe Mode, you should do so Without Networking and double-check that you are indeed not connected to the Internet, then Run the Anti-Virus Scan.

04. If you plan to do the Anti-Virus Scan in Safe then Normal Mode, re-start in Safe Mode Without Networking and double-check that you are not Connected to the Internet, then Run the Anti-Virus Scan. Re-start into Safe Mode, and do not Connect to the Internet until the Anti-Virus Scan in Normal Mode has been Completed.


That is if the security programs can update, scan or even install etc. Some have found they can't do that.

Quads 


Re: Seneka Rootkit with TDSServ

Hi, I just made this account, as I'm new to this website. I've been searching around for a while now on how to get rid of this stupid virus. Every 10 minutes or so I get "VIRUS DETECTED blablabla seneka.sys". I've tried looking through the non-plug and play drivers and this is what I've found:

AFD
AVG Free AVI Loader Driver x86
Beep
dmboot
dmload
Fips
Generic Packet Classifier
gmer
HTTP
IP Network Address Translator
IPSEC driver
ksecdd
Microsoft AGPv3.5 Filter
mnmdd
mountmgr
NDIS System Driver
NDIS usermode I/O protocol
NDProxy
NetBios over Tcpip
NPPTNT2
NTSIM
Null
Partmgr
ParVdm
RDPCDD
Remote Access Auto Connection Driver
Remote Access IP ARP Driver
Remote Access NDIS TAPI Driver
TCP/IP Protocol Driver
Vgasave
Volsnap

I thought "ksecdd" was a bit iffy... When I'm on MSN every 10 minutes or so it sends "foto :p [link of this virus]". Also sometimes it will completely shut off my internet and I have to reboot my computer. I get this file each time:

#
# An unexpected error has been detected by Java Runtime Environment:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x6d06fe12, pid=2028, tid=1936
#
# Java VM: Java HotSpot(TM) Client VM (11.0-b15 mixed mode, sharing windows-x86)
# Problematic frame:
# C  [awt.dll+0x6fe12]
#
# If you would like to submit a bug report, please visit:
#   [website]
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#
---------------  T H R E A D  ---------------

Current thread (0x0309a400):  JavaThread "AWT-Windows" daemon [_thread_in_native, id=1936, stack(0x033f0000,0x03440000)]

siginfo: ExceptionCode=0xc0000005, reading address 0x00000044

Registers:
EAX=0x00000000, EBX=0x00000001, ECX=0x00000000, EDX=0x00000000
ESP=0x0343f2ec, EBP=0x0343f324, ESI=0x0309a514, EDI=0x00000000
EIP=0x6d06fe12, EFLAGS=0x00010246
Top of Stack: (sp=0x0343f2ec)
0x0343f2ec:   00009813 0309a514 6d096b47 00000000
0x0343f2fc:   0343f38c 6d096710 00000000 00000000
0x0343f30c:   0343f338 0309a514 0343f2fc 0343f3a8
0x0343f31c:   6d0b9f18 00000001 0343f350 7e418734
0x0343f32c:   000202f4 00009813 0004032e 00000000
0x0343f33c:   6d096710 dcbaabcd 00000000 0343f38c
0x0343f34c:   6d096710 0343f3b8 7e418816 6d096710
0x0343f35c:   000202f4 00009813 0004032e 00000000
Instructions: (pc=0x6d06fe12)
0x6d06fe02:   ce e8 c8 be 00 00 8b b6 80 01 00 00 85 f6 75 03
0x6d06fe12:   8b 77 44 8b 44 24 0c 50 56 e8 78 7f 04 00 5f 5e

Stack: [0x033f0000,0x03440000],  sp=0x0343f2ec,  free space=316k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C  [awt.dll+0x6fe12]
C  [USER32.dll+0x8734]
C  [USER32.dll+0x8816]
C  [USER32.dll+0xb4c0]
C  [USER32.dll+0xb50c]
C  [ntdll.dll+0xeae3]
C  [USER32.dll+0xca67]
C  [MSCTF.dll+0x1e9a6]
C  [MSCTF.dll+0x1efb8]
C  [MSCTF.dll+0x1f82a]
C  [MSCTF.dll+0x1f960]
C  [MSCTF.dll+0x1fea5]
C  [MSCTF.dll+0x203ba]
C  [MSCTF.dll+0x20822]
C  [MSCTF.dll+0x20f6d]
C  [MSCTF.dll+0x1ce37]
C  [USER32.dll+0x8734]
C  [USER32.dll+0x8816]
C  [USER32.dll+0x89cd]
C  [USER32.dll+0x8a10]
Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j  sun.awt.windows.WToolkit.eventLoop()V+0
j  sun.awt.windows.WToolkit.run()V+69
j  java.lang.Thread.run()V+11
v  ~StubRoutines::call_stub
---------------  P R O C E S S  ---------------

Java Threads: ( => current thread )
  0x030cc800 JavaThread "AWT-EventQueue-2" [_thread_in_native, id=3908, stack(0x03290000,0x032e0000)]
  0x0553dc00 JavaThread "Thread-3" daemon [_thread_in_native, id=3204, stack(0x061e0000,0x06230000)]
  0x05504000 JavaThread "Timer-2" [_thread_blocked, id=664, stack(0x02f30000,0x02f80000)]
  0x031af000 JavaThread "Java Sound Event Dispatcher" daemon [_thread_blocked, id=2428, stack(0x04400000,0x04450000)]
  0x030bbc00 JavaThread "Browser Side Object Cleanup Thread" [_thread_blocked, id=432, stack(0x03a50000,0x03aa0000)]
  0x030b7400 JavaThread "Windows Tray Icon Thread" [_thread_in_native, id=336, stack(0x038c0000,0x03910000)]
  0x030b3800 JavaThread "CacheCleanUpThread" daemon [_thread_blocked, id=3808, stack(0x035d0000,0x03620000)]
  0x030c8800 JavaThread "CacheMemoryCleanUpThread" daemon [_thread_blocked, id=1096, stack(0x03580000,0x035d0000)]
  0x0309d000 JavaThread "Java Plug-In Heartbeat Thread" [_thread_blocked, id=312, stack(0x034e0000,0x03530000)]
  0x0309bc00 JavaThread "AWT-EventQueue-0" [_thread_blocked, id=192, stack(0x03490000,0x034e0000)]
=>0x0309a400 JavaThread "AWT-Windows" daemon [_thread_in_native, id=1936, stack(0x033f0000,0x03440000)]
  0x03098c00 JavaThread "AWT-Shutdown" [_thread_blocked, id=2336, stack(0x033a0000,0x033f0000)]
  0x03094400 JavaThread "Java2D Disposer" daemon [_thread_blocked, id=2908, stack(0x03350000,0x033a0000)]
  0x02b67c00 JavaThread "traceMsgQueueThread" daemon [_thread_blocked, id=1588, stack(0x02ff0000,0x03040000)]
  0x02af2000 JavaThread "Timer-0" [_thread_blocked, id=1208, stack(0x02fa0000,0x02ff0000)]
  0x02aa1c00 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=296, stack(0x02d50000,0x02da0000)]
  0x02a9b400 JavaThread "CompilerThread0" daemon [_thread_blocked, id=292, stack(0x02d00000,0x02d50000)]
  0x02a99c00 JavaThread "Attach Listener" daemon [_thread_blocked, id=164, stack(0x02cb0000,0x02d00000)]
  0x02a98800 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=128, stack(0x02c60000,0x02cb0000)]
  0x02a93c00 JavaThread "Finalizer" daemon [_thread_blocked, id=2612, stack(0x02c10000,0x02c60000)]
  0x02a8f000 JavaThread "Reference Handler" daemon [_thread_blocked, id=2604, stack(0x02bc0000,0x02c10000)]
  0x002a6c00 JavaThread "main" [_thread_blocked, id=144, stack(0x008c0000,0x00910000)]
Other Threads:
  0x02a8d800 VMThread [stack: 0x02b70000,0x02bc0000] [id=1220]
  0x02ab5800 WatcherThread [stack: 0x02da0000,0x02df0000] [id=300]
VM state:not at safepoint (normal execution)

VM Mutex/Monitor currently owned by a thread: None

Heap
 def new generation   total 4032K, used 2150K [0x22010000, 0x22460000, 0x22770000)
  eden space 3648K,  52% used [0x22010000, 0x221ee098, 0x223a0000)
  from space 384K,  62% used [0x22400000, 0x2243ba80, 0x22460000)
  to   space 384K,   0% used [0x223a0000, 0x223a0000, 0x22400000)
 tenured generation   total 51852K, used 45188K [0x22770000, 0x25a13000, 0x28010000)
   the space 51852K,  87% used [0x22770000, 0x25391268, 0x25391400, 0x25a13000)
 compacting perm gen  total 12288K, used 6366K [0x28010000, 0x28c10000, 0x2c010000)
   the space 12288K,  51% used [0x28010000, 0x28647ab8, 0x28647c00, 0x28c10000)
    ro space 8192K,  63% used [0x2c010000, 0x2c523b20, 0x2c523c00, 0x2c810000)
    rw space 12288K,  53% used [0x2c810000, 0x2ce77f38, 0x2ce78000, 0x2d410000)
Dynamic libraries:
0x00400000 - 0x00424000  C:\Program Files\Java\jre6\bin\java.exe
0x7c900000 - 0x7c9b0000  C:\WINDOWS\system32\ntdll.dll
0x7c800000 - 0x7c8f5000  C:\WINDOWS\system32\kernel32.dll
0x77dd0000 - 0x77e6b000  C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 - 0x77f02000  C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000 - 0x77ff1000  C:\WINDOWS\system32\Secur32.dll
0x7c340000 - 0x7c396000  C:\Program Files\Java\jre6\bin\msvcr71.dll
0x6d800000 - 0x6da56000  C:\Program Files\Java\jre6\bin\client\jvm.dll
0x7e410000 - 0x7e4a0000  C:\WINDOWS\system32\USER32.dll
0x77f10000 - 0x77f58000  C:\WINDOWS\system32\GDI32.dll
0x76b40000 - 0x76b6d000  C:\WINDOWS\system32\WINMM.dll
0x76390000 - 0x763ad000  C:\WINDOWS\system32\IMM32.DLL
0x10000000 - 0x10005000  C:\WINDOWS\system32\avgrsstx.dll
0x6d280000 - 0x6d288000  C:\Program Files\Java\jre6\bin\hpi.dll
0x76bf0000 - 0x76bfb000  C:\WINDOWS\system32\PSAPI.DLL
0x6d7b0000 - 0x6d7bc000  C:\Program Files\Java\jre6\bin\verify.dll
0x6d320000 - 0x6d33f000  C:\Program Files\Java\jre6\bin\java.dll
0x6d7f0000 - 0x6d7ff000  C:\Program Files\Java\jre6\bin\zip.dll
0x6d430000 - 0x6d436000  C:\Program Files\Java\jre6\bin\jp2native.dll
0x6d1c0000 - 0x6d1d3000  C:\Program Files\Java\jre6\bin\deploy.dll
0x77a80000 - 0x77b14000  C:\WINDOWS\system32\CRYPT32.dll
0x77c10000 - 0x77c68000  C:\WINDOWS\system32\msvcrt.dll
0x77b20000 - 0x77b32000  C:\WINDOWS\system32\MSASN1.dll
0x7c9c0000 - 0x7d1d6000  C:\WINDOWS\system32\SHELL32.dll
0x77f60000 - 0x77fd6000  C:\WINDOWS\system32\SHLWAPI.dll
0x774e0000 - 0x7761d000  C:\WINDOWS\system32\ole32.dll
0x77120000 - 0x771ab000  C:\WINDOWS\system32\OLEAUT32.dll
0x78050000 - 0x78120000  C:\WINDOWS\system32\WININET.dll
0x02df0000 - 0x02df9000  C:\WINDOWS\system32\Normaliz.dll
0x78000000 - 0x78045000  C:\WINDOWS\system32\iertutil.dll
0x78130000 - 0x78257000  C:\WINDOWS\system32\urlmon.dll
0x773d0000 - 0x774d3000  C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
0x6d6b0000 - 0x6d6f2000  C:\Program Files\Java\jre6\bin\regutils.dll
0x77c00000 - 0x77c08000  C:\WINDOWS\system32\VERSION.dll
0x7d1e0000 - 0x7d49e000  C:\WINDOWS\system32\msi.dll
0x6d610000 - 0x6d623000  C:\Program Files\Java\jre6\bin\net.dll
0x71ab0000 - 0x71ac7000  C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 - 0x71aa8000  C:\WINDOWS\system32\WS2HELP.dll
0x6d630000 - 0x6d639000  C:\Program Files\Java\jre6\bin\nio.dll
0x6d000000 - 0x6d138000  C:\Program Files\Java\jre6\bin\awt.dll
0x73000000 - 0x73026000  C:\WINDOWS\system32\WINSPOOL.DRV
0x5ad70000 - 0x5ada8000  C:\WINDOWS\system32\uxtheme.dll
0x74720000 - 0x7476b000  C:\WINDOWS\system32\MSCTF.dll
0x755c0000 - 0x755ee000  C:\WINDOWS\system32\msctfime.ime
0x6d220000 - 0x6d274000  C:\Program Files\Java\jre6\bin\fontmanager.dll
0x71a50000 - 0x71a8f000  C:\WINDOWS\System32\mswsock.dll
0x76f20000 - 0x76f47000  C:\WINDOWS\system32\DNSAPI.dll
0x76fb0000 - 0x76fb8000  C:\WINDOWS\System32\winrnr.dll
0x76f60000 - 0x76f8c000  C:\WINDOWS\system32\WLDAP32.dll
0x76fc0000 - 0x76fc6000  C:\WINDOWS\system32\rasadhlp.dll
0x6d190000 - 0x6d1b3000  C:\Program Files\Java\jre6\bin\dcpr.dll
0x6d7a0000 - 0x6d7af000  C:\Program Files\Java\jre6\bin\unpack.dll
0x662b0000 - 0x66308000  C:\WINDOWS\system32\hnetcfg.dll
0x71a90000 - 0x71a98000  C:\WINDOWS\System32\wshtcpip.dll
0x6d520000 - 0x6d544000  C:\Program Files\Java\jre6\bin\jsound.dll
0x6d550000 - 0x6d558000  C:\Program Files\Java\jre6\bin\jsoundds.dll
0x73f10000 - 0x73f6c000  C:\WINDOWS\system32\DSOUND.dll
0x76c30000 - 0x76c5e000  C:\WINDOWS\system32\WINTRUST.dll
0x76c90000 - 0x76cb8000  C:\WINDOWS\system32\IMAGEHLP.dll
0x72d20000 - 0x72d29000  C:\WINDOWS\system32\wdmaud.drv
0x72d10000 - 0x72d18000  C:\WINDOWS\system32\msacm32.drv
0x77be0000 - 0x77bf5000  C:\WINDOWS\system32\MSACM32.dll
0x77bd0000 - 0x77bd7000  C:\WINDOWS\system32\midimap.dll
0x73ee0000 - 0x73ee4000  C:\WINDOWS\system32\KsUser.dll
0x605d0000 - 0x605d9000  C:\WINDOWS\system32\mslbui.dll
VM Arguments:
jvm_args: -D__jvm_launched=534992413 -Xbootclasspath/a:C:\PROGRA~1\Java\jre6\lib\deploy.jar;C:\PROGRA~1\Java\jre6\lib\javaws.jar;C:\PROGRA~1\Java\jre6\lib\plugin.jar -Xmx96m -Dsun.java2d.noddraw=true
java_command: sun.plugin2.main.client.PluginMain write_pipe_name=jpi2_pid848_pipe3,read_pipe_name=jpi2_pid848_pipe2
Launcher Type: SUN_STANDARD
Environment Variables:
PATH=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\AVG\AVG8;C:\Program Files\AVG\AVG8;C:\Program Files\AVG\AVG8;C:\Program Files\AVG\AVG8
USERNAME=Travis
OS=Windows_NT
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
---------------  S Y S T E M  ---------------

OS: Windows XP Build 2600 Service Pack 2

CPU:total 1 (1 cores per cpu, 1 threads per core) family 6 model 8 stepping 1, cmov, cx8, fxsr, mmx, sse, mmxext, 3dnow, 3dnowext

Memory: 4k page, physical 785904k(237808k free), swap 1923412k(1340344k free)

vm_info: Java HotSpot(TM) Client VM (11.0-b15) for windows-x86 JRE (1.6.0_10-b33), built on Sep 26 2008 01:00:43 by "java_re" with MS VC++ 7.1

time: Thu Feb 12 16:03:45 2009
elapsed time: 682 seconds
--       Please can you help me? :( Thanks a lot in advance.

P.S. My internet actually got cut off whilst I was making this :@ argh!!!

....twice!!


Re: Seneka Rootkit with TDSServ

Hi Quads,

Having been directed to this post by delphinium, I think my laptop's probably infected with something similar - a backdoor.tidserv worm (among other things). I followed your instructions from the beginning, but I couldn't find anything awry. As suggested by you/delphinium in my post, I have tried downloading SDfix, MBAM and SAS, but I couldn't get the pages to come up in Firefox/IE - "the page cannot be found/the page cannot be displayed". Someone suggested using a different PC to get them, but the library won't allow me access to these sorts of pages.

I was however able to download HijackThis, which I see you've suggested to other people, e.g. crystallynn04. I have sent you a copy of my log in a personal message in case that's what you were going to ask for next.

Oh, and btw, I'm using:

Windows Vista Home Premium

and Norton Internet Security 2009
