Seneka Rootkit with TDSServ

Hi Guys

The file with the name TDSServ is used by more than one malware under different names. The one that seems to be doing the rounds at the moment is the variation that has the Seneka rootkit. It can also enter on the back of "AntiVirus 2009".

This seems to be the order of removal for this nasty piece of work. The drivers are in use, so:

1. You have to disable the drivers, reboot, then remove. To do this:

Go to the "Control Panel" and click on "System".
Click on the "Hardware" tab.
Click on "Device Manager" to open it.
Click 'View' in the menu and select 'Show Hidden Devices'.
Expand the 'Non-Plug and Play Drivers' category.
(If you find them, you can tell me.) Right-click and 'Disable' "clbdriver.sys", "msqpdxserv.sys", "tdsserv.sys" (or tdssxyz.sys, where xyz are random characters), and/or "seneka.sys".

Restart the computer into Safe Mode.
After the restart, go back to Device Manager, right-click and 'Uninstall' the above drivers.
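For anyone who would rather check the driver list from a script than by clicking through Device Manager, here is an added example (it is not part of Quads' post and not a tool from SDFix or SuperAntiSpyware). It walks the service entries in the registry, picks out kernel and file-system driver services whose names match the ones listed above (clbdriver, msqpdxserv, tdsserv, tdss* for the random-suffix variant, seneka), prints their image path and start type, and, only when run with the assumed `-Disable` switch, sets their Start value to 4 (disabled), which is what 'Disable' in Device Manager does, so they do not load on the next boot. The name list, the switch name and the reporting format are this example's own choices.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Reports driver services matching the rootkit driver names discussed above and,
# only with -Disable, marks them Start=4 (disabled) so they do not load on the next boot.
param(
    [switch]$Disable   # assumed switch name: report only unless it is given
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Service names from the post; '^tdss' also covers the tdssxyz.sys random-suffix variant.
$suspectPatterns = @('^clbdriver$', '^msqpdxserv$', '^tdsserv$', '^tdss', '^seneka$')

# Service Type values for kernel drivers (1) and file-system drivers (2); these are the
# entries Device Manager lists under Non-Plug and Play Drivers when hidden devices are shown.
$driverTypes = @(1, 2)

$hits = @()
foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $name  = $key.PSChildName
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($driverTypes -contains $props.Type)) { continue }

    foreach ($pattern in $suspectPatterns) {
        if ($name -match $pattern) {
            $hits += [pscustomobject]@{
                Service   = $name
                ImagePath = $props.ImagePath
                Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                KeyPath   = $key.PSPath
            }
            break
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Host 'No driver services matching the listed names were found.'
    return
}

$hits | Format-Table Service, Start, ImagePath -AutoSize

if ($Disable) {
    foreach ($hit in $hits) {
        Set-ItemProperty -Path $hit.KeyPath -Name Start -Value 4 -Type DWord
        Write-Host "Set Start=4 (disabled) on $($hit.Service); reboot into Safe Mode before uninstalling it."
    }
}
```

A rootkit that is still loaded can hide its own service keys from the running system, so an empty result from this script is not proof that the machine is clean; Device Manager with hidden devices shown, or the same check run from Safe Mode, is the stronger test. Disabling the start type is the same step as the Device Manager 'Disable' above: the driver files are still on disk until the uninstall after the Safe Mode reboot.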

Then use the latest version of SDFix. Instructions on how to use SDFix:
1. Download SDFix and save to your Desktop.
2. Install SDFix: double-click on the SDFix file. If a "Security Warning" window opens, click on the Run button.
3. Follow the prompts.
4. Reboot your PC into Safe Mode.

- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.

5. Click Start -> Run, and type the following text in the box: C:\SDFix\RunThis.bat
6. Press Enter or OK button.
7. When the tool is finished, it will produce a report for you.

Notes:
If this error message is displayed when running SDFix:

The command prompt has been disabled by your administrator. Press any key to continue . . .
Please go to Start Menu > Run, then copy and paste the following line: %systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press OK, then run SDFix again.

If the Command Prompt window flashes on and then off again on XP or Windows 2000:

Please go to Start Menu > Run, then copy and paste the following line: %systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

Then apparently the SAS pre-release will remove the remnants: http://www.superantispyware.com/prerelease.html
Try that for the guys that are getting infected with this form that's doing the rounds.
Quads

Message Edited by Quads on 12-07-2008 08:51 AM
[edit: edit at Quads request.]
Message Edited by Allen_K on 12-11-2008 08:11 AM