I had a really nasty experience last night with a rootkit only because I forgot my bootable antimalware disc. Root.TDSSERV/FAKE (as identified by SuperAntiSpyware) performs 100% search engine query redirection to go.google which then serves up malvertised websites (like info.com).
Once I used my bootable SAS (I had to run home and get my disc) that rootkit was easily toasted.
If you encounter TDSServ without a bootable antimalware disc, you can use GMER to find, disable and delete it.
Hope that helps someone out there.



At least you toasted the malware in the end… did you get a feeling of satisfaction? Well done anyway… can’t wait for the F-Secure vid tomorrow, hope it does well.
I always got that one when I was testing some malware.
If you hit any links it will direct you to go.google.com
or go.yahoo.com or go.live.com etc… Yeah, Malwarebytes gets rid of it.
Most AV/AS seem to detect it, including A-Squared, VIPRE, Sophos, Ikarus, Kaspersky, DrWeb (as scanned on VirusScan.Jotti.org).
Sunbelt VIPRE has good details on the same.
http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.TDSServ&threatid=383885
Did you try to install the trial version of AVG Internet Security 8? It has the Anti-Rootkit feature
Alan – He did try but AVG refuses to install on such a highly infected PC.
James – How about installing the AVG internet security on the non infected virtual machine and get it infected
Yes, it would be nice if you could test AVG again; maybe they have fixed the problem, or test like Alan says =)
Hi Matt. Still enjoying the reviews, sorry about F-Secure =) I think other good programs you could test are A2 Squared free and/or the Antimalware (w/ the Ikarus Engine) which is available for a 30 day trial. I have always heard that these programs have great detection but are known for high false positives, but I have seen very little on how these products actually remove the malware. I think a review of one of these products by Emsisoft would be very informative.
About the F-Secure review, why didn’t you test in safe mode?
Other antivirus you should test: Norman, AVG Antivirus (test again), Sophos.
@alan – I did try, however it won’t install unless I deselect the toolbar for IE.
@Drpcfixit – Yeah, I figured MBAM would at least see it, however it didn’t.
@VJ – It seems like everyone detects it as long as I’m in a bootable env (which nullifies the hidden rootkit).
@AV-Guy – I’m trying to fit A-Squared in this month. I use this app every week from a bootable env.
Detects hijackers
Search-and-Destroy is amazing software which detected, blocked and removed hijackers and rootkits. The speed of my PC has also increased. It was really a blessing for me. You too go for it… it’s amazing.
I have been struggling with this all morning. It slipped straight past AVG 8 (which now doesn’t even work), and have been trying to remove it with SuperAntiSpyware and MalwareBytes Anti-Malware.
To get those programs to work I had to rename the .exe files, as I think they were being blocked.
MalwareBytes claims the infection has gone, however SuperAntiSpyware has just found 17 more items.
@David – you can try GMER (but that hasn’t been working lately).
A bootable anti-malware disc is about the only way to get rid of it (besides GMER if it works).
Ok, I have finally quashed this one.
GMER wouldn’t complete without crashing (got stuck on the protected registry entries)
To summarise: I was running AVG 8, and it couldn’t see any issues.
MalwareBytes Anti-Malware found and removed a lot of issues in the registry and took out a lot of the TDSS*.sys files dotted around the drive.
SuperAntiSpyware was used afterwards, and took the count down to 17 registry items which kept recurring on bootup.
At this point nothing was being fixed any further. I found a hidden device driver under PNP devices, and deleted it and booted into safe mode, which allowed me to see and delete a few more TDSS files from System32 and System32/Drivers directories.
After this, I deleted a lot of TDSS entries in the registry but it didn’t help – the ones I needed to kill were hidden and protected.
Eventually I tried Combifix (I think it’s the right name?) which took out a protected registry entry on reboot, and then SAS cleared out the remaining ones.
So far, it’s reporting as being clean in SAS and GMER (works again now), in both safe and normal mode.
What was the name of the hidden PNP device? I am working on the exact same problem, now. Thanks
In device manager, select “show hidden devices” under view. The TDSServ ‘driver’ hides in the Non Plug & Play location.
Good luck!
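The removal steps above boil down to a cross-view check: the rootkit hides its driver, its service key and its TDSS*.sys files from one view of the system (the normal Explorer/Device Manager view) but not necessarily from another. The PowerShell script below is an added example, not code from the post or from any commenter. It assumes the naming seen in the thread (service and file names beginning with TDSS; the regex `$pattern` is an assumption) and compares three views of kernel drivers: the Services registry hive, what WMI reports (roughly the population Device Manager shows under "Non Plug and Play Drivers" once hidden devices are displayed), and the .sys files in System32\drivers. Names that show up in only one view, or any name matching the pattern, are printed for a human to investigate. It is a triage aid on a live system; as the thread notes, a bootable environment is still the reliable way to remove what it finds.

```powershell
# Added example (not from the original post). Cross-view check for a
# TDSServ-style driver rootkit: compare three enumerations of kernel
# drivers and flag anything that is missing from one of them, or whose
# name matches the TDSS* pattern described in the thread.
# Run from an elevated PowerShell prompt on the suspect machine.

$pattern = '^TDSS'   # assumption: names from the thread start with TDSS

# View 1: service/driver keys in the registry (includes entries for
# drivers that are not currently loaded).
$regNames = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    ForEach-Object { $_.PSChildName }

# View 2: kernel drivers the OS reports through WMI. This is roughly the
# set Device Manager lists under "Non Plug and Play Drivers" with
# View -> Show hidden devices enabled. Get-WmiObject is used rather than
# Get-CimInstance so it also works on the PowerShell 2.0 era this
# infection dates from.
$wmiNames = Get-WmiObject Win32_SystemDriver |
    ForEach-Object { $_.Name }

# View 3: driver binaries on disk. -Force includes hidden/system files.
$fileNames = Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter '*.sys' -Force |
    ForEach-Object { $_.BaseName }

# Direct hits on the pattern in any view.
Write-Host "== Names matching $pattern =="
foreach ($n in ($regNames + $wmiNames + $fileNames | Sort-Object -Unique)) {
    if ($n -match $pattern) { Write-Host "  $n" }
}

# Drivers WMI knows about but that have no Services key, or vice versa.
# A key the rootkit hides from the registry API but not from the service
# control manager (or the other way round) shows up here.
Write-Host '== Drivers reported by WMI with no registry Services key =='
Compare-Object -ReferenceObject $regNames -DifferenceObject $wmiNames |
    Where-Object { $_.SideIndicator -eq '=>' } |
    ForEach-Object { Write-Host "  $($_.InputObject)" }

# Services keys whose ImagePath points at a .sys that Explorer cannot see.
# The file names were pulled with -Force; a driver that is loaded and has
# a key but no visible file is worth a look from a bootable environment.
Write-Host '== Driver keys whose ImagePath file is not visible on disk =='
foreach ($n in $regNames) {
    $props = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$n" -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not $props.ImagePath) { continue }
    $leaf = [System.IO.Path]::GetFileNameWithoutExtension($props.ImagePath)
    # Only consider entries that live in the drivers directory.
    if ($props.ImagePath -match 'drivers\\' -and $fileNames -notcontains $leaf) {
        Write-Host "  $n -> $($props.ImagePath)"
    }
}
```

The output is a short list to look at by hand, not a verdict: legitimate drivers can have an ImagePath outside the drivers directory, and a rootkit that filters the registry and WMI consistently will not show up as a discrepancy at all, which is exactly why the thread keeps coming back to scanning from a bootable disc.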