Comments on: rootkit.tdsserv/fake – A Very Annoying RootKit

By: David

David — Mon, 15 Dec 2008 20:48:52 +0000

In device manager, select “show hidden devices” under view. The TDSServ ‘driver’ hides in the Non Plug & Play location.
Good luck!

By: Thor

Thor — Mon, 15 Dec 2008 17:36:34 +0000

What was the name of the hidden PNP device? I am working on the exact same problem, now. Thanks

By: David

David — Thu, 04 Dec 2008 08:46:55 +0000

Ok, I have finally quashed this one.
GMER wouldn’t complete without crashing (got stuck on the protected registry entries)

To summarise: I was running AVG 8, and it couldn’t see any issues.
MalwareBytes Anti-Malware found and removed a lot of issues in the registry and took out a lot of the TDSS*.sys files dotted around the drive.
SuperAntiSpyware was used afterwards, and took the count down to 17 registry items which kept recurring on bootup.

At this point nothing was being fixed any further. I found a hidden device driver under PNP devices, and deleted it and booted into safe mode, which allowed me to see and delete a few more TDSS files from System32 and System32/Drivers directories.

After this, I deleted a lot of TDSS entries in the registry but it didn’t help – the ones I needed to kill were hidden and protected.

Eventually I tried Combifix (I think it’s the right name?) which took out a protected registry entry on reboot, and then SAS cleared out the remaining ones.

So far, it’s reporting as being clean in SAS and GMER (works again now), in both safe and normal mode.

By: malwarekilla

malwarekilla — Thu, 04 Dec 2008 02:00:15 +0000

@David – you can try GMER (but that hasn’t been working for lately).

A bootable anti-malware disc is about the only way to get rid of it (besides GMER if it works).

By: David

David — Thu, 04 Dec 2008 01:56:12 +0000

I have been struggling with this all morning. It slipped straight past AVG 8 (which now doesn’t even work), and have been trying to remove it with SuperAntiSpyware and MalwareBytes Anti-Malware.

To get those programs to work I had to rename the .exe files, as I think they were being blocked.

MalwareBytes claims the infection has gone, however SuperAntiSpyware has just found 17 more items.

By: Michel

Michel — Wed, 29 Oct 2008 08:03:13 +0000

Detects hijackers
search-and-destroyis amazing software which detected, blocked and removed hijackers, Rootkits .The speed of my pc has also increased. It was really a blessing for me. You too go for it….it’s amazing

By: malwarekilla

malwarekilla — Tue, 07 Oct 2008 13:48:43 +0000

@alan – I did try, however it won’t install unless i deselect the toolbar for ie.

@Drpcfixit – Yeah, I figured MBAM would at least see it, however it didn’t.

@VJ – It seams like everyone detects it as long as I’m in a bootable env (which nullifies the hidden rootkit)

@AV-Guy – I’m trying to fit A-Squard in this month. I use this app everyweek from a bootable env

By: Jonte

Jonte — Mon, 06 Oct 2008 13:25:52 +0000

About the F-Secure review, why did´nt you test in safe mode?
Other Antivirus you should test: Norman, AVG Antivirus ( Test Again) Sophos.

By: AV-Guy

AV-Guy — Mon, 06 Oct 2008 06:22:10 +0000

Hi Matt. Still enjoying the reviews, sorry about F-Secure =) I think other good programs you could test are A2 Squared free and/or the Antimalware (w/ the Ikarus Engine) which is available for a 30 day trial. I have always heard that these programs have great detection but are known for high false positives, but I have seen very little on how these products actually remove the malware. I think a review of one of these products by Emsisoft would be very informative.

By: Jonas

Jonas — Sun, 05 Oct 2008 16:09:18 +0000

Yess, it would be nice if you could test AVG again, maby they have fixed the problem, or test like Alan say =)