Spyware Dr. finds Rootkit.TDSS - do I believe it?

Can I trust Spyware Doctor?

I have (I hope) recently recovered from an attack of the infestation which causes you to be inundated with phony network attack messages (mentioning Bankerfox.A) and false virus alerts that tried to get me to a website called 'Spyware Project 2009' and buy their anti-virus software.

Having sorted the problem out, or, at least, got rid of the symptoms, I now want to install reliable anti-spyware. I have tried installing and running, one after the other, Malwarebytes, Avast, Spy Sweeper and Spy Bot, all of which congratulate me on being free of malware.

However, I've run Spyware Doctor several times and it insists that I have the Rootkit.TDSS virus, and it wants me to buy the Spyware Doctor product to eliminate it.

Is Spyware Doctor ahead of the game here, or is it just trying it on?

Thanks for any suggestions.

Hello John A and welcome to Malwarebytes!

While I don't quite know the answer to your question, I am advising you to please, please not purchase it in order to remove what it says it's detecting. It is extremely poor business practice to ask a user to purchase a program to remove an infection detected on their system. This puts your personal information at risk. As I am sure you know, Malwarebytes does not do this and never will do this!

You are talking about Spyware Doctor by PC Tools, correct?

What has Malwarebytes detected in its scanning? You say it's not detecting anything, nor is SpyBot. I've never used Spy Sweeper, so I can't say anything about that product. If they are all saying that you are clean though, you probably are (but it would be a good idea to have your system checked anyway, just in case). Were ANY of the detections by Mbam, SpyBot, or SpySweeper named TDSS or have anything similarly named in their detections?

Also, as a side note, please when replying hit the "add reply" button at the bottom of the page or erase what the person before you said, as this makes the forum easier to read :)

Thank you.

Hi there, and thanks for the fast and somewhat reassuring reply.

Yes, it's the PC Tools Spy Doctor I'm talking about, and I've just run it again and it still says I'm in the same state. It says I've got 1 threat and 4 infections ... details as follows:

File:

C:\WINDOWS\SYSTEM32\drivers\uac4pdt.sys

Startup Program:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uac4odt, ImagePath = system32\DRIVERS\uac4pdt.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\uac4odt, ImagePath = system32\DRIVERS\uac4pdt.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\uac4odt, ImagePath = system32\DRIVERS\uac4pdt.sys

I then ran MBAM (full scan) and it said all is ok, no malware on my system.

Spy Doctor would like me to do an online purchase of their product, presumably entering my credit card details, yet they tell me that Rootkit.TDSS has a high threat level and that it "can hide the presence of any process on the infected machine in order to perform malicious actions without users' knowledge". Why should I want to expose my credit card details to such a risk?

Previously Spybot came up with a couple of things to do with Adware, nothing about Rootkit.TDSS though. Spy Sweeper found nothing but left some annoying things on my toolbar that I didn't need, which remain there after I've uninstalled it. All in all, MBAM and Spybot are front runners for my custom for more permanent use.

Incidentally, can you tell me what you have in mind when you say it would be a 'good idea to have my system checked'?

Thanks again.

uac4pdt.sys <- looks legit; seems they are FPing this because the file name starts with uac.

The real UAC variant of this rootkit won't have numbers in its name and will have UAC in caps. For example, if this was real, this is what it would look like:

UACsdfsdgfhkasdasd.sys

@ John A

You are most welcome :)

I just received a message from one of our experts here, and he wanted me to ask you to check and see if you have the following installed:

Do you have any devices from Pensare Digitale installed, such as a VoIP handset or similar device? If so, that file is actually just one of their drivers. It is safe, and thus a false positive on the part of Spyware Doctor.

If you do have that, it's highly unlikely that you are actually infested with TDSS :) And if you were infected, MBAM would most likely find it right away with a quick scan, unless it was an extremely new and not-yet-detected variant.

What I meant by getting your system checked is the following:

We don't work on Malware removal in the general forums.

Please read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

It wouldn't hurt to get checked just in case, but that is very likely a false positive on Spyware Doctor's part.

I don't have a device of that type, but I do have a VoiPvoice model v652skMLR CyberPhone K, which I use with Skype. I can't see anything on its installation disk, though there is a cab file, so maybe it's hidden in there.

Did the check you referred me to, Mountaintree. All seems OK so I am going to assume a false positive from Spy Doctor on this. Don't mind over-zealousness, but I'm not pleased about being told I've got a serious risk and then that I need to expose my credit card details to that risk in order to get rid of it.

Many thanks to all who helped me with this.

John,

Your CyberPhone device might be accounting for the FP then, but I don't know that for sure.

You are very welcome :(

Spyware Doctor's habits displease me too; they should not ask for payment for removal (and neither should other products that do a "free scan"). This is misleading and poor business practice. Mbam and SAS are both great products (although I have never used SAS, I know people who do, including those on this forum) that update, scan, and remove for free with no hitch. Purchase is only required for realtime protection, auto updates, and such.

I'll message the expert who asked me to ask you about that device with this thread link, and see what he thinks ;)

If there's anything else that you need help with, feel free to post and someone will be happy to help you :)

Again welcome John A -

Never get sucked into any software that says it will only fix your problem if you give them money -

These are also Rogues who are as bad as any Fake Trojan that you ever get - ;)

You should be using Malwarebytes (free) or at least SUPERAntispyware (free) -

Always keep updated and run regular scans with a free anti malware program every few days -

Hello again John :(

This is definitely a False Positive on Spyware Doctor's part that you can safely ignore :(

To verify this, follow these directions: (from the expert)

He can confirm the FP by opening the Device Manager, finding the VoIP handset device and checking its properties to see what driver file it uses. I'd be willing to bet the file that Spyware Dr detected will be listed.

Do that, and let me know if that's the case :)

Other than this False Positive, is your computer running okay? Any other weird things going on or any other detections being found?

----------------------------------------------

Important Note:

For anyone else casually reading this thread/this particular message, DO NOT take it as solid advice for YOUR system, as things MAY be different for you. This is for this particular user ONLY. If you are unsure, start your OWN thread.

I would also advise the following:

We don't work on Malware removal in the general forums.

Please read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

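To make the Device Manager check described above reproducible, here is an added PowerShell triage script; it is not from this thread or from Malwarebytes. Given the service name and driver path a scanner reports, it shows the service's ImagePath, the file's version information and Authenticode signature, whether the driver is actually loaded, and which driver package ships the file. It assumes a modern Windows with PowerShell 5 or later; the default values are the ones quoted earlier in this thread.

```powershell
# Added example: triage a driver flagged as Rootkit.TDSS before accepting the verdict.
# Defaults are the values Spyware Doctor reported in this thread; pass your own for another case.
param(
    [string]$ServiceName = 'uac4odt',
    [string]$DriverFile  = "$env:SystemRoot\System32\drivers\uac4pdt.sys"
)

# 1. What does the service database say about this driver (path, start type, service type)?
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    "Service '$ServiceName': ImagePath=$($svc.ImagePath) Start=$($svc.Start) Type=$($svc.Type)"
} else {
    "Service key '$ServiceName' not present in CurrentControlSet"
}

# 2. Is the file on disk, who built it, and is it signed?
#    A legitimate vendor name and a Valid signature argue for a false positive;
#    a file that is listed in the registry but cannot be opened or found deserves
#    an offline scan, since hiding files is exactly what a rootkit does.
if (Test-Path $DriverFile) {
    $sig = Get-AuthenticodeSignature -FilePath $DriverFile
    $ver = (Get-Item $DriverFile).VersionInfo
    "File: $DriverFile"
    "  Company  : $($ver.CompanyName)"
    "  Product  : $($ver.ProductName)"
    "  SigStatus: $($sig.Status)  Signer: $($sig.SignerCertificate.Subject)"
    "  SHA256   : $((Get-FileHash -Algorithm SHA256 $DriverFile).Hash)"
    # Note: older drivers are often catalog-signed rather than embedded-signed, so
    # 'NotSigned' alone is not proof of malice; check the vendor and the device link below.
} else {
    "File not found on disk: $DriverFile"
}

# 3. Is a kernel driver with this image actually loaded, and how is it started?
$leaf = Split-Path $DriverFile -Leaf
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$leaf" } |
    Select-Object Name, State, StartMode, PathName

# 4. Which installed driver package ships this file? A hit here ties the .sys to a
#    Plug and Play device (the handset in this thread), which is what Device Manager shows.
Get-ChildItem "$env:SystemRoot\System32\DriverStore\FileRepository" -Recurse -Filter $leaf -ErrorAction SilentlyContinue |
    ForEach-Object { "Driver package containing ${leaf}: $($_.Directory.Name)" }
```

Run it from an elevated PowerShell prompt so the service key and driver store are readable; the output of steps 2 and 4 together answers the question the thread resolved by renaming the file.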
Yes, we're on the right tack. Here's what happens.

In Device Manager, under 'sound, video and game controllers' there's something called 'USB Audio Device'. There are 8 driver files listed in this, although uac4pdt.sys does not appear amongst them.

However, if I rename uac4pdt.sys to xyz49dt.sys and restart, my Skype phone no longer works, and 'USB Audio Device' has disappeared from 'sound, video and game controllers'. When I correct the name and restart, all is well again.

I am curious about what Spy Doctor's 'cure' would have been - remove the 'offending' file, perhaps?

Thanks again.

John,

You are quite welcome :D

I'll send him the link to your latest reply, as I don't know what to say about what's going on.

I'll let you know what he says :D

Edit:

Yes, that confirms that the driver is indeed for his Skype Handset. Spyware Doctor would indeed have removed the driver as a false positive for TDSS, and thus broken the functionality of his handset.

You can safely ignore the FP from Spyware Doctor :)
