False Positive for Win32.TDSS.reg with 7/1/2009 updates?



antdude
2009-07-01, 20:29
--- Search result list ---
Win32.TDSS.reg: [SBI $7536FD9B] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNET\imagepath

Win32.TDSS.reg: [SBI $C7FA8D4D] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SKYNET\imagepath

[snipped; see http://pastebin.ca/1481044 for the whole results]


I think SKYNET is my HDTV tuner cards if I remember correctly. This was on my updated Windows XP Pro. SP3 machine after I updated and scanned this morning.

Thank you in advance. :)

antdude
2009-07-02, 06:20
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNET]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"Tag"=dword:0000001a
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,53,00,6b,00,79,00,4e,00,45,00,54,\
00,2e,00,53,00,59,00,53,00,00,00
"DisplayName"="TechniSat DVB-PC TV Star PCI"
"Group"="NDIS"
"dwOurExactWinVer"=dword:000007d1
"dwExactWinVerMaj"=dword:00000005
"dwExactWinVerMin"=dword:00000001
"dwExactWinVerBuild"=dword:00000a28

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNET\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

--

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SKYNET]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"Tag"=dword:0000001a
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,53,00,6b,00,79,00,4e,00,45,00,54,\
00,2e,00,53,00,59,00,53,00,00,00
"DisplayName"="TechniSat DVB-PC TV Star PCI"
"Group"="NDIS"
"dwOurExactWinVer"=dword:000007d1
"dwExactWinVerMaj"=dword:00000005
"dwExactWinVerMin"=dword:00000001
"dwExactWinVerBuild"=dword:00000a28

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SKYNET\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SKYNET\Enum]
"0"="PCI\\VEN_13D0&DEV_2103&SUBSYS_210313D0&REV_02\\4&31b6cd7&0&10F0"
"Count"=dword:00000002
"NextInstance"=dword:00000002
"1"="PCI\\VEN_13D0&DEV_2103&SUBSYS_210313D0&REV_02\\4&31b6cd7&0&18F0"

--

Should I post my driver file?

Yodama
2009-07-02, 08:23
Thank you for reporting this false positive, we will change the detection rules to not detect this TV card driver anymore.

> Should I post my driver file?

Thank you but that is not necessary for the time being.

antdude
2009-07-02, 18:10
> Thank you for reporting this false positive, we will change the detection rules to not detect this TV card driver anymore.
> Thank you but that is not necessary for the time being.

Thanks! Do I assume the updated definitions will be next Wed.?

drragostea
2009-07-02, 22:48
antdude: Yes, it'll be corrected and updated next Wednesday.

antdude
2009-07-02, 22:58
> antdude: Yes, it'll be corrected and updated next Wednesday.

Thanks! :)

WritePublishDie
2009-07-04, 12:40
I don't own an HDTV tuner card, but still get the two SKYNET returns after scanning.

Mine aren't quite the same as the original poster's, but they are in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETwuypibmq and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SKYNETmfpfwbxx.

Both keys are empty (except for the entry "Default - value not set") and have no subordinate keys.

Nevertheless, every time I scan and then let Spybot fix the two problems (both listed under Win32.TDSS.reg), they reappear upon the next scan.

If this is a false positive, should I just delete these two keys from my registry?

Yodama
2009-07-06, 09:05
> I don't own an HDTV tuner card, but still get the two SKYNET returns after scanning.
>
> Mine aren't quite the same as the original poster's, but they are in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETwuypibmq and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SKYNETmfpfwbxx.
>
> Both keys are empty (except for the entry "Default - value not set") and have no subordinate keys.
>
> Nevertheless, every time I scan and then let Spybot fix the two problems (both listed under Win32.TDSS.reg), they reappear upon the next scan.
>
> If this is a false positive, should I just delete these two keys from my registry?

@WritePublishDie
In your case it is not a false positive. For help with removal you can send an email to detections@spybot.info or post in Malware Removal.
If you send an email to detections provide the following information:

Full Spybot S&D Report (right click scan result and choose to save a full report to your desktop)
RootAlyzer log (http://forums.spybot.info/downloads.php?id=8)
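As an added illustration (not Spybot's detection logic and not code from anyone in this thread), the Python script below parses a .reg export of the kind antdude posted, decodes the hex(2) ImagePath to show that the SKYNET service loads system32\DRIVERS\SkyNET.SYS, and separates that TechniSat driver service from an empty random-suffix SKYNET key like the ones WritePublishDie reported. The sample registry text is constructed from the thread, and the classification heuristic is an assumption made for this example.

```python
import re

# Constructed .reg sample: the TechniSat SKYNET driver service as posted in the
# thread, plus an empty random-suffix key like the ones reported later.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNET]
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,53,00,6b,00,79,00,4e,00,45,00,54,\
  00,2e,00,53,00,59,00,53,00,00,00
"DisplayName"="TechniSat DVB-PC TV Star PCI"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETwuypibmq]
'''

def parse_reg(text):
    """Parse a .reg subset into {key: {name: value}}; hex(2) values (REG_EXPAND_SZ,
    UTF-16LE) may continue over lines that end in a backslash."""
    keys, current, buf = {}, None, ""
    for raw in text.splitlines():
        line, buf = buf + raw.strip(), ""
        if line.endswith("\\"):             # value continues on the next line
            buf = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, value = line.partition("=")
            if value.startswith("hex(2):"):
                data = bytes(int(b, 16) for b in value[7:].split(",") if b)
                value = data.decode("utf-16-le").rstrip("\x00")
            keys[current][name.strip('"')] = value.strip('"')
    return keys

SERVICE_RE = re.compile(r"\\Services\\(SKYNET\w*)$", re.IGNORECASE)

def triage_skynet(keys):
    """Label SKYNET* service keys. Heuristic assumed for this example (not Spybot's
    rule): the real TechniSat service is named exactly SKYNET, loads SkyNET.SYS
    from system32\\DRIVERS and names TechniSat; a random-suffix key with no values
    matches the TDSS pattern described in the thread."""
    verdicts = {}
    for key, values in keys.items():
        if m := SERVICE_RE.search(key):
            name, image = m.group(1), values.get("ImagePath", "").lower()
            legit = (name.upper() == "SKYNET" and image.endswith("\\drivers\\skynet.sys")
                     and values.get("DisplayName", "").startswith("TechniSat"))
            verdicts[name] = "legit-driver" if legit else "suspicious"
    return verdicts
```

Run it against a real export with `triage_skynet(parse_reg(open("export.reg", encoding="utf-16").read()))`; regedit writes .reg files as UTF-16, so the encoding argument matters.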