False Positive for Win32.TDSS.reg with 7/1/2009 updates?

antdude

--- Search result list ---
Win32.TDSS.reg: [SBI $7536FD9B] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNET\imagepath

Win32.TDSS.reg: [SBI $C7FA8D4D] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SKYNET\imagepath

[snipped; see http://pastebin.ca/1481044 for the whole results]


I think SKYNET is my HDTV tuner cards if I remember correctly. This was on my updated Windows XP Pro. SP3 machine after I updated and scanned this morning.

Thank you in advance. :)
 
Yep, they're my HDTV tuner card drivers.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNET]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"Tag"=dword:0000001a
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,53,00,6b,00,79,00,4e,00,45,00,54,\
00,2e,00,53,00,59,00,53,00,00,00
"DisplayName"="TechniSat DVB-PC TV Star PCI"
"Group"="NDIS"
"dwOurExactWinVer"=dword:000007d1
"dwExactWinVerMaj"=dword:00000005
"dwExactWinVerMin"=dword:00000001
"dwExactWinVerBuild"=dword:00000a28

--

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SKYNET]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"Tag"=dword:0000001a
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,53,00,6b,00,79,00,4e,00,45,00,54,\
00,2e,00,53,00,59,00,53,00,00,00
"DisplayName"="TechniSat DVB-PC TV Star PCI"
"Group"="NDIS"
"dwOurExactWinVer"=dword:000007d1
"dwExactWinVerMaj"=dword:00000005
"dwExactWinVerMin"=dword:00000001
"dwExactWinVerBuild"=dword:00000a28

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SKYNET\Enum]
"0"="PCI\\VEN_13D0&DEV_2103&SUBSYS_210313D0&REV_02\\4&31b6cd7&0&10F0"
"Count"=dword:00000002
"NextInstance"=dword:00000002
"1"="PCI\\VEN_13D0&DEV_2103&SUBSYS_210313D0&REV_02\\4&31b6cd7&0&18F0"

--

Should I post my driver file?
 
Thank you for reporting this false positive, we will change the detection rules to not detect this TV card driver anymore.

> Should I post my driver file?
Thank you but that is not necessary for the time being.
 
Thanks! Do I assume the updated definitions will be next Wed.?
 
Another Instance

I don't own an HDTV tuner card, but still get the two SKYNET returns after scanning.

Mine aren't quite the same as the original poster's, but they are in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SKYNETwuypibmq and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SKYNETmfpfwbxx.

Both keys are empty (except for the entry "Default - value not set") and have no subordinate keys.

Nevertheless, every time I scan and then let Spybot fix the two problems (both listed under Win32.TDSS.reg), they reappear upon the next scan.

If this is a false positive, should I just delete these two keys from my registry?
 
@WritePublishDie
In your case it is not a false positive. For help with removal, you can send an email to detections@spybot.info or post in Malware Removal.
If you send an email to detections, provide the following information:
  • Full Spybot S&D Report (right click scan result and choose to save a full report to your desktop)
  • RootAlyzer log
 