Problem with TDSSserv.sys

By JohnMartin
Apr 17, 2009
  1. Today when I sat down with my in-laws' computer I was met by a virus warning from the Norman antivirus program.

    It said that c:\windows\system32\explorer.exe was infected by TDSSserv.sys and the file could not be removed.
    This message came up over and over and over again. I found a guide in this forum that explained how to remove it. And the guide said that I had to delete some driver from "Non-plug and Play Drivers" in the hardware monitor. But the drivers that were listed in that guide, I could not find. They weren't there...

    I started following your UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions guide. And when I made a full system scan with my virus software (step 1), the program didn't find anything.
    I then had a look in the quarantine folder in my virus program. And now Norman had managed to move explorer.exe to quarantine.
    Together with explorer.exe, Norman had also found another file.
    nmiezmcz.sys, infected by W32/Agent.HHSF

    Does this mean the computer is "clean" now? Since I was so unsure, I completed your guide anyway, and have attached the logs!

    - Did not attach the log from Malwarebytes' Anti-Malware because I installed the program with Norwegian language, so I guess that it is hard to understand. But there were zero findings with Malwarebytes' Anti-Malware.

    Hope someone could have a look and tell me if the computer is clean, or what I have to do.

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Have Parental Controls been set up on multiple accounts?
    I'm still reviewing the logs but have questions:
    2. I am seeing some unusual entries though, such as:
    3. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer levert av Komplett
    4. And most importantly:
    5. Please download ComboFix HERE and save it to your desktop:

    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.

    Please comment on #1, 2, 3 and 4. Do a new scan with HijackThis after ComboFix. Attach the new log and report.
  3. JohnMartin

    JohnMartin TS Rookie Topic Starter

    Thanks for the reply.

    Yes, Parental controls have been set up on multiple accounts.

    1. At the current time, they want to use Norman Antivirus, because they get it for free through their bank.
    Is AVG free edition any better?

    2. The No-IP DUC program I have installed because I was running VNC on this computer, in case my in-laws needed help. But I don't use VNC anymore, so I will delete it.

    3. Yes, it is a foreign site, Norwegian. But it is not a bad one; it is a big, trusted web shop for computers in Norway. It was they who delivered this computer.

    4. What was I gonna do with this?

    5. Have run ComboFix and have added the log. Tried to run the program in English, so the log would come out in English, but no success. Have attached the log anyway.
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    P2P Running:

    Also running:
    Norman Virus Control
    Symantec AntiVirus
    Symantec Firewall

    Info on using P2P Programs =>

    Quote from 8-Step Removal Guide:
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No it isn't. But the main reason I brought Norman to your attention is the large number of processes it loads and runs. You can get Free Avira or Avast, Free Comodo or ZoneAlarm firewall, Free spyware/adware programs and together, they would have as many entries or use as much of the resources as the Norman program does.

    It's always a good idea to go through the Add/Remove Programs in the Control Panel and uninstall those you don't use or need. If they load when you boot, they run in the background. They are using system resources that could be freed up.

    You mentioned this on your original post we moved:
    But you showed the hidden files and folders and weren't able to find the entries for this malware. Let's do an online scan from Kaspersky and see if anything shows up:

    Kaspersky's online scan
    Open Kaspersky Online Scanner in Internet Explorer using this link:
    Because of the multi-lingual nature of your system, this entry is likely okay, but since it can also be malware, you just need to verify it:

    Re: conime.exe a trojan?

    It CAN be: Description:
    conime.exe is a process which is registered as the BFGhost 1.0 Remote administration backdoor tool. This backdoor application can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.

    Or it CAN be: If your locale is set to an Asian language, then it's more than likely a Microsoft service. Process name: Input Method Editor

    You should show hidden files and folders. Then find it, right-click on it and check the properties. See if it's from Microsoft.

    These must be the old entries kimsland is referring to. As you have been advised of the dangers, it will be up to you to remove them:
    There are Registry entries still loading from a previous install of Symantec/Norton security:
    Please run the Norton Removal Tool HERE

    Please attach the Kaspersky report and advise of any current problems with the system.
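    The "check the properties and see if it's from Microsoft" step above can be done in one go from PowerShell. This is an added example, not from the thread or its helpers: it locates every copy of a given file name (conime.exe assumed as the default), reads the embedded publisher information, checks the Authenticode signature, and flags copies outside System32.

```powershell
# Added example (not from the thread): is a suspicious binary such as conime.exe
# the genuine Microsoft file or an impostor with the same name?
# Checks the Authenticode signature, the embedded CompanyName/FileDescription,
# and whether the file lives in System32 rather than elsewhere on the drive.
param(
    [string]$Name = 'conime.exe'   # file name under suspicion (assumed default)
)

# Search the whole system drive: a second copy outside System32 is itself a red flag.
$hits = Get-ChildItem -Path "$env:SystemDrive\" -Filter $Name -Recurse -Force `
                      -File -ErrorAction SilentlyContinue

if (-not $hits) {
    Write-Output "No file named $Name found on $env:SystemDrive"
    return
}

foreach ($file in $hits) {
    $sig        = Get-AuthenticodeSignature -FilePath $file.FullName
    $info       = $file.VersionInfo
    $inSystem32 = $file.DirectoryName -ieq "$env:windir\System32"

    # A genuine IME binary shows a Valid signature from Microsoft Corporation.
    # Note: on older Windows many system files are catalog-signed, so NotSigned
    # alone is not conclusive there; the other fields still help.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Path        = $file.FullName
        InSystem32  = $inSystem32
        SigStatus   = $sig.Status
        Signer      = $signer
        CompanyName = $info.CompanyName
        Description = $info.FileDescription
        SHA256      = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        Verdict     = if ($isMicrosoft -and $inSystem32) { 'looks genuine' } else { 'needs investigation' }
    }
}
```

    The SHA256 column gives you a value to submit to an online file scanner, as was done in this thread; a "needs investigation" verdict is a prompt to look closer, not proof of infection.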
  6. JohnMartin

    JohnMartin TS Rookie Topic Starter

    After Norman managed to move explorer.exe to quarantine, I have not gotten the message since.

    And it's true. When I checked for the entries of this malware, I could not find them. And yes, I had switched on showing hidden files and folders.

    Have now made a scan with Kaspersky's online scan, no findings. Have attached the log.

    About the conime.exe file. I have no idea what that is for. All I know is that this computer runs Norwegian language, which is very far from any Asian language.. So it may be a trojan then?
    Checked its properties, and it said Microsoft. Also used the Kaspersky online file scanner, and it came out clean.. So I guess it is not a trojan then? :p

    Have also run the Norton Removal Tool; because I didn't know which version to choose, I picked one. So I hope everything is removed.

    Last item: Free Avira or Avast, are those virus programs I can install instead of Norman? I'm currently using Windows Firewall, so I guess I don't have to change that.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    See Step 1 HERE for Free AV and Free Firewall recommendations.

    The Windows Firewall only listens at incoming ports. Better to have a bi-directional firewall that listens at both incoming AND outgoing.