Problem with TDSSserv.sys

Status
Not open for further replies.

JohnMartin

Posts: 8   +0
Today when I sat down with my in-laws' computer I was met by a virus warning from the Norman anti-virus program.

It said that c:\windows\system32\explorer.exe was infected by TDSSserv.sys and the file could not be removed.
This message came up over and over and over again. I found a guide in this forum that explained how to remove it. And the guide said that I had to delete some driver from "Non-plug and Play Drivers" in the hardware monitor. But the drivers that were listed in that guide, I could not find. They weren't there...

I started following your UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions guide. And when I made a full system scan with my virus software (step 1), the program didn't find anything.
I then had a look in my quarantine folder in my virus program. And now Norman had managed to move explorer.exe to quarantine.
Together with explorer.exe, Norman had also found another file.
nmiezmcz.sys, infected by W32/Agent.HHSF

Does this mean the computer is "clean" now? Since I was so unsure, I completed your guide anyway, and have attached the logs!

- Did not attach the log from Malwarebytes' Anti-Malware because I installed the program with Norwegian language, so I guess that it is hard to understand. But there were zero findings with Malwarebytes' Anti-Malware.

Hope someone could have a look, and tell me if the computer is clean. Or what I have to do..
 

Attachments

  • hijackthis.log
    8 KB · Views: 5
Have Parental Controls been set up on multiple accounts?
Wpclsp.dll Windows Vista - Windows Parental Control Related L
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

I'm still reviewing the logs but have questions:
1. I would suggest you get rid of the 'Norman' program though I didn't think any program could exceed the bloat of Norton/Symantec, but this one has! There are 10 running processes for Norman, 6 Services set to Automatic

2. I am seeing some unusual entries though, such as:
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
Name: No-IP DUC
Filename: DUC20.exe
Command: Unknown at this time.
Description: Part of http://www.no-ip.com provided service. Keeps No-IP's dynamic nameserver (DNS) updated if and when your computer's (network's) dynamic IP-address changes so that you can run servers on computers with dynamic IP. Shortcut available
File Location: Unknown
3. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer levert av Komplett
This is a foreign site. There is no URL or IP associated with it.
http://www.aboutus.org/Komplett.nl

4. And most importantly:
C:\Windows\system32\wininit.exe
Filename: wininit.exe
Command: C:\Windows\System32\wininit.exe
Description: Added by the W32/Zotob-K worm and IRC backdoor.
File Location: %System%
Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
HijackThis Category: O4 Entry
5. Please download ComboFix HERE & save to your desktop:

With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.


• Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please connect on #1,2,3 and 4. Do a new scan with Hijackthis after Combofix. Attach new log and report.
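The helper's review above works entry by entry through HijackThis log lines (the R1 window title, the O4 startup items, the repeated O10 "Unknown file in Winsock LSP" lines). The script below is an added example, not code from the thread or from HijackThis, that parses lines in that format and applies the same triage reasoning: an O10 DLL is reported once with its repeat count (HijackThis lists one line per LSP layer), wpclsp.dll is treated as the Vista Parental Controls LSP the helper identified, a startup entry that points into System32 is marked for a publisher check in the file's properties, and a third-party startup item is marked for inventory. The sample log text and the `example-unknown.dll` entry are constructed for this example; the allowlist and the rules are assumptions based only on what the thread says.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis log format, modelled on the entry types quoted in
# the thread. It is sample data for this example, not the poster's actual log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer levert av Komplett
O4 - HKLM\..\Run: [wininit] C:\Windows\System32\wininit.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\example-unknown.dll
"""

# Every HijackThis entry starts with a section code ("R1", "O4", "O10", ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# First Windows path ending in a binary extension anywhere in the entry body.
PATH_RE = re.compile(r"[a-z]:\\[^\"\r\n]*?\.(?:exe|dll|sys)\b", re.IGNORECASE)

# LSP DLLs the thread identifies as expected on this system (assumed allowlist).
KNOWN_LSP = {
    "wpclsp.dll": "Windows Vista Parental Controls LSP (as identified in the thread)",
}


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str]


@dataclass
class Finding:
    section: str
    severity: str  # "info" | "review" | "verify"
    path: Optional[str]
    note: str


def parse_hijackthis(text: str) -> List[Entry]:
    """Turn HijackThis log text into Entry objects; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        p = PATH_RE.search(body)
        entries.append(Entry(m.group("section"), body, p.group(0) if p else None))
    return entries


def is_under_system32(path: str) -> bool:
    return "\\windows\\system32\\" in path.lower().replace("/", "\\")


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the thread's review logic to parsed entries."""
    findings = []
    # O10 lines repeat once per LSP layer, so count them per DLL and report once.
    lsp_counts = Counter(e.path.lower() for e in entries if e.section == "O10" and e.path)
    for e in entries:
        if e.section == "O10":
            continue
        if e.section == "R1" and "Window Title" in e.body:
            findings.append(Finding("R1", "info", None,
                                    "Branded IE window title; no URL or IP involved"))
        elif e.section == "O4" and e.path:
            if is_under_system32(e.path):
                findings.append(Finding("O4", "verify", e.path,
                                        "System32 binary launched from a startup entry; "
                                        "check the file's properties for its publisher"))
            else:
                findings.append(Finding("O4", "review", e.path,
                                        "Third-party startup item; uninstall via "
                                        "Add/Remove Programs if no longer used"))
    for dll, count in sorted(lsp_counts.items()):
        name = dll.rsplit("\\", 1)[-1]
        if name in KNOWN_LSP:
            findings.append(Finding("O10", "info", dll,
                                    f"{KNOWN_LSP[name]}; listed {count}x (one per LSP layer)"))
        else:
            findings.append(Finding("O10", "review", dll,
                                    f"Unknown Winsock LSP; listed {count}x, check publisher"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hijackthis(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.section:3} {f.path or '-'}: {f.note}")
```

Run against a real log, the same two functions give one line per distinct item, which is easier to walk through than the raw file when the O10 block is several lines long.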
 
Hi.
Thanx for the reply.

Yes, Parental controls have been set up on multiple accounts.

1. At the current time, they want to use Norman Antivirus, because they get it for free through their bank.
Is AVG free edition any better?

2. The No-IP DUC program I have installed because I was running VNC on this computer, in case my in-laws needed help. But I don't use VNC anymore, so I will delete it.

3. Yes, it is a foreign site, Norwegian. But it is komplett.no, not komplett.nl. Komplett.no is a big trusted web shop for computers in Norway. It was they who delivered this computer.

4. What was I gonna do with this?

5. Have run ComboFix and have added the log. Tried to run the program in English, so the log would come out in English, but no success. Have attached the log anyway.
 
P2P Running:
uTorrent
Azureus

Also running:
No-IP
Norman Virus Control
Symantec AntiVirus
Symantec Firewall

Info on using P2P Programs => https://www.techspot.com/vb/topic124748.html

Quote from 8-Step Removal Guide:
Uninstall File Sharing/P2P Programs

During the cleaning process all File Sharing Programs should be uninstalled
This is to avoid any possible reinfection of any malwares through file sharing

We reserve the right to withdraw our support:
  • If such programs are found in your logs
  • Should you not agree to their removal.
As they are normally set to bypass your Firewall and Anti-Virus software
Filesharing/P2P Programs serves as a constant threat to your computer
 
1. At the current time, they want to use Norman Antivirus, because they get it for free through their bank. Is AVG free edition any better?
No it isn't. But the main reason I brought Norman to your attention is the large number of processes it loads and runs. You can get Free Avira or Avast, Free Comodo or ZoneAlarm firewall, Free spyware/adware programs and together, they would have as many entries or use as much of the resources as the Norman program does.

2. The No-IP DUC program, I have installed because I was running VNC on this computer, in case my in laws needed help. But don't use VNC anymore, so I will delete it.
It's always a good idea to go through the Add/Remove Programs in the Control Panel and uninstall those you don't use or need. If they load when you boot, they run in the background. They are using system resources that could be freed up.

You mentioned this on your original post we moved:
And I constantly get a message from my Norman antivirus that explorer.exe in system32 folder is infected with TDSSserv.sys.
But you showed the hidden files and folders and weren't able to find the entries for this malware. Let's do an online scan from Kaspersky and see if anything shows up:

Kaspersky' online scan
Open Kaspersky Online Scanner in Internet Explorer using this link:
http://www.kaspersky.com/virusscanner
* Click Accept and the web scanner will begin to load
* If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
* You will be prompted to install an ActiveX component from Kaspersky, click Install
* If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT and then Scan Settings
* In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
o Scan Options:
Scan Archives
Scan Mail Bases
* Click OK
* Now under select a target to scan:
Select My Computer
* The program will start to scan your system.
* Once the scan is complete, click on the Save as Text button and save the file to your desktop

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Because of the multi-lingual nature of your system, this entry is likely okay, but since it can also be malware, you just need to verify it:

C:\Windows\system32\conime.exe
Re: conime.exe a trojan?

It CAN be: Description:
conime.exe is a process which is registered as the BFGhost 1.0 Remote administration backdoor tool. This backdoor application can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.

Or it CAN be: If your locale is set to an Asian language, then it's more than likely it's a Microsoft service. Process name: Input Method Editor

You should show hidden files and folders, then find it, right-click on it and check the properties. See if it's from Microsoft.

These must be the old entries kimsland is referring to. As you have been advised of the dangers, it will be up to you to remove them:
2008-10-31 18:25 -------- d-----w c:\users\John Martin\AppData\Roaming\uTorrent
2009-02-21 18:37 -------- d-----w c:\programdata\Azureus
Azureus, now called Vuze : Java BitTorrent Client -

There are Registry entries still loading from a previous install of Symantec/Norton security:
Please run the Norton Removal Tool HERE

Please attach the Kaspersky report and advise of any current problems with the system.
 
After Norman managed to move explorer.exe to quarantine, I have not got the message since.

And it's true. When I checked for the entries of this malware, I could not find them. And yes, I had switched on show hidden files and folders.

Have now made a scan with Kaspersky' online scan, no findings. Have attached the log.


About the conime.exe file. I have no idea what that is for. All I know is that this computer runs Norwegian language, which is very far from any Asian language.. So it may be a trojan then?
Checked its properties, and it said Microsoft. Also used the Kaspersky online file scanner, and it came out clean.. So I guess it is not a trojan then? :p

Have also run the Norton Removal Tool; because I didn't know what version to choose, I picked one. So I hope everything is removed.

Last item: Free Avira or Avast, is that a virus program I can install instead of Norman? I'm currently using Windows Firewall, so I guess I don't have to change that.
 
Last item: Free Avira or Avast, is that a virus program I can install instead of Norman? I'm currently using Windows Firewall, so I guess I don't have to change that.

See Step 1 HERE for Free AV and Free Firewall recommendations.

The Windows Firewall only listens at incoming ports. Better to have a bi-directional firewall that listens at both incoming AND outgoing.
 