Can't remove tdsserv.sys

Toshiba / SATELLITE P200
December 21, 2008 at 18:52:21
Specs: Vista, Intel Core 2 T7200/2GB Ra
I seem to have the tdsserv.sys malware. It shows up in my hidden devices in device manager. However, I don't have an option to disable it. I don't know if that's because I'm running Vista? On an XP machine I'm able to disable it. I only have the option to uninstall it.

It doesn't appear to be running as a service. I found the registry key which seems to be loading it: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSERV.SYS. The system is not letting me delete the key. Any malware/virus scanner/rootkit scanner seems to be blocked from running. Trying all of this even in safe mode. I tried to find the file to rename it and keep it from loading but I can't seem to locate it. I'm not sure how to proceed in disabling it or removing it. Any help would be great. Thanks!




#1
December 21, 2008 at 19:03:38
Let's try it this way first, I don't think you tried this:
1. Click on start
2. Type services.msc in the search box
You might be prompted by a UAC box. Choose to continue.
3. Double click TDSServ.sys, and choose Stop to stop it immediately
4. Click the drop down arrow on the far right of "Startup Type" and select disable
5. Click Apply, then OK, then exit Services by clicking the X at the top right of the screen.

Restart the computer.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.


Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
December 21, 2008 at 19:23:35
Yeah, services.msc just brings up the windows services console. TDSServ.sys isn't listed there unless it's hidden as something else and I'm not seeing it.

Malwarebytes won't run. It just gets killed as soon as it's executed.

HijackThis will run. Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:20 PM, on 12/21/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
C:\Users\Jason\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B3B3B30-A9EC-4A89-86BE-93B7CAD3064D}: NameServer = 68.87.85.98,68.87.69.146,68.87.78.130
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: IJY - Sysinternals - www.sysinternals.com - C:\Users\Jason\AppData\Local\Temp\IJY.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: WEQNWB - Sysinternals - www.sysinternals.com - C:\Users\Jason\AppData\Local\Temp\WEQNWB.exe

--
End of file - 4391 bytes
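
Reading the O23 lines of a log like the one above by hand is tedious, so here is a small triage script, added here and not part of the thread: it parses HijackThis O23 service entries and flags the ones a responder would check first (binary in a per-user Temp folder, no vendor, a random-looking name). The heuristics are assumptions, and a flag means "look closer", not "malicious"; legitimate tools run from Temp too.

```python
"""Triage HijackThis O23 (service) entries by where and how they run.

Added example, not from the thread. The flagging heuristics are
assumptions; a flag means "look closer", not "malicious".
"""
import re
from dataclasses import dataclass, field

# Layout of an O23 line (the short name in parentheses is optional):
#   O23 - Service: <display> (<short>) - <vendor> - <path to binary>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<vendor>.+?) - (?P<path>[A-Za-z]:\\.*)$"
)

# Binary living in a per-user Temp folder (Vista and XP profile layouts).
USER_TEMP_RE = re.compile(
    r"\\(?:users|documents and settings)\\[^\\]+\\"
    r"(?:appdata\\local\\temp|local settings\\temp)\\",
    re.IGNORECASE,
)


@dataclass
class Service:
    name: str      # short name when present, otherwise the display name
    display: str
    vendor: str
    path: str
    reasons: list = field(default_factory=list)


def parse_o23(line):
    """Return a Service for an O23 line, or None for any other HJT line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    name = m.group("short") or m.group("display")
    return Service(name, m.group("display"), m.group("vendor"), m.group("path"))


def looks_random(svc):
    """Display name is a bare run of capitals that is also the file stem (IJY / IJY.exe)."""
    stem = svc.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return svc.display.isalpha() and svc.display.isupper() and svc.display == stem


def triage(lines):
    """Map service name -> reasons for every O23 entry worth a closer look."""
    flagged = {}
    for line in lines:
        svc = parse_o23(line)
        if svc is None:
            continue
        if USER_TEMP_RE.search(svc.path):
            svc.reasons.append("binary runs from a per-user Temp folder")
        if svc.vendor.lower() == "unknown owner":
            svc.reasons.append("no vendor information (Unknown owner)")
        if looks_random(svc):
            svc.reasons.append("random-looking name matching the file stem")
        if svc.reasons:
            flagged[svc.name] = svc.reasons
    return flagged


# Sample input: O23 lines copied from the HijackThis log above, plus one
# O4 line to show that non-service lines are skipped.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: IJY - Sysinternals - www.sysinternals.com - C:\Users\Jason\AppData\Local\Temp\IJY.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: WEQNWB - Sysinternals - www.sysinternals.com - C:\Users\Jason\AppData\Local\Temp\WEQNWB.exe
"""

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_HJT_LOG.splitlines()).items():
        print(f"{name}: {'; '.join(reasons)}")
```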



#3
December 21, 2008 at 19:47:09
Go to control panel> programs and features and uninstall malwarebytes.

Next, redownload Malwarebytes but rename it before you download it to your desktop. As you are in the process of downloading, when you get to the point that the "enter name of file to save to" box appears, in the "filename" slot rename mbam-setup.exe to something.exe, then click Save.

If it installed but will not run navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.



#4
December 21, 2008 at 21:00:03
Download Registry Search and double-click to start it. Enter TDSSERV in the top box and click "Ok". Notepad will be opened with text in it (the file will be saved in the program's folder as well). Post this text.


#5
December 21, 2008 at 22:11:51
Renaming Malwarebytes before I copied it over to the computer seems to have done the trick and fooled it. That got it to install and renaming the executables got it to run. Here were the results:

-
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 6.0.6001 Service Pack 1

12/21/2008 10:44:46 PM
mbam-log-2008-12-21 (22-44-46).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 106073
Time elapsed: 1 hour(s), 27 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{7fc793e3-2599-4e31-9806-1e7bff68f894} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\spyware guard (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{7fc793e3-2599-4e31-9806-1e7bff68f894} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\nnnnMEXr.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\rXEMnnnn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\rXEMnnnn.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\TDSScrrx.dll (Trojan.TDSS) -> Delete on reboot.
C:\Windows\System32\TDSSntlv.dll (Trojan.TDSS) -> Delete on reboot.
C:\Windows\System32\TDSSrfpp.dll (Trojan.TDSS) -> Delete on reboot.
C:\Windows\System32\TDSStmei.dll (Trojan.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\TDSSnbcb.sys (Trojan.TDSS) -> Delete on reboot.
C:\ProgramData\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\TDSSfopt.dll (Rootkit.Agent) -> Delete on reboot.
C:\Windows\System32\TDSSsbxq.log (Trojan.TDSS) -> Delete on reboot.
--

I then did the Registry Search and it didn't find anything:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 12/21/2008 10:53:57 PM for strings:
; 'tdsserv'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...
---

That looks like it got it. Internet seems to be working properly now. I'm going to run the Malwarebytes again for double checking.

Thank you so much for the help jabuck. I hope you get paid for this. If not, you're a saint. I very much appreciate the knowledgeable and prompt responses.
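
Before re-running the scan as planned above, it helps to know which of the listed items are still on disk: every "Delete on reboot" entry stays until the machine restarts. The Python below, added here and not part of the thread, parses the MBAM log above (the regexes are assumptions about the 1.x layout), separates quarantined items from reboot-pending ones, tallies detection families, and checks the summary counts against the detail lines so a truncated paste is noticed.

```python
"""Summarise an MBAM log: removed items, items still waiting for a reboot,
and whether the pasted log is complete. Added example, not from the thread;
the regexes are assumptions about the MBAM 1.x layout shown above."""
import re
from collections import Counter
from dataclasses import dataclass

# "Files Infected: 11" in the summary block vs "Files Infected:" as a heading
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Detail line: "<target> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    section: str
    target: str
    family: str
    action: str


def parse_mbam(text):
    """Return (summary counts by section, list of Detection) from a log."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            detections.append(Detection(section, m.group("target"),
                                        m.group("family"), m.group("action")))
    return summary, detections


def pending_reboot(detections):
    """Targets MBAM could not remove yet; they stay on disk until the reboot."""
    return [d.target for d in detections if d.action.lower().startswith("delete on reboot")]


def family_counts(detections):
    return Counter(d.family for d in detections)


def summary_mismatches(summary, detections):
    """Sections whose summary count differs from the detail lines present (truncated paste)."""
    seen = Counter(d.section for d in detections)
    return {s: (n, seen[s]) for s, n in summary.items() if seen[s] != n}


# Sample input: abridged from the MBAM log pasted above.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1456

Memory Processes Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Files Infected: 11

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{7fc793e3-2599-4e31-9806-1e7bff68f894} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\spyware guard (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{7fc793e3-2599-4e31-9806-1e7bff68f894} (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\nnnnMEXr.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\rXEMnnnn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\rXEMnnnn.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\TDSScrrx.dll (Trojan.TDSS) -> Delete on reboot.
C:\Windows\System32\TDSSntlv.dll (Trojan.TDSS) -> Delete on reboot.
C:\Windows\System32\TDSSrfpp.dll (Trojan.TDSS) -> Delete on reboot.
C:\Windows\System32\TDSStmei.dll (Trojan.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\TDSSnbcb.sys (Trojan.TDSS) -> Delete on reboot.
C:\ProgramData\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\TDSSfopt.dll (Rootkit.Agent) -> Delete on reboot.
C:\Windows\System32\TDSSsbxq.log (Trojan.TDSS) -> Delete on reboot.
"""

if __name__ == "__main__":
    summary, dets = parse_mbam(SAMPLE_MBAM_LOG)
    print("families:", dict(family_counts(dets)))
    print("still on disk until reboot:", pending_reboot(dets))
    print("summary mismatches:", summary_mismatches(summary, dets))
```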



#6
December 21, 2008 at 22:18:08
Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your AVG antivirus, Ad-Aware, ZoneAlarm and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse; it will cause your system to hang.)
Please post the log it produces.



#7
December 25, 2008 at 17:11:00
Hey jabuck, finally got back to this. Since my last message, I ran Malware again and it kept picking up random infected files. I kept running it until it ran clean. Now when I run it, it doesn't pick up any infected files.

So then I ran ComboFix like you instructed and I got an unhandled exception when it tried to restart the computer. When it rebooted I didn't get a log. I did shut down ZoneAlarm, AVG, and AdAware before running ComboFix including all their processes running in the background.

So I went into safe mode and tried running ComboFix again. It still didn't go completely smoothly (I kept getting error messages that the various processes it was running wouldn't close on their own). I did get a log this time though, and here it is:

ComboFix 08-12-24.01 - Jason 2008-12-25 17:17:54.1 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1771 [GMT -7:00]
Running from: c:\users\Jason\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\System32\lSBHQXbc.ini
c:\windows\system32\lSBHQXbc.ini2
c:\windows\system32\TDSSwqsc.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-26 to 2008-12-26 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 22:44 352,615 ---ha-w c:\windows\system32\drivers\vsconfig.xml
2008-12-22 21:54 --------- d-----w c:\program files\Java
2008-12-22 05:50 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-22 03:56 --------- d-----w c:\users\Jason\AppData\Roaming\Malwarebytes
2008-12-22 03:52 --------- d-----w c:\programdata\Malwarebytes
2008-12-21 22:12 262,144 ----a-w C:\ntuser.dat
2008-12-08 03:38 --------- d-----w c:\programdata\avg8
2008-12-08 03:29 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-12-08 03:29 --------- d-----w c:\program files\AVG
2008-12-08 02:06 --------- d-----w c:\programdata\Lavasoft
2008-12-08 01:15 --------- d-----w c:\program files\SDB4
2008-12-04 02:54 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 02:54 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-24 04:37 --------- d-----w c:\program files\7-Zip
2008-11-24 02:31 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2008-11-15 14:23 --------- d-----w c:\users\Chris\AppData\Roaming\AdobeUM
2008-11-12 06:12 --------- d-----w c:\program files\IrfanView
2008-11-05 02:09 --------- d-----w c:\users\Chris\AppData\Roaming\AccurateRip
2008-11-03 09:33 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-11-02 22:56 13,025 ----a-w c:\users\Jason\AppData\Roaming\nvModes.dat
2008-11-02 21:40 --------- d-----w c:\program files\Macrium
2008-11-02 21:39 --------- d-----w c:\program files\IObit
2008-11-02 21:38 --------- d-----w c:\program files\Glary Utilities
2008-11-02 21:37 --------- d-----w c:\program files\Lavasoft
2008-11-02 21:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-31 22:57 --------- d-----w c:\program files\Exact Audio Copy
2008-10-31 22:27 --------- d-----w c:\users\Jason\AppData\Roaming\AccurateRip
2008-10-26 06:51 --------- d-----w c:\users\Jason\AppData\Roaming\AdobeUM
2008-10-26 05:28 --------- d-----w c:\programdata\NVIDIA
2008-10-26 05:06 --------- d-----w c:\users\Jason\AppData\Roaming\Toshiba
2008-10-26 05:05 --------- d-----w c:\program files\Common Files\Apple
2008-10-25 17:55 174 --sha-w c:\program files\desktop.ini
2008-10-25 06:02 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-10-25 06:02 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-10-25 06:02 2,560 ----a-w c:\windows\AppPatch\AcRes.dll
2008-10-25 06:02 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-10-25 06:02 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2007-03-02 07:11 262,144 ----a-w c:\programdata\ntuser.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-11-06 11:46 2854912 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-11-06 11:46 2854912 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-03 959976]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-20 1316136]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-11-06 49168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-13 81920]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-07 1261336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 c:\windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-11-06 11:34 52224 c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1401326566-726982139-648884469-1003]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1401326566-726982139-648884469-1004]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6C82A5B3-3D35-4E85-A15A-ACF2135A04E8}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1B5C9107-2782-412C-B447-A2008F98A794}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{F7E62053-18E1-4C96-ABB3-6F546EA6BC79}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{CCBC5AF6-B290-4583-8B66-C1FB8963A4C5}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys [2008-05-20 15328]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-07 97928]
S3 IJY;IJY;c:\users\Jason\AppData\Local\Temp\IJY.exe []
S3 WEQNWB;WEQNWB;c:\users\Jason\AppData\Local\Temp\WEQNWB.exe []
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-07 231704]
S4 ReflectService;Macrium Reflect Image Mounting Service;"c:\program files\Macrium\Reflect\ReflectService.exe" [2008-08-06 216032]
S4 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe [2008-10-25 98488]
.
Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-10-29 17:58]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-25 17:22:23
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(420)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll

- - - - - - - > 'Explorer.exe'(1928)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
.
Completion time: 2008-12-25 17:30:33 - machine was rebooted [Jason]
ComboFix-quarantined-files.txt 2008-12-26 00:30:22

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 137,104,060,416 bytes free

163 --- E O F --- 2008-11-12 05:14:02



#8
December 26, 2008 at 10:31:18
So from the previous ComboFix log, it looked like I still had some vestiges of tdsserv. I tried to run ComboFix a few more times to see if it could clean it out, but the Legacy_TDSSSERV.SYS keeps rearing its head. I'm not sure what I should attempt next. The log of the last ComboFix scan I ran is below:

ComboFix 08-12-24.01 - Jason 2008-12-25 19:45:24.4 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1765 [GMT -7:00]
Running from: c:\users\Jason\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-26 to 2008-12-26 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-26 02:13 352,615 ---ha-w c:\windows\system32\drivers\vsconfig.xml
2008-12-26 02:12 --------- d-----w c:\program files\Windows Mail
2008-12-22 21:54 --------- d-----w c:\program files\Java
2008-12-22 05:50 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-22 03:56 --------- d-----w c:\users\Jason\AppData\Roaming\Malwarebytes
2008-12-22 03:52 --------- d-----w c:\programdata\Malwarebytes
2008-12-21 22:12 262,144 ----a-w C:\ntuser.dat
2008-12-08 03:38 --------- d-----w c:\programdata\avg8
2008-12-08 03:29 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-12-08 03:29 --------- d-----w c:\program files\AVG
2008-12-08 02:06 --------- d-----w c:\programdata\Lavasoft
2008-12-08 01:15 --------- d-----w c:\program files\SDB4
2008-12-04 02:54 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 02:54 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-24 04:37 --------- d-----w c:\program files\7-Zip
2008-11-24 02:31 102,664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2008-11-15 14:23 --------- d-----w c:\users\Chris\AppData\Roaming\AdobeUM
2008-11-12 06:12 --------- d-----w c:\program files\IrfanView
2008-11-05 02:09 --------- d-----w c:\users\Chris\AppData\Roaming\AccurateRip
2008-11-03 09:33 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-11-02 22:56 13,025 ----a-w c:\users\Jason\AppData\Roaming\nvModes.dat
2008-11-02 21:40 --------- d-----w c:\program files\Macrium
2008-11-02 21:39 --------- d-----w c:\program files\IObit
2008-11-02 21:38 --------- d-----w c:\program files\Glary Utilities
2008-11-02 21:37 --------- d-----w c:\program files\Lavasoft
2008-11-02 21:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-31 22:57 --------- d-----w c:\program files\Exact Audio Copy
2008-10-31 22:27 --------- d-----w c:\users\Jason\AppData\Roaming\AccurateRip
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-10-26 06:51 --------- d-----w c:\users\Jason\AppData\Roaming\AdobeUM
2008-10-26 05:28 --------- d-----w c:\programdata\NVIDIA
2008-10-26 05:06 --------- d-----w c:\users\Jason\AppData\Roaming\Toshiba
2008-10-26 05:05 --------- d-----w c:\program files\Common Files\Apple
2008-10-25 17:55 174 --sha-w c:\program files\desktop.ini
2008-10-25 06:02 2,560 ----a-w c:\windows\AppPatch\AcRes.dll
2007-03-02 07:11 262,144 ----a-w c:\programdata\ntuser.dat
.

((((((((((((((((((((((((((((( snapshot_2008-12-25_19.23.14.80 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-26 02:21:21 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-26 02:49:22 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-12-26 02:21:21 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-26 02:49:22 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-12-26 01:17:56 103,850 ----a-w c:\windows\System32\perfc009.dat
+ 2008-12-26 02:47:29 103,266 ----a-w c:\windows\System32\perfc009.dat
- 2008-12-26 01:17:56 618,258 ----a-w c:\windows\System32\perfh009.dat
+ 2008-12-26 02:47:29 617,272 ----a-w c:\windows\System32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-11-06 11:46 2854912 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-11-06 11:46 2854912 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-03 959976]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-20 1316136]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-11-06 49168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-13 81920]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-07 1261336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 c:\windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-11-06 11:34 52224 c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1401326566-726982139-648884469-1003]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1401326566-726982139-648884469-1004]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6C82A5B3-3D35-4E85-A15A-ACF2135A04E8}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1B5C9107-2782-412C-B447-A2008F98A794}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{F7E62053-18E1-4C96-ABB3-6F546EA6BC79}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{CCBC5AF6-B290-4583-8B66-C1FB8963A4C5}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys [2008-05-20 15328]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-07 97928]
S3 IJY;IJY;c:\users\Jason\AppData\Local\Temp\IJY.exe []
S3 WEQNWB;WEQNWB;c:\users\Jason\AppData\Local\Temp\WEQNWB.exe []
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-07 231704]
S4 ReflectService;Macrium Reflect Image Mounting Service;"c:\program files\Macrium\Reflect\ReflectService.exe" [2008-08-06 216032]
S4 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe [2008-10-25 98488]
.
Contents of the 'Scheduled Tasks' folder

2008-12-26 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-10-29 17:58]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-25 19:49:23
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Jason\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(420)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll

- - - - - - - > 'Explorer.exe'(1824)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\HelpPane.exe
.
**************************************************************************
.
Completion time: 2008-12-25 19:54:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-26 02:54:23
ComboFix2.txt 2008-12-26 02:40:08
ComboFix3.txt 2008-12-26 02:26:33
ComboFix4.txt 2008-12-26 00:30:33

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 136,740,679,680 bytes free

178 --- E O F --- 2008-12-26 02:11:25


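Several lines in the ComboFix log above deserve attention on their own, separate from the TDSS driver: "EnableLUA"=0 (UAC switched off, so every admin logon runs fully elevated with no prompt), "EnableFirewall"=0 on the Domain, Standard and Public profiles, "DisableMonitoring"=1 for the McAfeeAntiSpyware and ZoneLabsFirewall Security Center entries, and two S3 services (IJY and WEQNWB) whose binaries sit in c:\users\Jason\AppData\Local\Temp with empty [date size] brackets, meaning ComboFix had no file details for them. The script below is an added example written for this page, not something posted in the thread or part of ComboFix; it reads the same registry locations ComboFix printed and flags those conditions on the live machine. The helper names Resolve-ImagePath and New-Finding are mine, the Temp-folder rule is a heuristic, and it assumes Windows PowerShell 2.0 or later run from an elevated prompt. Vendors set the DisableMonitoring values legitimately, so a hit there means "confirm the owner intended it", not "infection".

```powershell
# Added example for triaging the settings shown in the ComboFix log; not part of the thread.
# Assumes Windows PowerShell 2.0 or later on Vista/7-era Windows, run from an elevated prompt.

function New-Finding([string]$Area, [string]$Item, [string]$Why) {
    New-Object PSObject -Property @{ Area = $Area; Item = $Item; Why = $Why }
}
$findings = @()

# 1. User Account Control: EnableLUA = 0 means admin logons run fully elevated, no prompts at all.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($pol.EnableLUA -eq 0) {
    $findings += New-Finding 'UAC' 'EnableLUA=0' 'UAC disabled; anything the user runs already has full admin rights'
}

# 2. Windows Firewall keeps one EnableFirewall value per profile, exactly as the log listed them.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($prof in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $key = Join-Path $fw $prof
    if ((Test-Path $key) -and ((Get-ItemProperty $key).EnableFirewall -eq 0)) {
        $findings += New-Finding 'Firewall' "$prof EnableFirewall=0" 'firewall off for this profile'
    }
}

# 3. Security Center monitoring overrides. Security products set these themselves, so confirm them
#    with the owner rather than treating them as malicious.
$mon = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
if (Test-Path $mon) {
    foreach ($vendor in Get-ChildItem $mon) {
        if ((Get-ItemProperty $vendor.PSPath).DisableMonitoring -eq 1) {
            $findings += New-Finding 'SecurityCenter' "$($vendor.PSChildName) DisableMonitoring=1" 'Security Center will not report on this product'
        }
    }
}

# 4. Service and driver binaries. ImagePath comes in several shapes; normalise it the way the
#    service controller resolves it, then flag binaries under a Temp folder (the IJY / WEQNWB
#    pattern in the log) or binaries that no longer exist. Unquoted paths with spaces and no
#    .exe/.sys/.dll extension may be reported as missing; treat that as a prompt to look, not proof.
function Resolve-ImagePath([string]$ImagePath) {
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    if     ($p -match '^"([^"]+)"')                    { $p = $Matches[1] }   # "quoted path" args
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)')   { $p = $Matches[1] }   # unquoted path args
    if ($p.StartsWith('\??\'))            { $p = $p.Substring(4) }            # NT object path prefix
    if ($p -match '^\\SystemRoot\\')      { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    elseif ($p -notmatch '^[A-Za-z]:\\')  { $p = Join-Path $env:SystemRoot $p }  # e.g. system32\drivers\x.sys
    return $p
}
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $path = Resolve-ImagePath ((Get-ItemProperty $svc.PSPath).ImagePath)
    if (-not $path) { continue }
    if ($path -match '\\Temp\\') {
        $findings += New-Finding 'Service' "$($svc.PSChildName) -> $path" 'binary lives in a Temp folder'
    } elseif (-not (Test-Path $path)) {
        $findings += New-Finding 'Service' "$($svc.PSChildName) -> $path" 'binary missing (dangling service entry)'
    }
}

$findings | Format-Table Area, Item, Why -AutoSize
```

Run it before and after a cleanup: the UAC and firewall values in particular should be turned back on by hand once the machine is clean, because none of the removal tools in this thread restore them.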

#9
December 26, 2008 at 15:20:41
Download Registry Search and double-click to start it. Enter TDSSS in the top box and click "Ok". Notepad will be opened with text in it (the file will be saved in the program's folder as well). Post this text.


#10
December 27, 2008 at 01:11:13
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 12/27/2008 12:15:04 AM for strings:
; 'tdsss'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS\0000]
"Service"="TDSSserv.sys"
"DeviceDesc"="TDSSserv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_TDSSSERV.SYS]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_TDSSSERV.SYS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_TDSSSERV.SYS\0000]
"Service"="TDSSserv.sys"
"DeviceDesc"="TDSSserv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS\0000]
"Service"="TDSSserv.sys"
"DeviceDesc"="TDSSserv.sys"

[HKEY_USERS\S-1-5-21-1401326566-726982139-648884469-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\Root\\LEGACY_TDSSSERV.SYS"

; End Of The Log...

Does this mean the trojan is still being loaded into memory or are these just vestigial references to the deleted files? As I mentioned, every time I ran ComboFix it would keep listing the Legacy_TDSSSERV.SYS driver in the log.



#11
December 27, 2008 at 12:10:42
Run this registry edit then run the same registry search again and post its log. We may have to do this a different way.

Open Notepad (Start Menu > Run > type notepad and press "OK").

Copy and paste everything between the X's into Notepad, making REGEDIT4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_TDSSSERV.SYS]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS]

[-HKEY_USERS\S-1-5-21-1401326566-726982139-648884469-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it Fix.reg and save it to your desktop.

Double-click Fix.reg (or right-click and choose Merge). It will ask if you want to merge the contents into the registry; choose Yes.



#12
December 27, 2008 at 14:34:40
I did as you said. It said the changes were made to the registry. I rebooted and the log came up with this:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 12/27/2008 2:04:39 PM for strings:
; 'tdsss'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS\0000]
"Service"="TDSSserv.sys"
"DeviceDesc"="TDSSserv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_TDSSSERV.SYS]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_TDSSSERV.SYS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_TDSSSERV.SYS\0000]
"Service"="TDSSserv.sys"
"DeviceDesc"="TDSSserv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS\0000]
"Service"="TDSSserv.sys"
"DeviceDesc"="TDSSserv.sys"

; End Of The Log...



#13
December 27, 2008 at 17:09:03
Once you have SDFix downloaded, go offline, turn off your antivirus and any antispyware that you have, run SDFix from Safe Mode, and restart the antivirus before you get back online to post the log.

Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

1. Double-click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the C:\SDFix folder and double-click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
Press any key and it will restart the PC.
3. Your system will take longer than normal to restart, as the fix tool will be running and removing files.
When the desktop loads, the fix tool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
4. Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt.



#14
December 28, 2008 at 10:32:18
That didn't go quite like it was supposed to. I attempted to run the "RunThis" batch file in safe mode, but a blue window would only come up for a moment and then disappear. Not sure if the malware was killing the process or something else was an issue. I tried running the "catchme" executable in the folder, but the scan came up with nothing. Here's the log of that:


catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 10:55:47
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0



#15
December 28, 2008 at 13:13:45
Do you still have avenger installed, if not download it again.

Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

Copy all the text contained in the code box below between the X's to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Drivers to unload:
TDSSSERV.SYS


Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_TDSSSERV.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS

Files to delete:
c:\windows\system32\drivers\TDSSSERV.SYS
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
Click in the window labeled "Input Script Here" and paste the text copied to the clipboard into it by pressing (Ctrl+V).
Click the Execute button.
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Check and see if they were deleted.



#16
January 2, 2009 at 00:38:30
Ok, finally got back to this. I ran the Avenger scripts. Here's the log I got back:


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSSERV.SYS" not found!
Deletion of driver "TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_TDSSSERV.SYS" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\TDSSSERV.SYS" not found!
Deletion of file "c:\windows\system32\drivers\TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
-----

So I'm a little confused in that it said it didn't find the drivers to terminate them. Does that mean they eluded the scan or they're actually gone for good now? I ran the Registry Search again and it didn't pick up anything under "tdss" or "tdsss" and Malwarebytes turned up negative as well. ComboFix wouldn't run as it said it had expired. SDFix still wasn't able to run. Like before, it brought up a blue screen for half a second then died.

So should I consider this completely gone now or are there still places it could be hiding? Thanks!


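The Avenger log above is less confusing once the two registry locations are kept apart. Services\TDSSSERV.SYS is the entry that actually loads a driver at boot; Avenger looked for it first and found nothing, which is why "Deletion of driver ... failed" is good news. Enum\Root\LEGACY_TDSSSERV.SYS is a device node the Plug and Play manager creates the first time a legacy (non-PnP) driver service starts; it is what Device Manager showed under hidden devices and what Registry Search kept finding, but on its own it loads nothing. Those nodes live under keys that only SYSTEM can modify, which fits the earlier observation that regedit and the merged Fix.reg reported success while the keys stayed put. CurrentControlSet is not a separate hive but a link to the set named in HKLM\SYSTEM\Select\Current, so once Avenger had deleted the key in ControlSet001 the "CurrentControlSet ... not found" error was the same key already gone. The script below is an added example written for this page, not something from the thread or from any of the tools used in it; it walks every ControlSetNNN, reports both locations plus the driver file and the kernel's view of the driver, and only deletes when asked. The default service name is the one from the Registry Search logs, the driver path is the one Avenger was told to check, and the New-Row helper and -Remove switch are mine. It assumes Windows PowerShell 2.0 or later run elevated. A live rootkit can hide from the registry and WMI APIs this uses, so an empty report confirms only that the normal view is clean; the catchme/GMER cross-check earlier in the thread is the complement to it.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 2.0 or later, run elevated.
# Audits every ControlSetNNN for the two registry footprints of a legacy kernel driver service,
# the driver file, and whether the kernel currently has a driver of that name; deletes on request.
param(
    [string]$ServiceName = 'TDSSserv.sys',   # service name as it appears in the thread's logs
    [switch]$Remove                          # off by default: report only
)

$legacyNode = 'LEGACY_' + $ServiceName.ToUpperInvariant()
# CurrentControlSet is a link to the set selected here, so list the real sets and mark the live one.
$currentSet = 'ControlSet{0:D3}' -f (Get-ItemProperty 'HKLM:\SYSTEM\Select').Current
$report     = @()

function New-Row([string]$Kind, [string]$Path, [string]$Detail, [string]$Set = '') {
    New-Object PSObject -Property @{ Kind = $Kind; ControlSet = $Set; Path = $Path; Detail = $Detail }
}

$sets = Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }
foreach ($set in $sets) {
    $name = $set.PSChildName
    $tag  = if ($name -eq $currentSet) { "$name (current)" } else { $name }

    # (a) Services\<name>: the entry that loads the driver at boot. This is the one that matters.
    $svcKey = "HKLM:\SYSTEM\$name\Services\$ServiceName"
    if (Test-Path $svcKey) {
        $p = Get-ItemProperty $svcKey
        $report += New-Row 'Service key (loads the driver)' $svcKey "ImagePath=$($p.ImagePath); Start=$($p.Start)" $tag
    }

    # (b) Enum\Root\LEGACY_<NAME>: devnode the PnP manager creates when a legacy service first starts.
    #     Shown by Device Manager under hidden devices; loads nothing by itself once the service is gone.
    $enumKey = "HKLM:\SYSTEM\$name\Enum\Root\$legacyNode"
    if (Test-Path $enumKey) {
        $report += New-Row 'LEGACY_ devnode (residue)' $enumKey 'present' $tag
    }
}

# (c) The driver binary where Avenger was told to look, and the kernel's own list of drivers.
$file = Join-Path $env:SystemRoot "System32\drivers\$ServiceName"
$report += New-Row 'Driver file' $file $(if (Test-Path $file) { 'present' } else { 'absent' })
$drv = Get-WmiObject Win32_SystemDriver -Filter ("Name='{0}'" -f ($ServiceName -replace "'", "''"))
$report += New-Row 'Loaded driver' "Win32_SystemDriver Name=$ServiceName" $(if ($drv) { "State=$($drv.State)" } else { 'not registered' })

$report | Format-Table Kind, ControlSet, Path, Detail -AutoSize

# Deletion only on request. Enum\Root\* keys are owned by SYSTEM and administrators cannot delete
# them by default; if a removal fails here, rerun under the SYSTEM account (for example with
# psexec -s) or take ownership of the key first.
if ($Remove) {
    foreach ($row in ($report | Where-Object { $_.Path -like 'HKLM:*' })) {
        try {
            Remove-Item -Path $row.Path -Recurse -Force -ErrorAction Stop
            Write-Output "removed  $($row.Path)"
        } catch {
            Write-Output "FAILED   $($row.Path): $($_.Exception.Message)"
        }
    }
}
```

Run it without -Remove first. A clean result for this thread's case is: no Service key in any control set, no LEGACY_ devnode, driver file absent, and Win32_SystemDriver "not registered". A Service key still present with Start=0 or 1 would mean the driver is still being loaded at boot and the LEGACY_ node would simply be recreated after deletion.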

#17
January 2, 2009 at 10:37:52
Your computer is clean; there is some cleanup that you need to do.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your computer appears to be clean.

Navigate to and delete this folder:

C:\SDFix

Delete Avenger from your desktop.

Go to Start > Run, type in combofix /u (note the space after combofix), then press Enter. This will uninstall ComboFix, so give the uninstaller a minute to run.

Go to Start > Control Panel > Add/Remove Programs and uninstall these programs:

Hijack This

Malwarebytes

You should keep ATF Cleaner and run it weekly.


You should consider adding "SpywareBlaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it rewrites malicious script before it can install on your computer. Look for updates weekly, as there is no auto-update on the free version.

How is the computer operating?



#18
January 15, 2009 at 10:58:07
Hey, first off I'd just like to say thanks for all the advice and tips posted here, very helpful!

Basically, I had the same problem as Jase in that I couldn't find an option to merely disable TDSSserv.sys once running Devmgmt.msc. Downloading, renaming all the .exe files and consequently running Malwarebytes seems to have worked well, as I am no longer randomly redirected and the system is running at normal(ish) speed.

Although a second Malwarebytes scan has come up with nothing, and I cannot locate the file in my C:\windows\system32\drivers folder or in the registry, I can still see TDSSserv.sys when I run Devmgmt.msc. When I right-click and select Properties, here's what it says:

"This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)

Click 'Check for solutions' to send data about this device to Microsoft and to see if there is a solution available."

I hope it's all done with and the person that made this is in jail right now, but I just wanted to make sure my computer was no longer at risk.

Thanks again, keep up the good work :) (P.S. sorry for any typos)



#19
February 9, 2009 at 07:59:50
Thank you for keeping this post up. I had the same issue with the tdsserv virus and I believe it is completely gone. BUT I have another problem. Somewhere along the line I have made my Control Panel unable to be accessed. I try to open it, the screen pops up and then it is gone. I am using Vista. What should I do?


#20
February 9, 2009 at 08:10:31
Todd13 and philluk, you guys should probably just start new threads with your problems. These threads that are further down the forum list tend to get missed by the admins and it seems to make it easier for them to deal with problems when they're self-contained in their own thread.

@jabuck, I forgot to check back on this, but I just wanted to say thank you so much for all your help. I really, really appreciated it and couldn't have gotten all that junk off my computer without your help. Thank you!



#21
February 9, 2009 at 14:22:29
Glad we could help, Jase, and thanks for the advice given to the new posters.
