How to remove TDSSserv trojan (TDSSserv.sys), clbdriver.sys and seneka.sys - usually associated with Windows Antivirus
Old 29th January 2009, 08:58 AM
laurentio

Trojan.TDSSserv (TDSSserv.sys), also known as Trojan Backdoor.Tidserv, is a trojan horse that may represent a security risk for the infected computer.

The trojan uses rootkit-specific techniques designed to hide its presence in the system and also blocks user access to security websites. Once running, this trojan will display fake security alerts that tell you to install a rogue antispyware application to delete the infection. These alerts are fake and should be ignored!
Use the following instructions to remove trojan TDSSserv (trojan Backdoor.Tidserv).


Step 1: Disable TDSSserv trojan driver.
  • Right click the My computer icon. If you are using the non classic Start menu, then right click My computer icon on your Start button menu.
  • Click Properties.
  • Click Hardware Tab.
  • Click Device Manager.
  • In the top menu, click View and click Show Hidden Drivers.
  • Scroll down to non Plug and Play drivers.
  • Click + at left.
  • In the list of drivers right click TDSSserv.sys or TDSSxyz.sys where xyz are random characters, clbdriver.sys, seneka or seneka.sys.
  • Click Disable.
  • Click YES to confirm.
  • Close all windows and reboot your computer.
Step 2: Delete TDSSserv trojan driver.
  • Download Avenger from here and unzip to your desktop.
  • Run Avenger, copy, then paste the following text in the Input script Box:
    Drivers to delete:
    TDSSserv.sys
    clbdriver.sys
    seneka.sys
    seneka

    Then click on ‘Execute’.
  • You will be asked Are you sure you want to execute the current script?. Click Yes.
  • You will now be asked First step completed — The Avenger has been successfully set up to run on next boot. Reboot now?. Click Yes.
  • Your PC will now be rebooted.
It is very important to run the above steps, otherwise Malwarebytes won't run. Another solution would be this:
Go to Device Manager (right click My Computer on desktop, Properties, Hardware Tab, Device Manager Button).
Then, in the menus, click View > Show Hidden Devices, look under Non Plug and Play Drivers for TDSS and disable it (don't uninstall it). Reboot. Now you can run Malwarebytes' Anti-Malware.


Step 3: Remove TDSSserv trojan files and any associated malware.
  • Download Malwarebytes Anti-Malware (MBAM), a program designed to quickly detect, destroy and prevent malware, spyware and trojans.
  • Once downloaded, close all programs and Windows on your computer (including this one).
  • Double-click on the icon named mbam-setup.exe to install the application.
  • When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • MBAM will now start scanning your computer for malware. This process may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • MBAM will now delete all of the files and registry keys and add them to the quarantine.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The trojan TDSSserv creates the following files:
%Temp%\file.exe
%Temp%\TDSS[RANDOM CHARACTERS].tmp
%System%\drivers\TDSS[RANDOM CHARACTERS].sys
%System%\TDSS[RANDOM CHARACTERS].sys
%System%\TDSS[RANDOM CHARACTERS].dat
%System%\TDSS[RANDOM CHARACTERS].log
%System%\TDSSserv.sys
%System%\TDSSerrors.log
%System%\TDSSservers.dat
%System%\TDSSl.dll
%System%\TDSSlog.
%System%\TDSSmain.dll
%System%\TDSSinit.dll
%System%\TDSSlog.dll
%System%\TDSSadw.dll
%System%\TDSSpopup.dll


Extra tools to consider:
ComboFix and SDFix
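The file names listed in the post, turned into a small checker (an added example, not part of the original post): it lists files in a given %System% directory, its drivers subfolder and a %Temp% directory whose names match the post's list. The function names and the modelling of "[RANDOM CHARACTERS]" as letters/digits are assumptions; because the post says the trojan hides itself with rootkit techniques, a scan of the running system may miss hidden files, so point it at a disk inspected offline or re-run it after the driver is disabled.

```python
import re
import tempfile
from pathlib import Path

# "TDSS[RANDOM CHARACTERS]" is modelled as TDSS + letters/digits (assumption).
TDSS_NAME = re.compile(r"^TDSS\w*\.(sys|dat|log|dll|tmp)$", re.IGNORECASE)
# Driver names from Steps 1 and 2; the post gives no path for them,
# so they are matched in every scanned directory.
DRIVER_NAMES = {"clbdriver.sys", "seneka.sys"}


def is_indicator(name, in_temp):
    """True if a file name matches one of the names listed in the post."""
    lower = name.lower()
    if TDSS_NAME.match(name) or lower in DRIVER_NAMES:
        return True
    # file.exe is listed only under %Temp%; the name is too generic elsewhere.
    return in_temp and lower == "file.exe"


def scan(system_dir, temp_dir):
    """Return matching paths in %System%, %System%\\drivers and %Temp%."""
    hits = []
    for folder, in_temp in ((Path(system_dir), False),
                            (Path(system_dir) / "drivers", False),
                            (Path(temp_dir), True)):
        if not folder.is_dir():
            continue
        for entry in folder.iterdir():
            if entry.is_file() and is_indicator(entry.name, in_temp):
                hits.append(entry)
    return sorted(hits)


def demo():
    """Scan a constructed directory tree; returns the matched relative paths."""
    with tempfile.TemporaryDirectory() as root:
        system, temp = Path(root) / "system32", Path(root) / "Temp"
        (system / "drivers").mkdir(parents=True)
        temp.mkdir()
        for p in (system / "drivers" / "TDSSabcd.sys", system / "TDSSmain.dll",
                  system / "tdssservers.dat", system / "drivers" / "seneka.sys",
                  system / "kernel32.dll", system / "file.exe",
                  temp / "file.exe", temp / "TDSS1f2e.tmp", temp / "notes.txt"):
            p.touch()
        return [h.relative_to(root).as_posix() for h in scan(system, temp)]


if __name__ == "__main__":
    print("\n".join(demo()))
```

An empty result after Step 3 is a quick sanity check that the listed files are gone; it does not replace the MBAM scan.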