
How to remove TDSS, Backdoor.Tidserv, Alureon trojan/rootkit

The TDSS trojan, also known as Backdoor.Tidserv [PCTools], Backdoor.Tidserv.I!inf [Symantec], Rootkit.Win32.TDSS.y [Kaspersky Lab], Patched-SYSFile.a [McAfee], Mal/TDSSRt-A [Sophos] and Virus:Win32/Alureon.F [Microsoft], is very dangerous. It installs onto your computer through a vulnerability in an already installed program (mostly Internet Explorer) or with the help of a rogue antispyware program. Trojan TDSS uses rootkit techniques designed to hide its presence in the system. It is practically undetectable by standard Windows means: you will not find its files on the disk, nor any trace of it in the Windows registry.

When installed, it is configured to start automatically when Windows starts. While it is running, the TDSS (Backdoor.Tidserv, Alureon) trojan may:

  • display a lot of popups and fake security alerts
  • hijack Internet Explorer
  • redirect search results in Google, Yahoo, MSN to non related sites
  • block access to security websites
  • disable Windows Task Manager, Windows Security Center and Registry editor

What is more, the TDSS, Backdoor.Tidserv, Alureon trojan blocks the ability to run many antivirus and antispyware programs, including Malwarebytes Anti-Malware. It is also usually installed in conjunction with rogue antispyware programs.

If your computer is infected with the trojan, then use the removal instructions below, which will remove the TDSS, Backdoor.Tidserv, Alureon trojan and any associated malware for free.

Symptoms in a RootRepeal Log

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTnfvywoxwtx.sys
Service Name: _VOIDd.sys
Image Path: C:\WINDOWS\system32\drivers\_VOIDaabmetnqbf.sys

Use the following instructions to remove TDSS, Backdoor.Tidserv, Alureon trojan.

Download TDSSKiller from here and unzip to your desktop.

Open the TDSSKiller folder. Double-click the TDSSKiller icon to start scanning the Windows registry for the TDSS rootkit. If it is found, then you will see a screen similar to the one below.

[Screenshot: TDSSKiller]

Type delete and press Enter. Once TDSSKiller has finished removing the TDSS rootkit, you will see a window as shown below.

[Screenshot: TDSSKiller]

Type Y and press Enter. Your computer will be rebooted.

Download Malwarebytes Anti-Malware (MBAM). Close all programs and windows on your computer.

Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded you will see a window similar to the one below.

[Screenshot: Malwarebytes Anti-Malware window]

Select Perform Quick Scan, then click Scan; it will start scanning your computer for the TDSS, Backdoor.Tidserv, Alureon trojan infection. This procedure can take some time, so please be patient.

When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may differ from what is shown in the image below.

[Screenshot: Malwarebytes Anti-Malware, list of infected items]

Make sure that everything is checked, and click Remove Selected to start the TDSS, Backdoor.Tidserv, Alureon trojan removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.

Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.

The TDSS, Backdoor.Tidserv, Alureon trojan creates the following files:

C:\Windows\System32\TDSS[RANDOM CHARACTERS].tmp
C:\Windows\System32\drivers\TDSS[RANDOM CHARACTERS].sys
C:\Windows\System32\TDSS[RANDOM CHARACTERS].sys
C:\Windows\System32\TDSS[RANDOM CHARACTERS].dat
C:\Windows\System32\TDSS[RANDOM CHARACTERS].log
C:\Windows\System32\TDSSserv.sys
C:\Windows\System32\TDSSerrors.log
C:\Windows\System32\TDSSservers.dat
C:\Windows\System32\TDSSl.dll
C:\Windows\System32\TDSSlog.
C:\Windows\System32\TDSSmain.dll
C:\Windows\System32\TDSSinit.dll
C:\Windows\System32\TDSSlog.dll
C:\Windows\System32\TDSSadw.dll
C:\Windows\System32\TDSSpopup.dll

The TDSS, Backdoor.Tidserv, Alureon trojan creates the following registry keys and values:

HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\connections
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\injector
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\versions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys
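A way to check a machine's artifacts against the RootRepeal excerpt and the two lists above, as an added Python example that is not part of the original post: it parses the Hidden Services section of a RootRepeal log (the two-line Service Name / Image Path pairs shown above, tolerating the missing colon), flags services whose name or driver file starts with the TDSS, H8SRT or _VOID prefixes seen on this page, and matches file paths and registry keys against patterns generalized from the file and registry lists (TDSS followed by random characters and one of the listed extensions, under System32 or its drivers folder; the TDSSserv key and any subkey; a TDSS*.sys service under any ControlSet). The log, paths and keys are constructed sample input, and the prefix list is an assumption drawn from this page only; a hit is a reason to run TDSSKiller and MBAM, not a verdict on its own.

```python
import re
from dataclasses import dataclass

# Service/driver name prefixes taken from the RootRepeal excerpt and the file
# list on this page (assumption: other variants may use other prefixes).
SUSPICIOUS_PREFIXES = ("TDSS", "H8SRT", "_VOID")

# Generalized from the file list: TDSS + random characters + a listed extension,
# directly under System32 or under System32\drivers.
FILE_PATTERN = re.compile(
    r"^[a-z]:\\windows\\system32\\(?:drivers\\)?tdss[a-z0-9]*\.(?:tmp|sys|dat|log|dll)$",
    re.IGNORECASE,
)

# Generalized from the registry list: the TDSSserv software key and any subkey,
# plus a TDSS*.sys service entry under any ControlSet.
REGISTRY_PATTERNS = (
    re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\TDSSserv(?:\\.*)?$", re.IGNORECASE),
    re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\Services\\TDSS[a-z0-9]*\.sys$", re.IGNORECASE),
)


@dataclass
class HiddenService:
    name: str
    image_path: str


def parse_rootrepeal_hidden_services(log_text):
    """Return the Service Name / Image Path pairs listed under the
    'Hidden Services' heading of a RootRepeal log."""
    services = []
    in_section = False
    pending_name = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("hidden services"):
            in_section = True
            continue
        if not in_section or not any(c.isalnum() for c in line):
            continue  # outside the section, or a separator line of dashes
        m = re.match(r"Service Name:\s*(.+)$", line, re.IGNORECASE)
        if m:
            pending_name = m.group(1).strip()
            continue
        m = re.match(r"Image Path:?\s*(.+)$", line, re.IGNORECASE)  # colon is optional
        if m and pending_name is not None:
            services.append(HiddenService(pending_name, m.group(1).strip()))
            pending_name = None
    return services


def is_suspicious_service(svc):
    """Flag a hidden service whose name or driver file name starts with a known prefix."""
    driver_file = svc.image_path.rsplit("\\", 1)[-1].upper()
    name = svc.name.upper()
    return any(name.startswith(p) or driver_file.startswith(p) for p in SUSPICIOUS_PREFIXES)


def flag_hidden_services(log_text):
    return [s for s in parse_rootrepeal_hidden_services(log_text) if is_suspicious_service(s)]


def flag_paths(paths):
    return [p for p in paths if FILE_PATTERN.match(p)]


def flag_registry_keys(keys):
    return [k for k in keys if any(rx.match(k) for rx in REGISTRY_PATTERNS)]


# Constructed sample input, modelled on the RootRepeal excerpt above, with one
# benign-looking hidden service added to show that it is not flagged.
SAMPLE_LOG = r"""Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTnfvywoxwtx.sys
Service Name: _VOIDd.sys
Image PathC:\WINDOWS\system32\drivers\_VOIDaabmetnqbf.sys
Service Name: examplefilter
Image Path: C:\WINDOWS\system32\drivers\examplefilter.sys
"""

SAMPLE_PATHS = [
    r"C:\Windows\System32\drivers\TDSSkq8fjm.sys",  # constructed random-suffix name
    r"C:\Windows\System32\TDSSserv.sys",
    r"C:\Windows\System32\TDSSmain.dll",
    r"C:\Windows\System32\drivers\tcpip.sys",  # legitimate driver, must not be flagged
    r"C:\Windows\System32\ntdll.dll",
]

SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\injector",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip",
]

if __name__ == "__main__":
    for svc in flag_hidden_services(SAMPLE_LOG):
        print("hidden service:", svc.name, "->", svc.image_path)
    for p in flag_paths(SAMPLE_PATHS):
        print("file indicator:", p)
    for k in flag_registry_keys(SAMPLE_KEYS):
        print("registry indicator:", k)
```

The patterns are deliberately anchored to the exact directories on the page so that a legitimate driver with a coincidentally similar name elsewhere is not reported; on a real machine you would feed `flag_paths` a directory listing taken from a clean boot environment, since the rootkit hides its files from the running system.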

Posted November 5, 2008 at 1:15 am | In Rootkit, Trojan, Tutorials - HowTo | 167 Comments


167 Comments »


  1. Apparently there is a variant of TDSserv that does not respond to this treatment. The rootkit rewrites itself every time you boot windows. Avenger can’t even find it on reboot and it does not exist in safe or recovery mode. It comes back to life only in real mode.

    Comment by Cliff — November 22, 2008 #

  2. I have no complaints. I just wanted to let you know how amazingly good your instructions were. Having searched high and low on the web, yours was the only answer that worked for me. Thanks so much and keep up the good work. This solution was excellent!

    Comment by Mike — November 28, 2008 #

  3. It appeared to work well…..found tdsserv when A*G, S*YBOT and P*STPATROL wouldn’t…..ironically once it did tag it….A*G pops up and warns me of an infection. Thanks for the help.

    Comment by Duce — December 1, 2008 #

  4. Successful fix, and it was good that I was able to find it here, because most of the computers I have found with this version of the virus have had to be wiped and rebuilt.

    Comment by captjack — December 2, 2008 #

  5. Thank you so much for these instructions. I was pulling my hair out for two hours trying to kill this stupid thing!

    Comment by scott — December 2, 2008 #

  6. Man am I glad I found your instructions. I have been successful cleaning the fake antivirus off machines before, but this rootkit nearly ate my lunch. Thanks for the help!

    Comment by sherree — December 5, 2008 #

  7. You need to use a combination of SDfix and superantispyware prerelease version, the normal version apparently doesn’t work.
    SDfix must be run in safe mode.

    Gato

    Comment by Gato — December 10, 2008 #

  8. thanks so much only thing that worked to kill the trojan.tdsserv virus thanks

    Comment by Charles — December 11, 2008 #

  9. thank so much it worked

    Comment by Charles — December 11, 2008 #

  10. AWWWWESOME PROGRAM..Thanks

    Comment by Jeff — December 12, 2008 #

  11. this stuff really works. hell yeah…… that virus is long gone now.

    Comment by Thomas — December 12, 2008 #

  12. This worked!!!Thank you!

    Comment by Greg — December 13, 2008 #

  13. You’re the KING! I lost 2 hours of my life trying to unscrew this… your writeup had me back up in short order. Thanks a bunch.

    Comment by Fred — December 13, 2008 #

  14. Thanks so much for this; mcafee, avg and spybot all failed to either detect or eliminate this flippin little pest, i really appreciate the help

    Comment by tim — December 13, 2008 #

  15. Everything worked as u told me untill the instal process of the malware ended and it said:
    Run-time error ’372′:
    Failed to load control vbalGird’ from vbalsgird6.ocx. Your version of valsgird6.ocx may be outdated and …
    I see u know every tiny detail and u really know what this TDSsrv is about…
    Please, I really need your help. thanks :|

    Comment by Matei — December 14, 2008 #

  16. Matei, please follow these steps. I will help you.

    Comment by Patrik — December 15, 2008 #

  17. Thanks so much, I as well spent hours trying to get rid of this until I found your post.

    Comment by Chris — December 15, 2008 #

  18. Great program. Completely nuked the TDSServ virus.
    What irked me was that two supposedly Grade A security software apps in Spyware Doctor and NOD32 were quite useless in dealing with this pest.

    Comment by smitch — December 15, 2008 #

  19. Ahh, as most people have said, thank you.

    Comment by Bob — December 16, 2008 #

  20. thank you so much. it was really helpful

    Comment by shahed — December 17, 2008 #

  21. Wonderful. It really worked. Thanks

    Comment by Jack — December 17, 2008 #

  22. Thank you so much! You saved me from tearing all my hair out due to overwhelming stress hahaha.

    Comment by Lalique — December 21, 2008 #

  23. I had the same problem, and Malwarebytes software wouldn’t run. But after disabling the driver and removing it per your instructions, I was about to use exterminateit! to remove it.

    I spent over two days battling with this, trying all sorts of antivirus including avg and kapersky. This was such a malicious program, and hard to remove.
    YOU MADE IT EASY. YOU HAVE MY UNDYING THANKS, AND I HAVE SAID A PRAYER FOR YOU.

    Comment by David Reilly — December 22, 2008 #

  24. Many thanx!!!
    I was at a loss til I found your very helpful step by step guide!

    Comment by rachael — December 23, 2008 #

  25. Many thanks as others have said! I was totally lost until I found your post. Very easy to follow and do. Thanks again and Merry Christmas!!

    Comment by Terry — December 23, 2008 #

  26. You’re a god, thank you

    Comment by Kevin — December 25, 2008 #

  27. Thank you so much!!! You are my hero! I was pulling my hair out with this nasty thing. Your instructions were perfect and did the trick!

    Comment by NancyB — December 26, 2008 #

  28. Thank you so much, this was preventing me from running malware bytes. Once I removed this driver I was able to complete the system clean up. Once again, thanks!

    Comment by Charles N. — December 27, 2008 #

  29. Hey, just wanted to say, thanks so much for your fix, ..and after performing it, i can now run the malwarebytes scan. I installed the malwarebytes in a arbitrary location after using your fix, and then scanned. thankyou!!

    Comment by eric — December 27, 2008 #

  30. You’re a god, nothing else to say.

    Saved me from 27 Trojans.

    Comment by RinaLover| — December 27, 2008 #

  31. WOW…A nice end to a frustrating problem. Instructions worked as laid out and I seem to be TDSS free…Thanks!!!!!!!!!

    Comment by tim — December 29, 2008 #

  32. Great article and nasty trojan – I couldn’t have started system in normal mode, only safe worked. A lot of security pages were blocked and I was also unable to use system recovery. You helped me out of big trouble, thanks! :)

    Comment by Lukasz — December 30, 2008 #

  33. It did work for me without downloading malware bytes, Thx for registry strings

    Comment by DFINC — December 30, 2008 #

  34. Hi, please help
    I followed the above instructions correctly but when avenger went into reboot, my computer is in a startup loop. when windows starts to load it blacks out and attempts to start again.

    What can I do to fix this.

    Comment by Steve h — December 31, 2008 #

  35. A heartfelt thankyou! Killed the trojan in one evening! This works!

    Comment by Bean Counter — December 31, 2008 #

  36. Bless you! This really works! These remedies saved my PC! And the trojan and virus was permanently deleted in less than 3 hours! You are a Life Saver!

    Comment by Bean Counter — December 31, 2008 #

  37. Thank you so much! I was driving myself nuts trying to get rid of this.

    Comment by Erin — December 31, 2008 #

  38. Thank you so much! I was driving myself nuts trying to get rid of this!

    Comment by Erin — December 31, 2008 #

  39. i have a problem.. after that i have rebooted the computer and checked that the TDSsserv is gone i still can’t access the websites where i can download avenger and malwarebytes.. any ideas for what to do?

    Comment by tommy — January 1, 2009 #

  40. We are having the exact same symptoms mentioned at the beginning of this thread, but there are no TDSServ files located on the server.

    It is probably named something else. Any idea how I can identify it?

    Thanks,

    Comment by Greg — January 2, 2009 #

  41. Please follow these steps. I will help you.

    Comment by Patrik — January 2, 2009 #

  42. I just wanted to say thank you very much and this worked and i love u :)

    Comment by Tameem — January 4, 2009 #

  43. I had a variant that left files starting with “seneka???”. Nothing worked, although combofix detected it. However, every reboot combofix would detect it again. Here is how I fixed it. Only run this way if you are in the combofix reboot cycle and nothing else works!:

    1) Run combofix. If it detects the root kit write down the file names.

    2) Let combofix reboot your machine

    3) Boot into the Recovery Console (either from startup or from the XP CD)

    4) Login and at the command prompt type “fixmbr”. Answer ‘Y’ to the prompt.

    5) Go to the first directory identified by combofix. For example, on my machine it was

    c:\windows\system32\drivers\senekanisovjkq.sys

    so I typed “cd \windows\system32\drivers”

    6) do a directory listing to find all related files. BE CAREFUL TO USE ENOUGH CHARACTERS TO UNIQUELY IDENTIFY RELATED FILES! If you are not sure, I do not recommend that you proceed.

    dir seneka*.*

    7) Delete each file, one at a time (‘del’ in Recovery Console does not support wildcards).

    8) Repeat step 7 for all directories identified by combofix.

    9) Reboot normally

    10) Allow combofix to run again.

    11) Follow instructions

    Comment by Rick — January 5, 2009 #

  44. Rick, thank you for the information.

    Comment by Patrik — January 5, 2009 #

  45. I have a problem with the trojan too. I tried to follow the first step displayed in this forum but it didn’t work for me because the files didn’t appear. So the name of the virus is Seneka971e7.tmp. Please help, I already did a system restore and lost all of my pictures and important info.

    Comment by Daimara — January 5, 2009 #

  46. If in the list of drivers you have found Seneka971e7.tmp, then disable it. If you need help, then read and follow these steps.

    Comment by Patrik — January 5, 2009 #

  47. I cannot boot my pc in normal mode, only in safe mode, and the only option i have in device manager is uninstall

    Comment by Loco — January 6, 2009 #

  48. Then try it.

    Comment by Patrik — January 6, 2009 #

  49. thank’s God bless you from Puerto Rico it work’s perfect

    Comment by p123dro — January 7, 2009 #

  50. Fantastic ! 4 days of banging my head against .tmp files, backdoor detections by symantec antivirus, deleting, rebooting just to have everything come back after reboot. Your instruction worked a treat. After running MBAM and rebooting I re-ran symantec and everything is clear. Very cool. I had to reboot a couple of times but my computer looks clean as a bell. THANK YOU …life saver.

    Comment by Paul — January 11, 2009 #

  51. thank you Iam glad I found this site.

    Comment by brian — January 11, 2009 #

  52. Thank you, Thank you, Thank you!!!!!!!!

    I fought with this POS for 12 hours.

    Comment by John — January 12, 2009 #

  53. Thanks Bro! You’re the BEST! 4.5 hours of wasted time until I found your instructions.

    Comment by Randy N — January 14, 2009 #

  54. Downloaded Avenger but when the exe is executed Winrar throw up cannot execute, any ideas???

    Comment by Richard911 — January 18, 2009 #

  55. Download the avenger file to your Desktop, right-click avenger and select Extract.

    Comment by Patrik — January 18, 2009 #

  56. I found seneka but it comes up as a temp file. I looked on my computer none of the regs are in there.
    When I try to remove it, everything I try shuts down my computer. I tried all the software on this and many other sites. I use McAfee and a couple other malware things; shredders don’t work. And I have too much stuff to reload.

    Comment by jeff — January 20, 2009 #

  57. YOU ARE THE BESTTTTTTTTTTTTTT!!!!!!!!!!!!!!!!!!

    thanks for sharing

    Comment by Mike-O — January 20, 2009 #

  58. Jeff, read and follow these steps.

    Comment by Patrik — January 21, 2009 #

  59. Thank you veryyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy much. really you are Brilliant.
    You save many computers.

    Comment by Ehab — January 22, 2009 #

  60. Thank you so much. My pc got so jammed up I couldn’t download Avenger or Malware. So I downloaded them to a USB memory stick on another PC and then booted them on the infected PC from the stick… Brilliant, got on and followed your excellent instructions. Now working again properly.
    I don’t understand why an up to date McAfee didn’t sort it out first, it’s supposed to.
    Anyway thanks again for well worded instructions

    Comment by Huw — January 27, 2009 #

  61. THANK YOU!!!!
    after downloading every other software known to man, i found this site. followed your easy to follow instructions and with the help of Avenger/Malware i got rid of “spyware protect 2009″. i really appreciate your time and effort you have put into this!
    my sanity…..you saved it

    Comment by David — January 27, 2009 #

  62. Thanks for the fix! You said their goal was to trick us into buying their fake antispyware right? So why can’t we track where the money is sent to and catch them?

    Comment by Derek — January 28, 2009 #

  63. i use Stopzille and it find Vundo.p How can i remove it?

    Comment by AJ — January 28, 2009 #

  64. Derek, its not simple task. They use offshore billing.

    Comment by Patrik — January 28, 2009 #

  65. AJ, if your computer infected with trojan Vundo, then follow these steps.

    Comment by Patrik — January 28, 2009 #

  66. LOOKS GOOD

    Comment by Bho — January 28, 2009 #

  67. i LIKE IT

    Comment by Bho — January 28, 2009 #

  68. Love you man!
    Very straight forward.

    Comment by Tony — January 29, 2009 #

  69. Thank you so much. My pc got so jammed up I couldn’t download Avenger or Malware. So I downloaded them to a USB memory stick on another PC and then booted them on the infected PC from the stick… Brilliant, got on and followed your excellent instructions. Now working again properly.
    Thank you very much for sharing!

    -Rondo-
    from Budapest (HUNGARY)

    Comment by Rondo — February 1, 2009 #

  70. Ok, I took everything written above into account, downloaded mbam and spyware doctor (mbam finds nothing, spyware doc finds Trojan.TDSServ but is completely incapable of fixing it). Interesting thing is that there are no drivers to disable at all (in non plug n play drivers). I even did full win xp reinstall afterwards (formatted C only though, other two partitions were left as before – is that the trick?). Anyway, after reinstall I still can’t access disks through shortcuts (says something like cannot find RECYCLER\\S-8-3-79-10009757-100013345-100016285-5959.com), though explore works on them nicely. Spyware doc still detects same trojan. All this happens on another desktop that has no link to the internet, but my computer does so I downloaded programs and installed them on that machine using USB stick.
    How can this thing be so persistent? I’m thinking about completely replacing that machine’s HDD with a new one (it is only 80Gb and quite old). Just don’t tell me that this stupid Trojan hides itself on the motherboard through some incredible hacker’s magic…
    Anyway, some info can be useful, and well, I’m mostly interested if full format of all 3 partitions can remove that pest. Luckily, that other machine was mostly gaming desktop, so it didn’t have much in a way of important data…

    Comment by Rexus — February 1, 2009 #

  71. Looks like your computer was reinfected with autorun.inf trojan (probably you have attached infected usb drive). Please follow these steps.

    Comment by Patrik — February 1, 2009 #

  72. It was actually an innocent looking keygen that caused the infection. And about steps to solution…there are no drivers (in non plug n play drivers), avenger reports an error (could not set driver image path) after reboot in txt file, then computer reboots itself all of a sudden (really fast after i see avenger’s report) BUT!, mbam finds 2 infections afterward and i removed them…do I have to manually remove those %system%TDsomething files too? (where to find them anyway?)

    Comment by Rexus — February 1, 2009 #

  73. Yeah I found where those files on the list are supposed to be, and there are none of those listed in step 3…mbam supposedly removed infections, but spyware doc still reports them. Also, now it sometimes reports that it blocked access attempt to some Trojan-PWS.Bancos.PWN…

    What is going on? The TDSServ that I’m tampering with is like some ghost version, I can’t find any drivers or files mentioned in steps 1 and 3…Symptoms persist. Just tell me if full disk format will do the trick, it is a perfectly viable option for me.

    Comment by Rexus — February 1, 2009 #

  74. Rexus, please follow these steps. I will check you computer.

    Comment by Patrik — February 1, 2009 #

  75. hi there, it’s been a while now that i get this TDSSERV thing coming back everyday and i keep deleting it, i get registry entries that keeps coming back, none of the files listed in step 1 and step 3 are present… please help!

    Comment by DrumHeadz83 — February 3, 2009 #

  76. DrumHeadz83, please follow these steps.

    Comment by Patrik — February 3, 2009 #

  77. Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:21:51 AM, on 2/4/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Comment by DrumHeadz83 — February 4, 2009 #

  78. DrumHeadz83, please make a new topic at Spyware removal forum and include your HijackThis log in to your message.

    Comment by Patrik — February 4, 2009 #

  79. It would seem that blasted thing is removed; machine is working without problems for several days now…seems that mbam combined with spyware doc fixed it, though I still can’t access disk partitions via shortcuts (must use explore). Other than that, it’s OK. Oh, and I did have an infected USB (ended up in trash can, it’s several years old 256 mb stick) that I used to transfer stuff to the other computer… lack of antivirus program on that machine complicated things. Anyway if things go haywire again I’ll post HijackThis log on the forum…thanks for the help

    Comment by Rexus — February 4, 2009 #

  80. Okay. So again what if the list of files/drivers given at the top aren’t listed? This is frustrating. Why does nobody simply tell you what files are to be found instead of saying …

    Comment by Leech — February 13, 2009 #

  81. Leech, looks like a new version of TDSSserv trojan is not listed in the drivers list. Skip step 1 and go to step2 or follow these steps.

    Comment by Patrik — February 13, 2009 #

  82. Thanks for the great help, one new thing to add, rename the installer .exe and the program .exe to a random name.exe of the Malware’s util

    Comment by Sam — February 16, 2009 #

  83. I’m trying to follow this procedure but fail at the first step as I can’t access the device manager. When I ‘right click’ my computer I can click the properties section but nothing happens so I can’t even do step one. Any help would be great as this is getting horrendous. Thanks

    Comment by Paul — February 21, 2009 #

  84. Paul, skip first step.

    Comment by Patrik — February 21, 2009 #

  85. Everythings going fine apart from needing to purchase MalwareremovalBot, now I’ve got no qualms about doing that but for some reason my payment can’t be processed so I’m stuck again. is there a free trial version I can use?

    Comment by Paul — February 21, 2009 #

  86. MalwareremovalBot is not Malwarebytes Anti-malware. When you have opened Malwarebytes Antimalware page, then scroll down for a download link.

    Comment by Patrik — February 21, 2009 #

  87. My bad, I’ve d/l the proper one & its fixed some problems but there’s still nothing in the control panel :(

    I’ve pasted a hijackthis log here http://myantispyware.com/forum/post6344.html#6344

    Any help would be greatly accepted, thanks

    Comment by Paul — February 21, 2009 #

  88. Very strange I post here & it appears that I’ve double posted but my posts disappear until I post a new one then they all show up again (until I visit the page again & they’ve gone again)

    Comment by Paul — February 21, 2009 #

  89. We have gotten to the point where the malwarebytes is to remove the offenses but it wants us to buy the program to do so. Did the rest of you have to buy the $30 program to remove this mess?

    Comment by Anna — February 27, 2009 #

  90. Anna, you have made a mistake, looks like you have downloaded a Malwareremovalbot, its not Malwarebytes Anti-malware. When you have opened Malwarebytes Anti-malware page, then scroll down for a download link.

    Comment by Patrik — February 27, 2009 #

  91. Thank you so much!!!!! I couldn’t get Malwarebytes to work until I got Avenger…it really saved the day…thanks again!!

    Comment by starla — March 11, 2009 #

  92. when i click on the “non-plug and play drivers” the trojan isn’t there. what do i do?
    Can someone please help me!!!??

    Comment by estevao — March 14, 2009 #

  93. estevao, then skip the first step.

    Comment by Patrik — March 14, 2009 #

  94. you should skip the bs and just dl malwarebytes. only thing that worked as i could not find the drivers in plug and play and avenger didn’t work. i did a scan with malwarebytes and can you believe it? its fixed thank the good nonexistent lord!

    Comment by snatchgrab — March 18, 2009 #

  95. How much success have people had with putting the infected hard drive in another computer as a slave then being able to run Malwarebytes and virus software on the slaved drive?

    Comment by Mike — March 18, 2009 #

  96. Mike, using that method you can remove only infected files, but can’t fix malware registry entries.

    Comment by Patrik — March 19, 2009 #

  97. Thanks for the response.

    Is getting rid of the infected files usually enough to get Malwarebytes, Spybot to then launch?

    Any way to load the registry on the slave drive?

    Comment by Mike — March 19, 2009 #

  98. P.S.

    The biggest problem I’m encountering is that when a machine is infected, it prevents anything from running i.e. combofix,mbam, spybot etc. The old tricks of renaming the executable or launch in compatibility mode don’t seem to work anymore.

    Comment by Mike — March 19, 2009 #

  99. Malwarebytes is a minimum, scan a drive also with any good antivirus or online scanner.

    No way to load the registry, but after removing infected files, insert a drive to back, boot computer in the safe mode and perform a scan with Malwarebytes.

    Comment by Patrik — March 19, 2009 #

  100. Here’s a new trick :) Use Recovery console for disabling hidden trojan drivers. It really works.

    Comment by Patrik — March 19, 2009 #

  101. for getting malwarebytes to work, i finally had success going into windows explorer, finding the mbam.exe file, and manually changing the extension to mbam.bat … i then clicked on it, and if finally loaded…

    this, after changing the setup file name just to get it to install…

    Comment by Jeff — March 31, 2009 #

  102. This is a persistent one.

    Like someone mentioned previously i had to resort to a full rebuild and reformat of C: but i left the other partition D: alone as it just has music and pictures on. (and a virus perhaps)

    Restart and reinstall of Spyware Doctor and in installing the SP3 it blocks TDSServ – great. Do the steps 1 to 3 above and after the avenger execute step it crashes and Spyware Doc blocks another Trojan. PWS.Bancos.PWN so now going to Hijack this for more help…

    Comment by Barrett — April 5, 2009 #

  103. I downloaded and installed Avenger; copy script and then Execute – then a warning from Spyware Doctor saying Trojan.PWS.Bacons was blocked. Also, MBAM didn’t find anything wrong, although Spyware Doctor reported 3 TDSServ infections… Any suggestions?
    Thnx…

    Comment by Dan — April 12, 2009 #

  104. Dan, it’s a false alert. Please disable Spyware Doctor before running Avenger.

    Comment by Patrik — April 13, 2009 #

  105. i can’t locate the files from the list of drivers from step 1. every 5 secs a box appears saying ‘the virus scanner detected a trojan but could not remove it’ file: c:\windows.explorer.exe, trojan: tdssserv.q.
    Someone please help, i can’t get rid of it.

    Comment by Graham — April 16, 2009 #

  106. Graham, please follow these steps.

    Comment by Patrik — April 16, 2009 #

  107. Graham, I have the same exact problem and it just appeared on my laptop yesterday.

    I tried malware to scan it but malware didn’t find anything. I already posted my HJT log. Hopefully I can get some help soon.

    Comment by Jenson — April 17, 2009 #

  108. I cannot find any of the following when I get this far

    In the list of drivers right click TDSSserv.sys or TDSSxyz.sys where xyz are random characters, clbdriver.sys, gaopdxserv.sys, seneka or seneka.sys.

    Can anyone help? is it under anything else?

    Comment by Rob — April 17, 2009 #

  109. I obviously have the TDSSServ.Q – my antivirus NORM is reporting explorer.exe to be contaminated.

    But I don’t have any of the named hidden drives in Device Manager and therefore can’t disable anything there.

    This leads to MBAM not finding anything :(

    What to do??

    Comment by Martin — April 17, 2009 #

  110. sorry, I didn’t pay attention that newest posts were at the bottom :)

    Comment by Martin — April 17, 2009 #

  111. i have the same problem as martin, can anyone help me?

    Comment by jaimy — April 17, 2009 #

  112. Hiya! I have exactly the same problem as Martin… do we have to wait for the virus to be installed? I was thinking, cause my Norm says that it can’t delete the virus but that my system is not infected, but then i ran a scan, and it said that there was a trojan in my hard drive, so i suppose is that one. It may be that it needs to install first for it to appear? I’m confused, but i’m also scared to use my computer for important things…

    Comment by Angel — April 17, 2009 #

  113. I got the TDSSServ.Q yesterday, 16 of april. When I log in the screen gets black, but the white arrow mouse is seeing. And when I press ctrl+alt+delete the mask manager works. When I then login with my guest account at vista I get into system. But then i noticed that the Fxxxxg virus has knocked out the network. I use Norman antivirus and it can’t fix this.
    Please help, Marcus from Sweden

    Comment by Marcus — April 17, 2009 #

  114. had the same problem. seems like a false alarm occured in norman these last days:
    http://eforum.idg.se/viewmsg.asp?entriesid=1135811
    (in swedish)

    Comment by Maria — April 19, 2009 #

  115. Maria, yes, looks like it is a false alert.

    Comment by Patrik — April 19, 2009 #

  116. I used the Malwarebytes Anti-Malware, it’s found viruses and deleted them. My antivirus and defender were updated. Cool, I reboot my computer, open Explorer, and my AntiVir says I’ve got a SAME virus. I scanned again my computer, but Malwarebytes Anti-Malware didn’t find anything. What I Should do now?

    Comment by a — May 19, 2009 #

  117. Probably your computer infected with autorun.inf trojan. Try Flash Disinfector or ask help at our forum.

    Comment by Patrik — May 20, 2009 #

  118. Thank you Patrick, you are a gentleman and a scholar. I have been struggling with this for the last 12 hours, it is 3 a.m. and I’m very sleepy. Spyware Doctor first detected that I had 2 trojans (Trojan.TDDSServ + Trojan.DNS_Changer) which were put into quarantine. But still my PC was going crazy. My comp. usage was at 100% and was running very slow. All of my anti-virus were disabled (Norton, MBAM, SuperAntiSpyware) but Spyware Doc still ran but did not pick up the hidden driver, which in my case was named \

    Comment by Edd — May 30, 2009 #

  119. Just a follow up to my post yesterday. Although Avenger removed the hidden driver and all my antivirus programs were reactivated, each time I rebooted my PC SuperAntiSpyware was picking up the virus again. I did more googling and came up with a program called unhijackthis. The software can be used for free on a 30-day fully featured trial. It is simple to use and finally has freed me of this virus. I hope this helps anyone still struggling with this.

    Comment by Edd — May 31, 2009 #

  120. IMPORTANT: it’s me again, the software I used is UNHACKME, sorry. If you would like to edit my last post Patrick, my mind’s gone a bit numb fighting this virus, Edd

    Comment by Edd — May 31, 2009 #

  121. Thank you very much. What a step by step explanation. It is of great help.

    Comment by Anand — June 22, 2009 #

  122. It didn’t work for me. When I tried the 1st step of right clicking Properties of My Computer it keeps showing C:\WINDOWS\system32\rundll32.exe, and it does the same thing when I try to click an option in my Control Panel. Plz help

    Comment by sergio — August 23, 2009 #

  123. Sergio, skip the first step.

    Comment by Patrik — August 23, 2009 #

  124. Hi guys! Firstly just got to say a big thank you and what a great site. I just removed that dreaded Google installer, I thought I was looking at a format and software re-build, keep up the great work, Sean

    Comment by Sean — December 9, 2009 #

  125. Thanks a lot for the instructions, works for me…

    Comment by john — January 16, 2010 #

  126. Dude, I’ve had this freaking virus for MONTHS, and neither McAfee nor AVG could get rid of it. Just found these instructions, and now it’s gone. THANKS MAN!

    Comment by Anjelica — February 10, 2010 #

  127. Thanks man! Your instructions are a life saver.

    Comment by TJ — March 8, 2010 #

  128. Thank you so much!

    After I figured out how to remove Antivirus XP 2010, I still could not update my Malwarebytes and all the other antivirus programs. The TDSSkiller worked and now I can update, scan, and be rid of these POS!

    Comment by Marike — March 17, 2010 #

  129. Hi, it is telling me that the cure has failed – what do I do now? I have Windows 7.

    Comment by Faith Fulcher — March 21, 2010 #

  130. Try running TDSSKiller once again; if it does not help, then open a new topic in our Spyware removal forum.

    Comment by Patrik — March 21, 2010 #

  131. Patrik, you are awesome! I think that program you recommended took care of it. It found some infected file and then after reboot, I did another scan (it didn’t come up with anything). My computer still moves rather slow but at least, I am no longer getting the Tidserv warnings from Norton anymore and I can visit websites again that were blocked before (not to mention the svchost.exe spikes are gone). Thank you very much again for being one of the good guys and sharing your knowledge with us. This site will be the first one I recommend to anyone else I know who has any problems in the future.

    Comment by Jack — March 25, 2010 #

  132. ~{Backdoor.Tidserv!inf}~ TDSSkiller nailed it.
    Just wanted to say thank you! I have been chasing this bug for about two weeks. After trying numerous programs that got rid of, or contained, portions of it – this wiped it out very quickly. I was able to connect to Windows Update and use Windows Defender, both of which the virus disabled. Thank you for the easy to follow instructions… {Dave}

    Comment by Dave D. — March 25, 2010 #

  133. Thanks – been trying to suss this out for 2 nights. Removal tool worked beautifully. Thank you!

    Comment by Dave F (NZ) — March 29, 2010 #

  134. Thank you! Thank you! Thank you! This is the only thing that worked. Hoping it’s gone for good

    Comment by E — April 2, 2010 #

  135. I’ve gone about trying to get the rootkits removed, but every program including these steps always ends with “program not compatible with x64 bit operating systems..” Any idea where to find a compatible and comparable fix?

    Comment by dabeachmon — April 3, 2010 #

  136. dabeachmon, have you tried running Malwarebytes?

    Comment by Patrik — April 4, 2010 #

  137. A total of about 15 minutes…now my cpu is back! Thanks.

    Comment by tonganboi — April 11, 2010 #

  138. Help, please! I can’t download TDSSkiller, and my computer restarts when I want to run Malwarebytes’ Anti-Malware! Also, avast! seems to be turned off, and I can’t turn it on!

    Comment by Tia — April 14, 2010 #

  139. Tia, try Safe Mode with Networking to download TDSSKiller. Also you can use another PC to download this file and move it using a flash drive or CD to your computer.

    Comment by Patrik — April 14, 2010 #

  140. If I follow these directions will this nasty virus/trojan or whatever it is stop redirecting me to other websites every time I type something in and click on a link on any search engine I get on?? Please seriously I’ve had this problem since the following Sunday and the website redirects are very annoying!!!

    Comment by MJ — April 14, 2010 #

  141. MJ, yes, it looks like your computer is infected with the TDSS trojan, then TDSSKiller should fix your problem.

    Comment by Patrik — April 15, 2010 #

  142. I can’t download the TDSS Killer, even whilst in Safe Mode with Networking. Noticed I could download on another PC and transfer. Would I have to download the TDSS Killer even then? Or could I go straight to Malwarebytes?

    Comment by Sam — April 17, 2010 #

  143. Sam, try running Malwarebytes. If it’s blocked, then you need to use TDSSKiller.

    Comment by Patrik — April 18, 2010 #

  144. Will this same removal process work with the virus Win32/Alureon.H? It is slightly different to the F version.
    It does the same thing as in: search results redirects to non related sites etc. Thanks for your feedback in advance.

    Comment by Nick — May 13, 2010 #

  145. Nick, yes try the instructions.

    Comment by Patrik — May 15, 2010 #

  146. My avast! 5 found today some kind of template attached to mbam.exe and put the file in quarantine. I want to know about this kind of shell exploit found by avast… thank you very much!

    Comment by catguy — May 31, 2010 #

  147. catguy, probably your computer is infected with a virus like Virut. Scan your computer with Kaspersky online scanner.

    Comment by Patrik — June 1, 2010 #

  148. I think this is exactly what I need, but the program refused to run with my x64 processor. I have Windows 7, intel core i3. I NEED HELP!

    Comment by Jabberwocky — June 15, 2010 #

  149. Jabberwocky, start a new topic in our Spyware removal forum. I will check your PC.

    Comment by Patrik — June 16, 2010 #

  150. I was having a problem for 2 wks trying to remove the trojan. I tried everything on the web. This was the only program that worked.

    Comment by Nae — June 16, 2010 #

  151. I am having a problem removing TDSS from a client’s computer. Following your excellent instructions, I downloaded and ran TDSSKiller, version 2.3.2.2 (6/30/2010). Results: Services – none found; Drivers – c:\Windows\System32\Drivers\ACPIEC.sys infected by TDSS Rootkit. Said it would be cured with reboot. Upon reboot, first time hung on Windows splash screen with progress bar cycling. After 5-10 minutes I forced power off. Powered back on, got Blue Screen IRQL_NOT_LESS_OR_EQUAL
    Stop 0x0000000A (0x00000101, 0x00000002, 0x00000001, 0x806E6A2A). Powered off and tried again. Blue Screen again with all the same numbers except the first number in parentheses was 0x7153624F. Attempted to start in safe mode, Blue Screen again 0x0000000A (0x00000001, 0x00000002, 0x00000001, 0x80701A2A). Booted again using Last Known Good Configuration and booted ok but of course Mal/TDSSRt-A was back. Ran TDSSKiller again with similar results (Blue Screen on first reboot after TDSSKiller) but slightly different register numbers reported. Help, please.

    Comment by Bill Clemens — July 21, 2010 #

  152. Bill, open a new topic in our Spyware removal forum. I will help you.

    Comment by Patrik — July 22, 2010 #

  153. POSSIBLE SNAGS & FIXES: Snag 1 – The trojan didn’t allow me to download tdsskiller (wouldn’t allow access to the site) via your link. FIX 1 – I downloaded it onto a flash drive via another PC. Snag 2 – When I tried 3 times to copy it over to the infected PC, each time the trojan allowed only a corrupted file or a shell of one (0 KB in size). FIX 2 – Fool the trojan by renaming the tdsskiller exe file while it’s on the flash drive before moving it over to the infected PC. (I used iomega.exe) After that, there should be no problem running it as in the aforementioned instructions.
    Thank you so much for your help. This trojan was sure a tough little bas…rd to contend with.
    Best of luck to everyone.
    Desorow

    Comment by Desorow — August 3, 2010 #

  154. I have screwed around with this thing for 2 months. I followed your advice & it is fixed! Thank you!!!

    Comment by mb — August 5, 2010 #

  155. Dear Patrik,
    Can I copy my MS Word, Excel, JPEG, movie files onto a flash drive & onto another laptop safely? Does this trojan infect data files, or only system files? You told someone that their pen drive might be infected… can that happen if they copy pictures, etc., or only if they copy Windows files, other system files? Please let me know ASAP! Many thanks.

    Comment by aiman — September 22, 2010 #

  156. aiman, the trojan doesn’t infect any files.

    Comment by Patrik — September 25, 2010 #

  157. Hi, I scanned my CPU with the program you told me, but it found nothing, but I think I still have the virus as I keep getting redirected.

    Comment by Lij — September 30, 2010 #

  158. Lij, probably your computer is infected with another version of redirect trojan. Start a new topic in our spyware removal forum. I will help you to remove this malware.

    Comment by Patrik — September 30, 2010 #

  159. Your instructions helped me get rid of TDSS – thanks so much.

    Comment by B — December 5, 2010 #

  160. Hi, I tried to run TDSSKiller but my computer says that the file is infected and cannot be opened. I tried renaming the file on a USB stick and copying it to my computer but it still did the same thing. I also tried running it in Safe Mode (not sure if that would work) but the program would not even run. Do I have TDSS or is it something else? Thanks for your help.

    Comment by BA — January 3, 2011 #

  161. BA, looks like a malware blocks TDSSKiller from running. Start a new topic in our Spyware removal forum. I will try to help you.

    Comment by Patrik — January 4, 2011 #

  162. Wanted to share:
    I work for a small IT dept. One of the girls called me from BstBy. Said she took her computer in and they found a virus (TDSSServ, it turned out).
    She said they wanted to charge her $200 for the cleaning. I stopped her and had her bring it to me. I followed your instructions and her computer is working again.
    Thank you

    Comment by Scott — January 25, 2011 #

  163. I have read comments that some of the older TDSS cures such as (perhaps) this one will not work properly with Windows 7. I have Windows 7 with the first major update (downloaded from Microsoft).

    Will using the fix on this website work with my computer, or crash it?

    Comment by John van Gelderen — April 5, 2011 #

  164. John, TDSSKiller supports all Windows 32-bit and 64-bit systems.

    Comment by Patrik (Myantispyware admin) — April 7, 2011 #

  165. How long does it take for TDSSKiller to scan for the virus?

    Comment by D615 — April 28, 2011 #

  166. D615,
    a few minutes.

    Comment by Patrik (Myantispyware admin) — May 1, 2011 #

  167. McAfee found the Trojan. I downloaded the Trojan killer, ran it, but nothing was found to get rid of. Now what?

    Comment by nick — May 11, 2011 #


My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.