MyAntiSpyware

How to remove TDSS, Backdoor.Tidserv, Alureon trojan/rootkit

Myantispyware team November 5, 2008    

The TDSS trojan, also known as Backdoor.Tidserv [PCTools], Backdoor.Tidserv.I!inf [Symantec], Rootkit.Win32.TDSS.y [Kaspersky Lab], Patched-SYSFile.a [McAfee], Mal/TDSSRt-A [Sophos] and Virus:Win32/Alureon.F [Microsoft], is very dangerous. It gets onto your computer through a vulnerability in already installed programs (mostly in Internet Explorer) or with the help of rogue antispyware programs. The TDSS trojan uses rootkit techniques designed to hide its presence in the system. It is practically undetectable by standard Windows means: you will not find its files on the disk or its entries in the Windows registry.

When installed, it is configured to start automatically when Windows starts. While it is running, the TDSS (Backdoor.Tidserv, Alureon) trojan may:

  • display a lot of popups and fake security alerts
  • hijack Internet Explorer
  • redirect search results in Google, Yahoo, MSN to unrelated sites
  • block access to security websites
  • disable Windows Task Manager, Windows Security Center and Registry editor

What is more, the TDSS, Backdoor.Tidserv, Alureon trojan blocks the ability to run a lot of antivirus and antispyware programs, including Malwarebytes Anti-Malware. It is also usually installed in conjunction with rogue antispyware programs.

If your computer is infected with the trojan, use the removal instructions below, which will remove the TDSS, Backdoor.Tidserv, Alureon trojan and any associated malware for free.

Symptoms in a RootRepeal Log

Hidden Services
——————-
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTnfvywoxwtx.sys
Service Name: _VOIDd.sys
Image Path: C:\WINDOWS\system32\drivers\_VOIDaabmetnqbf.sys

Use the following instructions to remove TDSS, Backdoor.Tidserv, Alureon trojan.

1. Use TDSSKiller by Kaspersky Lab to detect and remove the rootkit.
2. Use Malwarebytes Anti-Malware to remove malware associated with the TDSS, Backdoor.Tidserv, Alureon rootkit.

1. Use TDSSKiller by Kaspersky Lab to detect and remove the TDSS rootkit.

Download TDSSKiller from the link below.

TDSSKiller download link.

Right-click it and select Extract all. Follow the prompts.

Open the TDSSKiller folder. Double-click the TDSSKiller icon to run it. You will see a screen like the one below.

tdsskiller main menu

Click the Start scan button to start the scanning and disinfection process. Once the process is complete, your computer will be rebooted.

2. Use Malwarebytes Anti-Malware to remove malware associated with the TDSS, Backdoor.Tidserv, Alureon rootkit.

Download MalwareBytes Anti-malware from the following link.

MalwareBytes Anti-malware download link.

Close all programs and windows on your computer. Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, you will see a window similar to the one below.

mbam scanning

Click the Scan Now button. It will start scanning your computer for malware associated with the TDSS, Backdoor.Tidserv, Alureon infection. This procedure can take some time, so please be patient.

When the scan is complete, you will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.

mbam removes operatingsystemerror

Make sure that everything is checked, and click Remove Selected to start removing the malware associated with TDSS, Backdoor.Tidserv, Alureon. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.

Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.

TDSS, Backdoor.Tidserv, Alureon trojan creates the following files:

C:\Windows\System32\TDSS[RANDOM CHARACTERS].tmp
C:\Windows\System32\drivers\TDSS[RANDOM CHARACTERS].sys
C:\Windows\System32\TDSS[RANDOM CHARACTERS].sys
C:\Windows\System32\TDSS[RANDOM CHARACTERS].dat
C:\Windows\System32\TDSS[RANDOM CHARACTERS].log
C:\Windows\System32\TDSSserv.sys
C:\Windows\System32\TDSSerrors.log
C:\Windows\System32\TDSSservers.dat
C:\Windows\System32\TDSSl.dll
C:\Windows\System32\TDSSlog.
C:\Windows\System32\TDSSmain.dll
C:\Windows\System32\TDSSinit.dll
C:\Windows\System32\TDSSlog.dll
C:\Windows\System32\TDSSadw.dll
C:\Windows\System32\TDSSpopup.dll

TDSS, Backdoor.Tidserv, Alureon trojan creates the following registry keys and values:

HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\connections
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\injector
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\versions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys
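
Because the rootkit hides its files and registry entries from standard Windows tools, the names above are best checked against an anti-rootkit log such as the RootRepeal excerpt earlier on this page. The script below is an added example, not part of the original guide or of any tool it mentions; the prefix list is an assumption drawn from the names on this page, and the sample log, including the benign `exampledrv` entry, is constructed.

```python
import re
from ntpath import basename  # Windows path rules on any OS

# Name prefixes seen on this page: the RootRepeal log (H8SRT, _VOID)
# and the file/registry lists (TDSS). Assumption: prefix + random suffix.
PREFIXES = ("tdss", "h8srt", "_void")

# Constructed sample in the layout of the RootRepeal excerpt above;
# the last entry is an invented benign driver used as a negative case.
SAMPLE_LOG = r"""Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTnfvywoxwtx.sys
Service Name: _VOIDd.sys
Image Path: C:\WINDOWS\system32\drivers\_VOIDaabmetnqbf.sys
Service Name: exampledrv
Image Path: C:\WINDOWS\system32\drivers\exampledrv.sys
"""

FIELD = re.compile(r"^\s*(Service Name|Image Path)\s*:\s*(.+?)\s*$", re.I)

def parse_hidden_services(log_text):
    """Return [(service_name, image_path)] from the Hidden Services section."""
    entries, name, in_section = [], None, False
    for line in log_text.splitlines():
        if line.strip().lower() == "hidden services":
            in_section = True
            continue
        m = FIELD.match(line) if in_section else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "service name":
            name = value
        elif name is not None:
            entries.append((name, value))
            name = None
    return entries

def matches_family(name):
    """True if the file name part starts with one of the page's prefixes."""
    return basename(name).lower().startswith(PREFIXES)

def flag_tdss(log_text):
    """Hidden services whose service or driver file name matches a prefix."""
    return [(svc, path) for svc, path in parse_hidden_services(log_text)
            if matches_family(svc) or matches_family(path)]

if __name__ == "__main__":
    for svc, path in flag_tdss(SAMPLE_LOG):
        print(f"suspicious hidden service {svc}: {path}")
```

A prefix match is only a triage heuristic: a hit means the entry deserves a scan with a dedicated tool, and no hit does not prove the system is clean.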

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

169 Comments

  1. Bill Clemens
    ― July 21, 2010 - 11:52 pm

    I am having a problem removing TDSS from a client’s computer. Following your excellent instructions, I downloaded and ran TDSSKiller, version 2.3.2.2 (6/30/2010). Results: Services – none found; Drivers – c:\Windows\System32\Drivers\ACPIEC.sys infected by TDSS Rootkit. Said it would be cured with reboot. Upon reboot, first time hung on Windows splash screen with progress bar cycling. After 5-10 minutes I forced power off. Powered back on, got Blue Screen IRQL_NOT_LESS_OR_EQUAL
    Stop 0x0000000A (0x00000101, 0x00000002, 0x00000001, 0x806E6A2A). Powered off and tried again. Blue Screen again with all same numbers except first number in parentheses was 0x7153624F. Attempted to start in safe mode, Blue Screen again 0x0000000A (0x00000001, 0x00000002, 0x00000001, 0x80701A2A). Booted again using Last Known Good Configuration and booted ok but of course Mal/TDSSRt-A was back. Ran TDSSKiller again with similar results (Blue Screen on first reboot after TDSSKiller) but slightly different register numbers reported. Help, please.

  2. Patrik
    ― July 22, 2010 - 11:51 pm

    Bill, open a new topic in our Spyware removal forum. I will help you.

  3. Desorow
    ― August 3, 2010 - 11:59 pm

    POSSIBLE SNAGs & A FIXes: Snag 1 – The trojan didn’t allow me to download tdsskiller (wouldn’t allow access to the site) via your link. FIX 1 – I downloaded it onto a flash drive via another PC. Snag 2 – When I tried 3 times to copy it over to the infected PC, each time the trojan allowed only a corrupted file or a shell of one (0 kbs in size). FIX 2 – Fool the trojan by renaming the tdsskiller exe file while it’s on the flash drive before moving it over to the infected PC. (I used iomega.exe) After that, there should be no problem running it as in the aforementioned instructions.
    Thank you so much for your help. This trojan was sure a tough little bas…rd to contend with.
    Best of luck to everyone.
    Desorow

  4. mb
    ― August 5, 2010 - 1:29 am

    I have screwed around with this thing for 2 months. I followed your advice & it is fixed! Thank you!!!

  5. aiman
    ― September 22, 2010 - 9:13 am

    Dear Patrik,
    Can I copy my MS Word, Excel, JPEGs, movie files onto flash drive & onto another laptop safely? Does this trojan infect data files? Or only system files? You told someone that their pen drive might be infected... can that happen if they copy pictures, etc., or only if they copy Windows files, other system files? Please let me know ASAP! Many thanks.

  6. Patrik
    ― September 25, 2010 - 8:27 am

    aiman, the trojan doesn’t infect any files.

  7. Lij
    ― September 30, 2010 - 12:56 am

    Hi, I scanned my CPU with the program you told me, but it found nothing, but I think I still have the virus as I keep getting redirected.

  8. Patrik
    ― September 30, 2010 - 2:05 pm

    Lij, probably your computer is infected with another version of redirect trojan. Start a new topic in our spyware removal forum. I will help you to remove this malware.

  9. B
    ― December 5, 2010 - 3:21 pm

    Your instructions helped me get rid of TDSS – thanks so much.

  10. BA
    ― January 3, 2011 - 10:34 pm

    Hi, I tried to run TDSSKiller but my computer says that the file is infected and cannot be opened. I tried renaming the file on a USB stick and copying it to my computer but it still did the same thing. I also tried running it in Safe Mode (not sure if that would work) but the program would not even run. Do I have TDSS or is it something else? Thanks for your help.

  11. Patrik
    ― January 4, 2011 - 9:24 am

    BA, looks like a malware blocks TDSSKiller from running. Start a new topic in our Spyware removal forum. I will try to help you.

  12. Scott
    ― January 25, 2011 - 4:03 pm

    Wanted to share:
    I work for a small IT dept. One of the girls called me from BstBy. Said she took her computer in and they found a virus (TDSSServ, it turned out).
    She said they wanted to charge her $200 for the cleaning. I stopped her and had her bring it to me. I followed your instructions and her computer is working again.
    Thank you

  13. John van Gelderen
    ― April 5, 2011 - 1:00 pm

    I have read comments that some of the older TDSS cures such as (perhaps) this one will not work properly with Windows 7. I have Windows 7 with the first major update (downloaded from Microsoft).

    Will using the fix on this website work with my computer, or crash it?

  14. Patrik (Myantispyware admin)
    ― April 7, 2011 - 10:22 am

    John, TDSSKiller supports all Windows 32-bit and 64-bit systems.

  15. D615
    ― April 28, 2011 - 2:49 am

    how long does it take 4 tdsskiller 2 scan 4 the virus?

  16. Patrik (Myantispyware admin)
    ― May 1, 2011 - 4:31 am

    D615,
    a few minutes.

  17. nick
    ― May 11, 2011 - 4:19 pm

    McAfee found the Trojan. I downloaded the Trojan killer, ran it, but nothing was found to get rid of. Now what?

  18. Jim
    ― October 31, 2011 - 12:28 am

    Hi, I see so many have been able to get rid of this trojan but I am having the same trouble as another fellow. I followed the plan exact and I do not see the black screen. It finds infected files but it is not a black screen. I then reboot and when I install malwarebytes and start to scan the scanner goes away like before. I know I have this trojan because I had AVG and it found it but crashed AVG and it has not worked since this happened. Is there any way you can help?
    Thanks

  19. martha
    ― November 19, 2011 - 12:46 pm

    I can’t open tdsskiller, please help. I’ve renamed it everything under the sun to try to help it avoid detection, but it only goes onto ‘this programme needs your permission to continue’ and when I give it permission nothing happens, literally nothing.
    So I downloaded combofix, temporarily disabled some antispyware stuff to let it run, renamed it etc – again, it gets to needing my permission, I give it permission and then it looks as though it is scanning something but then disappears, occasionally with a final beep, and one time it told me that something could not be found. That’s it. Please help me, it’s driving me insane.
