TDSS trojan also known as Backdoor.Tidserv [PCTools], Backdoor.Tidserv.I!inf [Symantec], Rootkit.Win32.TDSS.y [Kaspersky Lab], Patched-SYSFile.a [McAfee], Mal/TDSSRt-A [Sophos], Virus:Win32/Alureon.F [Microsoft] is very dangerous. It installs onto your computer through a vulnerability in an already installed programs (mostly in InternetExplorer) or with the help of a rogue antispyware programs. Trojan TDSS uses rootkit-specific techniques designed to hide the software presence in the system. It is practically not detected by standard means Windows, you will not find its files on the disk, as well as writing about it in the Windows registry.
When installed, it will be configured to start automatically when Windows starts. While is running, TDSS (Backdoor.Tidserv, Alureon) trojan may:
- display a lot of popups and fake security alerts
- hijack Internet Explorer
- redirect search results in Google, Yahoo, MSN to non related sites
- block an access to security websites
- disable Windows Task Manager, Windows Security Center and Registry editor
What is more, TDSS, Backdoor.Tidserv, Alureon trojan blocks the ability to run a lot of antivirus and antispyware programs, including Malwarebytes Anti-Malware. Also it is usually installed in conjunction with a rogue antispyware programs.
If your computer is infected with the trojan, then use these removal instructions below, which will remove TDSS, Backdoor.Tidserv, Alureon trojan and any associated malware for free.
Symptoms in a RootRepeal Log
Hidden Services
——————-
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTnfvywoxwtx.sys
Service Name: _VOIDd.sys
Image PathC:\WINDOWS\system32\drivers\_VOIDaabmetnqbf.sys
Use the following instructions to remove TDSS, Backdoor.Tidserv, Alureon trojan.
1. Use TDSSKiler by Kaspersky lab to detect and remove a rootkit.
2. Use Malwarebytes Anti-malware to remove TDSS, Backdoor.Tidserv, Alureon rootkits associated malware.
1. Use TDSSKiler by Kaspersky lab to detect and remove the TDSS rootkit.
Download TDSSKiller from th link above.
Right click to it and select Extract all. Follow the prompts.
Open TDSSKiller folder. Double click the TDSSKiller icon to run it. You will a screen like below.
Click Start scan button to start scanning and disinfection process. Once the process is complete, your computer will be rebooted.
2. Use Malwarebytes Anti-malware to remove TDSS, Backdoor.Tidserv, Alureon rootkits associated malware.
Download MalwareBytes Anti-malware from the following link.
MalwareBytes Anti-malware download link.
Close all programs and Windows on your computer. Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see window similar to the one below.
Click Scan Now button. It will start scanning your computer for TDSS, Backdoor.Tidserv, Alureon infection associated malware. This procedure can take some time, so please be patient.
When the scan is complete you will see a list of infected items similar as shown below. Note: list of infected items may be different than what is shown in the image below.
Make sure that everything is checked, and click Remove Selected for start TDSS, Backdoor.Tidserv, Alureon associated malware removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
TDSS, Backdoor.Tidserv, Alureon trojan creates the following files:
C:\Windows\System32\TDSS[RANDOM CHARACTERS].tmp
C:\Windows\System32\drivers\TDSS[RANDOM CHARACTERS].sys
C:\Windows\System32\TDSS[RANDOM CHARACTERS].sys
C:\Windows\System32\TDSS[RANDOM CHARACTERS].dat
C:\Windows\System32\TDSS[RANDOM CHARACTERS].log
C:\Windows\System32\TDSSserv.sys
C:\Windows\System32\TDSSerrors.log
C:\Windows\System32\TDSSservers.dat
C:\Windows\System32\TDSSl.dll
C:\Windows\System32\TDSSlog.
C:\Windows\System32\TDSSmain.dll
C:\Windows\System32\TDSSinit.dll
C:\Windows\System32\TDSSlog.dll
C:\Windows\System32\TDSSadw.dll
C:\Windows\System32\TDSSpopup.dll
TDSS, Backdoor.Tidserv, Alureon trojan creates the following registry keys and values
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\connections
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\injector
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\versions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys
Apparently there is a variant of TDSserv that does not respond to this treatment. The rootkit rewrites itself every time you boot windows. Avenger can\’t even find it on reboot and it does not exist in safe or recovery mode. It comes back to life only in real mode.
I have no complaints. I just wanted to let you know how amazingly good your instructions were. having searched high and low on the web your was the only answer that worked for me. Thanks so much and keep up the good work. This solution was excellent!
It appeared to work well…..found tdsserv when A*G, S*YBOT and P*STPATROL wouldn\’t…..ironically once it did tag it….A*G pops up and warns me of a infection. Thanks for the help.
Successful fix, and it was good that I was able to find it here, because most of the computers I have found with this version of the virus have had to be wiped and rebuilt.
Thank you so much for these instructions. I was pulling my hair out for two hours trying to kill this stupid thing!
Man am I glad I found your instructions. I have been successful cleaning the fake antivirus off machines before, but this rootkit nearly ate my lunch. Thanks for the help!
You need to use a combination of SDfix and superantispyware prelease version, the normal version apparently doesnt work.
SDfix must be run in safe mode.
Gato
thanks so much only thing that worked to kill the trojan.tdsserv virus thanks
thank so much it worked
AWWWWESOME PROGRAM..Thanks
this stuff really works. hell yeah…… that virus is long gone now.
This worked!!!Thank you!
Your the KING! I lost 2 hours of my life trying to unscrew this… your writeup had me back up in a short order. Thanks a bunch.
Thanks so much for this; mcafee, avg and spybot all failed to either detect or eliminate this flippin little pest, i really appreciate the help
Everything worked as u told me untill the instal process of the malware ended and it said:
Run-time error ‘372’:
Failed to load control vbalGird’ from vbalsgird6.ocx. Your version of valsgird6.ocx may be outdated and …
I see u know every tiny detail and u really know what this TDSsrv is about…
Please, I really need your help. thanks 😐
Matei, please follow these steps. I will help you.
Thanks so much, I as well spent hours trying to get rid of this until I found your post.
Great program. Completely nuked the TDSServ virus.
What erked me was that two supposedly Grade A security software apps in Spyware Doctor and NOD32 were quite useless in dealing with this pest.
Ahh, as most people have said, thank you.
thank you so much. it was really helpful
Wonderful. It really worked. Thanks
Thank you so much! You saved me from tearing all my hair out due to overwhelming stress hahaha.
I had the same problem, and Malwarebytes software wouldn’t run. But after disabling the driver and removing it per your instructions, I was about to use exterminateit! to remove it.
I spent over two days battling with this, trying all sorts of antivirus including avg and kapersky. This was such a malicious program, and hard to remove.
YOU MADE IT EASY. YOU HAVE MY UNDYING THANKS, AND I HAVE SAID A PRAYER FOR YOU.
Many thanx!!!
I was at a loss til I found your very helpful step by step guide!
Many thanks as others have said! I was totally lost until I found your post. Very easy to follow and do. Thanks again and Merry Christmas!!
Your a god thank yyou
Thank you so much!!! You are my hero! I was pulling my hair out with this nasty thing. Your instructions were perfect and did the trick!
Thank you so much, this was preventing me from running malware bytes. Once I removed this driver I was able to complete the system clean up. Once again, thanks!
Hey, just wanted to say, thanks so much for your fix, ..and after performing it, i can now run the malwarebytes scan. I installed the malwarebytes in a arbitrary location after using your fix, and then scanned. thankyou!!
Your a god, Nothing else to say.
Saved me from 27 Trojans.