MyAntiSpyware

How to remove TDSS, Backdoor.Tidserv, Alureon trojan/rootkit

Myantispyware team November 5, 2008    

The TDSS trojan, also known as Backdoor.Tidserv [PCTools], Backdoor.Tidserv.I!inf [Symantec], Rootkit.Win32.TDSS.y [Kaspersky Lab], Patched-SYSFile.a [McAfee], Mal/TDSSRt-A [Sophos] and Virus:Win32/Alureon.F [Microsoft], is very dangerous. It gets onto your computer through a vulnerability in an already installed program (mostly Internet Explorer) or with the help of rogue antispyware programs. TDSS uses rootkit techniques designed to hide its presence in the system. Standard Windows tools practically never detect it: you will not find its files on the disk, nor its entries in the Windows registry.

When installed, it is configured to start automatically when Windows starts. While it is running, the TDSS (Backdoor.Tidserv, Alureon) trojan may:

  • display a lot of popups and fake security alerts
  • hijack Internet Explorer
  • redirect search results in Google, Yahoo, MSN to unrelated sites
  • block access to security websites
  • disable Windows Task Manager, Windows Security Center and Registry editor

What is more, the TDSS, Backdoor.Tidserv, Alureon trojan blocks many antivirus and antispyware programs from running, including Malwarebytes Anti-Malware. It is also usually installed together with rogue antispyware programs.

If your computer is infected with the trojan, use the removal instructions below, which will remove the TDSS, Backdoor.Tidserv, Alureon trojan and any associated malware for free.

Symptoms in a RootRepeal Log

Hidden Services
——————-
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTnfvywoxwtx.sys
Service Name: _VOIDd.sys
Image Path: C:\WINDOWS\system32\drivers\_VOIDaabmetnqbf.sys

Use the following instructions to remove TDSS, Backdoor.Tidserv, Alureon trojan.

1. Use TDSSKiller by Kaspersky Lab to detect and remove the rootkit.
2. Use Malwarebytes Anti-Malware to remove malware associated with the TDSS, Backdoor.Tidserv, Alureon rootkit.

1. Use TDSSKiller by Kaspersky Lab to detect and remove the TDSS rootkit.

Download TDSSKiller from the following link.

TDSSKiller download link.

Right-click the downloaded file and select Extract all. Follow the prompts.

Open the TDSSKiller folder. Double-click the TDSSKiller icon to run it. You will see a screen like the one below.

tdsskiller main menu

Click the Start scan button to start the scanning and disinfection process. Once the process is complete, your computer will be rebooted.

2. Use Malwarebytes Anti-Malware to remove malware associated with the TDSS, Backdoor.Tidserv, Alureon rootkit.

Download MalwareBytes Anti-malware from the following link.

MalwareBytes Anti-malware download link.

Close all programs and windows on your computer. Double-click mbam-setup.exe to install the application. When the installation begins, follow the prompts to continue. Do not change the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, you will see a window similar to the one below.

mbam scanning

Click the Scan Now button. It will start scanning your computer for malware associated with the TDSS, Backdoor.Tidserv, Alureon infection. This procedure can take some time, so please be patient.

When the scan is complete, you will see a list of infected items similar to the one shown below. Note: the list of infected items may differ from what is shown in the image below.

mbam removes operatingsystemerror

Make sure that everything is checked, and click Remove Selected to start removing the malware associated with TDSS, Backdoor.Tidserv, Alureon. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.

Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.

TDSS, Backdoor.Tidserv, Alureon trojan creates the following files:

C:\Windows\System32\TDSS[RANDOM CHARACTERS].tmp
C:\Windows\System32\drivers\TDSS[RANDOM CHARACTERS].sys
C:\Windows\System32\TDSS[RANDOM CHARACTERS].sys
C:\Windows\System32\TDSS[RANDOM CHARACTERS].dat
C:\Windows\System32\TDSS[RANDOM CHARACTERS].log
C:\Windows\System32\TDSSserv.sys
C:\Windows\System32\TDSSerrors.log
C:\Windows\System32\TDSSservers.dat
C:\Windows\System32\TDSSl.dll
C:\Windows\System32\TDSSlog.
C:\Windows\System32\TDSSmain.dll
C:\Windows\System32\TDSSinit.dll
C:\Windows\System32\TDSSlog.dll
C:\Windows\System32\TDSSadw.dll
C:\Windows\System32\TDSSpopup.dll

TDSS, Backdoor.Tidserv, Alureon trojan creates the following registry keys and values:

HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\connections
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\injector
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\versions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys
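
Because the rootkit hides its files from the running system, an anti-rootkit scanner's log is a better place to look for these names than a directory listing. The following added example (not part of the original guide) parses a "Hidden Services" section laid out like the RootRepeal excerpt above and flags image paths that match the file patterns listed here; the function names, the alphanumeric reading of [RANDOM CHARACTERS] and the sample log are assumptions made for the illustration.

```python
import re

# Name prefixes taken from this page: TDSS (file list), H8SRT and _VOID (RootRepeal log).
# Assumption: the "[RANDOM CHARACTERS]" part is alphanumeric, so \w* covers it.
INDICATOR = re.compile(
    r"^[A-Z]:\\Windows\\System32\\(?:drivers\\)?"
    r"(?P<prefix>TDSS|H8SRT|_VOID)\w*\.(?:sys|dll|dat|log|tmp)$", re.IGNORECASE)

def parse_hidden_services(log_text):
    """Return (service_name, image_path) pairs from the 'Hidden Services' section."""
    pairs, name, in_section = [], None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Hidden Services":
            in_section = True
        elif not in_section or set(line) <= {"-", "\u2014"}:
            continue  # outside the section, a blank line, or a separator rule
        elif line.startswith("Service Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Image Path:") and name is not None:
            pairs.append((name, line.split(":", 1)[1].strip()))
            name = None
        else:
            in_section = False  # any other line is treated as the next section
    return pairs

def match_indicator(path):
    """Return the matching name prefix (upper-cased), or None if the path does not match."""
    m = INDICATOR.match(path.strip())
    return m.group("prefix").upper() if m else None

def flag_services(log_text):
    """Return (service, image_path, prefix) for hidden services matching the patterns."""
    pairs = parse_hidden_services(log_text)
    return [(n, p, match_indicator(p)) for n, p in pairs if match_indicator(p)]

# Constructed sample: the two entries shown on this page plus one made-up, non-matching entry.
SAMPLE_LOG = r"""
Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTnfvywoxwtx.sys
Service Name: examplesvc
Image Path: C:\WINDOWS\system32\drivers\example.sys
Service Name: _VOIDd.sys
Image Path: C:\WINDOWS\system32\drivers\_VOIDaabmetnqbf.sys
"""
```

The extension list keeps legitimate tools such as TDSSKiller's own executable from matching, and a hit is a lead to confirm with the scanner, not proof of infection.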


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

169 Comments

  1. Anand
    ― June 22, 2009 - 3:11 pm  Reply

    Thank you very much. What a step by step explanation. It is of great help.

  2. sergio
    ― August 23, 2009 - 12:35 pm  Reply

    It didn’t work for me. When I tried the 1st step of right clicking properties of my computer, it keeps showing C:\WINDOWS\system32\rundll32.exe, and it does the same thing when I try to click an option in my control panel. Please help.

  3. Patrik
    ― August 23, 2009 - 9:36 pm  Reply

    sergio, skip first step.

  4. Sean
    ― December 9, 2009 - 3:49 am  Reply

    Hi guys! Firstly, just got to say a big thank you and what a great site. I just removed that dreaded Google installer, I thought I was looking at a format and software re-build, keep up the great work, Sean

  5. john
    ― January 16, 2010 - 7:28 am  Reply

    thanks a lot for the instructions, works for me…

  6. Anjelica
    ― February 10, 2010 - 2:53 pm  Reply

    Dude, I’ve had this freaking virus for MONTHS, and neither McAfee nor AVG could get rid of it. Just found these instructions, and now it’s gone. THANKS MAN!

  7. TJ
    ― March 8, 2010 - 1:23 pm  Reply

    Thanks man! Your instructions are a life saver.

  8. Marike
    ― March 17, 2010 - 5:02 pm  Reply

    Thank you so much!

    After I figured out how to remove Antivirus XP 2010, I still could not update my Malwarebytes and all the other antivirus programs. The TDSSkiller worked and now I can update, scan, and be rid of these POS!

  9. Faith Fulcher
    ― March 21, 2010 - 11:50 am  Reply

    Hi it is telling me that the cure has failed – what do i do now. I have windows 7

  10. Patrik
    ― March 21, 2010 - 11:54 am  Reply

    Try running TDSSKiller once again. If it does not help, then open a new topic in our Spyware removal forum.

  11. Jack
    ― March 25, 2010 - 5:26 am  Reply

    Patrik, you are awesome! I think that program you recommended took care of it. It found some infected file and then after reboot, I did another scan (it didn’t come up with anything). My computer still moves rather slow but at least, I am no longer getting the Tidserv warnings from Norton anymore and I can visit websites again that were blocked before (not to mention the svchost.exe spikes are gone). Thank you very much again for being one of the good guys and sharing your knowledge with us. This site will be the first one I recommend to anyone else I know who has any problems in the future.

  12. Dave D.
    ― March 25, 2010 - 9:05 am  Reply

    ~{Backdoor.Tidserv!inf}~ TDSSkiller nailed it.
    Just wanted to say thank you! I have been chasing this bug for about two weeks. After trying numerous programs that got rid of, or contained portions of it – this wiped it out very quickly. I was able to connect to windows update and use windows defender, both of which virus disabled. Thank you for the easy to follow instructions….. {Dave}

  13. Dave F (NZ)
    ― March 29, 2010 - 7:30 am  Reply

    Thanks – been trying to suss this out for 2 nights. Removal tool worked beautifully. Thank you!

  14. E
    ― April 2, 2010 - 5:54 pm  Reply

    Thank you! Thank you! Thank you! This is the only thing that worked. Hoping it’s gone for good

  15. dabeachmon
    ― April 3, 2010 - 9:10 pm  Reply

    I’ve gone about trying to get the rootkits removed, but every program, including these steps, always ends with “program not compatible with x64 bit operating systems..” Any idea where to find a compatible and comparable fix?

  16. Patrik
    ― April 4, 2010 - 8:53 am  Reply

    dabeachmon, have you tried running Malwarebytes?

  17. tonganboi
    ― April 11, 2010 - 12:40 am  Reply

    A total of about 15 minutes…now my cpu is back! Thanks.

  18. Tia
    ― April 14, 2010 - 5:51 am  Reply

    Help, please! I can’t download TDSSkiller, and my computer restarts when I want to run Malwarebytes’ Anti-Malware! Also, avast! seems to be turned off, and I can’t turn it on!

  19. Patrik
    ― April 14, 2010 - 8:51 am  Reply

    Tia, try Safe mode with networking to download TDSSKiller. Also you can use another PC to download this file and move it using flash or cd disk to your computer.

  20. MJ
    ― April 14, 2010 - 10:08 pm  Reply

    If I follow these directions will this nasty virus/trojan or whatever it is stop redirecting me to other websites every time I type something in and click on a link on any search engine I get on?? Please seriously I’ve had this problem since the following Sunday and the website redirects are very annoying!!!

  21. Patrik
    ― April 15, 2010 - 8:30 am  Reply

    MJ, yes, it looks like your computer is infected with the TDSS trojan, so TDSSKiller should fix your problem.

  22. Sam
    ― April 17, 2010 - 7:42 pm  Reply

    I can’t download the TDSS Killer, even whilst in Safe Mode with Networking. Noticed I could download on another PC and transfer. Would I have to download the TDSS Killer even then? Or could I go straight to Malwarebytes?

  23. Patrik
    ― April 18, 2010 - 9:20 am  Reply

    Sam, try running Malwarebytes. If it’s blocked, then you need to use TDSSKiller.

  24. Nick
    ― May 13, 2010 - 8:32 am  Reply

    Will this same removal process work with the virus: Win32/Alureon.H ? slightly different to the F version.
    It does the same thing as in: search results redirects to non related sites etc. Thanks for your feedback in advance.

  25. Patrik
    ― May 15, 2010 - 7:29 am  Reply

    Nick, yes try the instructions.

  26. catguy
    ― May 31, 2010 - 12:37 pm  Reply

    My AVAST 5 found today some kind of template attached to mbam.exe and put the file in quarantine. I want to know about this kind of shell exploit found by avast….. ty very much!

  27. Patrik
    ― June 1, 2010 - 7:36 am  Reply

    catguy, your computer is probably infected with a virus like virut. Scan your computer with Kaspersky online scanner.

  28. Jabberwocky
    ― June 15, 2010 - 1:49 pm  Reply

    I think this is exactly what I need, but the program refused to run with my x64 processor. I have Windows 7, intel core i3. I NEED HELP!

  29. Patrik
    ― June 16, 2010 - 9:54 am  Reply

    Jabberwocky, start a new topic in our Spyware removal forum. I will check your PC.

  30. Nae
    ― June 16, 2010 - 9:00 pm  Reply

    I was having a problem for 2 wks trying to remove the trojan. I tried everything on the web. This was the only program that worked.
