The TDSS trojan, also known as Backdoor.Tidserv [PCTools], Backdoor.Tidserv.I!inf [Symantec], Rootkit.Win32.TDSS.y [Kaspersky Lab], Patched-SYSFile.a [McAfee], Mal/TDSSRt-A [Sophos] and Virus:Win32/Alureon.F [Microsoft], is very dangerous. It installs onto your computer through a vulnerability in an already installed program (mostly Internet Explorer) or with the help of a rogue antispyware program. The TDSS trojan uses rootkit techniques designed to hide its presence in the system: it is practically undetectable by standard Windows means, and you will not find its files on the disk or its entries in the Windows registry.
When installed, it is configured to start automatically when Windows starts. While it is running, the TDSS (Backdoor.Tidserv, Alureon) trojan may:
- display a lot of popups and fake security alerts
- hijack Internet Explorer
- redirect search results in Google, Yahoo, MSN to non related sites
- block access to security websites
- disable Windows Task Manager, Windows Security Center and Registry editor
What is more, the TDSS, Backdoor.Tidserv, Alureon trojan blocks the ability to run a lot of antivirus and antispyware programs, including Malwarebytes Anti-Malware. It is also usually installed in conjunction with rogue antispyware programs.
If your computer is infected with the trojan, then use the removal instructions below, which will remove the TDSS, Backdoor.Tidserv, Alureon trojan and any associated malware for free.
Symptoms in a RootRepeal Log
Hidden Services
——————-
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTnfvywoxwtx.sys
Service Name: _VOIDd.sys
Image Path: C:\WINDOWS\system32\drivers\_VOIDaabmetnqbf.sys
Use the following instructions to remove the TDSS, Backdoor.Tidserv, Alureon trojan.
1. Use TDSSKiller by Kaspersky Lab to detect and remove the rootkit.
2. Use Malwarebytes Anti-Malware to remove the malware associated with the TDSS, Backdoor.Tidserv, Alureon rootkit.
1. Use TDSSKiller by Kaspersky Lab to detect and remove the TDSS rootkit.
Download TDSSKiller from the link above.
Right-click it and select Extract all. Follow the prompts.
Open the TDSSKiller folder. Double-click the TDSSKiller icon to run it. You will see a screen like the one below.
Click the Start scan button to start the scanning and disinfection process. Once the process is complete, your computer will be rebooted.
2. Use Malwarebytes Anti-Malware to remove the malware associated with the TDSS, Backdoor.Tidserv, Alureon rootkit.
Download Malwarebytes Anti-Malware from the following link.
Malwarebytes Anti-Malware download link.
Close all programs and windows on your computer. Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see a window similar to the one below.
Click the Scan Now button. It will start scanning your computer for the TDSS, Backdoor.Tidserv, Alureon infection and its associated malware. This procedure can take some time, so please be patient.
When the scan is complete you will see a list of infected items similar to the one shown below. Note: the list of infected items may be different from what is shown in the image below.
Make sure that everything is checked, and click Remove Selected to start the removal of the malware associated with TDSS, Backdoor.Tidserv, Alureon. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
TDSS, Backdoor.Tidserv, Alureon trojan creates the following files:
C:\Windows\System32\TDSS[RANDOM CHARACTERS].tmp
C:\Windows\System32\drivers\TDSS[RANDOM CHARACTERS].sys
C:\Windows\System32\TDSS[RANDOM CHARACTERS].sys
C:\Windows\System32\TDSS[RANDOM CHARACTERS].dat
C:\Windows\System32\TDSS[RANDOM CHARACTERS].log
C:\Windows\System32\TDSSserv.sys
C:\Windows\System32\TDSSerrors.log
C:\Windows\System32\TDSSservers.dat
C:\Windows\System32\TDSSl.dll
C:\Windows\System32\TDSSlog.
C:\Windows\System32\TDSSmain.dll
C:\Windows\System32\TDSSinit.dll
C:\Windows\System32\TDSSlog.dll
C:\Windows\System32\TDSSadw.dll
C:\Windows\System32\TDSSpopup.dll
TDSS, Backdoor.Tidserv, Alureon trojan creates the following registry keys and values:
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\connections
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\injector
HKEY_LOCAL_MACHINE\SOFTWARE\TDSSserv\versions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys
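As an added example (not part of the original post), the following Python script turns the file indicators listed above into name patterns and checks a directory listing against them. It assumes the "[RANDOM CHARACTERS]" part is letters and digits, and that the drive being checked is mounted offline (slaved into another machine), because on the live system the rootkit hides these files.

```python
import ntpath
import os
import re
from typing import Iterable, List

# Name patterns built from the indicators listed in this post. The
# "[RANDOM CHARACTERS]" part is assumed to be letters and digits; the
# H8SRT/_VOID prefixes come from the RootRepeal log excerpt above.
IOC_NAME_PATTERNS = [
    re.compile(r"^TDSS[a-z0-9]*\.(tmp|sys|dat|log|dll)$", re.IGNORECASE),
    re.compile(r"^H8SRT[a-z0-9]+\.sys$", re.IGNORECASE),
    re.compile(r"^_VOID[a-z0-9]+\.sys$", re.IGNORECASE),
]

def matches_ioc_name(filename: str) -> bool:
    """True if a bare file name matches one of the indicator patterns."""
    return any(p.match(filename) for p in IOC_NAME_PATTERNS)

def find_suspicious(paths: Iterable[str]) -> List[str]:
    """Keep only the Windows-style paths whose base name matches a pattern."""
    return [p for p in paths if matches_ioc_name(ntpath.basename(p))]

def scan_offline_drive(drive_root: str) -> List[str]:
    """Walk Windows\\System32 and its drivers folder on a slaved (offline)
    drive and return matching files. On the live infected system the rootkit
    hides these files, so this is only reliable against an offline drive."""
    system32 = os.path.join(drive_root, "Windows", "System32")
    hits = []
    for folder in (system32, os.path.join(system32, "drivers")):
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            full = os.path.join(folder, name)
            if os.path.isfile(full) and matches_ioc_name(name):
                hits.append(full)
    return hits

# Constructed sample listing (not a real capture): legitimate driver names
# mixed with names in the shape of the indicators above.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\drivers\H8SRTnfvywoxwtx.sys",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\TDSSmain.dll",
    r"C:\WINDOWS\system32\TDSSkb3f2.tmp",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\drivers\_VOIDaabmetnqbf.sys",
    r"C:\WINDOWS\system32\tdsskiller.exe",
]
```

Calling find_suspicious(SAMPLE_LISTING) returns the four indicator-shaped names and ignores tdsskiller.exe; point scan_offline_drive at the mount point of a slaved drive to check a real System32. Name matching only catches files that keep these naming shapes, so a rootkit scanner such as TDSSKiller is still needed for renamed variants.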
Thank you so much!!!!! I couldn’t get Malwarebytes to work until I got Avenger…it really saved the day…thanks again!!
When I click on the “non-plug and play drivers” the trojan isn’t there. What do I do?
Can someone please help me!!!??
Estevao, then skip the first step.
You should skip the bs and just dl Malwarebytes. Only thing that worked, as I could not find the drivers in plug and play and Avenger didn’t work. I did a scan with Malwarebytes and can you believe it? It’s fixed, thank the good nonexistent lord!
How much success have people had with putting the infected hard drive in another computer as a slave then being able to run Malwarebytes and virus software on the slaved drive?
Mike, using that method you can remove only the infected files, but can’t fix the malware registry entries.
Thanks for the response.
Is getting rid of the infected files usually enough to get Malwarebytes, Spybot to then launch?
Any way to load the registry on the slave drive?
P.S.
The biggest problem I’m encountering is that when a machine is infected, it prevents anything from running, i.e. ComboFix, MBAM, Spybot etc. The old tricks of renaming the executable or launching in compatibility mode don’t seem to work anymore.
Malwarebytes is the minimum; also scan the drive with any good antivirus or online scanner.
No way to load the registry, but after removing the infected files, put the drive back, boot the computer in safe mode and perform a scan with Malwarebytes.
Here is a new trick 🙂 Use the Recovery Console to disable hidden trojan drivers. It really works.
For getting Malwarebytes to work, I finally had success going into Windows Explorer, finding the mbam.exe file, and manually changing the extension to mbam.bat … I then clicked on it, and it finally loaded…
This, after changing the setup file name just to get it to install…
This is a persistent one.
Like someone mentioned previously I had to resort to a full rebuild and reformat of C:, but I left the other partition D: alone as it just has music and pictures on (and a virus perhaps).
Restart and reinstall of Spyware Doctor, and in installing SP3 it blocks TDSServ – great. Do steps 1 to 3 above and after the Avenger execute step it crashes and Spyware Doctor blocks another Trojan, PWS.Bancos.PWN, so now going to HijackThis for more help…
I downloaded and installed Avenger; copied the script and then Execute – then a warning from Spyware Doctor saying Trojan.PWS.Bacons was blocked. Also, MBAM didn’t find anything wrong, although Spyware Doctor reported 3 TDSServ infections… Any suggestions?
Thnx…
Dan, it’s a false alert. Please disable Spyware Doctor before running Avenger.
I can’t locate the files from the list of drivers from step 1. Every 5 secs a box appears saying ‘the virus scanner detected a trojan but could not remove it’ file: c:\windows.explorer.exe, trojan: tdssserv.q.
Someone please help, I can’t get rid of it.
Graham, please follow these steps.
Graham, I have the same exact problem and it just appeared on my laptop yesterday.
I tried malware to scan it but malware didn’t find anything. I already posted my HJT log. Hopefully I can get some help soon.
I cannot find any of the following when I get this far
In the list of drivers right click TDSSserv.sys or TDSSxyz.sys where xyz are random characters, clbdriver.sys, gaopdxserv.sys, seneka or seneka.sys.
Can anyone help? Is it under anything else?
I obviously have the TDSSServ.Q – my antivirus NORM is reporting explorer.exe to be contaminated.
But I don’t have any of the named hidden drivers in Device Manager and therefore can’t disable anything there.
This leads to MBAM not finding anything 🙁
What to do??
sorry, I didn’t pay attention that newest post were at the bottom 🙂
I have the same problem as Martin, can anyone help me?
Hiya! I have exactly the same problem as Martin… do we have to wait for the virus to be installed? I was thinking, cause my Norm says that it can’t delete the virus but that my system is not infected, but then I ran a scan, and it said that there was a trojan in my hard drive, so I suppose it’s that one. It may be that it needs to install first for it to appear? I’m confused, but I’m also scared to use my computer for important things…
I got the TDSSServ.Q yesterday, 16 of April. When I log in the screen gets black, but the white mouse arrow is visible. And when I press ctrl+alt+delete the task manager works. When I then log in with my guest account on Vista I get into the system. But then I noticed that the Fxxxxg virus has knocked out the network. I use Norman antivirus and it can’t fix this.
Please help, Marcus from Sweden
Had the same problem. Seems like a false alarm occurred in Norman these last days:
http://eforum.idg.se/viewmsg.asp?entriesid=1135811
(in swedish)
Maria, yes, it looks like it is a false alert.
I used Malwarebytes Anti-Malware; it found viruses and deleted them. My antivirus and Defender were updated. Cool, I rebooted my computer, opened Explorer, and my AntiVir says I’ve got the SAME virus. I scanned my computer again, but Malwarebytes Anti-Malware didn’t find anything. What should I do now?
Probably your computer is infected with an autorun.inf trojan. Try Flash Disinfector or ask for help at our forum.
Thank you Patrick, you are a gentleman and a scholar. I have been struggling with this for the last 12 hours, it is 3 a.m. and I’m very sleepy. Spyware Doctor first detected that I had 2 trojans (Trojan.TDDSServ + Trojan.DNS_Changer) which were put into quarantine. But still my P.C. was going crazy. My comp. usage was at 100% and it was running very slow. All of my anti-virus were disabled (Norton, MBAM, SUPERAntiSpyware) but Spyware Doc still ran but did not pick up the hidden driver, which in my case was named \
Just a follow-up to my post yesterday. Although Avenger removed the hidden driver and all my antivirus were reactivated, each time I rebooted my P.C. SUPERAntiSpyware was picking up the virus again. I did more googling and came up with a program called unhijackthis. The software can be used for free on a 30-day fully featured trial. It is simple to use and finally has freed me of this virus. I hope this helps anyone still struggling with this.
IMPORTANT, it’s me again. The software I used is UNHACKME, sorry. If you would like to edit my last post Patrick, my mind’s gone a bit numb fighting this virus. Edd