Backdoor.Tidserv
Backdoor.Tidserv is a Trojan horse that allows remote unauthorized access on infected computer by creating a backdoor port. Backdoor.Tidserv remains undetected from the system with its utilization of highly sophisticated rootkit techniques. Once inside the computer, this Trojan can redirect Internet browser’s search result to predetermined web address.
Alias: Backdoor:W32/TDSS, BKDR_TDSS, Win32/Alureon, Trojan-Dropper.Win32.TDSS, Packed.Win32.TDSS
Damage Level: High
Systems Affected: Windows 9x, 2000, XP, Vista
How to Remove Backdoor.Tidserv:
FIRST AID TO STOP Backdoor.Tidserv:
Contaminated system will suffer from maliciously modified Windows registry and corrupted system files. System Restore can reinstate clean system files by restoring the configuration to an earlier date. If a restore point was created before you got infected with Backdoor.Tidserv, please run System Restore and select a saved restore point.
Backdoor.Tidserv REMOVAL TOOL:
1. Download the tool FixTDSS.exe from Symantec web site.
2. Save it to a desired location.
3. After download completes, disconnect the computer from Internet.
4. Computers who are running under operating system Windows ME and Windows XP must disable System Restore.
5. Reboot Windows in Safe Mode.
- After turning on the power, press F8 on the keyboard.
- Select Safe Mode from the menu.
6. Go to FixTDSS.exe download location on your hard drive.
7. Double click FixTDSS.exe to run the tool.
8. Let the tool thoroughly scan the computer and perform another scan after rebooting Windows in normal mode.
MANUAL REMOVAL OF Backdoor.Tidserv:
1. Update installed anti-virus application to have the latest definition file and virus pattern.
2. Reboot computer in Safe Mode
- After turning on the power, press F8 on the keyboard.
- Select Safe Mode from the menu.
3. Thoroughly scan the system and clean/delete all infected file(s). Please see below.
4. Delete/Modify any values added to the registry if present. Refer to associated Windows Registry Entries.
- Click on Start. Search or Run regedit.exe to begin registry editor.
Note: You may refer to links on sidebar for a complete tutorial on Safe Mode and Registry Editor.
5. Exit registry editor and restart Windows.
ADDITIONAL TOOLS AND PROGRAMS:
Scan with Norton Power Eraser:
A free removal tool from Norton Antivirus was developed to remove virus and unfamiliar threats without using the traditional AV signatures. Download the tool and start scanning with Norton Power Eraser.
Technical Details and Additional Information:
Other functionalities of this Trojan:
- Backdoor.Tidserv will download, decrypt and execute files from a distant server.
- It can log search strings from an infected PC and sends gathered data to a remote computer.
- This worm will manipulate Master Boor Record to load itself first when system has started.
Malicious Files Added by Backdoor.Tidserv:
%ProgramFiles%\Internet Explorer\[RANDOM FILE NAME].dll
%ProgramFiles%\Movie Maker\[RANDOM FILE NAME].dll
C:\Documents and Settings\All Users\Application Data \[RANDOM FILE NAME].dll
Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSServ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSServ.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSServ.sys
HKEY_CURRENT_USER\Software\Mozilla\affid=
HKEY_CURRENT_USER\Software\Mozilla\subid=
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT\injectors
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS
precisesecurity
Sep 19, 2008 @ 01:09:20
1. Temporarily Disable System Restore (Windows Me/XP/Vista/7) . [how to]
2. Update the virus definitions.
3. Reboot Windows in Safe Mode. [how to]
4. Run a full system scan and clean/delete all infected file(s)
5. Delete/Modify any values added to the registry. [how to edit registry]
Navigate to and delete the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\”build” = “standart”
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\”serversdown” = “1″
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\”type” = “pop-up”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata\”affid” = “39″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata\”asubid” = “v2test7″
Navigate to and delete the following registry subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\Current ControlSet\Services\TDSServ
HKEY_LOCAL_MACHINE\SYSTEM\Current ControlSet\Control\SafeBoot\Minimal\TDSServ.sys
HKEY_LOCAL_MACHINE\SYSTEM\Current ControlSet\Control\SafeBoot\Network\TDSServ.sys
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\version
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\connections
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\injector
6. Exit registry editor and restart Windows.
7. In order to make sure that threat is completely eliminated, carry out a full scan of your system using AntiVirus and Antispyware Software. Another way to delete the virus using various Antivirus Program without the need to install can be done with Online Virus Scanner.
Brian
Nov 10, 2008 @ 16:58:40
All the above reg. listings are not in the registry. I can’t delete what’s not there? Is there another option?
Tyler
Nov 10, 2008 @ 20:13:18
What antivirus software shall i install that works on safe mode? Because my Norton wont work on safe mode it sends me to the Internet to scan but I can’t get a connection.
kamal
Nov 12, 2008 @ 09:55:27
I could not see all the above reg on my computer but i could see LEGACY_TDSSSERV.SYS in \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 and
\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002.
I could not delete or rename LEGACY_TDSSSERV.SYS.
When I tried to rename the ControlSet001 it creates another one.
what do you advice me to do.
pat
Nov 17, 2008 @ 06:25:32
I am having the same problem as Brian. are there any other options or is it possible that my antivirus software caught it early?
Pedro
Nov 17, 2008 @ 20:07:03
I had the same problem as everyone (could not find registry keys). I was running Symantec anti-virus software. A buddy of mine mentioned Malwarebytes. This seemed to do the trick. I installed it via CD-ROM in safe mode (could not use the Internet to download it). Problem free for three days.
JN
Nov 18, 2008 @ 14:15:33
To remove the LEGACY_TDSSSERV.SYS you will have to logon in Safe mode and then open the registry. Right click on the LEGACY_TDSSSERV.SYS key or group and go to Permission… and allow yourself Full Control by checking the Full Control’s box.
Steve
Nov 24, 2008 @ 19:01:57
Downloaded Malwarebytes, ran a full scan and it sorted it. No other input was required. Running Norton Antivirus and it rated it as too risky to remove, Manual removal was recommended but same problems found as Brian, Pat and Pedro.
Sri
Nov 25, 2008 @ 20:24:47
Set your cookies to high or block everything in the Internet options
1.Right click My computer>Hardware>Device Manager
2.In Device Manager click view>Show hidden devices
3.In Non-plug and play drivers disable TDSS.sys or related drivers.
4.Restart computer.
5.Now regedit and delete all TDSS related entries.(If you are not able to delete some entries right click and grant yourself full access for the entry)
6.Run the Norton and AVG with Rookit settings ON.
Emil Kuelz
Dec 16, 2008 @ 23:05:32
The PC I am working on has the BACKDOOR.TIDSERV!INF malware/Trojan. Norton 360 does not know how to get rid of it. Although on some scans it finds it and neutralizes it, it comes back later. In order to keep the computer operating I’ve had to disable a lot of startup exe’s and some system services. When I attempt to follow some of the instructions stated previously I have not for example found any TDSS keys or otherwise in the registry, yet this computer has the virus. When I searched the registry for TDS not TDSS and there are many search results I came across the key C:\MC\HC_C_U\software\Microsoft\search assistant\acmru\5603\*tds*.*. Does anyone that knows more than I about the registry know if this suspicious key could have anything to do with this Trojan.
Mike
Dec 30, 2008 @ 03:27:33
Sri’s instructions worked for me perfectly.
Once you disable the Rootkit, Anti-virus and Anti-malware apps that were blocked before will clean up the rest of it.
Stuart
Jan 07, 2009 @ 16:41:06
My Anti virus showed it had blocked this virus but couldn’t delete it. Later on I tried again and it seemed to do it. The registry shows no files with ‘TDSS’ in at all. However I now don’t seem to be able to download new definition files for ad-aware (possibly Norton too). I did stop the virus downloading after about 10 seconds and had some temp files I deleted (also in the registry). Could it have just added something to prevent the definition files downloading and, if so, where is it so I can get rid of it.
Andy
Jan 14, 2009 @ 13:31:16
My Antivirus says that it removed this virus but I have had problems ever since such as being redirected when browsing among other browser problems. Does this mean that although Norton though it had it sorted, the worm still managed to embed itself in? Should I run download Malwarebytes or something?
Greg
Jan 21, 2009 @ 13:44:04
Thank you all for this great info. I just got this virus 2 days ago and I’m looking up for information on how to get rid of it. I will try all the things that were mentioned above. Thanks all.
Christie
Jan 29, 2009 @ 02:09:43
Question!
I don’t know much about computers.
But under Sri’s directions he says:
“5.Now regedit and delete all TDSS related entries.(If you are not able to delete some entries right click and grant yourself full access for the entry)”
Should it say TDSS or does TDSS indicate a type of entry that would be listed under another name?
I can’t find anything that actually says TDSS, but I have no idea if that’s supposed to just indicate a general type of entry to look for.
Please help!
Christie
Jan 29, 2009 @ 02:11:18
It also mentioned in step 3! if that makes any difference.
Andrew
Jan 31, 2009 @ 09:55:44
Guys, I simply ran “malwarebytes”. It’s a freeware and it sorted out this problem completely for me.
Paul
Feb 01, 2009 @ 06:08:37
I just finished installing and running malwarebytes. It worked like a charm and removed a lot of frustration.
Tad
Mar 30, 2009 @ 23:19:18
I can’t find any TDSS under plug and play eithere. I have malwarebytes but it doesn’t see any issues. All looks clear to me. Should I try another software?
hagfish502
Apr 18, 2009 @ 20:06:41
My computer has been recently attacked by this in the last day or 2… It attacked my computer while i was Searching through wowwiki.com… I noticed how there was about 10 things that have been blocked by my Norton AntiVirus, then i believe Norton asked me to shut down my computer. When i logged back on, my anti virus refused to start up. I tried to reinstall it but, i get an Just-in-time error around 90%, it asks me to click OK or CANCEL… If i click eithere it auto shuts down my comp… This couple of days had made my Internet slow, and i get TONS of pop-ups (even with my pop-up blocker). It seems to have gotten better, Norton says the threat is gone, but my Internet is still a little slow.
Tim
Apr 30, 2009 @ 01:44:35
I cant get Internet on my PC so i transfer all the software from another computer i tried use malwarebytes but it wont open. and i tried the thing sir said but a cant find TDSS.I tried 7 programs and i cant get rid of it. help
Adam
May 17, 2009 @ 17:45:01
None of what has been suggested above is working for me. I’ve tried installing malwarebytes but I can’t run the program. I can’t get to sites like Microsoft Update or Spybot any longer. My computer will freeze if I’m connected to the Internet. I only found one of the files in my registry that is listed above and deleted it. I’m to the point where I am thinking about reformatting my computer. Please help!!
Adam
May 17, 2009 @ 17:56:33
I’ve now lost access to my files. When I attempt to open my c:\ drive, nothing happens.
precisesecurity
May 18, 2009 @ 01:40:29
Adam,
Prevent the computer from having internet access. To download tools such as malwarebytes, please use other uncompromised computer. Rename the malwarebytes installer, the virus might prevent the original filename to run. After installation, reboot your computer in safemode and scan it.
Adam
May 18, 2009 @ 02:58:33
I did just as you suggested, and even in safe mode, malwarebytes doesn’t run.
precisesecurity
May 28, 2009 @ 00:52:24
MBAM has free version that you can use to remove the threat. But I suggest you buy the Full Version beacuse it will protect you. Remember, prevention is better than cure.
http://www.precisesecurity.com/tools-resources/adware-tools/malwarebytes-anti-malware
dar313
Jun 10, 2009 @ 13:04:30
Rename the malware bytes exe to something like ab.exe and then try to run it!
Bekah
Jun 18, 2009 @ 17:00:33
My system just recovered from this virus, Norton should automatically detect and remove the main part but it drops other viruses onto the system before this happens. One of those blocked me from using anti virus software such as Malwarebytes and Spybot Search and Destroy. System restore was also prevented from working. I managed to remove the virus and the results of the other viruses connected to it by using ComboFix then doing full scans with Malwarebytes, Norton and spybot.
Please note these virus also drops key-loggers so if you did visit any websites such as your bank account, paypal, ebay etc. I suggest checking them from another machine and changing their details and do not revisit them until the virus on your main machine is gone.
Hugo
Jul 05, 2009 @ 06:45:59
I’m also having trouble with this virus. I tried following the instructions up top, but I can’t even turn off ‘system restore’. When I right click ‘My computer’ in order to turn off ‘system restore’, nothing happens.
I’ve also downloaded malwarebytes, but when I try to install it, I get a fake, though official looking, pop up saying the application is infected and won’t start to prevent trouble.
I really don’t know what to do. Can anyone help?
Cheater
Oct 15, 2009 @ 11:18:22
You are all waisting your time. Just forget to remove this virus
Trevor
Dec 14, 2009 @ 17:50:04
I have this virus too And Malwarebytes doesn’t see it let alone remove.
Also I can’t start in safe mode – I get the blue screen & it reboots.
Can someone post updated instructions?
Thanks for your help.
Pj
Dec 20, 2009 @ 12:08:07
Bit defender never sorted out anything as it was already infected by Backdoor.Tidserv.I had symantec online scanner to perform a full scan and it detected Backdoor.Tidserv plus Trojan.ByteVerify.
My hotmail was attacked. The password was changed and every single detail inside such as secret question and date of birth.
recommend not to go through anything serious something as your bank account soon you get suspicious.
Sly_Old_Mole
Mar 21, 2010 @ 13:33:03
I have remove this many times & this is my way.
First run:
Norman TDSS Cleaner:
norman.com/support/support_tools/77201/en
&/or
How to remove the TDSS, TDL3, or Alureon rootkit using TDSSKiller:
bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller
Al
Apr 02, 2010 @ 00:54:10
i think run it in safe mode with networking then run a synmantec scan i tried that and now my computer works better than my first day using it
Al
Apr 02, 2010 @ 00:54:10
i think run it in safe mode with networking then run a synmantec scan i tried that and now my computer works better than my first day using it
hidnrage
Jul 05, 2010 @ 16:42:29
picked it up while browsing wowwiki.com. it wouldnt let me run any programs at all kept throwing out prompt saying everything was infected n shutn it down.
however ya do it get hold of autoruns for windows. this program allows ya to see hidden entries in registry. boot into safe mode run autoruns. hit esc to cancel scan. go to Options check the option to hide microsoft entries then start the scan. look under the Everything tab. ull see a random entry like XCVSDWERWE.exe or somethin with no publisher name. delete it and reboot.
go to options in ur browswer of choice and disable the proxy server setting av setup. then dl and run Malware Bytes to move any misc bits of the program
angela
Jan 05, 2011 @ 05:49:34
I don’t see these files in the registry. Maleware doesn’t see it, nor does anything else I’ve run. I’ve had this for MONTHS. I am about to pull my hair out. I don’t know what else to do.
I’m afraid to download another program because I have no idea who to trust. Right now I don’t trust any random software. Is there a way to manually remove it? What are all the possible names this virus goes by? I will search every file individually until I find it.
Desperately looking for all possible file names for this virus,
Angela