Backdoor.Tidserv

1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. Update the virus definitions.
3. Reboot computer in SafeMode [how to]
4. Run a full system scan and clean/delete all infected file(s)
5. Delete/Modify any values added to the registry. [how to edit registry]
Navigate to and delete the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\”build” = “standart”
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\”serversdown” = “1″
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\”type” = “popup”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata\”affid” = “39″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata\”asubid” = “v2test7″

Navigate to and delete the following registry subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\Current ControlSet\Services\TDSServ
HKEY_LOCAL_MACHINE\SYSTEM\Current ControlSet\Control\SafeBoot\Minimal\TDSServ.sys
HKEY_LOCAL_MACHINE\SYSTEM\Current ControlSet\Control\SafeBoot\Network\TDSServ.sys
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\version
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\connections
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\injector

6. Exit registry editor and restart the computer.
7. In order to make sure that threat is completely eliminated from your computer, carry out a full scan of your computer using AntiVirus and Antispyware Software. Another way to delete the virus using various Antivirus Program without the need to install can be done with Online Virus Scanner.

All the above reg. listings are not in the registry. I can’t delete whats not there? is there another option?

What antivirus software shall i install that works on safemode? because my norton wont work on safemode it sends me to the internet to scan but i cant get a connection.

please help

I could not see all the above reg on my computer but i could see LEGACY_TDSSSERV.SYS in \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 and
\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002.

I could not delete or rename LEGACY_TDSSSERV.SYS.

When I tried to rename the ControlSet001 it creates another one.

what do you advice me to do.

I am having the same problem as Brian. are there any other options or is it possible that my antivirus software caught it early?

I had the same problem as everyone (could not find registry keys). I was runnig symantec anti-virus software. A buddy of mine mentioned Malwarebytes. This seemed to do the trick. I installed it via CD-ROM in safe mode (could not use the internet to download it). Problem free for three days.

To remove the LEGACY_TDSSSERV.SYS you will have to logon in Safe mode and then open the registry. Right click on the LEGACY_TDSSSERV.SYS key or group and go to Permission… and allow yourself Full Control by checking the Full Control’s box.

Downloaded Malwarebytes, ran a full scan and it sorted it. No other input was required. Running Norton Antivirus and it rated it as too risky to remove, Manual removal was recommended but same problems found as Brian, Pat and Pedro.

Set your cookies to high or block everything in the internet options
1.Right click My computer>Hardware>Device Manager
2.In Device Manager click view>Show hidden devices
3.In Non-plug and play drivers disable TDSS.sys or related drivers.
4.Restart computer.
5.Now regedit and delete all TDSS related entries.(If you are not able to delete some entries right click and grant yourself full access for the entry)
6.Run the Norton and AVG with Rookit settings ON.

The PC I am working on has the BACKDOOR.TIDSERV!INF malware/trojan. Norton 360 does not know how to get rid of it. Although on some scans it finds it and neutralizes it, it comes back later. In order to keep the computer operating I’ve had to disable a lot of startup exe’s and some system services. When I attempt to follow some of the instructions stated previously I have not for example found any TDSS keys or otherwise in the registry, yet this computer has the virus. When I searched the registry for TDS not TDSS and there are many search results I came across the key C:\MC\HC_C_U\software\microsoft\search assistant\acmru\5603\*tds*.*. Does anyone that knows more than I about the registry know if this suspicious key could have anything to do with this trojan

Sri’s instructions worked for me perfectly.

Once you disable the Rootkit, Anti-virus and Anti-malware apps that were blocked before will clean up the rest of it.

My Anti virus showed it had blocked this virus but couldn’t delete it. Later on I tried again and it seemed to do it. The registry shows no files with ‘TDSS’ in at all. However I now don’t seem to be able to download new definition files for ad-aware (possibly Norton too). I did stop the virus downloading after about 10 seconds and had some temp files I deleted (also in the registry). Could it have just added something to prevent the definition files downloading and, if so, where is it so I can get rid of it.

My Antivirus says that it removed this virus but I have had problems ever since such as being redirected when browsing among other browser problems. Does this mean that although Norton though it had it sorted, the worm still managed to embed itself in? Should I run download malwarebytes or something? So annoying!!

Thank you all for this great info..I just got this virus 2 days ago and am looking up info on how to get rid of it, I will be trying all the things that were mentioned…grrrrrr viruses!!! thanks all!

Question!
I don’t know much about computers.
But under Sri’s directions he says:

“5.Now regedit and delete all TDSS related entries.(If you are not able to delete some entries right click and grant yourself full access for the entry)”

Should it say TDSS or does TDSS indicate a type of entry that would be listed under another name?
I can’t find anything that actually says TDSS, but I have no idea if that’s supposed to just indicate a general type of entry to look for.
Please help!

((it also mentions it in step 3!)) if that makes any difference..

Guys…I simply ran “malwarebytes”. It’s freeware and it sorted out this problem completely for me.

I just finished installing & running malwarebytes. WOW! It worked like a charm and removed a lot of frustration.

I cant find any TDSS under nonplug and play either … I have malware bytes but it doesnt see any issues all looks clear to it. should I try another software ?

My computer has been recently attacked by this in the last day or 2… It attacked my computer while i was Searching through wowwiki.com… I noticed how there was about 10 things that have been blocked by my Norton AntiVirus, then i belive Norton asked me to shut down my computer. When i logged back on, my anti virus refused to start up. I tried to re-instal it but, i get an Just-in-time error arround 90%, it asks me to click OK or CANCEL… If i click either it auto shuts down my comp… This couple of days had made my internet slow, and i get TONS of pop-ups (even with my pop-up blocker). It seems to have gotten better, Norton says the threat is gone, but my internet is still a little slow.

I cant get internet on my pc so i transfer all the software from another computer i tried use malwarebytes but it wont open. and i tried the thing sir said but a cant find TDSS.I tried 7 programs and i cant get rid of it. help

None of what has been suggested above is working for me. I’ve tried installing malwarebytes but I can’t run the program. I can’t get to sites like Microsoft Update or Spybot any longer. My computer will freeze if I’m connected to the Internet. I only found one of the files in my registry that is listed above and deleted it. I’m to the point where I am thinking about reformatting my computer. Please help!!

I’ve now lost access to my files. Wehn I attempt to open my c:\ drive, nothing happens.

Adam,

Prevent the computer from having internet access. To download tools such as malwarebytes, please use other uncompromised computer. Rename the malwarebytes installer, the virus might prevent the original filename to run. After installation, reboot your computer in safemode and scan it.

I did just as you suggested, and even in safe mode, malwarebytes doesn’t run.

MBAM has free version that you can use to remove the threat. But I suggest you buy the Full Version beacuse it will protect you. Remember, prevention is better than cure.

http://www.precisesecurity.com/tools-resources/adware-tools/malwarebytes-anti-malware/

rename the malware bytes exe to something like ab.exe and then try to run it!

My system just recovered from this virus, norton should automatically detect and remove the main part but it drops other viruses onto the system before this happens. One of those blocked me from using anti virus software such as Malwarebytes and Spybot Search and Destroy. System restore was also prevented from working. I managed to remove the virus and the results of the other viruses connected to it by using ComboFix then doing full scans with Malwarebytes, norton and spybot.

Please note these virus also drops keyloggers so if you did visit any websites such as your bank account, paypal, ebay etc. I suggest checking them from another machine and changing their details and do not revisit them until the virus on your main machine is gone.

I’m also having trouble with this virus. I tried following the instructions up top, but I can’t even turn off ’system restore’. When I right click ‘My computer’ in order to turn off ’system restore’, nothing happens.

I’ve also downloaded malwarebytes, but when I try to install it, I get a fake, though official looking, pop up saying the application is infected and won’t start to prevent trouble.

I really don’t know what to do. Can anyone help?

You are all waisting your time. Just forget to remove this virus

[...] is a generic identification for a Windows legitimate system driver files that have been modified by Backdoor.Tidserv and used to download and execute other malicious [...]

I have this virus too And Malwarebytes doesn’t see it let alone remove.
Also I can’t start in safe mode – I get the blue screen & it reboots.

Can someone post updated instructions?

Thanks for your help.

Bit defender never sorted out anything as it was already infected by Backdoor.Tidserv.I had symantec online scanner to perform a full scan and it detected Backdoor.Tidserv plus Trojan.ByteVerify.

My hotmail was attacked. The password was changed and every single detail inside such as secret question and date of birth.

recommend not to go through anything serious something as your bank account soon you get suspicious.