Backdoor.Tidserv
Backdoor.Tidserv is a Trojan horse that allows remote unauthorized access on infected computer by creating a backdoor port. Backdoor.Tidserv remains hidden from the system with its use of advanced rootkit techniques. Once inside the computer, this Trojan can redirect Internet browser’s search result to a set of web addresses. Upon visiting said web sites, the Trojan will display pop-up ads and fake virus scanners to promote a rogue security product.
Alias: Backdoor:W32/TDSS, BKDR_TDSS, Win32/Alureon, Trojan-Dropper.Win32.TDSS, Packed.Win32.TDSS
Damage Level: High
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Characteristics
When Backdoor.Tidserv is installed on the computer, it will complete a task of providing support for authors behind this attack and aims to gain revenue in a sham manner. Hence, the Trojan will control system’s Internet browser to visit web sites that are relevant to moneymaking format. It is the root cause of propagating rogue security software, which installs self on computer without of user’s permission.
The Trojan is using a rootkit techniques wherein it able to hide its presence and evade virus scanners. The same method also conceals Backdoor.Tidserv’s activity inside the system. Critical changes made to system and damaging of targeted software may not be visible to ordinary user.
To expand its control over the infected computer, Backdoor.Tidserv will replace the Master Boot Record (MBR) with own code that ensures loading of the Trojan when Windows starts. This process is found on latest variants of Tidserv that adopts the MBR manipulation from Trojan.Mebroot. The procedure of loading the harmful code during boot up process is evident that Trojan can bypass even strict security measures of the target computer.
Backdoor.Tidserv will also perform other malicious activities including the following:
- Drop several malicious files
- Download, decrypt and execute files
- Delete files
- Add or modify Windows registry entries
- Connect to a remote computer update its configuration file
Distribution
The Trojan spreads primarily via the Internet. It utilizes popular web sites and social networking sites where naïve visitors are most targeted. It requires user to click on malicious links posted on these sources. Typically, Backdoor.Tidserv will entice user to click on these links by producing sensational reports about politics, celebrities and other topic, which might be of user’s interests.
Additionally, Backdoor.Tidserv will make use of loose security measures provided by peer-to-peer network communication to spread its copy. The Trojan will embed its code to counterfeit programs and may also disguise as software update to lure its victims.
Added Registry Entries:HKEY_CURRENT_USER\Software\Mozilla\affid= HKEY_CURRENT_USER\Software\Mozilla\subid= HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT\injectors HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT HKEY_LOCAL_MACHINE\SOFTWARE\TDSS HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\H8SRTd.sys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSServ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSServ.sys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSServ.sysAssociated Files and Folders:
%System%\spool\prtprocs\[TEMPORARY FILE NAME].tmp (Initial executable file) %System%\drivers\TDSServ.sys %System%\TDSS[RANDOM VALUE].log %System%\TDSS[RANDOM VALUE].dat %System%\TDSS[RANDOM VALUE].dll %System%\drivers\H8SRTd.sys
How to Remove Backdoor.Tidserv
Backdoor.Tidserv Removal Tool:
1. Download the tool FixTDSS.exe from Symantec web site.
2. Save it to a desired location.
3. After download completes, disconnect the computer from Internet.
4. Computers who are running under operating system Windows ME and Windows XP must disable System Restore.
5. Reboot Windows in Safe Mode.
- After turning on the power, press F8 on the keyboard.
- Select Safe Mode from the menu.
6. Go to FixTDSS.exe download location on your hard drive.
7. Double click FixTDSS.exe to run the tool.
8. Let the tool thoroughly scan the computer and perform another scan after rebooting Windows in normal mode.
Brian
Nov 10, 2008 @ 16:58:40
All the above reg. listings are not in the registry. I can’t delete what’s not there? Is there another option?
Tyler
Nov 10, 2008 @ 20:13:18
What antivirus software shall i install that works on safe mode? Because my Norton wont work on safe mode it sends me to the Internet to scan but I can’t get a connection.
kamal
Nov 12, 2008 @ 09:55:27
I could not see all the above reg on my computer but i could see LEGACY_TDSSSERV.SYS in \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 and
\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002.
I could not delete or rename LEGACY_TDSSSERV.SYS.
When I tried to rename the ControlSet001 it creates another one.
what do you advice me to do.
pat
Nov 17, 2008 @ 06:25:32
I am having the same problem as Brian. are there any other options or is it possible that my antivirus software caught it early?
Pedro
Nov 17, 2008 @ 20:07:03
I had the same problem as everyone (could not find registry keys). I was running Symantec anti-virus software. A buddy of mine mentioned Malwarebytes. This seemed to do the trick. I installed it via CD-ROM in safe mode (could not use the Internet to download it). Problem free for three days.
JN
Nov 18, 2008 @ 14:15:33
To remove the LEGACY_TDSSSERV.SYS you will have to logon in Safe mode and then open the registry. Right click on the LEGACY_TDSSSERV.SYS key or group and go to Permission… and allow yourself Full Control by checking the Full Control’s box.
Steve
Nov 24, 2008 @ 19:01:57
Downloaded Malwarebytes, ran a full scan and it sorted it. No other input was required. Running Norton Antivirus and it rated it as too risky to remove, Manual removal was recommended but same problems found as Brian, Pat and Pedro.
Sri
Nov 25, 2008 @ 20:24:47
Set your cookies to high or block everything in the Internet options
1.Right click My computer>Hardware>Device Manager
2.In Device Manager click view>Show hidden devices
3.In Non-plug and play drivers disable TDSS.sys or related drivers.
4.Restart computer.
5.Now regedit and delete all TDSS related entries.(If you are not able to delete some entries right click and grant yourself full access for the entry)
6.Run the Norton and AVG with Rookit settings ON.
Emil Kuelz
Dec 16, 2008 @ 23:05:32
The PC I am working on has the BACKDOOR.TIDSERV!INF malware/Trojan. Norton 360 does not know how to get rid of it. Although on some scans it finds it and neutralizes it, it comes back later. In order to keep the computer operating I’ve had to disable a lot of startup exe’s and some system services. When I attempt to follow some of the instructions stated previously I have not for example found any TDSS keys or otherwise in the registry, yet this computer has the virus. When I searched the registry for TDS not TDSS and there are many search results I came across the key C:\MC\HC_C_U\software\Microsoft\search assistant\acmru\5603\*tds*.*. Does anyone that knows more than I about the registry know if this suspicious key could have anything to do with this Trojan.
Mike
Dec 30, 2008 @ 03:27:33
Sri’s instructions worked for me perfectly.
Once you disable the Rootkit, Anti-virus and Anti-malware apps that were blocked before will clean up the rest of it.
Stuart
Jan 07, 2009 @ 16:41:06
My Anti virus showed it had blocked this virus but couldn’t delete it. Later on I tried again and it seemed to do it. The registry shows no files with ‘TDSS’ in at all. However I now don’t seem to be able to download new definition files for ad-aware (possibly Norton too). I did stop the virus downloading after about 10 seconds and had some temp files I deleted (also in the registry). Could it have just added something to prevent the definition files downloading and, if so, where is it so I can get rid of it.
Andy
Jan 14, 2009 @ 13:31:16
My Antivirus says that it removed this virus but I have had problems ever since such as being redirected when browsing among other browser problems. Does this mean that although Norton though it had it sorted, the worm still managed to embed itself in? Should I run download Malwarebytes or something?
Greg
Jan 21, 2009 @ 13:44:04
Thank you all for this great info. I just got this virus 2 days ago and I’m looking up for information on how to get rid of it. I will try all the things that were mentioned above. Thanks all.
Christie
Jan 29, 2009 @ 02:09:43
Question!
I don’t know much about computers.
But under Sri’s directions he says:
“5.Now regedit and delete all TDSS related entries.(If you are not able to delete some entries right click and grant yourself full access for the entry)”
Should it say TDSS or does TDSS indicate a type of entry that would be listed under another name?
I can’t find anything that actually says TDSS, but I have no idea if that’s supposed to just indicate a general type of entry to look for.
Please help!
Christie
Jan 29, 2009 @ 02:11:18
It also mentioned in step 3! if that makes any difference.
Andrew
Jan 31, 2009 @ 09:55:44
Guys, I simply ran “malwarebytes”. It’s a freeware and it sorted out this problem completely for me.
Paul
Feb 01, 2009 @ 06:08:37
I just finished installing and running malwarebytes. It worked like a charm and removed a lot of frustration.
Tad
Mar 30, 2009 @ 23:19:18
I can’t find any TDSS under plug and play eithere. I have malwarebytes but it doesn’t see any issues. All looks clear to me. Should I try another software?
hagfish502
Apr 18, 2009 @ 20:06:41
My computer has been recently attacked by this in the last day or 2… It attacked my computer while i was Searching through wowwiki.com… I noticed how there was about 10 things that have been blocked by my Norton AntiVirus, then i believe Norton asked me to shut down my computer. When i logged back on, my anti virus refused to start up. I tried to reinstall it but, i get an Just-in-time error around 90%, it asks me to click OK or CANCEL… If i click eithere it auto shuts down my comp… This couple of days had made my Internet slow, and i get TONS of pop-ups (even with my pop-up blocker). It seems to have gotten better, Norton says the threat is gone, but my Internet is still a little slow.
Tim
Apr 30, 2009 @ 01:44:35
I cant get Internet on my PC so i transfer all the software from another computer i tried use malwarebytes but it wont open. and i tried the thing sir said but a cant find TDSS.I tried 7 programs and i cant get rid of it. help
Adam
May 17, 2009 @ 17:45:01
None of what has been suggested above is working for me. I’ve tried installing malwarebytes but I can’t run the program. I can’t get to sites like Microsoft Update or Spybot any longer. My computer will freeze if I’m connected to the Internet. I only found one of the files in my registry that is listed above and deleted it. I’m to the point where I am thinking about reformatting my computer. Please help!!
Adam
May 17, 2009 @ 17:56:33
I’ve now lost access to my files. When I attempt to open my c:\ drive, nothing happens.
precisesecurity
May 18, 2009 @ 01:40:29
Adam,
Prevent the computer from having internet access. To download tools such as malwarebytes, please use other uncompromised computer. Rename the malwarebytes installer, the virus might prevent the original filename to run. After installation, reboot your computer in safemode and scan it.
Adam
May 18, 2009 @ 02:58:33
I did just as you suggested, and even in safe mode, malwarebytes doesn’t run.
precisesecurity
May 28, 2009 @ 00:52:24
MBAM has free version that you can use to remove the threat. But I suggest you buy the Full Version beacuse it will protect you. Remember, prevention is better than cure.
http://www.precisesecurity.com/tools-resources/adware-tools/malwarebytes-anti-malware
dar313
Jun 10, 2009 @ 13:04:30
Rename the malware bytes exe to something like ab.exe and then try to run it!
Bekah
Jun 18, 2009 @ 17:00:33
My system just recovered from this virus, Norton should automatically detect and remove the main part but it drops other viruses onto the system before this happens. One of those blocked me from using anti virus software such as Malwarebytes and Spybot Search and Destroy. System restore was also prevented from working. I managed to remove the virus and the results of the other viruses connected to it by using ComboFix then doing full scans with Malwarebytes, Norton and spybot.
Please note these virus also drops key-loggers so if you did visit any websites such as your bank account, paypal, ebay etc. I suggest checking them from another machine and changing their details and do not revisit them until the virus on your main machine is gone.
Hugo
Jul 05, 2009 @ 06:45:59
I’m also having trouble with this virus. I tried following the instructions up top, but I can’t even turn off ‘system restore’. When I right click ‘My computer’ in order to turn off ‘system restore’, nothing happens.
I’ve also downloaded malwarebytes, but when I try to install it, I get a fake, though official looking, pop up saying the application is infected and won’t start to prevent trouble.
I really don’t know what to do. Can anyone help?
Cheater
Oct 15, 2009 @ 11:18:22
You are all waisting your time. Just forget to remove this virus
Trevor
Dec 14, 2009 @ 17:50:04
I have this virus too And Malwarebytes doesn’t see it let alone remove.
Also I can’t start in safe mode – I get the blue screen & it reboots.
Can someone post updated instructions?
Thanks for your help.
Pj
Dec 20, 2009 @ 12:08:07
Bit defender never sorted out anything as it was already infected by Backdoor.Tidserv.I had symantec online scanner to perform a full scan and it detected Backdoor.Tidserv plus Trojan.ByteVerify.
My hotmail was attacked. The password was changed and every single detail inside such as secret question and date of birth.
recommend not to go through anything serious something as your bank account soon you get suspicious.
Sly_Old_Mole
Mar 21, 2010 @ 13:33:03
I have remove this many times & this is my way.
First run:
Norman TDSS Cleaner:
norman.com/support/support_tools/77201/en
&/or
How to remove the TDSS, TDL3, or Alureon rootkit using TDSSKiller:
bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller
Al
Apr 02, 2010 @ 00:54:10
i think run it in safe mode with networking then run a synmantec scan i tried that and now my computer works better than my first day using it
Al
Apr 02, 2010 @ 00:54:10
i think run it in safe mode with networking then run a synmantec scan i tried that and now my computer works better than my first day using it
hidnrage
Jul 05, 2010 @ 16:42:29
picked it up while browsing wowwiki.com. it wouldnt let me run any programs at all kept throwing out prompt saying everything was infected n shutn it down.
however ya do it get hold of autoruns for windows. this program allows ya to see hidden entries in registry. boot into safe mode run autoruns. hit esc to cancel scan. go to Options check the option to hide microsoft entries then start the scan. look under the Everything tab. ull see a random entry like XCVSDWERWE.exe or somethin with no publisher name. delete it and reboot.
go to options in ur browswer of choice and disable the proxy server setting av setup. then dl and run Malware Bytes to move any misc bits of the program
angela
Jan 05, 2011 @ 05:49:34
I don’t see these files in the registry. Maleware doesn’t see it, nor does anything else I’ve run. I’ve had this for MONTHS. I am about to pull my hair out. I don’t know what else to do.
I’m afraid to download another program because I have no idea who to trust. Right now I don’t trust any random software. Is there a way to manually remove it? What are all the possible names this virus goes by? I will search every file individually until I find it.
Desperately looking for all possible file names for this virus,
Angela