TDSS rootkit - How to remove?

 

TDSS Rootkit, or TDSS, is a Trojan designed to work together with other malware. Once this rootkit gets inside the system, it downloads and executes other threats, interrupts its victims with annoying ads and prevents them from using security and other programs. It is known under several names, such as Alureon, TDL3 and TDL4, and is one of the most advanced and aggressive rootkits today.

Designed to be thoroughly annoying, the TDSS infection stays invisible and in the meantime lets more malware in. While it remains unnoticed by legitimate anti-malware programs and by Windows, its victims should pay attention to the signs that usually appear once this infection gets inside the system. One of those symptoms is annoying Google redirects: instead of reaching the website you want, you are redirected to another, in most cases commercial, one. Note that you shouldn't fall for the products they promote, because most of these websites are completely malicious. As we have already said, TDSS also prevents you from starting various programs, such as anti-virus and anti-spyware, because it carries a large list of programs that are not allowed to execute. You also won't be able to access various websites, because the TDSS Trojan simply protects itself from being removed from the system.

TDSS usually uses regular driver names for its files. In some cases, original random drivers are replaced by this rootkit and malicious ones are installed. Older versions used predefined names like Tdssserv.sys or the ones listed below. In most cases you will not see any of these files among the running processes, as rootkits protect their processes from being detected or listed. To prevent deletion, the TDSS virus might also infect the MBR (Master Boot Record, the first sector of the disk), which is executed before Windows boots. This can be fixed with a Windows boot CD or the tools below.
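To make the MBR point concrete, here is an added example (not from the original page or from any tool it names) that parses a 512-byte first sector, validates its boot signature and partition table, and compares the boot code against a SHA-256 hash recorded while the machine was known clean. The sample sectors are constructed inline, and the clean-baseline workflow is an assumption about how a defender would use such a check.

```python
import hashlib
import struct

BOOT_SIGNATURE = b"\x55\xaa"  # marks a valid MBR at offset 510

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, the four partition entries and the signature."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # entry layout: boot flag, CHS start (3), type, CHS end (3), LBA start, sector count
        flag, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, 446 + i * 16)
        partitions.append({"bootable": flag == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:446], "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}

def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the 446-byte boot loader; this is the part a bootkit has to change."""
    return hashlib.sha256(sector[:446]).hexdigest()

def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the clean baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings

def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed test MBR from boot code and (bootable, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if b else 0, t, s, n) for b, t, s, n in entries)
    return boot_code[:446].ljust(446, b"\x00") + table.ljust(64, b"\x00") + BOOT_SIGNATURE

# Constructed sample data, not taken from a real disk or from any TDSS sample.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 439
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(True, 0x07, 2048, 1_000_000)])
BASELINE_HASH = boot_code_hash(CLEAN_MBR)  # assumed to be recorded while the system was clean
# Same partition table, but the first loader bytes have been replaced.
TAMPERED_MBR = build_mbr(b"\xEB\xFE" + CLEAN_BOOT_CODE[2:], [(True, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE_HASH))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
```

On a live machine the 512 bytes would come from reading the raw disk device (which needs administrator rights), and the baseline hash should be stored off the suspect disk.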

As you see, TDSS is a serious problem for your computer, so you must eliminate it immediately after detection. If you have noticed this trojan on your computer, follow this guide to remove TDSS.

How to remove TDSS Rootkit infection:

  1. Download TDSSKiller from Kaspersky Labs;
  2. Click on the TDSSKiller.exe icon and rename it to xxx.com (the virus hasn't been found to block .com files);
  3. Launch the program: double-click on the icon and choose 'Run';
  4. TDSSKiller should find the TDSS infection and eliminate it. Finally, reboot your computer by clicking on the 'Reboot Now' button and finish the removal procedure.

More dedicated anti-TDSS tools can be found in our anti-rootkit tools section. However, TDSSKiller is the best, as it works on both 32- and 64-bit Windows systems. An alternative approach is to use bootable scanner CDs, though the process is more cumbersome. These programs are booted from CDs or USB sticks and scan for TDSS and other parasites.

In addition, you should also run regular anti-virus and anti-malware programs and check the system for additional malware that could have been downloaded by the TDSS rootkit. SpyHunter and Hitman Pro are known to remove at least some versions of the TDSS rootkit; Malwarebytes Anti-Malware has problems with them at the moment but will remove most of the other trojans.

There are cases when the TDSS rootkit cannot be removed even with TDSSKiller or alternate-OS scanners. These cases are rare, and a different alternate-OS scanner should solve the problem.

 

Automatic TDSS rootkit removal tools

Other tools:

  1. Spyhunter
  2. Malwarebytes anti-rootkit

Manual TDSS rootkit removal

 

Important Note: Although it is possible to manually remove the TDSS rootkit, doing so can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to repair themselves automatically if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using TDSSKiller or other tools found on 2-viruses.com.

Processes:
Files:

It is impossible to list all file names and locations of modern parasites. You can identify remaining parasites and other files infected by the TDSS rootkit, and get help with TDSS rootkit removal, by using the TDSSKiller scanner.


6 thoughts on “TDSS rootkit”

  1. Pingback: ZeroAccess Rootkit - how to remove

  2. MadScientistMatt
     

    I’ve been trying to clean up an infection from one copy of TDSS, and found another symptom: It automatically deletes certain downloads, including the current Malwarebytes installer.

     
    1. admin
       
       
      Post author

      MadScientistMatt:
      try saving as a different name first, something dot com, etc. In some cases it is worth scanning with Avira Boot CD or other alternate OS scanners. Additionally, MBAM is not really good against TDSS; TDSS Killer is the main tool people use, though there are similar tools from Webroot, Norman and ComboFix.

       
  3. Niels
     

    I just received it through opening an (expectedly trustworthy) website. Could not use USB, and my virus scanner (Avast Pro) and MBAM could not update anymore. After system recovery and reboot these things were possible again. Have run the TDSS removal tool from Kaspersky and it claimed to have removed the rootkit; however, other programs with this purpose are still extremely slow in scanning my computer (cancelled the Avast removal tool after it was busy for more than 2 hours, MBAM takes more than an hour for a ‘quick scan’ and currently HitmanPro has been running for more than an hour now, still stuck at 25%).

     
  4. Shakelford
     

    Install Linux.

    It’s free.

     
  5. Techee
     

    It is most important that you produce a disk image of your operating system disk partition when new and clean, to fall back on when all else fails. Nowadays these disk images can be kept up to date using differential/incremental backups to the 1st full backup disk image you made, so restoration will include the last known preference settings of your applications and program updates since the 1st disk image was made. Restoration can be undertaken through recovery boot disks and USB-connected devices where your operating system may have crashed! Just make sure you don’t save your user files or disk image files on the same drive as your operating system. Choose another partition, or even better another physical drive or removable disk(s). Windows 7 has a built-in utility for creating disk image backups, but not sure if it allows differential/incremental backup updates to these VHD disk image files, or whether you can acquire a recovery boot disk to run a restoration using these VHD disk image files without starting Windows? Google disk imaging and incremental backup programs to learn more!

     
