Backdoor.Tidserv (the Alureon rootkit) is usually able to hide any process, any file on disk and any registry key named in its configuration. Most of the time it also installs its own hidden drivers and services into the system, for example H8SRTd.sys or _VOIDd.sys. Such hidden services can be revealed with the GMER utility.
You may suspect that your computer is infected with TDSS malware if you encounter at least one of the following symptoms:
- Internet Explorer is hijacked.
- Google search result links redirect to totally unrelated or harmful sites that host malicious software or display misleading advertisements, pop-ups, etc.
- You can't access security-related websites. This is a method commonly used by nearly all widespread malware to protect itself from being removed.
- You can't launch antivirus and antispyware programs. The TDSS TDL3 rootkit blocks security software too, for an obvious reason. Also note that it may block other software, not only security-related programs.
- Certain Windows system tools are disabled: Task Manager, Registry Editor and others.
TDSS, Alureon, Tidserv, TDL3, TDL4 removal instructions using TDSSKiller utility:
1. Download the file TDSSKiller.exe and execute it. If you can't launch it, rename it to explorer.exe or iexplore.exe. If that fails too, you will have to change the file extension from *.exe to *.com, for example test123.com.
NOTE: some users make mistakes when changing file extensions. Make sure that extensions for known file types are not hidden. Otherwise you will get something like test123.com.exe, which is the same test123.exe file, not test123.com, and it won't work. Read below how to make extensions of known file types visible.
a) Double-click on the "My Computer" icon.
b) Select "Tools" from menu and click "Folder Options".
c) Select the "View" tab. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types". Click the OK button.
d) Now you can rename TDSSKiller.exe to random.com.
2. Double-click on it to launch the TDSSKiller utility. If you receive a Windows security warning, click the "Run" button to allow TDSSKiller to run.
3. Click the "Start scan" button and wait for the scan to finish. Click Continue. Reboot your computer to remove the rootkit.
4. Finally, download the recommended anti-malware software (direct download) and run a full system scan to remove this rootkit from your computer.
TDSS, Alureon, Tidserv, TDL3, TDL4 files and registry values:
Files:
- C:\WINDOWS\system32\drivers\RDPCDD.sys
- C:\WINDOWS\_VOID[random]\
- C:\WINDOWS\_VOID[random]\_VOIDd.sys
- C:\WINDOWS\system32\drivers\_VOID[random].sys
- C:\WINDOWS\system32\drivers\UAC[random].sys
- C:\WINDOWS\system32\UAC[random].dll
- C:\WINDOWS\system32\uacinit.dll
- C:\WINDOWS\system32\UAC[random].db
- C:\WINDOWS\system32\UAC[random].dat
- C:\WINDOWS\system32\uactmp.db
- C:\WINDOWS\system32\_VOID[random].dll
- C:\WINDOWS\system32\_VOID[random].dat
- C:\WINDOWS\Temp\_VOID[random].tmp
- C:\WINDOWS\Temp\UAC[random].tmp
- %Temp%\UAC[random].tmp
- %Temp%\_VOID[random].tmp
- C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll
Registry values:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID[random
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
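As an added example that is not part of the original post, the PowerShell sweep below checks a Windows installation for the file-name patterns and service keys listed above ([random] becomes a wildcard). The -WindowsRoot parameter is an assumption of this script: leave it at the default on the live machine, or point it at the Windows folder of a drive attached to a second, clean system.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Caveat: on a live infected machine the rootkit can hide these objects from the
# APIs this script uses, so an empty result is not proof of a clean system; scanning
# the drive from another system avoids that, but then the registry check is skipped
# because it reads the live machine's hive, not the attached drive's.
param(
    [string]$WindowsRoot = $env:SystemRoot   # assumed parameter; e.g. E:\WINDOWS
)

$sys32   = Join-Path $WindowsRoot 'system32'
$drivers = Join-Path $sys32 'drivers'
$temp    = Join-Path $WindowsRoot 'Temp'

# Patterns taken from the list above. RDPCDD.sys is left out on purpose: it is a
# legitimate Windows driver name that TDL3 infects in place, so the name alone means nothing.
$fileChecks = @(
    @{ Path = $drivers; Filter = 'UAC*.sys' },   @{ Path = $drivers; Filter = '_VOID*.sys' },
    @{ Path = $sys32;   Filter = 'UAC*.dll' },   @{ Path = $sys32;   Filter = '_VOID*.dll' },
    @{ Path = $sys32;   Filter = 'UAC*.db' },    @{ Path = $sys32;   Filter = 'UAC*.dat' },
    @{ Path = $sys32;   Filter = '_VOID*.dat' }, @{ Path = $sys32;   Filter = 'uacinit.dll' },
    @{ Path = $sys32;   Filter = 'uactmp.db' },  @{ Path = $temp;    Filter = 'UAC*.tmp' },
    @{ Path = $temp;    Filter = '_VOID*.tmp' }
)

# -Force includes hidden files; the foreach statement emits nothing for empty results.
$fileHits = @(
    foreach ($c in $fileChecks) {
        if (Test-Path $c.Path) {
            Get-ChildItem -Path $c.Path -Filter $c.Filter -Force -ErrorAction SilentlyContinue
        }
    }
    # _VOID[random] directories directly under the Windows folder
    Get-ChildItem -Path $WindowsRoot -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -like '_VOID*' }
)

# Service keys from the list above, only meaningful against the live system's hive.
$serviceHits = @()
if ($WindowsRoot -eq $env:SystemRoot) {
    $serviceHits = @(
        Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like 'UAC*' -or $_.PSChildName -like '_VOID*' }
    )
}

if ($fileHits.Count -eq 0 -and $serviceHits.Count -eq 0) {
    'No TDSS/Alureon file or service names found (a live rootkit may still be hiding them).'
} else {
    $fileHits    | ForEach-Object { "FILE:    $($_.FullName)" }
    $serviceHits | ForEach-Object { "SERVICE: $($_.Name)" }
}
```

Any hit should be confirmed with TDSSKiller or GMER rather than deleted by hand, since the driver files are what the rootkit loads at boot.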
20 comments:
Having altered the name of the .exe file I still can't run it; I blue screen every time I try. Should this be done in safe mode or normal mode?
Had the same problem, go to this link at Symantec
http://www.symantec.com/security_response/writeup.jsp?docid=2010-090608-3309-99
or if they block the link, go to Symantec and look up "Backdoor.Tidserv Removal Tool". It saved my bacon today.
Great help. After some search and even trying Computer Associates support (which is good for nothing, but only to try to sell you more services) your solution saved the day. Thank you.
Thanks! I downloaded the FixTDSS.exe file from Symantec, turned off Windows XP System Restore, ran the exe file and my problem is solved. In the past TDSSKiller.exe has worked for me, but I couldn't get it to run this time. Renaming the file didn't help, nor did running in safe mode.
Kudos, after trying several other things, the Symantec link got it done.
Thanks!
Yes, this version 2.4.21.0 seems to not want to run, even when renaming it with a .com or anything.
I have 32-bit and I read it might not run on 64, so that's not the problem.
I extracted the file from the .zip; no password seems to be necessary.
I tried Safe Mode too.
Why doesn't it run?
The utility supports 32-bit and 64-bit operating systems. The utility can be run in Normal Mode and Safe Mode. I think that TDSSKiller must be run as administrator. Make sure that you have administrative privileges on Windows. Good luck!
I was also able to get rid of the malware using the Symantec tool; TDSSKiller wasn't running no matter how I renamed it. Thanks
Thank you so much for that FixTDSS link! I spent countless hours running countless anti-virus and rootkit tools and none of them worked.
Thank you for the Symantec link!!
Hello,
I went to the link http://www.symantec.com/security_response/writeup.jsp?docid=2010-090608-3309-99
and ran the program, and after a search FixTDSS came back with 'Backdoor.Tidserv has not be found on your computer'. Yet all the pop-ups from Cloud Protection keep appearing and I know my laptop is still infected by Cloud Protection. I have no idea what to do or how to remove it. Please help.
Thank you, thank you, thank you!!! These instructions worked flawlessly!
TDSSKiller wouldn't run for me even when renamed. I removed the drive and attached to another system and ran TDSSKiller against it. The MBR was fixed and when I reinstalled the drive in the original system, all was OK.
Okay, potentially dumb question, but... the virus is blocking me from opening the internet at all, so how do I download TDSSKiller then? Or access any links?
No, that's not a dumb question. Usually, it doesn't block web browsers. Reboot your computer in safe mode with networking, download TDSSKiller and run it.
Hi, I have the same problem, and I followed all the steps listed above. I was able to reboot the computer, as said in the last but one step. But as said in the last step, downloading an anti-malware software (StopZilla) could not remove the file privacy.exe that is temporarily disabled. I am able to do all my operations now, but the file still exists on my laptop. Can you please help me out in removing that file????
1) Copy the taskmgr.exe (taskmgr) in this directory
C:\WINDOWS\System32\
and paste it on your desktop.
2) Rename taskmgr.exe (taskmgr) to pRivacy.exe (pRivacy).
3) Open the renamed file and go to the Processes tab,
locate privacy.exe [right click, then Open File Location] before ending the process.
Then you can delete it.
Yaaaay!!! Thanks sooooo much! Many Blessings to you!
Got to #3, right click then Open File Location. It would do nothing else. Can you help? Threat Tidserv Activity, still there.
Copy TDSSKiller.exe to a USB drive,
then rename TDSSKiller.exe on the USB drive to 12kill.exe or 123.com and run it from the USB drive.