TDSS, also known as TDL3 or Alureon, is the name of a family of rootkits for the Windows operating system that downloads and executes other malware, delivers advertisements to your computer, and blocks programs from running. The rootkit infects a computer in various ways, including replacing legitimate hard disk drivers with malicious versions. Once a computer is infected, TDSS hides its files and services from Windows and from anti-malware programs while it downloads and executes further malware and delivers advertisements. This infection is detected under various names depending on the anti-virus vendor; a list of vendors and their detection names for TDSS follows.
Definition Name | Anti-virus Vendor
Packed.Win32.TDSS, Rootkit.Win32.TDSS | Kaspersky Lab
Mal/TDSSPack, Mal/TDSSPk | Sophos
Trojan:Win32/Alureon | Microsoft
Packed.Win32.Tdss | Ikarus
W32.Tidserv, Backdoor.Tidserv | Symantec
Trojan.TDSS | MalwareBytes'
Backdoor:W32/TDSS | F-Secure
BKDR_TDSS | Trend Micro
Rootkit.TDss | BitDefender
Generic Rootkit.d | McAfee
While the computer is infected, the files and services associated with TDSS are hidden, but the infection does produce symptoms that you can observe. These symptoms include:
- Google search result links are redirected to unrelated sites. When you search through Google and click on one of the search results, instead of reaching the correct page you are redirected to an advertisement. Some of the domains you are redirected to belong to legitimate companies, but those companies may have affiliates that promote their products in a dubious manner.
- The inability to run various programs. When you attempt to run certain programs, you receive no error message; they simply do not start. TDSS has a configuration setting called disallowed that contains a large list of programs that it refuses to let execute. It does this so that you cannot launch the anti-virus and anti-malware programs that could help you remove the infection.
- The inability to access various sites. For example, at the time of this writing TDSS is blocking access to BleepingComputer.com as well as other computer help and security sites.
- Web browsing is slower than normal. When starting your web browser or browsing the web, you may find that web pages load more slowly than usual.
As you can see, the TDSS rootkit is an intrusive infection that takes over your machine and is very difficult to remove. Thankfully, Kaspersky Lab has released a tool called TDSSKiller that can be used to remove most variants of TDSS from your computer. Because TDSS blocks security tools from running, a few extra steps are needed to get the program to work. These steps are described in the removal guide below.
TDSS, Alureon, or TDL3 Rootkit Removal Options
Self Help Guide
If you are uncomfortable making changes to your computer or following these steps, do not worry! Instead you can get free one-on-one help by asking in the forums.
- The first thing you need to do is download TDSSKiller from the following link and save it to your desktop.
TDSSKiller Download Link - https://www.bleepingcomputer.com/download/tdsskiller/
When you get to the above page, click on the Download EXE button to download the file. If you are unable to download the file, TDSS may be blocking the download. In that case, download it on a clean computer and transfer it to the infected one using an external drive or USB flash drive.
Once the download has completed, you should have the TDSSKiller icon on your desktop as shown below.
- Before you can run TDSSKiller, you first need to rename it so that TDSS will let it run. TDSS blocks programs by their file name, so a name that is not on its disallowed list will be allowed to start. To rename it, right-click on the TDSSKiller.exe icon that should now be on your Desktop and select Rename. Give the file a random name with the .com extension, for example 123.com or 23kjasd123.com. If a random name does not work, try renaming it to iexplore.com and attempt to run it again.
- Once the file is renamed, double-click on it to launch it. When you run the program, Windows may display a warning similar to the image shown below.
If you receive this warning, click on the Run button to allow TDSSKiller to run. If you did not receive this warning, TDSSKiller should have started and you can proceed to the next step.
- TDSSKiller will now start and display the welcome screen as shown below.
At this screen click on the Start scan button to have TDSSKiller scan your computer for the TDSS infection.
- TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found. If it was found, it will display a screen similar to the one below.
To remove the infection, leave the action for the detected TDSS object set to Cure and click on the Continue button; TDSSKiller will then attempt to clean the infection. For any listed object whose default action is Skip rather than Cure, leave it as Skip and press Continue. Do not change the action to Delete or Quarantine, as that may remove an infected file, such as a patched hard disk driver, that Windows needs in order to boot and operate properly.
- When it has finished cleaning the infection you will see a report stating whether or not it was successful, as shown below.
As you can see from the above screen, TDSSKiller was able to clean the TDSS infection but requires a reboot to finish the cleaning process. Click on the Reboot now button to reboot your computer and finish the removal of the TDSS infection.
- Once the computer has rebooted, scan it with MalwareBytes' Anti-Malware to remove any traces that may still be present. A tutorial on how to use MalwareBytes' can be found here:
MalwareBytes' Anti-Malware Tutorial
- If TDSSKiller detected the TDSS infection but was unable to cure it, follow the steps here to request assistance from one of our malware removal experts:
Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help
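The rename-and-launch steps above can be scripted. The following PowerShell script is an added example written for this page; it is not BleepingComputer's or Kaspersky Lab's own tooling. It assumes TDSSKiller.exe has already been saved to the current user's Desktop and that PowerShell is run from an elevated prompt (TDSSKiller needs administrator rights to load its driver). Before running anything on a machine assumed to be compromised, it checks that the file carries a valid Authenticode signature; the expected signer name ("Kaspersky") and the 10-second start-up timeout are assumptions, not values from the guide. It then copies the file to a random .com name and launches it, falling back to iexplore.com if the first copy does not stay running, which is the silent-block symptom the guide describes.

```powershell
# Added example: automates the download check, rename and launch steps of the guide.
# Assumes TDSSKiller.exe is on the Desktop and this runs from an elevated prompt.

$desktop  = [Environment]::GetFolderPath('Desktop')
$original = Join-Path $desktop 'TDSSKiller.exe'

if (-not (Test-Path $original)) {
    throw "TDSSKiller.exe not found on the Desktop. If the download is being blocked, fetch it on a clean computer and copy it over on a USB drive."
}

# A rootkit that can block downloads could also tamper with them, so check the
# Authenticode signature first. The 'Kaspersky' subject match is an assumption.
$sig = Get-AuthenticodeSignature -FilePath $original
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Kaspersky') {
    throw "Signature check failed (status: $($sig.Status)). Re-download the file on a clean computer."
}
# Print the hash so it can be compared against the vendor's published value.
Write-Host ("SHA256: " + (Get-FileHash -Path $original -Algorithm SHA256).Hash)

# Copy the tool under a new name, start it, and report whether it stayed running.
# TDSS's 'disallowed' list blocks known tool names; a process that never appears
# or exits immediately is the symptom the guide describes.
function Start-RenamedCopy {
    param(
        [string]$Source,
        [string]$NewName,
        [int]$WaitSeconds = 10   # assumed start-up timeout
    )
    $target = Join-Path (Split-Path $Source) $NewName
    Copy-Item -Path $Source -Destination $target -Force
    try {
        $proc = Start-Process -FilePath $target -PassThru
    } catch {
        Write-Warning "$NewName could not be started: $($_.Exception.Message)"
        return $false
    }
    Start-Sleep -Seconds $WaitSeconds
    if ($null -eq $proc -or $proc.HasExited) {
        Write-Warning "$NewName did not stay running; TDSS may have blocked it."
        return $false
    }
    Write-Host "$NewName is running as PID $($proc.Id). Continue with the on-screen scan steps."
    return $true
}

# First attempt: a random name with a .com extension, as the guide recommends.
$randomName = [guid]::NewGuid().ToString('N').Substring(0, 8) + '.com'
if (-not (Start-RenamedCopy -Source $original -NewName $randomName)) {
    # Fallback from the guide: a name the rootkit is unlikely to block.
    Start-RenamedCopy -Source $original -NewName 'iexplore.com' | Out-Null
}
```

The scan, Cure and reboot steps are interactive in TDSSKiller's own window, so the script stops once the renamed copy is confirmed running. If both names fail to start, that is itself evidence the rootkit is active, and the Preparation Guide route above is the next step.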