Removing TDSS virus

Intel / D845glva
February 16, 2009 at 19:30:09
Specs: Microsoft Windows XP Professional, 2.599 GHz / 1021 MB
Close to a month ago, I downloaded a torrent and opened the contents. I'm pretty sure now that Symantec AntiVirus popped up with a message warning me, but I didn't really absorb it and chose not to heed whatever it was saying, closing it. Shortly afterwards I noticed that my google results were redirecting to suspicious locations, so I scanned the computer with Symantec, and sure enough, it came up with tdss files.

I performed full scans a couple of times, each time having the antivirus clean, delete or move what it could; after the second or third time the google results stopped redirecting and my computer seemed to operate fine. But I distinctly remember that for a couple of files, it asked to reboot and still could not perform any requested actions. I meant to post on these forums then, but I kept procrastinating until now. Meanwhile, Symantec has stopped asking for reboots but does prompt me to download some updates and check if quarantined items can be cleaned or deleted now. So far no luck with that. And, I just checked: Symantec's AntiVirus SFV tells me the 52 files it recorded in the history are missing now (log is below).

My question is, have I done enough to remove any threat, or should I be doing more? I looked at some previous cases on these forums and it seemed like getting rid of the virus was a long, involved and individualized process, so I wanted to confirm.

Symantec AntiVirus SFV log:
QuickSFV v2.36
Risk
Downloader
Backdoor.Tidserv!inf
Backdoor.Tidserv!inf
Backdoor.Tidserv!inf
Backdoor.Tidserv
Backdoor.Tidserv!inf
Downloader
Bloodhound.Exploit.213
Trojan Horse
Backdoor.Tidserv
Backdoor.Tidserv!inf
Backdoor.Tidserv!inf
Backdoor.Tidserv
Backdoor.Tidserv!inf
Backdoor.Tidserv
Backdoor.Tidserv!inf
Backdoor.Tidserv
Backdoor.Tidserv!inf
Backdoor.Tidserv!inf
Backdoor.Tidserv!inf
Backdoor.Tidserv!inf
Backdoor.Tidserv!inf
Backdoor.Tidserv!inf
Downloader
Backdoor.Tidserv!inf
Downloader
Backdoor.Tidserv!inf
Backdoor.Tidserv!inf
Backdoor.Tidserv!inf
Backdoor.Tidserv!inf
Packed.Generic.200
Packed.Generic.200
Backdoor.Tidserv!inf
Backdoor.Tidserv!inf
Backdoor.Tidserv!inf
Backdoor.Tidserv!inf
Trojan Horse
Backdoor.Tidserv!inf
Backdoor.Tidserv!inf
Trojan Horse
Trojan Horse
Backdoor.Tidserv
Backdoor.Tidserv!inf
Backdoor.Tidserv!inf
Packed.Generic.200
Trojan Horse
Trojan Horse
Backdoor.Tidserv!inf
Backdoor.Tidserv
Backdoor.Tidserv!inf
Backdoor.Tidserv!inf
52 files checked
There were 52 missing files


See More: Removing TDSS virus

Report •


#1
February 16, 2009 at 19:36:35
I think you are still infected.

Depending opun the variant of the google redirect malware this may temporaryily help with the redirects:

Click on Start, click Run, and then type devmgmt.msc and click OK
On the View menu click on Show hidden devices
Browse to Non-Plug and Play Drivers and click the + sign to the left, you should see something like TDSSserv.sys in that list.
Highlight that driver and right click on it and select DISABLE - NOT uninstall.
Now RESTART your computer.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that once the "enter name of file to save to" box appears as the download begins in the filename box rename mbam-setup.exe to tool.exe> click save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.


If Malwarebytes installed but will not run navigate to this folder:

C:\Programs Files\Malwarebytes' AntiMalware

Rename all the .exe files in the MAlwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that once the "enter name of file to save to" box appears as the download begins in the filename box rename HJTInstall.exe to tools.exe> click save.
1. Save " tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.


Report •

#2
February 16, 2009 at 20:02:25
TDSS is a trojan that is also known as TDSS SERV or Trojan.Backdoor.Tid Serv. ok heres a manual removal guide for removing the TDSS
http://darfuns.com/remove-trojan-td...

Report •

#3
February 17, 2009 at 20:41:39
I tried following the steps to deal with the redirect (even though it stopped a long time ago after I used Symantec), but couldn't find TDSSserv.sys or anything similar.

I downloaded Malware but couldn't find the way to rename it before, so I just renamed the setup file after it finished downloading. I also renamed the folder to tool.. not sure if that accomplished anything.

In any case I did the quick scan and it detected a couple of misnomers. Since it asked for a reboot I decided to delay posting the log which popped up. However, during the reboot process I got a black screen that said something like, "Invalid system disk. Please correct and press any button to continue". I do have a slave drive, if that's relevant; I can get it switched with the primary drive for me if it's needed. Meanwhile I can't access the computer as I keep on getting that message even if I restart (I'm using another computer to post this). What should I do?


Report •

Related Solutions

#4
February 18, 2009 at 14:30:00
Switch it with the primary drive and see if it will boot.

Report •

#5
February 22, 2009 at 09:44:07
Hello, I belive I have a similar problem with my computer. My Norton Antivirus discovered this naughty little virus called "packed.generic.200", and shortly after I got some trojans and crap aswell. Now I keep getting redirected on the internet, aswell as having all internet advertisement replaced with adds for viagra pills.

I would appriciate any help I can get.


Report •

#6
February 22, 2009 at 10:08:34
Qwazin, please start a thread of your own and we will try to help. Just state the problem as you did here, do not post any logs yet please.

Report •


Ask Question