TDSS Trojan and Bediddle Adware – Hindsight Removal Guide

Last week, my indiscreet non-techie colleague encountered his yet-another-virus-attack experience. There should be nothing big as he had an antivirus product installed. However, after casually spending his routines for some days; beverages and snacks and tons of unproductive applications running from his laptop, he felt that his laptop became much slower than usual and also exercised some strange behaviors. He later asked me to investigate the oddities and construe what was actually going on.

To my surprise, normal simple procedure in detecting and destroying virus, trojan, and other malware didn’t work at the time. Antivirus reported nothing but the strange behaviors persisted. Still being unsatisfied and puzzled, i tried to verify antivirus’ finding by conducting online scanning and here the mystery started to unravel.

To make it short, my friend’s laptop was infected with TDSS rootkit. This rootkit is a combination of trojan and adware. Reported first time by Sophos, this attack has gained its notoriety as one of the hot trojan and malware attacks in November.

If you happen to experience symptoms below, you might infer that you have been infected by TDSS rootkit:

  • Slow browser
    Your browser unusually loads slower than it should be. Even though browser is the only application you run, the speed is still slow, invalidating assumption that the slow loading is caused by insufficient memory
  • Continuous high CPU percentage for System Idle Process
    If you press Ctrl-Alt-Del and see the list of running processes, you will notice that “System Idle Process” consumes most of the CPU cycles, usually more than 90%
  • Denied access to some files and folders
    If you enable System Restore, you will notice that if you click the folder “System Volume Information” that resides in the root directory of each drive, you will get message “Access is Denied”. You can also check some other files in system32 folder and raise the same message.
  • Redirection of results from search engine and unavailability to access antivirus and security websites
    If you try to search for remedy for the infection and type words related to antivirus like “virus removal, trojan removal, TDSS, antivirus vendors, etc” you will notice that every time you click the link from the result page you will be redirected to another search engine, that is bediddle (bediddle.com) or some other page that is different from the real link.
    You are also disabled from accessing antivirus providers’ websites and circumvented from conducting online scan.
  • Antivirus doesn’t work or only seems to work
    If you try to scan using your antivirus, it will say your system is safe. This is actually not true. Try updating your virus database definition and you will see error reported by the update engine. Also, if you want to install a new renowned antivirus, you will always fail the installation.

Advertisement

After some trials and errors, I found out a solution that actually worked and removed all the infection. Credit to a thread starter in bullguard forum who recommended malwarebytes and also provided some tricky steps in the removal process. I’d like to recap the process and later add my remarks and some additional info you may need.

The removal process is as follows:

  1. Download malwarebytes from an uninfected computer.
  2. Put the installation file in a USB flash disk and rename the installation file into setup.exe. The rootkit has its dictionary of security products. This step is necessary to prevent the rootkit from detecting the installation file will be used to extinguish itself.
  3. Turn on or reboot the infected computer in normal mode
  4. Transfer the file to the infected computer and run the setup file.
    Note 1: Change the installation folder into something else like Malwar or Malware. Also give different name for the program folder in Start Menu. This is necessary to prevent the recognition from the rootkit dictionary.
    Note 2:In the last step of installation, make sure to uncheck the launch and database definition update. We will do it later
  5. Go to the folder where the program is installed and rename file mbam.exe into something else like mab.exe
  6. We will update the database definition of malwarebytes. Click the mab.exe then select “Update” tab. Wait until the app is updated with the latest database.
  7. Restart the infected computer in safe mode
    Note: you can go into safe mode by pressing F8 after the first beep or before the Windows logo appears on your monitor
  8. In safe mode, run mab.exe from the app folder and execute the full scan. You will need to wait for 2 or 3 hours or more, depending on the number of files in your drives. The scan should find file TDSSeoqh.dll which is the root source of the infection.
  9. After scan finishes, reboot your computer in normal mode.
  10. Again, run mab.exe from the app folder and execute full scan. In this step, more trojan files will be found. The removal app will ask you to restart your computer in order to remove the files. However, before you proceed, go to the app folder and rename mab.exe into its original mbam.exe.
  11. After restart, you should have been cleaned from the infection. It must be a brighter day. Congrats to yourself.

Besides malwarebyte, you might also find some of these tools useful:

  • SDFix
    I used this tool before malwarebytes. It could detect the rootkit but it was unable to fully clean the system. It gave up deleting file TDSSeoqh.dll and instead quarantining its clone in vain. However, this tool provides comprehensive log which can be very useful for you, especially the “file with hidden attributes” part.
  • Spybot S&D
    This tool is a privacy software that lets you watch unwanted program from modifying your system. Every time a program tries to modify a registry, it will prompt you asking whether to approve the action or not. This tool can be a little cumbersome and vexing for non-techie. But basically, it’s a system saver.

Besides the tools, you may also invest some time in modifying your windows explorer configuration, especially the configuration for viewing files and folders from the windows explorer. You can modify the options by clicking the “Tools” > “Folder Options” > “View” and then change some default values like unchecking the option to hide extension for known files, unchecking the option to hide system files, and choose the option to show the hidden files. This way, you will find it easier to notice a malicious program trying to hamper with your system.

30 thoughts on “TDSS Trojan and Bediddle Adware – Hindsight Removal Guide

  1. Bernie

    I too have the same problem. However my computer would not start in safe mode. All I see is safe mode printed at 4 corners. How do I fix this? Thanks

    Reply
  2. Tech Admin Post author

    Hi Bernie,
    If you couldn’t see the desktop in safe mode, it means explorer.exe was not loaded. You can try to manually run it by pressing Ctrl+Alt+Del to pop Task Manager up and from the menu bar, select File > New Task (Run…) and type explorer.exe

    If it doesn’t work, you might consider fixing your Windows installation by rebooting your PC using Windows installation CD and then choose the option to repair currently installed Windows.

    Reply
  3. Kenneth

    “If you press Ctrl-Alt-Del and see the list of running processes, you will notice that “System Idle Process” consumes most of the CPU cycles, usually more than 90%”

    This i actually the resources NOT beeing used at the moment, but otherwise a nice guide. Had to help a friend with this problem.

    Reply
  4. Mark

    I had a similar problem but I wasn’t able to boot in normal mode. I kept getting the blue screen of death with ‘STOP: 0x0000008E etc.’ message. I used Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) from safe mode and when it rebooted the machine it was able to catch the infected registry and .dll files before they were able to crash the boot sequence. I used malwarebytes afterwards and found 10 more infected files. Everything seem to be cool now.
    Hope this helps anyone who’s pulling their hair out with this one.

    Reply
  5. Tech Admin

    Hi Mark,
    Thanks for sharing your experience. About the blue screen, my only comment is Combofix author has already put the caution as consideration for someone before he decides to use the tool 🙂

    But it’s great to know your problem is now solved.

    Reply
  6. LYD

    I got infected by this and Vundo. AVG kept most of it off but wouldn’t stop it becoming re-infected. Used combofix and this got the job done very well. Recommended App for removing TDSS. Ran Malware and removed a few more and the since then nothing!!! WAHOO!!!

    Pain in the A$$!!!

    Reply
  7. Cyndi

    Thank you! Thank you! My son inadvertently downloaded this and a ton of other viruses from various websites and on Christmas day…I was trying unsuccessfully to fix it. I came across your site at work & took it home, followed your directions and Viola! Finally, all the 132 viruses gone between you and another antivirus program. Cannot thank you enough!

    Reply
  8. Tech Admin Post author

    @Lyd
    Thank you for sharing your experience

    @Cyndi
    It’s glad to know that this article helped you get rid of the problem. I project to keep writing useful info and articles on this blog. So, please stay tune 🙂

    Reply
  9. Karen

    I can’t get into safe mode. I hit F8 on the reboot, but now my screen is stuck on “Windows is starting up…”. Any suggestions?
    Thanks

    Reply
  10. Dee

    I had a similar infection. I was never able to go into safe mode while infected. Because one of the files infected was C:\WINDOWS\system32 indicating the folder and not a file. It was never able to be deleted. I also did not know that when I renamed mbam… I needed to change it back before restarting the computer. Therefore, malwarebytes never fully cleaned my computer because it could not find mbam. I had to use combofix and it combined with sdfix fixed my safe mode option.

    Another issue was the fake BSOD’s which occurred when I tried to run a search and when I booted in safe mode. After cleaning the system, deleting old restore points and creating a new restore point, installing antispyware and antivirus software, and installing a firewall on my friend’s computer; windows XP start up is extremely slow and the sound files on start up skip. I am thinking that I need to uninstall combofix and recovery console. Any ideas would be much appreciated. Thanks for the post and replies.

    Reply
  11. Mindaugas

    Dear Sir,

    Thanks a lot for help. After reading instructions in your page I was able to remove unfriendly guest “tdss” from my computer.

    Many Thanks and best wishes for the New Year!

    Mindaugas

    Reply
  12. Ken

    My infected computer would not allow me to update Malwarebytes even with the name change. I am scanning with the original files. Will I need to redo the scan when/if the computer allows me too. I am 15 min into scan so nothing to add on fix.

    Reply
  13. DP

    If you are getting the blue screen of death on every restart, use the windows CD and choose to repair the installed version of windows. This brings up a command line interface. Go to the windows/system 32 directory (Type: CD C:\WINDOWS\SYSTEM32) and delete anything that starts with TDSS (Type DEL TDSS*.*) then change to drivers directory (CD DRIVERS) and do the same. This will allow you to restart without getting the blue screen. Now install “Malwarebytes’ Anti-Malware” software and do a full scan. Delete everything it finds. System should get back to normal, but it would be eventually a good idea to backup all data, do a format and reinstall and choose a very good anti-virus and adware/malware software program. Hope this helps. DP

    Reply
  14. Luke

    Hello,
    I seem to have been infected with this TDSS virus u speak of. I have a slow browser and i constantly get redirected to beddidle or other random websites.

    i have been following your removal advice exacly as u have writen it. However, when running the initial scan in safe mode my pc bluescreens about 3mins into the scan and restarts =(

    i notice other people have used combofix to help the problem, but upon visiting the combofix website i am reluctant to use the program as i am relitivly inexperianced and i am scared about seriously damaging something

    is there anything you could suggest that might help? I would forever be in your debt =)

    Reply
  15. Luke

    NVM…i decided to try a quick scan instead of a full scan and it seems to have solved the problem =)

    thanks alot for the software recomendation =D

    Reply
  16. Pingback: Unstable system | keyongtech

  17. KTimbo

    I also have the bediddle spyware. It opens a new window into firefox to search for terms I have searched for in Google or Blackle or other search engines.

    I don’t have the original Windows 2000 disks since I bought this computer used.

    Can I still do the fix with malwarebytes?

    What do I do if the computer does not reboot after installing malwarebytes?

    Is it essential to download the fix to another computer, what happens if you download to the infected one directly?

    My son signed up for GameVance. Mistake! This is a horrible company that puts its own ads up in highlighted text–on any and every website you may be on!!–to click on when you hover the mouse over the text.

    Now Internet Explorer shuts down with an error that reads:
    “Runtime error! Program: Program files\Internet Explorer\Iexplore.exe
    This application has requested the Runtime to terminate it in an unusual way. Please contact the application’s support team for more information.”

    When I press “OK” button, IE shuts down.

    So I installed Mozilla Firefox. It works well but for the Bediddle popup problem. (I get “97%” for System Idle Resources listed under Task Manager. Is this a good figure?)

    All of this is a gross invasion of my privacy and computer resources, and I want the US govt. and all governments to work together to shut down these spam/virus/spyware companies.
    How can I report them and get action?

    Reply
  18. USMarine

    I have a question.
    After I have scanned it in safe mode and it finds the root trojan, do I delete it or do I just reboot my computer and scan again?

    Reply
  19. Scotty

    http://technet.microsoft.com/en-us/library/cc938610.aspx

    Be aware of the Idle process when monitoring processor usage. The Idle process runs a thread on each processor. This thread runs when the system is not already running the thread of an active user or system process. System Monitor and Task Manager both use the Idle process to calculate time when the processor is not busy. You can see processor time for the Idle process on the Processes tab in Task Manager (called the System Idle Process) or by tracking the Process(Idle)\% Processor Time counter in System Monitor. Notice that the Total instance for this counter includes processor time for the Idle process. To measure the Idle process, use the Process(Idle)\% Processor Time counter, or use the Processes tab in Task Manager. Zero idle time could mean that the processor is handling a lot of work, but it could also mean that the processor or central processing unit (CPU) is overloaded.

    What does the high Sytem Idle Process usage have to do with the infection?

    Reply
  20. Scott

    I am infected with the TDSS trojan. I moved the renamed MBAM.exe file from my flash drive to my desktop and selected Run as Admistrator. It says “The InstallShield Engine (iKernel.exe) could not be installed. The system cannot find the file specified.”

    I went to C/Program Files/Common Files/InstallShield/Engine/6/Intel32.

    The IKernel application is there. Any idea how to solve this issue so I can run the Setup.Exe, but nothing happens if I try to run the app?

    Thanks

    Reply
  21. Tiff

    Hi, great solutions, I haven’t met a virus/malware this tough before.

    I’ve managed to disable part of it, and remove part of it, but I can’t do any searches on yahoo without the page being re-directed, it was the same with google too, but I’ve managed to fix that one. This rotten little bugger has allowed more malicious content to find its way into my computer as well. I’m about at my wits end. I really need to extend the life of this computer at least another year, but it’s getting tired (had it since ’03, Compaq Persario) and these new viruses and malware programs are really kicking its butt.

    Reply
  22. Pingback: Platform Wedge

Leave a Reply

Your email address will not be published. Required fields are marked *