Last week, my indiscreet non-techie colleague had yet another virus-attack experience. It should have been nothing serious, since he had an antivirus product installed. However, after a few days of his usual routine (beverages, snacks and tons of unproductive applications running on his laptop), he felt that the laptop had become much slower than usual and was behaving strangely. He asked me to investigate the oddities and work out what was actually going on.
To my surprise, the normal, simple procedure for detecting and destroying viruses, trojans and other malware didn’t work this time. The antivirus reported nothing, but the strange behaviour persisted. Still unsatisfied and puzzled, I tried to verify the antivirus’ findings by running an online scan, and here the mystery started to unravel.
To make it short, my friend’s laptop was infected with the TDSS rootkit. This rootkit is a combination of trojan and adware. First reported by Sophos, this attack gained notoriety as one of the hot trojan and malware attacks in November.
If you experience the symptoms below, you may infer that you have been infected by the TDSS rootkit:
- Slow browser
Your browser loads pages unusually slowly. Even when the browser is the only application you run, it is still slow, which invalidates the assumption that the slow loading is caused by insufficient memory.
- Continuously high CPU percentage for System Idle Process
If you press Ctrl-Alt-Del and look at the list of running processes, you will notice that “System Idle Process” consumes most of the CPU cycles, usually more than 90%.
- Denied access to some files and folders
If System Restore is enabled, clicking the “System Volume Information” folder in the root directory of each drive gives the message “Access is Denied”. Some other files in the system32 folder raise the same message.
- Redirection of search engine results and inability to access antivirus and security websites
If you try to search for a remedy for the infection and type words related to antivirus, such as “virus removal”, “trojan removal”, “TDSS”, antivirus vendor names, etc., you will notice that every time you click a link on the results page you are redirected to another search engine, namely bediddle (bediddle.com), or to some other page different from the real link.
You are also prevented from accessing antivirus providers’ websites and from running online scans.
- Antivirus doesn’t work or only seems to work
If you scan with your antivirus, it will say your system is safe. This is not true. Try updating your virus definition database and you will see an error reported by the update engine. Also, if you try to install a new, reputable antivirus, the installation will always fail.
After some trial and error, I found a solution that actually worked and removed the whole infection. Credit goes to a thread starter on the BullGuard forum who recommended Malwarebytes and also provided some tricky steps in the removal process. I’d like to recap the process and then add my remarks and some additional information you may need.
The removal process is as follows:
- Download Malwarebytes on an uninfected computer.
- Put the installation file on a USB flash disk and rename it to setup.exe. The rootkit has a dictionary of security product names; this step prevents the rootkit from recognising that the installation file will be used to remove it.
- Turn on or reboot the infected computer in normal mode.
- Transfer the file to the infected computer and run the setup file.
Note 1: Change the installation folder to something else, like Malwar or Malware. Also give the program folder in the Start Menu a different name. This is necessary to prevent recognition by the rootkit’s dictionary.
Note 2: In the last step of the installation, make sure to uncheck both the launch option and the definition database update. We will do that later.
- Go to the folder where the program is installed and rename the file mbam.exe to something else, like mab.exe.
- Now update the Malwarebytes definition database: run mab.exe and select the “Update” tab. Wait until the app has the latest database.
- Restart the infected computer in safe mode.
Note: you can enter safe mode by pressing F8 after the first beep, or before the Windows logo appears on your monitor.
- In safe mode, run mab.exe from the app folder and execute a full scan. You will need to wait 2 or 3 hours or more, depending on the number of files on your drives. The scan should find the file TDSSeoqh.dll, which is the root source of the infection.
- After the scan finishes, reboot your computer in normal mode.
- Again, run mab.exe from the app folder and execute a full scan. In this step, more trojan files will be found. The removal app will ask you to restart your computer in order to remove the files. However, before you proceed, go to the app folder and rename mab.exe back to its original name, mbam.exe.
- After the restart, your computer should be clean of the infection. It must be a brighter day. Congratulations.
Besides Malwarebytes, you might also find some of these tools useful:
I used this tool before Malwarebytes. It could detect the rootkit but was unable to fully clean the system: it gave up deleting the file TDSSeoqh.dll and instead quarantined a clone of it, in vain. However, this tool provides a comprehensive log which can be very useful, especially the “files with hidden attributes” part.
- Spybot S&D
This tool is privacy software that lets you stop unwanted programs from modifying your system. Every time a program tries to modify the registry, it prompts you to approve or reject the action. This tool can be a little cumbersome and vexing for non-techies, but basically it is a system saver.
Besides these tools, you may also invest some time in modifying your Windows Explorer configuration, especially the options for viewing files and folders. Open “Tools” > “Folder Options” > “View” and change some of the defaults: uncheck the option to hide extensions for known file types, uncheck the option to hide system files, and choose the option to show hidden files. This way you will find it easier to notice a malicious program tampering with your system.
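As an added example (my own script, not code from the post, from Malwarebytes or from any of the tools named above), here is a small Python triage helper that checks two of the symptoms above from the defender's side: TDSS* files in system32 and system32\drivers, together with their hidden/system attributes (the part of the log the post found useful), and whether “System Volume Information” on each drive answers with access denied. The Windows root path and drive list are assumed arguments, and the sample tree it builds is constructed for offline runs.

```python
import os
import tempfile
from pathlib import Path

# File-name prefix the post reports for the dropped component (TDSSeoqh.dll);
# matched case-insensitively in system32 and system32\drivers.
SUSPECT_PREFIX = "tdss"
HIDDEN_BITS = 0x2 | 0x4  # FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


def is_hidden(path):
    """True if the file carries the HIDDEN or SYSTEM attribute.
    st_file_attributes exists only on Windows; elsewhere this reports False."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & HIDDEN_BITS)


def find_suspect_files(windows_root):
    """Sorted (path, hidden) pairs for TDSS* files in system32 and system32\\drivers."""
    root = Path(windows_root)
    hits = []
    for sub in ("system32", os.path.join("system32", "drivers")):
        folder = root / sub
        if not folder.is_dir():
            continue
        for entry in folder.iterdir():
            if entry.is_file() and entry.name.lower().startswith(SUSPECT_PREFIX):
                hits.append((str(entry), is_hidden(entry)))
    return sorted(hits)


def check_access(folder):
    """'ok', 'denied' or 'missing' for a directory listing; the post's symptom is
    'denied' on System Volume Information at the root of each drive."""
    try:
        os.listdir(folder)
    except PermissionError:
        return "denied"
    except FileNotFoundError:
        return "missing"
    return "ok"


def triage(windows_root, drive_roots):
    """Run both checks. A clean result is not proof of a clean machine: a kernel
    rootkit can hide entries from user-mode listings, which is why the post runs
    the scanner from safe mode instead of trusting the normal-mode view."""
    svi = "System Volume Information"
    return {
        "suspect_files": find_suspect_files(windows_root),
        "restore_folders": {d: check_access(os.path.join(d, svi)) for d in drive_roots},
    }


def make_constructed_sample():
    """Throwaway tree (constructed, not from a real host) mimicking the layout the
    post describes, so the checks can be exercised offline; TDSSxyz.sys is made up."""
    tmp = tempfile.mkdtemp()
    os.makedirs(os.path.join(tmp, "system32", "drivers"))
    for rel in (("system32", "TDSSeoqh.dll"), ("system32", "kernel32.dll"),
                ("system32", "drivers", "TDSSxyz.sys")):
        open(os.path.join(tmp, *rel), "w").close()
    return tmp
```

On the suspect machine, call triage(r"C:\Windows", ["C:\\"]) and compare the listing with what the scanner later finds.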
I too have the same problem. However, my computer would not start in safe mode. All I see is “Safe Mode” printed at the 4 corners. How do I fix this? Thanks
If you can’t see the desktop in safe mode, it means explorer.exe was not loaded. You can try to run it manually by pressing Ctrl+Alt+Del to bring up Task Manager, then from the menu bar select File > New Task (Run…) and type explorer.exe
If that doesn’t work, you might consider repairing your Windows installation by rebooting your PC from the Windows installation CD and choosing the option to repair the currently installed Windows.
“If you press Ctrl-Alt-Del and see the list of running processes, you will notice that “System Idle Process” consumes most of the CPU cycles, usually more than 90%”
This is actually the resources NOT being used at the moment, but otherwise a nice guide. Had to help a friend with this problem.
I had a similar problem but I wasn’t able to boot in normal mode. I kept getting the blue screen of death with the ‘STOP: 0x0000008E etc.’ message. I used Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) from safe mode and when it rebooted the machine it was able to catch the infected registry and .dll files before they were able to crash the boot sequence. I used malwarebytes afterwards and found 10 more infected files. Everything seems to be cool now.
Hope this helps anyone who’s pulling their hair out with this one.
Thanks for sharing your experience. About the blue screen, my only comment is that the Combofix author has already put up a caution for anyone to consider before deciding to use the tool 🙂
But it’s great to know your problem is now solved.
I got infected by this and Vundo. AVG kept most of it off but wouldn’t stop it becoming re-infected. Used combofix and this got the job done very well. Recommended app for removing TDSS. Ran Malware and removed a few more and since then nothing!!! WAHOO!!!
Pain in the A$$!!!
Thank you! Thank you! My son inadvertently downloaded this and a ton of other viruses from various websites, and on Christmas day… I was trying unsuccessfully to fix it. I came across your site at work & took it home, followed your directions and voila! Finally, all 132 viruses gone between you and another antivirus program. Cannot thank you enough!
Thank you for sharing your experience
It’s good to know that this article helped you get rid of the problem. I plan to keep writing useful info and articles on this blog. So, please stay tuned 🙂
I can’t get into safe mode. I hit F8 on the reboot, but now my screen is stuck on “Windows is starting up…”. Any suggestions?
I had a similar infection. I was never able to go into safe mode while infected, because one of the files listed as infected was C:\WINDOWS\system32, indicating the folder and not a file. It was never able to be deleted. I also did not know that when I renamed mbam… I needed to change it back before restarting the computer. Therefore, malwarebytes never fully cleaned my computer because it could not find mbam. I had to use combofix, and it combined with sdfix fixed my safe mode option.
Another issue was the fake BSODs which occurred when I tried to run a search and when I booted in safe mode. After cleaning the system, deleting old restore points and creating a new restore point, installing antispyware and antivirus software, and installing a firewall on my friend’s computer, Windows XP start-up is extremely slow and the sound files on start-up skip. I am thinking that I need to uninstall combofix and the recovery console. Any ideas would be much appreciated. Thanks for the post and replies.
Thanks a lot for help. After reading instructions in your page I was able to remove unfriendly guest “tdss” from my computer.
Many Thanks and best wishes for the New Year!
My infected computer would not allow me to update Malwarebytes even with the name change. I am scanning with the original files. Will I need to redo the scan when/if the computer allows me to? I am 15 min into the scan so nothing to add on the fix.
If you are getting the blue screen of death on every restart, use the Windows CD and choose to repair the installed version of Windows. This brings up a command line interface. Go to the windows/system32 directory (Type: CD C:\WINDOWS\SYSTEM32) and delete anything that starts with TDSS (Type DEL TDSS*.*), then change to the drivers directory (CD DRIVERS) and do the same. This will allow you to restart without getting the blue screen. Now install the “Malwarebytes’ Anti-Malware” software and do a full scan. Delete everything it finds. The system should get back to normal, but eventually it would be a good idea to back up all data, do a format and reinstall, and choose a very good anti-virus and adware/malware software program. Hope this helps. DP
Thanks for describing in such detail the way to remove the redirection to http://www.bediddle.com. I’m sure you saved me countless hours and much frustration. I think I picked up this bad boy from gamevance.
I seem to have been infected with this TDSS virus you speak of. I have a slow browser and I constantly get redirected to bediddle or other random websites.
I have been following your removal advice exactly as you have written it. However, when running the initial scan in safe mode my PC bluescreens about 3 mins into the scan and restarts =(
I notice other people have used combofix to help with the problem, but upon visiting the combofix website I am reluctant to use the program as I am relatively inexperienced and I am scared about seriously damaging something.
Is there anything you could suggest that might help? I would forever be in your debt =)
NVM… I decided to try a quick scan instead of a full scan and it seems to have solved the problem =)
Thanks a lot for the software recommendation =D
I also have the bediddle spyware. It opens a new window into firefox to search for terms I have searched for in Google or Blackle or other search engines.
I don’t have the original Windows 2000 disks since I bought this computer used.
Can I still do the fix with malwarebytes?
What do I do if the computer does not reboot after installing malwarebytes?
Is it essential to download the fix to another computer, what happens if you download to the infected one directly?
My son signed up for GameVance. Mistake! This is a horrible company that puts its own ads up in highlighted text–on any and every website you may be on!!–to click on when you hover the mouse over the text.
Now Internet Explorer shuts down with an error that reads:
“Runtime error! Program: Program files\Internet Explorer\Iexplore.exe
This application has requested the Runtime to terminate it in an unusual way. Please contact the application’s support team for more information.”
When I press “OK” button, IE shuts down.
So I installed Mozilla Firefox. It works well but for the Bediddle popup problem. (I get “97%” for System Idle Resources listed under Task Manager. Is this a good figure?)
All of this is a gross invasion of my privacy and computer resources, and I want the US govt. and all governments to work together to shut down these spam/virus/spyware companies.
How can I report them and get action?
you are a champ, thanks
Thank you sooooooooo much! Your advice is the ONLY one that worked! You’re the BEST!!!
I have a question.
After I have scanned it in safe mode and it finds the root trojan, do I delete it or do I just reboot my computer and scan again?
Be aware of the Idle process when monitoring processor usage. The Idle process runs a thread on each processor. This thread runs when the system is not already running the thread of an active user or system process. System Monitor and Task Manager both use the Idle process to calculate time when the processor is not busy. You can see processor time for the Idle process on the Processes tab in Task Manager (called the System Idle Process) or by tracking the Process(Idle)\% Processor Time counter in System Monitor. Notice that the Total instance for this counter includes processor time for the Idle process. To measure the Idle process, use the Process(Idle)\% Processor Time counter, or use the Processes tab in Task Manager. Zero idle time could mean that the processor is handling a lot of work, but it could also mean that the processor or central processing unit (CPU) is overloaded.
What does the high System Idle Process usage have to do with the infection?
Just wanted you to know that this has also infected Firefox. Will try this tomorrow and let you know what happens.
Don’t know when it was released, but a tool has been released which worked for me on a friend’s computer.
Download TDSSKiller, http://support.kaspersky.com/viruses/solutions?qid=208280684, and unzip the file to the desktop.
Install MBAM as outlined above, changing the installer file name and the exe file in the programs folder.
Run MBAM, update, full scan; when it’s done, run TDSSKiller.
I am infected with the TDSS trojan. I moved the renamed MBAM.exe file from my flash drive to my desktop and selected Run as Administrator. It says “The InstallShield Engine (iKernel.exe) could not be installed. The system cannot find the file specified.”
I went to C/Program Files/Common Files/InstallShield/Engine/6/Intel32.
The IKernel application is there. Any idea how to solve this issue so I can run the Setup.Exe, but nothing happens if I try to run the app?
I HATE THIS FUCKING TROJAN
IT REDIRECTED ME TO PORN SITES AND ALL THESE SHIT ICFKAISER SITES!
Hi, great solutions, I haven’t met a virus/malware this tough before.
I’ve managed to disable part of it, and remove part of it, but I can’t do any searches on yahoo without the page being re-directed, it was the same with google too, but I’ve managed to fix that one. This rotten little bugger has allowed more malicious content to find its way into my computer as well. I’m about at my wits end. I really need to extend the life of this computer at least another year, but it’s getting tired (had it since ’03, Compaq Persario) and these new viruses and malware programs are really kicking its butt.
I like your blog,and also like the article,and thank you for provide me so much information :))
I hate slow browsers