Rootkit.TDSS Description

Rootkit.TDSS was first detected in 2008. According to ESG security researchers, Rootkit.TDSS is infamous for its ability to stay hidden within an infected computer system for years without being detected, which makes it particularly difficult to remove. The name comes from early versions of the rootkit, which contained the string TDSS in many of their components; this has since been changed in order to make the rootkit more difficult to remove. Rootkit.TDSS seldom attacks alone and is often associated with other malware such as Backdoor.Tidserv, and especially with DNS changers. Early versions of Rootkit.TDSS consist of three main parts: the rootkit, the dropper, and a .DLL file. Working together, these three components form an extremely dangerous trio with the ability to hide very effectively. As Rootkit.TDSS evolved, it started to be delivered in standalone executable files, although the same kinds of components are executed.


Once the Rootkit.TDSS executable is run, it drops a .TMP file in the Temp folder, which then installs the other malicious components that make up this dangerous rootkit infection. First, it registers as a Windows service by copying and corrupting a legitimate Windows .DLL file. Rootkit.TDSS then uses a security vulnerability in Windows that allows this .DLL file to be treated by the operating system as a legitimate Windows service. Once this happens, the infection can create the essential rootkit component within the system drivers. This rootkit component serves to hide all other malicious files and processes associated with Rootkit.TDSS or with other malware that is bundled along with it. Rootkit.TDSS also has the capacity to start, stop, and hide other files and processes, which allows it to stop legitimate anti-virus applications.


Once everything is in place, Rootkit.TDSS can download other files in order to configure itself or to install other malware on the infected computer system. Rootkit.TDSS can display pop-up windows, severely disrupt the system, steal confidential information, relay it to a remote server, and perform other dangerous operations associated with the worst malware threats. Some of the most recent variants of Rootkit.TDSS contain several layers of encryption which can make removal of this malware threat extremely difficult. ESG security researchers have found that it is essential to remove the rootkit component of this three-part infection first in order to gain access to all the malware that may be hiding under the hood.
Aliases: DNSChanger!dd [McAfee+Artemis], Generic Trojan [Panda], Trojan.Agent.ATV [CAT-QuickHeal], Trojan/ [TheHacker], Trojan.Alureon.MIZ [VirusBuster], a variant of Win32/Olmarik.SR [NOD32], Win32:Jifas-DT [Avast], Trojan.Generic.3238155 [BitDefender], TR/Agent.42496.27 [AntiVir], BKDR_TIDIES.SMA [TrendMicro], Mal/Generic-A [Sophos], Hacktool.Rootkit [Symantec], Generic16.BRWH [AVG], TR/Crypt.XPACK.Gen3 [AntiVir] and Win32/ASuspect.HGOJO [eTrust-Vet].


Security Doesn't Let You Download SpyHunter or Access the Internet?

Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow these steps to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari instead.
  • Use removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you cannot access your Windows desktop, reboot your computer in 'Safe Mode with Networking' and install SpyHunter in Safe Mode.
  • IE Users: Disable the proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.

Still can't install SpyHunter? View other possible causes of installation issues.

Technical Information


File System Details

Rootkit.TDSS creates the following file(s):

#  File Name                                       Size    MD5                               Detection Count
1  %WINDIR%\PRAGMAixjipouowq\PRAGMAd.sys           44,544  4a2dccdd2a14acce0dc2bcfc01b01b15  46
2  %WINDIR%\System32\drivers\_VOIDhrotxiltat.sys   42,496  89b56f6143f7c1ad44cd10f46700b9da  31
3  %WINDIR%\system32\diskchk.sys                   2,432   e94d859753bb68f113b88e8b78607776  11
4  %WINDIR%\system32\tcppid.sys                    2,304   c72311b8d604a3e3e9b36df733f30843  7
5  %WINDIR%\system32\isaxbox.sys                   2,304   5a7eef7dcdae6912afe7f50983d5520f  5
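
Because the rootkit component hides these files from the running system, a sweep for them is more reliable against an offline copy of the disk. The following is an added example, not code from this page or from ESG: it checks an offline-mounted Windows directory against the table above. The function names and the read-only mount are assumptions, and the Size column is assumed to be in bytes.

```python
import hashlib
from pathlib import Path, PureWindowsPath

# (path relative to %WINDIR%, size, MD5) copied from the file table above.
# Assumption: the Size column is in bytes.
IOCS = [
    (r"PRAGMAixjipouowq\PRAGMAd.sys", 44544, "4a2dccdd2a14acce0dc2bcfc01b01b15"),
    (r"System32\drivers\_VOIDhrotxiltat.sys", 42496, "89b56f6143f7c1ad44cd10f46700b9da"),
    (r"system32\diskchk.sys", 2432, "e94d859753bb68f113b88e8b78607776"),
    (r"system32\tcppid.sys", 2304, "c72311b8d604a3e3e9b36df733f30843"),
    (r"system32\isaxbox.sys", 2304, "5a7eef7dcdae6912afe7f50983d5520f"),
]

def md5_of(path):
    """Hash a file in 1 MiB chunks so large files are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep(windir, iocs=IOCS):
    """Return sorted (relative_path, reason) findings under an offline-mounted %WINDIR%."""
    windir = Path(windir)
    # Windows paths are case-insensitive; the analysis host's filesystem may not be.
    by_path = {PureWindowsPath(p).as_posix().lower() for p, _, _ in iocs}
    sizes = {size for _, size, _ in iocs}
    hashes = {md5 for _, _, md5 in iocs}
    findings = []
    for f in windir.rglob("*"):
        if not f.is_file():
            continue
        rel = f.relative_to(windir).as_posix()
        known_path = rel.lower() in by_path
        # Hash only files at a listed path or with a listed size (cheap prefilter).
        if not known_path and f.stat().st_size not in sizes:
            continue
        if md5_of(f) in hashes:
            findings.append((rel, "md5 match"))      # catches renamed copies too
        elif known_path:
            findings.append((rel, "listed path, different md5"))  # possible variant
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for rel, reason in sweep(sys.argv[1]):
        print(f"{reason}: {rel}")
```

A "listed path, different md5" result is a lead for manual review, not a confirmed detection, since a different build of the same component would no longer match its listed hash.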
