Rootkit.TDSS Description

Type: Trojan

The TDSS Rootkit has become extremely widespread since TDSS Rootkit's beginnings in 2008. PC security analysts indicate that this rootkit presents exceptional difficulties for TDSS Rootkit's study and treatment because of TDSS Rootkit's very nature. The TDSS Rootkit infects drivers, meaning that TDSS Rootkit is loaded before the operating system itself. This implies an infection that is very deep and very challenging to remove. Usually, specialized tools are needed to detect and remove the TDSS Rootkit from an infected computer system.

The History of the TDSS Rootkit

The first versions of the TDSS Rootkit are known as TDL-1 or Rootkit.Win32.Clbd.a, because of TDSS Rootkit's ability to infect the driver clbdriver-sys and the clbdll.dll DLL file. Some parts of the original TDSS Rootkit remain in today's newest versions of this extremely dangerous infection. TDL-1 has the capability of hiding itself and other files, executing high-level functions, and injecting malicious code. The TDSS Rootkit also protects itself by displaying an error message reading "STATUS_TOO_MANY_SECRETS" when trying to open the directories needed to remove this rootkit.

The next version of the TDSS Rootkit, TDL-2 made its appearance in spring of 2009. Its main feature is that the rootkit was encrypted to make it much harder for security researchers to analyze TDSS Rootkit. The hackers behind the TDSS Rootkit also included random segments from Shakespeare's Hamlet to confuse researchers further.

In the autumn of 2009, the next generation of the TDSS Rootkit started appearing. Security researchers indicate that the TDL-3 generation of the TDSS Rootkit is particularly malignant and especially hard to remove. The main trouble with TDL-3 is the fact the hackers behind it update TDSS Rootkit constantly. There is a constant arms race between the PC security experts and the hackers; with each advancement in anti-rootkit technology, the hackers release a new update to undo it.

The TDSS Rootkit and Online Scams

Hackers use the TDSS Rootkit to make money through affiliate marketing. While affiliate marketing can be a completely legal activity, the hackers' version of affiliate marketing involves attracting visitors and unwary victims to infected websites associated with various kinds of malware. The TDSS Rootkit is also strongly related to large botnets, typically with a number close to twenty thousand infected computers, which are sold or rented out to criminal organizations. The creators of the TDSS Rootkit are thought to be from the Russian Federation. The TDSS Rootkit botnets have been used for a wide range of criminal activities, from DDoS attacks to sending massive amounts of spam emails.


15 security vendors flagged this file as malicious.

Anti-Virus Software Detection
Panda Generic Trojan
AVG Generic16.BRWH
Symantec Hacktool.Rootkit
Sophos Mal/Generic-A
AntiVir TR/Agent.42496.27
BitDefender Trojan.Generic.3238155
Avast Win32:Jifas-DT
NOD32 a variant of Win32/Olmarik.SR
CAT-QuickHeal Trojan.Agent.ATV
McAfee+Artemis DNSChanger!dd
eTrust-Vet Win32/ASuspect.HGOJO
AntiVir TR/Crypt.XPACK.Gen3
NOD32 Win32/Olmarik.XH
Avast Win32:Rootkit-gen

Technical Information

Screenshots & Other Imagery

SpyHunter Detects & Remove Rootkit.TDSS

File System Details

Rootkit.TDSS creates the following file(s):
# File Name MD5 Detection Count
1 PRAGMAd.sys 4fc1255817092de5c285440cf477035e 98
2 memchek.sys 1ca0d8ee82db8012de42b16f2ef69674 14
3 usbxbox.sys b3da42dfcd9851c24c9b09b8c188266d 13
4 diskchk.sys e94d859753bb68f113b88e8b78607776 11
5 tcppid.sys c72311b8d604a3e3e9b36df733f30843 7
6 isaxbox.sys 5a7eef7dcdae6912afe7f50983d5520f 5
7 _VOIDhrotxiltat.sys 89b56f6143f7c1ad44cd10f46700b9da 1
More files

Site Disclaimer is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.