Backdoor.TDSS
Posted: December 2, 2008
Threat Metric
The following fields listed on the Threat Meter containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
Ranking: | 16,643 |
---|---|
Threat Level: | 8/10 |
Infected PCs: | 211 |
First Seen: | July 24, 2009 |
---|---|
Last Seen: | July 20, 2023 |
OS(es) Affected: | Windows |
Backdoor.TDSS is a malicious parasite that is commonly downloaded and installed onto your computer through security holes. Once inside your machine, Backdoor.TDSS will embed itself into the registry in order to open up an unsecured backdoor in your system. This backdoor can be exploited by a hacker to give clear, unfettered access to your PC and any data stored on it. This threat runs in stealth mode, therefore remaining undetected by the user while performing its malicious acts. This threat is commonly associated with rogue antispyware products, such as Antivirus 2009. Backdoor.TDSS is considered a high-level threat and should be removed from your system immediately.
Aliases
More aliases (384)
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:settdebugx.exe
File name: settdebugx.exeSize: 712.7 KB (712704 bytes)
MD5: f80b61f32694dea690315e3b8a4e1388
Detection count: 94
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 21, 2010
twunk_32x.exe
File name: twunk_32x.exeSize: 712.7 KB (712704 bytes)
MD5: 4cef8d106ee726d4fdb7774940b792f3
Detection count: 91
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 21, 2010
cliconfg64.exe
File name: cliconfg64.exeSize: 712.7 KB (712704 bytes)
MD5: e426729030aebc15a65994819dce721f
Detection count: 86
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 21, 2010
winhbt.exe
File name: winhbt.exeSize: 38.4 KB (38400 bytes)
MD5: 528e550562c2acc02885c29dca6e092c
Detection count: 85
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 21, 2010
%LOCALAPPDATA%\wpscrict.dll
File name: wpscrict.dllSize: 74.24 KB (74240 bytes)
MD5: 8f65644223a04d8393a460ebeee38a17
Detection count: 83
File type: Dynamic link library
Mime Type: unknown/dll
Path: %LOCALAPPDATA%
Group: Malware file
Last Updated: May 18, 2012
%WINDIR%\kcat432.dll
File name: kcat432.dllSize: 76.8 KB (76800 bytes)
MD5: 68f1e7437c3fece769937c4b8cb3bc15
Detection count: 82
File type: Dynamic link library
Mime Type: unknown/dll
Path: %WINDIR%
Group: Malware file
Last Updated: January 9, 2011
wscsvc32.exe
File name: wscsvc32.exeSize: 524.8 KB (524800 bytes)
MD5: ecca8c1a429e801aa7f3534add5ac5e1
Detection count: 62
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 8, 2010
iemodule.dll
File name: iemodule.dllSize: 2.63 MB (2632704 bytes)
MD5: 79a19899cf8b2dcbdb87962bf22701f8
Detection count: 61
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file
Last Updated: January 8, 2010
clspackxq.exe
File name: clspackxq.exeSize: 671.74 KB (671744 bytes)
MD5: 70f6b2522ecf2e51b98e737fdb3cf81e
Detection count: 60
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 8, 2010
%LOCALAPPDATA%\KBDHReo.dll
File name: KBDHReo.dllSize: 73.72 KB (73728 bytes)
MD5: 4574adfe1adb6fd636c71aa06b309cff
Detection count: 56
File type: Dynamic link library
Mime Type: unknown/dll
Path: %LOCALAPPDATA%
Group: Malware file
Last Updated: December 7, 2010
settdebugx.exe
File name: settdebugx.exeSize: 712.7 KB (712704 bytes)
MD5: 8c4281575d7ad379127835f6783e3b2c
Detection count: 50
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 21, 2010
%WINDIR%\kbdmsid.dll
File name: kbdmsid.dllSize: 74.75 KB (74752 bytes)
MD5: 1d62f636ac023971f898fb11061af152
Detection count: 40
File type: Dynamic link library
Mime Type: unknown/dll
Path: %WINDIR%
Group: Malware file
Last Updated: December 6, 2010
Installer.exe
File name: Installer.exeSize: 489.47 KB (489472 bytes)
MD5: ba211925f478dc1f052dabff6b2f79ec
Detection count: 16
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 8, 2010
mplay32xe.exe
File name: mplay32xe.exeSize: 258.56 KB (258560 bytes)
MD5: 550d82300b5126d7b00cf4aede871d7e
Detection count: 16
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: April 8, 2010
%LOCALAPPDATA%\aswdwi2.dll
File name: aswdwi2.dllSize: 73.21 KB (73216 bytes)
MD5: a07fd1af85d17411ee5c6d180cc11066
Detection count: 16
File type: Dynamic link library
Mime Type: unknown/dll
Path: %LOCALAPPDATA%
Group: Malware file
Last Updated: April 18, 2011
%LOCALAPPDATA%\hFWiopl7.dll
File name: hFWiopl7.dllSize: 76.28 KB (76288 bytes)
MD5: 243c2c0ba2ec68df66645eea5393e0b4
Detection count: 14
File type: Dynamic link library
Mime Type: unknown/dll
Path: %LOCALAPPDATA%
Group: Malware file
Last Updated: February 14, 2011
services.exe
File name: services.exeSize: 194.04 KB (194048 bytes)
MD5: b6f4e652ed5e9cb7b8c2241a50427614
Detection count: 10
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 8, 2010
%WINDIR%\wdbgmeg.dll
File name: wdbgmeg.dllSize: 73.72 KB (73728 bytes)
MD5: 69fe1c421f3c55abc7a66923b1d5c20a
Detection count: 4
File type: Dynamic link library
Mime Type: unknown/dll
Path: %WINDIR%
Group: Malware file
Last Updated: December 7, 2010
D.tmp
File name: D.tmpSize: 50.17 KB (50176 bytes)
MD5: 3f3440ea64eee1ddbe1a1a6b063105b9
Detection count: 3
File type: Temporary File
Mime Type: unknown/tmp
Group: Malware file
Last Updated: August 12, 2010
More files
Registry Modifications
Regexp file mask%SystemRoot%\System32\TDSS[RANDOM CHARACTERS].dat%SystemRoot%\System32\TDSS[RANDOM CHARACTERS].dll%TEMP%\TDSS[RANDOM CHARACTERS].tmp
cannot get into safe mode. cannot run regedit. removal of the tdss files does nothing because it comes right back. cannot turn on firewall. was on. cannot use system restore or manage system restore. solution does not work for me. pctools says it will remove but does not. cannot remove the hidden files.
Thanks to SpyHunter I was able to identify that I had Backdoor.tdss. I did a search on TDSS and found 2 temp files and about 3 dlls. I deleted the temp files and started unregistering the DLLS. Magically McAfede was now able to update its Virus definitions and it cleaned up the rest. I then deleted all references to TDSS in the registry. So far all seems well.
I could remove the TDSS using Spambot Search & Destroy. The problem to solve was to make run Spybot (which is normally prevented by TDSS). I started my XP using an older valid restore point and Spybot came up. I removed all files.
But what to do with newer versions?