Win32.TDSS.rtk

Win32.TDSS.rtk is a detection name for a harmful threat built to spread other kinds of malware. Trojan downloaders are small programs that conceal themselves inside other software such as freeware, shareware, key generators, and other executable files. Once Win32.TDSS.rtk runs on the PC, it makes changes to the system, especially to the Windows registry.

Security programs such as anti-virus and firewalls can be rendered useless by Win32.TDSS.rtk. It also disables any running process it considers related to security tools. With this capability, Win32.TDSS.rtk can conceal itself on the computer, and users may not notice that the PC has already been compromised.

As a downloader, this threat is designed to contact a remote computer and download other malware. Win32.TDSS.rtk also executes the downloaded file without asking the user's permission. If no additional threat is available, Win32.TDSS.rtk contacts a remote server to download an update for itself.

There are several ways to safeguard the PC against this type of threat. Staying away from unknown programs, cracked software, key generators, and other malicious files will prevent your PC from becoming infected with Win32.TDSS.rtk.

Characteristics:

Win32.TDSS.rtk is made to deploy other threats. It attacks the computer through security exploits it may find in the operating system, the Internet browser, or any installed program. Win32.TDSS.rtk then opens a connection so that it can download other threats from the remote computer.

This threat is considered one of the most hazardous kinds of malware. The attackers behind Win32.TDSS.rtk may drop malware on the compromised PC that renders it unstable or, worse, unusable.

Symptoms:

An alert from an effective anti-virus program is one visible sign that Win32.TDSS.rtk is present on the computer. Most of the time, this Trojan operates discreetly in the background.

How to Remove Win32.TDSS.rtk

1. Download Malwarebytes' Anti-Malware from this link and save it to your Desktop.
2. After downloading, double-click mbam-setup.exe to install the application.
3. Follow the prompts and install with the default settings only.

4. Before the installation completes, check on the following prompts:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware

5. Click Finish. The program will run automatically and you will be prompted to update it before scanning. Please update.
6. Scan your computer thoroughly.
7. When the scan is finished, click the Show Results button.
8. Make sure that all detected threats are checked, then click Remove Selected.
9. Restart your computer.

Note: Some malware may prevent mbam-setup.exe from downloading or running. You can download and rename the program on a different computer before running it on the infected system.

22 Comments

  1. Phildawg

    Hi, I am infected with this virus, TDSS.EXE, and it keeps adding the additional virus “Winigon.EXE” on here. Is there any way I can remove this?

  2. fred

    spybot removed mine

  3. Ville

    Spybot finds mine and removes it, but after a restart it’s back again :/

    What to do?

  4. john

    A friend of mine recommended Antivir – google for their rescue disk. It burns you a CD that you have to boot to; it basically runs Linux and scans your computer. Remember to select English though, unless you speak German.

  5. hanlehmann

    I had this Trojan detected by Spybot, but after removal my PC had a total breakdown, not even able to be started in “safe mode”. Fortunately, I had a recent image of the boot disk which I could restore using Acronis TrueImage, so I could save the PC. I repeated the procedure and had the Trojan Win32.TDSS.rtk detected by Spybot and removed again, and again the PC had a total breakdown.
    Now I have left the Trojan on the PC, but I don’t know how to get rid of it.

  6. bruce

    I had this virus. You must disable it through the Device Manager (it can be seen under Non-Plug and Play devices when Device Manager is set to “show hidden devices”). Once disabled, restart the computer and remove it with Spybot S&D.

  7. Allclick

    What is the name of the device to disable in the Device Manager? I think I have this virus (detected by SS&D) but can’t see anything in the Device Manager that suggests it is related to it.

  8. Maya

    I also got this trojan and my Spybot managed to find it when it scanned. But when I tried to remove it using Spybot I kept getting a message popping up saying that I didn’t have the admin rights to remove it, even though I was logged in as an admin.

    So then I restarted the PC in Safe Mode (keep pressing F5 before Windows starts loading) and ran Spybot again. This time I was able to remove it without any problems. I also created a new restore point.

    By the way, my system is Windows Vista 32-bit.

  9. Hal

    Maya, the reason you got that message is because you need to run it as an Administrator. It doesn’t matter if you’re logged in as Administrator.

    To run as Administrator in Vista, right-click on the Spybot icon and select “Run as Administrator”.

  10. Casey

    I got this thing 2 days ago and I spent most of yesterday trying to get rid of it. I was running AVG 8x, so I don’t know how it got past it, but here’s what I did:

    I ran a scan recommended on one of the posts called Dr.Web (http://www.freedrweb.com/).
    It found 6 trojans not found by the other scans that I ran prior to this (AdAware, SpyBot, AVG 8x, and Avira).
    I then ran Spybot and it found it again. Looking at the details, it pointed to a registry entry located at:
    HKey_Local_Machine\Software\TDSS

    Using Regedit, I attempted to delete the TDSS folder at that location, but it wouldn’t delete.
    I changed the Administrator permissions to Full Control and this time the delete worked.
    I have rebooted twice and each time run SpyBot. No virus found.

    WARNING: EDITING YOUR REGISTRY CAN BE DANGEROUS. NO RESPONSIBILITY IS ASSUMED SHOULD YOU ATTEMPT THIS.

  11. stinker

    TDSS.EXE is something different.

    The topic is Win32.TDSS.rtk … a rootkit, hidden service, hidden registry keys, hooked into findfirst->findnext function calls/API to hide files. How do we get rid of this thing?

    MalwareBytes and SpyBot S&D both find but don’t completely get rid of it. It comes back after reboot.

    GMER will find the hidden service and disable or delete, but again, it comes back.

  12. Folsomg10

    Microsoft.WindowsSecurityCenter_Disabled and Win32.TDSS.rtk are legitimate Windows processes/services whose settings have been changed by YOU in the Security Center with regard to either the firewall or the antivirus program setting you have there. The reason they keep coming back in Spybot is because YOU have set them up, or they are supposed to be running by default and you have not set Spybot’s ignore list to look past them. You will find these “Trojans/Threats” on most PCs that are NOT using the default Windows firewall/antivirus applications.

  13. psitacci

    Kaspersky Antivirus 2010 is the solution.

  14. erid147

    I don’t know how to delete “trojan win32 tdss annk”. I have tried Kaspersky 2010 and Malwarebytes’ Anti-Malware; they have found it and say that it will be deleted after restart, but when I scan my computer it appears again.
    Here is the log of Malwarebytes’ Anti-Malware:

    Malwarebytes’ Anti-Malware 1.40
    Database version: 2697
    Windows 5.1.2600 Service Pack 3

    8/29/2009 1:16:15 AM
    mbam-log-2009-08-29 (01-16-15).txt

    Scan type: Quick Scan
    Objects scanned: 107808
    Time elapsed: 5 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\hjgruilog.dat (Trojan.Agent) -> Delete on reboot.

    Please help
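The log quoted above is in the plain-text layout Malwarebytes' Anti-Malware 1.x wrote: header lines of the form `Key: value`, a block of summary counts, then one detail section per category listing each object as `<object> (<detection>) -> <action>.` The following is an added example, not code from the page or from Malwarebytes, that parses that layout into structured findings, checks the summary counts against the detail sections, and flags items whose action is only scheduled ("Delete on reboot"). Comparing two consecutive logs then shows which objects the reboot-time deletion failed to remove, which is the symptom the comment describes. The sample log is constructed to mirror the quoted one; the layout rules encoded in the regular expressions are an assumption drawn from that single log, not a vendor specification.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the Malwarebytes' Anti-Malware 1.x log layout.
# It mirrors the log quoted in the comment above (assumption: that layout is
# representative; this is not a vendor format specification).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2697
Windows 5.1.2600 Service Pack 3

8/29/2009 1:16:15 AM
mbam-log-2009-08-29 (01-16-15).txt

Scan type: Quick Scan
Objects scanned: 107808
Time elapsed: 5 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\hjgruilog.dat (Trojan.Agent) -> Delete on reboot.
"""


@dataclass
class Finding:
    category: str   # detail section, e.g. "Files Infected"
    obj: str        # file path, registry key, or value
    detection: str  # e.g. "Trojan.Agent"
    action: str     # e.g. "Delete on reboot"


@dataclass
class ScanReport:
    meta: dict = field(default_factory=dict)    # "Scan type", "Database version", ...
    counts: dict = field(default_factory=dict)  # "Files Infected" -> 1
    findings: list = field(default_factory=list)


# Detail line: "<object> (<detection>) -> <action>."
_ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<det>[^()]+)\) -> (?P<action>.+?)\.?$")
# Summary line: "<Category> Infected: <n>"
_COUNT_RE = re.compile(r"^(?P<key>[A-Za-z ]+ Infected): (?P<n>\d+)$")


def parse_mbam_log(text: str) -> ScanReport:
    """Parse one mbam 1.x log into metadata, summary counts and per-object findings."""
    report = ScanReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None          # a blank line closes the current detail section
            continue
        m = _COUNT_RE.match(line)
        if m:
            report.counts[m["key"]] = int(m["n"])
            continue
        if line.endswith(" Infected:"):
            section = line[:-1]     # "Files Infected:" -> "Files Infected"
            continue
        if section:
            if line.startswith("(No malicious items detected)"):
                continue
            m = _ITEM_RE.match(line)
            if m:
                report.findings.append(Finding(section, m["obj"], m["det"], m["action"]))
            continue
        if ": " in line:            # remaining "Key: value" header lines
            key, _, value = line.partition(": ")
            report.meta[key] = value
    return report


def inconsistencies(report: ScanReport) -> list:
    """Summary counts that disagree with the detail sections (truncated or edited log)."""
    out = []
    for key, n in report.counts.items():
        listed = sum(1 for f in report.findings if f.category == key)
        if listed != n:
            out.append((key, n, listed))
    return out


def pending_on_reboot(report: ScanReport) -> list:
    """Findings the scanner could not remove immediately; removal is only scheduled."""
    return [f for f in report.findings if "reboot" in f.action.lower()]


def persisting(before: ScanReport, after: ScanReport) -> list:
    """Objects reported in both scans: a scheduled deletion that did not survive the reboot."""
    seen = {f.obj.lower() for f in before.findings}
    return [f for f in after.findings if f.obj.lower() in seen]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    for f in pending_on_reboot(rep):
        print(f"scheduled only: {f.obj} ({f.detection})")
    print("count mismatches:", inconsistencies(rep))
```

Running this over two logs taken before and after the reboot and printing `persisting(first, second)` gives the list of objects the scheduled deletion never removed; an object that keeps appearing there with "Delete on reboot" is the signature of a component that is protected by something still running at boot.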

  15. Kyokushinkai

    Win32.TDSS.rtk can be fixed using combofix: combofix.org. Read well before using it. It worked for me.

  16. Spetto

    I found TDSS using Spybot but it couldn’t remove the vsfoce files from system32.
    So I ran the Windows Recovery Console and deleted them manually.
    After that I used regedit to delete most of its entries, but I had to change the permissions first.
    I also couldn’t delete one of the entries. Any ideas?

  17. Jzone09

    I have also found Win32.TDSS.rtk using Spybot. I think this is the reason why my computer keeps restarting at startup; I can only run it by booting into safe mode with networking. What is the fix?

  18. Kendo

    Hi all.. at last I found a solid if drastic cure for having TDSS.rtk
    It appeared after my daughter downloaded some (as she thought) mp3 files. She had saved them to the desktop, scanned with Spybot and they were announced as clean... moments later, she yelled to come see... jeez, there was a folder with a number of exe files, all disappearing one by one of their own accord after she had opened the first one!
    Thereafter, everything went pear shaped.. first of all none of my burning software could even see my DVD RW, and when I checked out “problem devices” in Disk Management (in XP), the first thing I saw in horror was just one huge pink block telling me that there were no physical drives present... no partitions.. NOTHING!!
    Weird thing was too that Windows still worked after a wobbly fashion, desktop all OK etc.
    Scanned the whole PC and found 8 instances of TDSS.rtk (corresponding to the number of files she had downloaded and let loose).
    Spybot elected to fix them, apparently, giving the usual green tick success story..... NOT!! because on the second scan, there they were again, all over the place, in the registry etc!!
    No matter how many scans I did with various software including AVG, Spybot, Adaware etc, they ALWAYS reappeared.... PANIC!!!
    Got a grip of myself and thought I’d sneak up behind this virus by going into XP in Safe Mode... no way, I couldn’t even get there.. it just went right on into the Windows welcome every time!!
    In frustration I decided to bite the bullet and go for a full reinstall... and guess what, no matter which way I tried, the install failed, mainly because the Windows installer couldn’t find a drive!!
    Trawled loads of sites, looking for help and advice... willing to give anything a go.
    Found an article that recommended downloading and installing Malwarebytes mbam (freebie)....
    Nothing to lose, I gave it a go..... and guess what? First scan showed up the same 8 instances of our wee friend TDSS.rtk... and mbam offered to do the biz on them.
    Fingers crossed, I hit the button and sure enough, it apparently did its thing.
    Second scan run, and again.. guess what??
    TDSS.rtk had been given the heave ho! Call me a cynic, or just paranoid, but I ran a third scan... still clean... fourth one too.
    Went back into Disk Management, and lo and behold, there were all my drives and partitions, and not a hint of pink in sight.
    Just to be on the safe side though, and having had a poke around in the registry, I decided to follow on my plan to reinstall, just in case TDSS was hiding with its tail between its legs, preparing an even nastier sting in its tail. Drastic measure, I know, but......
    Result – full clean re-installation without a hitch!!!
    Aye, even though I’m Scottish, I broke out the wallet, bought myself a wee dram or two at the local pub and drank the health of those fine dudes down at Malwarebytes.
    Slainte!!!
    Hope this helps... if not, there’s always the Samaritans

  19. Kendo

    Try Malwarebytes mbam (free download)

    Worked a treat for me

  20. infectious

    Malwarebytes didn’t catch this one for me, Kaspersky did. It’s worth a try if Malwarebytes doesn’t detect it.

  21. DAVO

    So basically that whole story just to say we should download Malwarebytes

  22. Anonymous

    Kaspersky alerted me that I had something similar to the tdss.rtk trojan. I googled it to see what it was and came to this site. I had no idea it was that hard to get rid of. Kaspersky prevented it from even infecting me. If you want you can put this URL onto your hosts file.
    Kaspersky
    Anti-Virus 2010
    ACCESS DENIED
    The requested URL could not be retrieved
    While trying to retrieve the URL:
    hxxp://91. 121. 223. 184/ setup.exe
    The following threat was encountered:
    The requested object is INFECTED with the following viruses:
    Trojan.Win32.TDSS.azta
    Generated:
    10:47:51 PM
    Kaspersky Anti-Virus 2010
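The comment above suggests adding the quoted URL to the hosts file. A hosts entry works at name resolution: it maps a host name to an address the client controls (0.0.0.0 or 127.0.0.1), so the request never leaves the machine. It has no effect on a URL whose host is an IP literal, as the quoted one is, because no name lookup takes place. The added example below is not from the page or from any vendor; it parses a constructed hosts file and evaluates whether a given URL would be sinkholed by it. The host names are placeholders and the IP literal is a documentation address, not the one in the comment.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed hosts-file content; the names are placeholders, not indicators from the page.
SAMPLE_HOSTS = """# constructed example hosts file
127.0.0.1       localhost
0.0.0.0         malware-dropper.example        # sinkholed download host
0.0.0.0         cdn.malware-dropper.example
"""

# Addresses that make a hosts entry act as a block rather than a redirect.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts(text: str) -> dict:
    """Map each host name (lower-cased) to the address the hosts file assigns it."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:                       # need at least "<address> <name>"
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), addr)  # first matching entry wins, as the resolver does
    return table


def hosts_blocks_url(url: str, table: dict) -> tuple:
    """Return (blocked, reason) for a URL under the given hosts table.

    The hosts file is consulted only when the client has a name to resolve, so a
    URL whose host is an IP literal bypasses it entirely.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False, "no host in URL"
    try:
        ipaddress.ip_address(host)
        return False, "IP literal, hosts file not consulted"
    except ValueError:
        pass                                       # not an IP literal: a real host name
    addr = table.get(host.lower())
    if addr is None:
        return False, "no hosts entry"
    if addr in SINKHOLE_ADDRESSES:
        return True, f"resolves to {addr}"
    return False, f"hosts entry points to {addr}"


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for url in ("http://malware-dropper.example/setup.exe",
                "http://192.0.2.10/setup.exe",       # documentation address (RFC 5737)
                "http://unrelated.example/"):
        print(url, "->", hosts_blocks_url(url, table))
```

The second URL in the usage block illustrates the caveat: a hosts entry cannot block a download fetched by IP address, so for an indicator like the one quoted above the block has to be applied at the firewall or web proxy rather than in the hosts file.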
