Windows 7 Forums

How to Use Kaspersky TDSSKiller to Detect / Repair TDSS Rootkits
Published by Slartybart
22 Jul 2014

TDSSKiller
Malware Remediation - Scan for Rootkits

From the author:

A rootkit is a program or a program kit that hides the presence of malware in the system.

A rootkit for Windows systems is a program that penetrates into the system and intercepts the system functions (Windows API). It can effectively hide its presence by intercepting and modifying low-level API functions. Moreover it can hide the presence of particular processes, folders, files and registry keys. Some rootkits install their own drivers and services in the system (they also remain “invisible”).

Kaspersky Lab has developed the TDSSKiller utility that detects and removes both known (TDSS, Sinowal, Whistler, Phanta, Trup, Stoned) and unknown rootkits.


1. Read the online documentation for TDSSKiller
Kaspersky Lab: TDSSKiller
2. There are two packages offered on the download page, a compressed folder (.ZIP) and an executable (.EXE).
Select the executable (.EXE) package as the download.
3. On the Do you want to run or save ... Action Bar
Select Save
The file is placed in your default save location, normally the Downloads folder under your user profile.
4. On the The ... download has completed Action Bar
  1. If your user profile is an Administrator User Account: Select Run

  2. If your user profile is a Standard User Account:
    1. Select Open folder

    2. Launch TDSSKiller with elevated privileges
      Press the right mouse button on the file to open the context menu
      Pick Run as administrator from the context menu


If the UAC dialog window requests permission to run the application, Answer Yes

Read the End User Licenses Agreement; Press the Accept button
Read the Kaspersky Security Network (KSN) Statement; Press the Accept button
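Before a downloaded binary is handed administrator rights (steps 2 to 4 above), it is worth confirming that it is the file Kaspersky Lab published and not something that replaced it on the way down. The following PowerShell script is an added example; it is not part of the original tutorial or of Kaspersky's documentation. It assumes the download was saved as tdsskiller.exe in your Downloads folder, and the "Kaspersky" publisher-name check is an assumption to compare against the certificate shown under the file's Properties > Digital Signatures tab. If the signature is valid it launches the utility elevated, which triggers the same UAC prompt as Run as administrator.

```powershell
# Added example; not part of the original tutorial or of Kaspersky's documentation.
# Assumptions: the download is %USERPROFILE%\Downloads\tdsskiller.exe, and the
# expected signer subject contains "Kaspersky" (compare with the certificate shown
# in the file's Properties > Digital Signatures tab before relying on this check).
$exe = Join-Path $env:USERPROFILE 'Downloads\tdsskiller.exe'

if (-not (Test-Path -LiteralPath $exe)) {
    throw "Download not found: $exe"
}

# 1. Verify the Authenticode signature before giving the binary administrator rights.
#    Get-AuthenticodeSignature is available on the PowerShell 2.0 that ships with Windows 7.
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid') {
    throw "Refusing to run: signature status is '$($sig.Status)' ($($sig.StatusMessage))"
}
$subject = $sig.SignerCertificate.Subject
if ($subject -notmatch 'Kaspersky') {
    throw "Refusing to run: unexpected signer '$subject'"
}
Write-Host "Signed by:  $subject"
Write-Host "Thumbprint: $($sig.SignerCertificate.Thumbprint)"

# 2. Find out whether this PowerShell session is already elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 3. Launch the utility. From a Standard User account -Verb RunAs produces the UAC
#    prompt, exactly what "Run as administrator" in the Explorer context menu does.
if ($elevated) {
    Start-Process -FilePath $exe -Wait
} else {
    Start-Process -FilePath $exe -Verb RunAs -Wait
}
```

If the script refuses to run the file, do not override it: delete the download and fetch it again from the Kaspersky Lab download page linked in step 1. A file whose signature status is HashMismatch has been altered after signing; NotSigned means it is not the package Kaspersky publishes.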

5. Press Change parameters

Verify the following options are selected
Objects to scan
  [x] System memory
  [x] Services and drivers
  [x] Boot sectors
  [x] Loaded modules (select this option last)
Additional Options
  [ ] Verify file digital signatures
  [x] Detect TDLFS File System
  [x] Use KSN to scan objects (an active Internet connection is required for this option)
Tick Loaded modules last. When this option is selected, a dialog window requests a restart to load a specialized monitor.
Press OK to restart your machine and load the driver.

Warning
Press Change parameters again after the machine restarts.
Make sure that [x] Detect TDLFS File System is still selected after the restart.

6. Press the Start Scan button

7. TDSSKiller determines the best action for Malicious threats and marks them appropriately on the Threats Detected window.
Suspicious threats are always marked Skip; it is up to the user to determine the final disposition of the object.

Suspicious object types detected by TDSSKiller
Type                          Meaning
Hidden service                service registry key is hidden
Blocked service               service registry key cannot be opened
Hidden file                   file is hidden
Blocked file                  file cannot be opened
Forged file                   content returned by the system differs from the actual content on disk
Rootkit.Win32.BackBoot.gen    (Disk) suspected MBR infection with an unknown bootkit
It is advisable to accept the disposition set by the utility and press the Continue button. TDSSKiller processes the Malicious files and Skips suspicious files.

Restart your machine and launch TDSSKiller again.
If Suspicious threats are detected:
Press Copy all to quarantine.
This is a copy operation; the file remains in its original location. The quarantine function in TDSSKiller only makes further analysis easier by placing a copy of all Suspicious files in one place; it does NOT clean or isolate files.

To determine the final disposition of reported threats (Cure, Delete, Skip, or retain in quarantine), follow the directions in:
Analyze suspicious files with VirusTotal

Occasionally a scanner will identify a legitimate file as malware (false positive). VirusTotal analysis of the file will help you determine if the file should be deleted or skipped.
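Because the quarantine folder holds plain copies, it is the natural input for the VirusTotal step. The following PowerShell script is an added example, not part of the original tutorial or of TDSSKiller itself: it computes the SHA-256 of every quarantined copy and records each file's Authenticode status, so you can search VirusTotal by hash without uploading anything from the machine. The quarantine folder name below is an assumption; use the path TDSSKiller displays when you press Copy all to quarantine.

```powershell
# Added example; not part of the original tutorial or of TDSSKiller.
# Assumption: the quarantine copies live under $QuarantineRoot (the default folder
# name is assumed; substitute the path the utility displayed if it differs).
$QuarantineRoot = Join-Path $env:SystemDrive 'TDSSKiller_Quarantine'
$OutCsv         = Join-Path $env:USERPROFILE 'Desktop\tdss_quarantine_hashes.csv'

function Get-Sha256Hex([string]$Path) {
    # Plain .NET hashing so this also works on the PowerShell 2.0 that ships with
    # Windows 7 (Get-FileHash only exists from PowerShell 4.0 on).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Close(); $sha.Clear() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLowerInvariant()
}

if (-not (Test-Path -LiteralPath $QuarantineRoot)) {
    throw "Quarantine folder not found: $QuarantineRoot"
}

$report = Get-ChildItem -LiteralPath $QuarantineRoot -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        # Signature status is a quick false-positive hint: a validly signed file from a
        # well-known vendor is far more often a misdetection than a rootkit component.
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{
            File      = $_.FullName
            SizeBytes = $_.Length
            SHA256    = Get-Sha256Hex $_.FullName
            SigStatus = $sig.Status        # Valid / NotSigned / HashMismatch / ...
            Signer    = $signer
        }
    }

$report | Format-Table SigStatus, SizeBytes, SHA256, File -AutoSize
$report | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Host "Hash list written to $OutCsv; search each SHA256 on https://www.virustotal.com/"
```

A hash that VirusTotal already knows gives you the verdict without disclosing the file; only upload a copy when the hash is unknown, and never upload files that may contain personal data. The signature column is a hint, not a verdict: a valid signature from the vendor the file claims to belong to supports Skip, but the VirusTotal result decides.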

If no threats are detected, close the utility. This does not mean that your system is clean; it means that TDSSKiller did not detect any malware. Additional on-demand malware scanners might be advised by Seven Forums (SF) members.

If SF members are assisting you, let them know that TDSSKiller did not find any threats

8. Confirm the action on all threats reported, press the Continue button
Restart your machine to complete the TDSSKiller malware removal process

9. Run the Windows System File Checker (SFC) to repair any system files that the malware might have corrupted.
See: How to Repair Windows 7 System Files with System File Checker

If SF members are assisting you, attach the sfc_detail.txt file as described in the System File Checker tutorial.

10. Attach the TDSSKiller log file to a new post on your thread.
See: How to capture screenshots, upload, and attach files to your post

The log file is placed on the System Drive (normally C:\) with the file naming convention:

TDSSKiller.Maj#.Min#.Bld#.Rev#_MM.DD.YYYY_HH.MM.SS_log.txt
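Steps 9 and 10 both end with a file to attach, and after several scans there are several logs on the system drive. The following PowerShell script is an added example, not part of the original tutorial, that parses the naming convention above to pick the newest TDSSKiller log by the timestamp embedded in its name, copies it to the Desktop, and writes the System File Checker lines from CBS.log to sfc_detail.txt using the same "[SR]" filter that Microsoft's documented findstr command for SFC uses. It assumes the log is in the root of the system drive, that sfc /scannow from step 9 has already completed, and that the session runs elevated (CBS.log is normally not readable by a Standard User).

```powershell
# Added example; not part of the original tutorial.
# Assumptions: TDSSKiller wrote its log to the root of the system drive using the
# naming convention quoted above, sfc /scannow has already run, and this session is
# elevated so that %windir%\Logs\CBS\CBS.log can be read.
$desktop = Join-Path $env:USERPROFILE 'Desktop'

# 1. Find every TDSSKiller log and rank them by the run time in the file name rather
#    than by modification time, which a cleanup tool could have touched.
$pattern = '^TDSSKiller\.(\d+)\.(\d+)\.(\d+)\.(\d+)_(\d{2}\.\d{2}\.\d{4}_\d{2}\.\d{2}\.\d{2})_log\.txt$'
$logs = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'TDSSKiller.*_log.txt' |
    Where-Object { $_.Name -match $pattern } |
    ForEach-Object {
        $m = [regex]::Match($_.Name, $pattern)
        New-Object PSObject -Property @{
            File    = $_.FullName
            Version = ('{0}.{1}.{2}.{3}' -f $m.Groups[1].Value, $m.Groups[2].Value,
                                            $m.Groups[3].Value, $m.Groups[4].Value)
            RunTime = [datetime]::ParseExact($m.Groups[5].Value, 'MM.dd.yyyy_HH.mm.ss',
                                             [Globalization.CultureInfo]::InvariantCulture)
        }
    } | Sort-Object RunTime -Descending

if (-not $logs) { throw "No TDSSKiller log found in $env:SystemDrive\" }
$newest = $logs | Select-Object -First 1
Write-Host ("Newest log: {0} (TDSSKiller {1}, run {2})" -f $newest.File, $newest.Version, $newest.RunTime)
Copy-Item -LiteralPath $newest.File -Destination $desktop

# 2. Extract the System File Checker entries from CBS.log. "[SR]" tags the SFC lines;
#    this is the filter Microsoft's findstr /c:"[SR]" command applies, done in PowerShell.
$cbs = Join-Path $env:windir 'Logs\CBS\CBS.log'
Select-String -Path $cbs -SimpleMatch -Pattern '[SR]' |
    ForEach-Object { $_.Line } |
    Set-Content -Path (Join-Path $desktop 'sfc_detail.txt')

Write-Host "Attach to your thread: $desktop\$(Split-Path $newest.File -Leaf) and $desktop\sfc_detail.txt"
```

If more than one log is listed, the older ones are from earlier runs (for example the scan before the restart in step 7); helpers usually want the most recent one, but keep the others in case they ask for the pre-cleanup scan.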

