TDSSKillerMalware Remediation - Scan for Rootkits
From the author:
*A rootkit is a program or a program kit that hides the presence of malware in the system.
A rootkit for Windows systems is a program that penetrates into the system and intercepts the system functions (Windows API). It can effectively hide its presence by intercepting and modifying low-level API functions. Moreover it can hide the presence of particular processes, folders, files and registry keys. Some rootkits install its own drivers and services in the system (they also remain “invisible”).
Kaspersky Lab has developed the TDSSKiller utility that that detects and removes both, known (TDSS, Sinowal, Whistler, Phanta, Trup, Stoned) and unknown rootkits.
![tb00_Prep[KLS].png](https://www.sevenforums.com/data/attachments/178/178507-decd975721d5c9f93e8994c8f5b01c2c.jpg?hash=sIgVqezpJO "tb00_Prep[KLS].png"){kind=small}
1. Read the online documentation for TDSSKiller
- How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?
- How to detect and remove unknown rootkits
![tb01_Dnld[SF].png](https://www.sevenforums.com/data/attachments/170/170177-f003a8b23baac97aa240fb6ec021e460.jpg?hash=wEUioyEw64 "tb01_Dnld[SF].png"){kind=small}
Kaspersky Lab: TDSSKiller2. There are two packages offered on the download page, a compressed folder (.ZIP) and an executable (.EXE)
Select the executable(.EXE) package as the download.
3. On the Do you want to run or save ... Action Bar
Select Save
The file is placed in your default save location, normally the Downloads folder under your user profile.
4. On the The ... download has completed Action Bar
- If your user profile is an Administrator User Account: Select Run
- If your user profile is a Standard User Account:
- Select Open folder
- Launch TDSSKiller with elevated privileges
Press the right mouse button on the file to open the context menu
Pick Run as administrator from the context menu
- Select Open folder
![tb02_Acpt[KLS].png](https://www.sevenforums.com/data/attachments/178/178509-d55b02ac4d8719eccdbfdd44574d45bb.jpg?hash=5xBQ3Iav8H "tb02_Acpt[KLS].png"){kind=small}
If the UAC dialog window requests permission to run the application, Answer Yes
Read the End User Licenses Agreement; Press the Accept button
Read the Kaspersky Security Network (KSN) Statement; Press the Accept button
![tb03_Cnfg[KLS].png](https://www.sevenforums.com/data/attachments/178/178510-31c91264ec74d6e2cd2a54829c971dff.jpg?hash=q2bjNHBZU3 "tb03_Cnfg[KLS].png"){kind=small}
5. Press Change parameters
Verify the following options are selected
Objects to scan
System memory Services and drivers Boot sectors Loaded modules (select this option last)Additional Options
Verify file digital signatures Detect TDLFS File System Use KSN to scan objects (an active Internet connection is required for this option)Tick Loaded modules last. When this option is selected, a dialog window requests a restart to load a specialized monitor.
Press OK to restart your machine and load the driver.
Warning
Press Change parameters again after the machine restarts
Make sure that Detect TDLFS File System is selected
Make sure that
Detect TDLFS File System is selected![tb04_Scan[KLS].png](https://www.sevenforums.com/data/attachments/178/178524-8143dcbc6b54551c11281dbecf819aa7.jpg?hash=FogDyuY9id "tb04_Scan[KLS].png"){kind=small}
6. Press the Start Scan button
![01%20TDSS_b%20[scanNow].png](https://www.sevenforums.com/data/attachments/178/178525-fe2d19917eb039a6fc73a9b465b081b0.jpg?hash=M7ngosLKdO "01%20TDSS_b%20[scanNow].png")
![tb05_Revw[KLS].png](https://www.sevenforums.com/data/attachments/178/178526-2f7b380f78d0d8cba1b7d5628aee8204.jpg?hash=LMT8h7sTyL "tb05_Revw[KLS].png"){kind=small}
7. TDSSKiller determines the best action for Malicious threats and marks them appropriately on the Threats Detected window.
![01%20TDSS_c1%20[Cure].png](https://www.sevenforums.com/data/attachments/178/178529-b678ba1ba60884d098ac785973168125.jpg?hash=vp3BV4HRFn "01%20TDSS_c1%20[Cure].png")
![01%20TDSS_c3%20[Mixd].png](https://www.sevenforums.com/data/attachments/178/178543-37b66a82fa1c2490c46ba875886ad6d4.jpg?hash=naKh1eMv2n "01%20TDSS_c3%20[Mixd].png")
Suspicious threats are always marked Skip; it is up to the user to determine the final disposition of the object.
![01%20TDSS_c2%20[Skip].png](https://www.sevenforums.com/data/attachments/178/178537-a48c83957f326e8a5870e7a8a9dd7abe.jpg?hash=WhOrhbODGe "01%20TDSS_c2%20[Skip].png")
Suspicious object types detected by TDSSKiller
Registry
| Hidden service | key is hidden
| Blocked service | key cannot be opened
Files
| Hidden file | file is hidden
| Blocked file | file cannot be opened
| Forged file | original content returned vs. actual content
Disk | Rootkit.Win32.BackBoot.gen | suspected MBR infection with an unknown bootkit.
Restart your machine and launch TDSSKiller again.
If Suspicious threats are detected:
Press
Copy all to quarantine. This is a copy operation, the file remains in it's original location. The quarantine function in TDSSKiller only makes further analysis easier by placing a copy of all Suspicious files in one place, it does NOT clean or isolate files.
![tb05b_Analyze[VT].png](https://www.sevenforums.com/data/attachments/170/170409-befd4440cfbbc6b745ed20f321f0c767.jpg?hash=MNrtbgRgaa "tb05b_Analyze[VT].png"){kind=small}
To determine the final disposition of reported threats (Cure, Delete, Skip, or retain in quarantine), follow the directions in:
Analyze suspicious files with VirusTotal
Occasionally a scanner will identify a legitimate file as malware (false positive). VirusTotal analysis of the file will help you determine if the file should be deleted or skipped.
If no threats are detected, close the utility. This does not mean that your system is clean, it means that TDSSKiller did not detect any malware; additional on-demand malware scanners might be advised by SF members.
![01%20TDSS_c4a%20[None].png](https://www.sevenforums.com/data/attachments/178/178560-83568383d4d6ac5fb84d53d28fe8fd85.jpg?hash=ruWasRlae5 "01%20TDSS_c4a%20[None].png")
![01%20TDSS_c4b%20[Detail].png](https://www.sevenforums.com/data/attachments/178/178566-ed51dbdc85d3261ffb8f0dbc5d45b487.jpg?hash=FCkTBz6Wfi "01%20TDSS_c4b%20[Detail].png")
If SF members are assisting you, let them know that TDSSKiller did not find any threats
![tb06_Clean[KLS].png](https://www.sevenforums.com/data/attachments/178/178568-939f868394c5e522f0d1f25f9ad5ef28.jpg?hash=2PsdURlHaI "tb06_Clean[KLS].png"){kind=small}
8. Confirm the action on all threats reported, press the Continue button
Restart your machine to complete the TDSSKiller malware removal process
![01%20TDSS_e%20[rebootBtn].png](https://www.sevenforums.com/data/attachments/178/178569-54b91b6fb9561f1eaf011d104196d290.jpg?hash=ScG0HYt6JP "01%20TDSS_e%20[rebootBtn].png")
![tb07_Repair[SF].png](https://www.sevenforums.com/data/attachments/170/170184-c6f3385aefe4c2e003d74f261a1b71cd.jpg?hash=UzKh2APpBk "tb07_Repair[SF].png"){kind=small}
9. Run the Windows System File Checker (SFC) to repair any system files that the malware might have corrupted.
See: How to Repair Windows 7 System Files with System File Checker
If SF members are assisting you, attach the sfc_detail.txt file as described in the System File Checker tutorial.
![tb08_Atch[SF].png](https://www.sevenforums.com/data/attachments/170/170190-9fbf0aad8b7a0efe85b11940a02eb494.jpg?hash=jW6C69JwsT "tb08_Atch[SF].png"){kind=small}
10. Attach the TDSSKiller log file to a new post on your thread.
See: How to capture screenshots, upload, and attach files to your post
The log file is placed on the System Drive (normally C:\) with the file naming convention:
TDSSKiller.Maj#. Min#. Bld#.Rev#_MM.DD.YYYY_HH.MM.SS_log.txt
Example:
C:\TDSSKiller.3.0.0.17_03.15.2014_12.03.49_log.txt
Last edited:
