How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?

Note: In this section you will find recommendations on how to fight malicious programs which cannot be disinfected by Kaspersky Lab's products. In order to disinfect/remove malicious programs you may have to modify the system registry or use an additional utility. If you failed to find the necessary information or you find these recommendations too complicated or inadequate.
It is possible to disinfect a system infected with malware of the family Rootkit.Win32.TDSS using the utility TDSSKiller.exe.

IMPORTANT: The utility has a GUI. The utility supports 32-bit and 64-bit operating systems. The utility can be run in Normal Mode and Safe Mode.
Disinfection of an infected system

1. Download the file TDSSKiller.zip and extract it (use an archiver, for example WinZip) into a folder on the infected (or potentially infected) PC.
2. Execute the file TDSSKiller.exe.
3. Wait for the scan and disinfection process to be over. It is necessary to reboot the PC after the disinfection is over.
How to use the utility

Press the button Start scan for the utility to start scanning. It detects malicious and suspicious objects. The utility can detect two object types: malicious (the malware has been identified) and suspicious (the malware cannot be identified). When the scan is over, the utility outputs a list of detected objects with a description.

The utility automatically selects an action (Cure or Delete) for malicious objects. The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).

If you want to quarantine detected objects, select the action Copy to quarantine. The file will not be removed! The default quarantine folder is in the system disk root folder, e.g.:
C:\TDSSKiller_Quarantine\23.07.2010_15.31.43

After clicking Next, the utility applies the selected actions and outputs the result. A reboot might be required after disinfection.

By default, the utility writes the log to the root folder of the system disk (usually the disk with the installed operating system, C:\). Logs have names like UtilityName.Version_Date_Time_log.txt, e.g.:
C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Command line parameters to run the utility TDSSKiller.exe

-l <file_name> - write the log to a file.
-qpath <folder_name> - quarantine folder path (it will be created if it does not exist).
-h - list the command line arguments.
-sigcheck - detect all drivers without a digital signature as suspicious.
-tdlfs - detect the presence of the TDLFS file system, which the TDL 3/4 rootkits create in the last sectors of hard disk drives for storing their files. All these files can be quarantined.

The following arguments make the actions apply without prompting the user:
-qall - copy all objects to quarantine (even non-infected ones);
-qsus - copy suspicious objects only to quarantine;
-qmbr - copy all MBRs to quarantine;
-qcsvc <service_name> - copy this service to quarantine;
-dcsvc <service_name> - remove this service;
-silent - scan in silent mode (do not display any windows), so that the utility can be run in a centralized way over the network;
-dcexact - automatically detect and cure known threats.
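As an added example (not Kaspersky's script or part of this article), the following PowerShell wrapper combines the unattended parameters above for a centralised run and collects the log for review. The tool path, log folder and collection share are placeholders; the utility's exit codes and log format are not documented here, so the script only gathers the log rather than interpreting it.

```powershell
# Added example: run TDSSKiller unattended on one host and collect its log centrally.
# Uses only flags documented above: -silent, -l, -qpath, -qsus, -dcexact.
param(
    [string]$ToolPath       = 'C:\Tools\TDSSKiller\TDSSKiller.exe',  # assumed extraction folder
    [string]$LogDir         = 'C:\TDSSKiller_Logs',                  # assumed local log folder
    [string]$QuarantinePath = 'C:\TDSSKiller_Quarantine',            # same location as the default quarantine
    [string]$CentralShare   = '\\FILESERVER\TDSSKiller$'             # placeholder collection share
)

function Invoke-TdssKillerScan {
    param([string]$Exe, [string]$Log, [string]$Quarantine)

    if (-not (Test-Path $Exe)) { throw "TDSSKiller.exe not found at $Exe" }
    New-Item -ItemType Directory -Path (Split-Path $Log) -Force | Out-Null

    # -silent  : no windows, suitable for a remote/centralised run
    # -l       : explicit log path instead of the system disk root
    # -qpath   : quarantine folder (created by the utility if missing)
    # -qsus    : quarantine suspicious objects without prompting
    # -dcexact : automatically detect and cure known threats
    $argList = @('-silent', '-l', "`"$Log`"", '-qpath', "`"$Quarantine`"", '-qsus', '-dcexact')
    $proc = Start-Process -FilePath $Exe -ArgumentList $argList -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

# One log per host and run, so collected logs never overwrite each other.
$stamp   = Get-Date -Format 'dd.MM.yyyy_HH.mm.ss'
$logFile = Join-Path $LogDir "TDSSKiller_${env:COMPUTERNAME}_${stamp}_log.txt"

$exitCode = Invoke-TdssKillerScan -Exe $ToolPath -Log $logFile -Quarantine $QuarantinePath
Write-Host "TDSSKiller finished with exit code $exitCode; log: $logFile"

# Copy the log to the share for review. The article notes a reboot may be needed
# after disinfection; that decision is left to the operator reading the log.
if (Test-Path $logFile) {
    $dest = Join-Path $CentralShare $env:COMPUTERNAME
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path $logFile -Destination $dest -Force
} else {
    Write-Warning "No log was produced at $logFile; check that the utility ran."
}
```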
For example, to scan the PC with a detailed log saved into the file report.txt (it will be created in the folder with TDSSKiller.exe), use the following command:
TDSSKiller.exe -l report.txt

Symptoms of an infection

Symptoms of infection with Rootkit.Win32.TDSS first and second generation (TDL1, TDL2)

Experienced users may try to monitor the following kernel function hooks using the utility Gmer:
IofCallDriver;
IofCompleteRequest;
NtFlushInstructionCache;
NtEnumerateKey;
NtSaveKey;
NtSaveKeyEx.
Symptoms of infection with Rootkit.Win32.TDSS third generation (TDL3)

An infection can be detected with the utility Gmer. It detects replacement of the "device" object of the system driver atapi.sys.
