SeHTF
Welcome to Se2nt
To make it easy to ask everyone for advice, please read the forum rules and register a personal account on the forum. We hope that after a stressful working day, Se2nt will be the place where you can relieve your stress.
If you have any problem, you can contact us via Yahoo: anhlinh01678914801 and TV for advice and support.

How to remove malware belonging to the family Rootkit.Win32.TDSS 2.4.1.1

Posted: 11082010



In this section you will find recommendations on how to fight malicious programs which cannot be disinfected by Kaspersky Lab's products. In order to disinfect/remove malicious programs you may have to modify the system registry or use an additional utility. If you failed to find the necessary information, or you find these recommendations too complicated or inadequate, please send a request to the Technical Support service via the [You must be registered and logged in to see this link.].




ID Article: 2663
Views: 24 866 | Modified: 2010 Aug 10 16:50






A rootkit is a program or a set of programs designed to obscure the fact that a system has been compromised.
For Windows operating systems, the term rootkit stands for a program that infiltrates the system and hooks system functions (Windows API). By hooking and modifying low-level API functions, such malware can effectively hide its presence in a system. Moreover, rootkits as a rule are able to conceal in the system any processes, folders and files on a disk, as well as registry keys, described in their configuration. Many rootkits install their own drivers and services (hidden as well) into the system.
It is possible to disinfect a system infected with malware of the family Rootkit.Win32.TDSS using the utility TDSSKiller.exe.
The utility has a GUI.

Note: The utility TDSSKiller.exe supports 32-bit and 64-bit operating systems.

Disinfection of an infected system

  • Download the file [You must be registered and logged in to see this link.] and extract it (use an archiver, for example WinZip) into a folder on the infected (or potentially infected) PC.
  • Execute the file [You must be registered and logged in to see this link.].
  • Wait for the scan and disinfection process to finish. It is necessary to reboot the PC after the disinfection is over.


How to use the utility

  • Press the button Start scan for the utility to start scanning.
    It detects malicious and suspicious objects.
  • The utility can detect two object types:

    • malicious (the malware has been identified);
    • suspicious (the malware cannot be identified).

  • When the scan is over, the utility outputs a list of detected objects with a description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.:
    C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies the selected actions and outputs the result.
  • A reboot might be required after disinfection.
  • By default, the utility writes the log into the root folder of the system disk (usually the disk with the installed operating system, C:\).
    Logs have names like: UtilityName.Version_Date_Time_log.txt.
    E.g. C:\TDSSKiller_Quarantine\23.07.2010_15.31.43

Command line parameters to run the utility TDSSKiller.exe

-l - write the log to a file;
-qpath - quarantine folder path (it will be created if it does not exist);
-h - list of command line arguments.

The following arguments make the actions apply without prompting the user:

-qall - copy all objects to quarantine (even non-infected ones);
-qsus - copy suspicious objects only to quarantine;
-qmbr - copy all MBRs to quarantine;
-qcsvc - copy this service to quarantine;
-dcsvc - remove this service.

E.g. use the following command to scan the PC with a detailed log written into the file report.txt (created in the TDSSKiller.exe utility folder):

TDSSKiller.exe -l report.txt

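The following PowerShell wrapper is an added example for running the utility unattended and keeping its output together with the evidence of a case; it is not code from the Kaspersky article or from this forum post. It uses only the switches listed above (-l, -qpath, -qsus). The folder layout, the $ToolDir and $CaseRoot defaults, and the hashing of the tool binary are my own assumptions, not something the article prescribes.

```powershell
# Added example (not from the Kaspersky article or the forum post): run TDSSKiller.exe
# non-interactively, writing the detailed log and the quarantine into one per-run folder.
# Assumptions: TDSSKiller.exe is located in $ToolDir; $CaseRoot is where evidence is kept.
param(
    [string]$ToolDir  = 'C:\Tools\TDSSKiller',   # assumed location of TDSSKiller.exe
    [string]$CaseRoot = 'C:\IR',                 # assumed root folder for per-run evidence
    [switch]$QuarantineSuspicious                # adds -qsus: quarantine suspicious objects without prompting
)

$exe = Join-Path $ToolDir 'TDSSKiller.exe'
if (-not (Test-Path $exe)) { throw "TDSSKiller.exe not found at $exe" }

# One folder per run, named by host and timestamp, so repeated scans never overwrite each other.
$stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'
$caseDir = Join-Path $CaseRoot ("TDSS_" + $env:COMPUTERNAME + "_" + $stamp)
$quarDir = Join-Path $caseDir 'quarantine'
$logFile = Join-Path $caseDir 'report.txt'
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

# Record which binary was actually executed; the hash goes next to the log as part of the evidence.
Get-FileHash -Algorithm SHA256 -Path $exe | Out-File (Join-Path $caseDir 'tool_sha256.txt')

# -l writes the detailed log; -qpath sets the quarantine folder (created by the utility if missing).
# Paths are quoted so that folders containing spaces still work.
$cliArgs = "-l `"$logFile`" -qpath `"$quarDir`""
if ($QuarantineSuspicious) { $cliArgs += ' -qsus' }

$proc = Start-Process -FilePath $exe -ArgumentList $cliArgs -Wait -PassThru
"Exit code: $($proc.ExitCode)" | Out-File (Join-Path $caseDir 'exitcode.txt')

if (Test-Path $logFile) {
    # Show the end of the log so the operator sees the detection summary right away.
    Get-Content -Path $logFile -Tail 40
} else {
    Write-Warning "No log was produced at $logFile; rerun the utility interactively to check."
}

Write-Host "Evidence folder: $caseDir"
Write-Host "Reboot the PC after disinfection, as the article requires."
```

Run it from an elevated PowerShell prompt on the affected machine; pass -QuarantineSuspicious only when you are prepared to have suspicious (unidentified) objects moved without a prompt, since by default the utility skips them.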



Symptoms of an infection


Symptoms of infection with Rootkit.Win32.TDSS first and second generation (TDL1, TDL2)


Experienced users may try to monitor the following kernel function hooks:

  • IofCallDriver;
  • IofCompleteRequest;
  • NtFlushInstructionCache;
  • NtEnumerateKey;
  • NtSaveKey;
  • NtSaveKeyEx.


These hooks can be observed using the utility [You must be registered and logged in to see this link.].

Symptoms of infection Rootkit.Win32.TDSS third generation (TDL3)

An infection can be detected with the utility GMER. It detects the replacement of the "device" object of the system driver atapi.sys.
Posted by: Admin (Chairman of Se S2T)