Detect and remove unknown rootkits with the Kaspersky anti-rootkit utility TDSSKiller

Rootkits can sometimes be very difficult to get rid of. TDSSKiller, a free anti-rootkit utility from Kaspersky, helps you remove rootkits from the Windows operating system. Such rootkits can download and execute other malware, deliver advertisements to your computer, block programs from running, and so on. A rootkit hides its presence by intercepting and modifying low-level API functions.

It can also hide particular processes, folders, files and registry keys. Some rootkits install their own drivers and services in the system, and these remain "invisible" as well. Kaspersky Lab developed the TDSSKiller utility to detect and remove both known rootkits (TDSS, Sinowal, Whistler, Phanta, Trup, Stoned) and unknown ones.

How to disinfect a compromised system

  • Download TDSSKiller and extract it into a folder. Run the TDSSKiller.exe file.
  • It scans the system for malicious and suspicious objects.
  • The utility can detect the following suspicious objects:
      • Hidden service – a registry key that is hidden from standard listing;
      • Blocked service – a registry key that cannot be opened by standard means;
      • Hidden file – a file on the disk that is hidden from standard listing;
      • Blocked file – a file on the disk that cannot be opened by standard means;
      • Forged file – when read by standard means, the original content is returned instead of the actual one;
      • Rootkit.Win32.BackBoot.gen – a suspected MBR infection with an unknown bootkit.

The utility supports both 32-bit and 64-bit versions of Windows.

Command-line keys for the TDSSKiller.exe utility:

-l <file_name> – save a log into the given file;
-qpath <folder_path> – quarantine folder path (created automatically if it does not exist);
-h – show this help;
-sigcheck – treat all unsigned drivers as suspicious;
-tdlfs – detect the TDLFS file system that the TDL3/TDL4 rootkits create in the last sectors of the hard disk to store their files; all of these files can be quarantined.

The following keys run the utility in silent mode:

-qall – quarantine all objects (including clean ones);
-qsus – quarantine suspicious objects only;
-qboot – quarantine all boot sectors;
-qmbr – quarantine all MBRs;
-qcsvc <service_name> – quarantine the named service;
-dcsvc <service_name> – delete the named service;
-silent – scan in silent mode (no windows are displayed), so that the utility can be run centrally over the network;
-dcexact – automatically detect and cure known threats.
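The keys above are meant to be combined into an unattended run that can be pushed to many machines. The PowerShell script below is an added example, not code from the page or from Kaspersky: it checks for an elevated session, runs TDSSKiller with a per-host log, a quarantine folder and automatic quarantine of suspicious objects, and then flags the run for review. The tool path, the log share, the quarantine folder and the assumption that the log names the object classes listed above (Hidden, Blocked, Forged, BackBoot) are placeholders and assumptions; the page does not document the exit codes or the log format.

```powershell
# Added example: unattended TDSSKiller scan for centralised use.
# ASSUMPTIONS (not from the page): the three paths below are placeholders;
# adjust them for your environment.
$Tool       = 'C:\Tools\TDSSKiller.exe'
$LogShare   = '\\fileserver\tdsskiller-logs'   # must be writable by the account running this
$Quarantine = 'C:\TDSSKiller_Quarantine'       # created by the tool via -qpath if missing

# Inspecting drivers, services and boot sectors needs administrative rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) session.'
}
if (-not (Test-Path $Tool)) { throw "TDSSKiller not found at $Tool" }

# One log per host and run, so results from many machines land in one share.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$log   = Join-Path $LogShare ("{0}-{1}.log" -f $env:COMPUTERNAME, $stamp)

# Keys as documented above:
#   -silent   no windows, for scripted execution over the network
#   -l        write the log to the given file
#   -qpath    quarantine folder (created automatically if it does not exist)
#   -qsus     quarantine suspicious objects only
#   -tdlfs    also look for the TDLFS file system used by TDL3/TDL4
#   -dcexact  automatically detect and cure known threats
# -sigcheck is deliberately omitted: it marks every unsigned driver as
# suspicious, so combined with -qsus in silent mode it would quarantine
# legitimate unsigned drivers. Use -sigcheck on a log-only run (no -q* keys).
$cliArgs = @(
    '-silent',
    '-l',     ('"{0}"' -f $log),
    '-qpath', ('"{0}"' -f $Quarantine),
    '-qsus',
    '-tdlfs',
    '-dcexact'
)

$proc = Start-Process -FilePath $Tool -ArgumentList $cliArgs -Wait -PassThru -NoNewWindow
Write-Output ("TDSSKiller finished on {0} with exit code {1}; log: {2}" -f `
    $env:COMPUTERNAME, $proc.ExitCode, $log)

# The exit codes are not documented on the page, so the log is treated as the
# source of truth. ASSUMPTION: the log names the object classes listed above.
if (-not (Test-Path $log)) {
    Write-Warning "No log written on $env:COMPUTERNAME; the scan may not have run."
} elseif (Select-String -Path $log -Pattern 'Hidden|Blocked|Forged|BackBoot' -Quiet) {
    Write-Warning "Suspicious objects reported on $env:COMPUTERNAME; review $log"
}
```

Run it once interactively on a test machine before deploying it through a scheduled task or a management tool: an unattended run with -qsus removes objects without asking, and a quarantined driver or service that the system actually needs will only show up as a failure on the next boot, so keep the quarantine folder until the logs have been reviewed.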

Via: [Kaspersky Labs]
