|
|
|
|
|
 |
How to detect and remove unknown rootkits |
|
This section explains how to neutralize complicated malware, i.e. when user participation is required to modify the system registry or execute a special utility, for example. If you have not found the requested information in this section please submit a request to the Kaspersky Lab Technical support.
How to detect and remove unknown rootkits
|
|
ID Article: 5353
|
Andere talen:
    
|  10 |
 24.08.2011 12:31 |
 Afdrukbare versie |
|
A rootkit is a program or a program kit that hides the presence of malware in the system.
A rootkit for Windows systems is a program that penetrates into the system and intercepts the system functions (Windows API). It can effectively hide its presence by intercepting and modifying low-level API functions. Moreover it can hide the presence of particular processes, folders, files and registry keys. Some rootkits install its own drivers and services in the system (they also remain “invisible”).
Kaspersky Lab has developed the TDSSKiller utility that that detects and removes both, known (TDSS, Sinowal, Whistler, Phanta, Trup, Stoned) and unknown rootkits.
IMPORTANT
- The utility has a graphical interface.
- The utility supports 32-bit and 64-bit operation systems.
- The utility can be run in Normal Mode and Safe Mode.
How to disinfect a compromised system
- Download the TDSSKiller.zip archive and extract it into a folder on the infected (or possibly infected) computer with an archiver (WinZip, for example);
- Run the TDSSKiller.exe file;
- The utility starts scanning the system for malicious and suspicious objects when you click the button Start scan.
- The utility can detect the following suspicious objects:
- Hidden service – a registry key that is hidden from standard listing;
- Blocked service – a registry key that cannot be opened by standard means;
- Hidden file – a file on the disk that is hidden from standard listing;
- Blocked file – a file on the disk that cannot be opened by standard means;
- Forged file – when read by standard means, the original content is returned instead of the actual one;
- Rootkit.Win32.BackBoot.gen – a suspected MBR infection with an unknown bootkit.
It is highly probable that such anomalies in the system are a result of the rootkit activity. But can also be a trace of some legitimate software.
- In order to perform a further analysis, you should quarantine detected object using the Copy to quarantine option. The file will not be deleted in this case.
- Send the saved file(s) either to the Virus Lab or to VirusTotal.com for scanning.
- If the detailed analysis proves that the objects are malicious indeed, you can do the following:
- delete them by selecting the Delete option;
- or restore the MBR (in case the problem is with the MBR) by selecting the Restore option.
A reboot might require after the disinfection has been completed.
Command line keys for the TDSSKiller.exe utility:
-l <file_name> - save a log into the file;
-qpath <folder_path> - quarantine folder path (automatically created if it does not exist);
-h – this help;
-sigcheck – detect all not signed drivers as suspicious;
-tdlfs – detect the TDLFS file system, that the TDL 3 / 4 rootkits create in the last sectors of a hard disk for storing its files. It is possible to quarantine all these files.
The following keys allow to execute the utility in the silent mode:
-qall – quarantine all objects (including clean ones);
-qsus – quarantine suspicious objects only;
-qboot - quarantine all boot sectors
-qmbr – quarantine all MBRs;
-qcsvc <service_name> - quarantine the service;
-dcsvc <service_name> - delete the service;
-silent – scan in silent mode (do not display any windows) to be able to run the utility in a centralized way over the network;
-dcexact - automatic detect / cure of known threats.
For example, the following command tells the utility to scan the computer, and save a detailed log into the report.txt file (created in the TDSSKiller.exe utility folder):
TDSSKiller.exe -l report.txt
|
|
|
|
