Viruses and solutions

In this section you will find recommendations on how to fight malicious programs that cannot be disinfected by Kaspersky Lab's products. To disinfect or remove such programs you may have to modify the system registry or use an additional utility. If you cannot find the information you need, or you find these recommendations too complicated or inadequate, please send a request to the Technical Support service via the HelpDesk form.

How to remove malware belonging to the family Rootkit.Win32.TDSS
Article ID: 2663. Last modified on 2009 Aug 25 15:17.

A rootkit is a program, or a suite of programs, designed to hide the fact that a system has been compromised.

For Windows operating systems, the term rootkit stands for a program that infiltrates the system and hooks system functions (the Windows API). By hooking and modifying low-level API functions, such malware can effectively hide its presence in the system. As a rule, a rootkit can conceal any processes, folders and files on disk, and any registry keys, that are listed in its configuration. Many rootkits also install their own drivers and services (likewise hidden) into the system.

Experienced users may check for hooks on the following kernel functions, using a utility such as Rootkit Unhooker or GMER:

  • IofCallDriver;
  • IofCompleteRequest;
  • NtFlushInstructionCache;
  • NtEnumerateKey.

Hooks on the I/O manager routines (IofCallDriver, IofCompleteRequest) let a rootkit filter disk requests that touch its files; a hook on NtEnumerateKey lets it hide its registry keys from anything that enumerates the registry through the normal API.

 

A system infected with malware of the Rootkit.Win32.TDSS family can be disinfected with the utility TDSSKiller.exe. When run without parameters, the utility:

  • scans the Registry for services named:
    • UACd.sys;
    • MSIVXserv.sys;
    • TDSSserv.sys;
    • gaopdxserv.sys;
    • gxvxcserv.sys;
  • deletes such services, together with the files they are linked to, at the next system start-up;
  • if none of these is found, searches for hidden services; if one is found, it reports the service name and prompts you to remove it (type delete to remove the service);
  • if malicious services or files have been found, prompts you to reboot the PC to complete the disinfection. After the reboot, the utility's driver deletes the malicious registry keys and files and removes itself from the services list.

Disinfection of an infected system

  • Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
  • Execute the file TDSSKiller.exe.
  • Wait for the scan and disinfection to finish. A reboot is needed only if the utility prompts for one (it does so when malicious services or files were found); otherwise you do not have to reboot the PC.

Command line parameters to run the utility TDSSKiller.exe:

-l <file_name> - write the log to a file.
-v - write a detailed log (must be used together with the -l parameter).
-d <service_name> - search for a specific malicious service name.

For example, if you want to scan the PC with a detailed log saved into the file report.txt (it will be created in the folder with TDSSKiller.exe), use the following command:

TDSSKiller.exe -l report.txt -v
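As an added example (this is not Kaspersky's code and not part of the original article), the PowerShell script below does, read-only, the first two checks the utility performs: it looks up the five known service names in the Registry and lists service keys that the Service Control Manager does not report (a hidden-service heuristic), and then runs TDSSKiller.exe with the detailed log from the command above. It assumes Windows PowerShell 3 or later, an elevated prompt, and TDSSKiller.exe extracted into the current folder; the function names and the cross-check heuristic are the example's own, not the utility's.

```powershell
# Added example, not Kaspersky's code. Assumes: elevated Windows PowerShell 3+,
# TDSSKiller.exe already extracted into the current folder.
$KnownTdssServices = 'UACd.sys', 'MSIVXserv.sys', 'TDSSserv.sys', 'gaopdxserv.sys', 'gxvxcserv.sys'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceKeyInfo {
    # Reads one service key and resolves its ImagePath to a file on disk.
    param([string]$Name)
    $key = Join-Path $ServicesKey $Name
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $p = Get-ItemProperty -LiteralPath $key
    $file = $null
    if ($p.ImagePath) {
        # Driver paths are stored as \??\C:\..., \SystemRoot\..., system32\drivers\...
        # or "quoted path" args; normalise to an absolute path before testing it.
        $file = [Environment]::ExpandEnvironmentVariables($p.ImagePath)
        $file = $file -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if ($file -match '^"([^"]+)"') { $file = $Matches[1] }
        if (-not [System.IO.Path]::IsPathRooted($file)) { $file = Join-Path $env:SystemRoot $file }
    }
    [pscustomobject]@{
        Name       = $Name
        Type       = $p.Type
        Start      = $p.Start
        ImagePath  = $p.ImagePath
        FileExists = if ($file) { Test-Path -LiteralPath $file } else { $false }
    }
}

function Find-UnreportedServiceKeys {
    # Heuristic: a key under Services that describes a loadable service or driver
    # (has Type and ImagePath) but is absent from the SCM's own list is suspicious.
    $reported = @{}
    foreach ($s in @(Get-CimInstance Win32_Service) + @(Get-CimInstance Win32_SystemDriver)) {
        $reported[$s.Name.ToLower()] = $true
    }
    Get-ChildItem -LiteralPath $ServicesKey | ForEach-Object {
        $name = $_.PSChildName
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        if (($null -ne $p.Type) -and $p.ImagePath -and -not $reported.ContainsKey($name.ToLower())) {
            Get-ServiceKeyInfo -Name $name
        }
    }
}

Write-Host '== Known Rootkit.Win32.TDSS service names =='
foreach ($n in $KnownTdssServices) {
    $info = Get-ServiceKeyInfo -Name $n
    if ($info) { $info | Format-List } else { Write-Host "  $n : not present" }
}

Write-Host '== Service keys in the registry that the SCM does not report =='
# Caveat: a live TDSS driver hooks NtEnumerateKey, so its key can be hidden from
# this view as well; an empty list here does not mean the system is clean.
Find-UnreportedServiceKeys | Format-Table Name, Start, ImagePath, FileExists -AutoSize

# Run the utility with a detailed log, exactly as in the article's example.
if (Test-Path -LiteralPath '.\TDSSKiller.exe') {
    & '.\TDSSKiller.exe' -l report.txt -v
    Write-Host "Log written to $(Join-Path (Get-Location) 'report.txt')"
} else {
    Write-Warning 'TDSSKiller.exe not found in the current folder; extract TDSSKiller.zip here first.'
}
```

The registry pre-check only documents what the Windows API is willing to show; if the rootkit is active, both the Registry view and the SCM view are filtered by its hooks, so treat the output as a hint and rely on the utility (which brings its own driver) for the actual scan. To target one of the names the pre-check flagged, add the utility's -d parameter, for example `& '.\TDSSKiller.exe' -l report.txt -v -d UACd.sys`.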


Kaspersky Lab

Copyright © 1997 - 2009 Kaspersky Lab