Deleted member 21043 (thread author)
Hi everyone,
In this guide I will show you how to use the well-known Kaspersky TDSSKiller tool.
What is Kaspersky TDSSKiller?
Kaspersky TDSSKiller is an advanced anti-rootkit tool provided by Kaspersky Lab. It runs a scan designed to detect known and unknown rootkits (it can detect rootkit activity and clean it even if that particular rootkit is new and unknown to Kaspersky Lab).
A rootkit (in my opinion) is a program designed to stay hidden from the user while carrying out unauthorized actions on the system. Nowadays you can find many rootkits which are neither "undetected" nor "stealthy". However, you may be infected by a very advanced rootkit whose purpose is to stay undetected while stealing information from your system (the government rootkits recently found on some systems/backdoors are an example). Rootkits can also provide backdoor access to the system.
A rootkit can load its own drivers on the system (kernel mode), giving it control over all the other programs on the system. Kernel mode (also known as Ring 0) is preferred by rootkit developers because it gives them far more of the control they may want.
Of course, there are also rootkits which run in user mode. User-mode rootkits (those which run in Ring 3) run in the same space as all your other programs. They can still do things such as intercept API calls.
"Root" basically means "Administrator", and "kit" refers to a set of tools used to perform activities on the system.
Where can I download Kaspersky TDSSKiller?
Before we can start using Kaspersky TDSSKiller, we need to download it. You can download it from the official Kaspersky website. The download page is here: http://support.kaspersky.com/viruses/utility#TDSSKiller
Information from the Kaspersky website you should note:
Kaspersky also notes on its website that the tool scans for bootkits as well. The TDSSKiller utility supports:
- 32-bit operating systems: MS Windows XP SP2, MS Windows XP SP3, MS Windows Vista, MS Windows Vista SP1, MS Windows Vista SP2, MS Windows 7, MS Windows 7 SP1, Microsoft Windows Server 2003 R2 Standard / Enterprise SP2, Microsoft Windows Server 2003 Standard / Enterprise SP2, Microsoft Windows Server 2008 Standard / Enterprise SP2.
- 64-bit operating systems: MS Windows XP SP2, MS Windows XP SP3, MS Windows Vista, MS Windows Vista SP1, MS Windows Vista SP2, MS Windows 7, MS Windows 7 SP1, Microsoft Windows Server 2008 Standard / Enterprise x64 Edition SP2, Microsoft Windows Server 2003 R2 Standard / Enterprise x64 Edition SP2, Microsoft Windows Server 2003 Standard / Enterprise x64 Edition SP2, Microsoft Windows Server 2008 R2 Standard / Enterprise x64 Edition SP0 or higher.
- The utility has a graphical interface.
- The utility can be run in Normal Mode and Safe Mode.
How to use Kaspersky TDSSKiller
Once you have downloaded Kaspersky TDSSKiller (I saved it to my Desktop), run it as Administrator.
**You will have to accept the EULA and KSN Statement**
Once Kaspersky TDSSKiller has opened, it should look like the following screenshot:
If you click the blue "Change parameters" link above the Start scan button, a new window will pop up with the settings that can be changed for the scan.
Screenshot is in the below spoiler:
For this thread I am going to tick "Loaded modules" under "Objects to scan".
NOTE: After ticking "Loaded modules" you will be prompted with an alert to reboot the system. This reboot allows Kaspersky TDSSKiller to load its kernel-mode driver on the system.
Now we can start our scan by clicking "Start scan".
After Kaspersky TDSSKiller has completed scanning, you will be presented with the Scan Results:
In this case, no threats were found on the system during the scan.
By clicking the "details" link, a new window opens which displays the detections in an organized fashion:
I recommend only using the "cure" option. Deleting detections can cause the system to crash or become unstable.
Logs
You may need the Kaspersky TDSSKiller logs one day, either because you are being assisted by a Malware Removal Expert or because you have the knowledge to read through and understand the contents yourself. To get the report, all you have to do is click the "Report" link in the top menu, under the exit/menu buttons of the window:
Some information about the arguments that TDSSKiller can take can be found at the bottom of this page: http://www.bleepingcomputer.com/download/tdsskiller/
I have quoted the information below for you:
TDSSKiller has the following command-line arguments:
-l - Save the TDSSKiller log to the specified file name. If you do not specify a full pathname, TDSSKiller will save the log in the same folder that the executable resides in.
-qpath - Specify the path to a folder that TDSSKiller should use as the Quarantine folder. If this folder does not exist, TDSSKiller will create it.
-h - Display a list of the command line arguments.
-sigcheck - Detects all drivers that do not contain a digital signature as suspicious.
-tdlfs - Detect the presence of TDLFS file system which the TDL 3/4 rootkits create in the last sectors of hard disk drives for storing its files. All these files can be quarantined.
The following arguments make the actions apply without prompting the user:
-qall - Copy all objects to quarantine folder (Very Aggressive).
-qsus - Copy only the suspicious objects to the quarantine folder. (Safer)
-qboot - Quarantine all boot sectors.
-qmbr - Make a copy of all the Master Boot Records and store them in the quarantine folder.
-qcsvc - Copy the specified service to the quarantine folder.
-dcsvc - Delete the specified service. Only use if you're sure the service should be removed.
-silent - Scan the computer in silent mode. This will not display any windows and allows the program to be used in a centralized way over the network.
-dcexact - Automatically detect and cure any known threats.
For example, you can use the following command to scan your PC and also generate a detailed log written to the file called report.txt. This report will be created in the same folder that TDSSKiller resides in.
TDSSKiller.exe -l report.txt
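As an added example (not from the original post and not Kaspersky's own code), here is a PowerShell wrapper that runs TDSSKiller unattended using only the switches quoted above, writing a timestamped report and using a dedicated quarantine folder so the "-silent" mode can be used from a central script. The Desktop location of the executable and the C:\TDSSKiller working directory are assumptions; change them to match your machine.

```powershell
# Added example, not part of the original post or of Kaspersky's tooling:
# a wrapper that runs TDSSKiller unattended using only the switches quoted above.
# $Exe and $WorkDir are assumed locations; change them to match your machine.
param(
    [string]$Exe     = "$env:USERPROFILE\Desktop\TDSSKiller.exe",  # where the post saved it
    [string]$WorkDir = 'C:\TDSSKiller',                            # assumed root for logs/quarantine
    [switch]$Silent                                                # add -silent for scripted/remote use
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $Exe)) { throw "TDSSKiller.exe not found at $Exe" }
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null

# One log per run, so earlier reports are never overwritten (-l accepts a full path).
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$logPath = Join-Path $WorkDir "tdsskiller-$stamp.log"
$qPath   = Join-Path $WorkDir 'quarantine'   # -qpath: TDSSKiller creates it if missing

# -qsus only copies suspicious objects to quarantine; the aggressive switches
# (-qall, -dcsvc, -dcexact) are left out on purpose, in line with the post's
# advice to cure rather than delete and to review detections before acting.
$tdssArgs = @('-l', "`"$logPath`"", '-qpath', "`"$qPath`"", '-qsus')
if ($Silent) { $tdssArgs += '-silent' }

# The tool needs an elevated process; -Verb RunAs triggers the UAC prompt.
$proc = Start-Process -FilePath $Exe -ArgumentList $tdssArgs -Verb RunAs -Wait -PassThru
Write-Host "TDSSKiller exited with code $($proc.ExitCode)"

if (Test-Path -LiteralPath $logPath) {
    Write-Host "Report saved to $logPath (keep it with the quarantine folder for a Malware Removal Expert):"
    Get-Content -LiteralPath $logPath | Select-Object -Last 20   # tail of the report
} else {
    Write-Warning "No report at $logPath; re-run without -Silent to see the tool's prompts."
}
```

Run it from an elevated PowerShell prompt as `.\Run-TDSSKiller.ps1 -Silent` for an unattended scan, or without `-Silent` to keep the tool's own windows and prompts.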
That was all for today. If you would like me to update this thread with information on anything related to rootkits or Kaspersky TDSSKiller, all you have to do is ask and I will see what I can do.
PLEASE NOTE THIS TOOL SHOULD BE USED WITH CAUTION.
Cheers.