TDSSKiller From Kaspersky
This post was last edited by 是昔流芳 on 2011-1-30 18:17.
Download: http://www.kaspersky.com/downloads/utils/tdsskiller.zip
A system infected with malware of the Rootkit.Win32.TDSS family can be disinfected with the utility TDSSKiller.exe.
The utility has a GUI.
The utility TDSSKiller.exe supports 32-bit and 64-bit operating systems.
Disinfection of an infected system
[*]Download the file TDSSKiller.zip and extract it (using an archiver, for example WinZip) into a folder on the infected (or potentially infected) PC.
[*]Execute the file TDSSKiller.exe.
[*]Wait for the scan and disinfection process to finish. The PC must be rebooted after disinfection is complete.
How to use the utility
[*]Press the Start scan button to start scanning.
The utility detects malicious and suspicious objects.
(Screenshot: http://support.kaspersky.com/images/support_new/2663_1_en.png)
[*]The utility can detect two object types:
[*]malicious (the malware has been identified);
[*]suspicious (the malware cannot be identified).
[*]When the scan is over, the utility outputs a list of detected objects with descriptions.
The utility automatically selects an action (Cure or Delete) for malicious objects.
The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
[*]Select the action Copy to quarantine to quarantine detected objects.
Files will not be removed!
The default quarantine folder is in the root of the system disk, e.g.:
C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
(Screenshot: http://support.kaspersky.com/images/support_new/2663-2-eng.png)
[*]After clicking Next, the utility applies the selected actions and outputs the result.
[*]A reboot might be required after disinfection.
(Screenshot: http://support.kaspersky.com/images/support_new/2663_3_en.png)
[*]By default, the utility writes its log to the root of the system disk (usually the disk with the installed operating system, C:\).
Logs have names like: UtilityName.Version_Date_Time_log.txt.
E.g. C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt
Command line parameters to run the utility TDSSKiller.exe
-l <file_name> - write the log to a file.
-qpath <folder_name> - quarantine folder path (it will be created if it does not exist).
-h - list of command line arguments.
-sigcheck - detect all drivers without a digital signature as suspicious.
-tdlfs - detect the presence of the TDLFS file system, which the TDL 3/4 rootkits create in the last sectors of hard disk drives for storing their files. All these files can be quarantined.
The following arguments apply their actions without prompting the user:
-qall - copy all objects to quarantine (even non-infected ones);
-qsus - copy suspicious objects only to quarantine;
-qmbr - copy all MBRs to quarantine;
-qcsvc <service_name> - copy this service to quarantine;
-dcsvc <service_name> - remove this service;
-silent - scan in silent mode (do not display any windows), so that the utility can be run in a centralized way over the network.
For example, to scan the PC with a detailed log written to the file report.txt (created in the folder containing TDSSKiller.exe), use the following command:
TDSSKiller.exe -l report.txt
Symptoms of an infection
[*]Symptoms of infection with Rootkit.Win32.TDSS first and second generation (TDL1, TDL2)
Experienced users may check, using the utility Gmer, for hooks on the following kernel functions:
[*]IofCallDriver;
[*]IofCompleteRequest;
[*]NtFlushInstructionCache;
[*]NtEnumerateKey;
[*]NtSaveKey;
[*]NtSaveKeyEx.
(Screenshot: http://support.kaspersky.com/images/support_new/2663_9.jpg)
[*]Symptoms of infection with Rootkit.Win32.TDSS third generation (TDL3)
An infection can be detected with the utility Gmer, which shows the replacement of the "device" object of the system driver atapi.sys.
(Screenshot: http://support.kaspersky.com/images/support_new/2663_8.jpg)
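The command-line section above lists the switches but stops at a single `-l report.txt` example. As an added example, not part of the Kaspersky article or of this post, the PowerShell below wraps TDSSKiller.exe in the way the `-silent` switch is meant to be used (unattended, over WinRM), combining `-silent`, `-l`, `-qpath`, `-sigcheck` and `-tdlfs`, and also locates the newest default-named log (`UtilityName.Version_Date_Time_log.txt` in the system disk root) for a run started without `-l`. Everything else is an assumption of this example and is marked as such in the code: the extraction folder `C:\Tools\TDSSKiller`, the output root `C:\TDSSKiller_Runs`, that the utility is run elevated, and that WinRM is enabled on the target hosts. The article does not document exit codes, so the wrapper reports the code but treats the log file as the source of truth.

```powershell
# Added example, not Kaspersky's code. Assumed paths and requirements are marked below.

function Invoke-TdssKillerScan {
    [CmdletBinding()]
    param(
        [string]$ToolDir = 'C:\Tools\TDSSKiller',   # assumed: folder TDSSKiller.zip was extracted to
        [string]$OutRoot = 'C:\TDSSKiller_Runs',    # assumed: per-host output root
        [switch]$QuarantineSuspicious               # adds -qsus (quarantine suspicious objects, no prompt)
    )

    # Assumed requirement (not stated in the article): run elevated, since the utility
    # inspects drivers and raw disk sectors.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run this from an elevated session.' }

    $exe = Join-Path $ToolDir 'TDSSKiller.exe'
    if (-not (Test-Path $exe)) { throw "TDSSKiller.exe not found in $ToolDir" }

    # Same dd.MM.yyyy_HH.mm.ss shape the utility uses for its own log and quarantine names.
    $stamp   = Get-Date -Format 'dd.MM.yyyy_HH.mm.ss'
    $runDir  = Join-Path $OutRoot ('{0}_{1}' -f $env:COMPUTERNAME, $stamp)
    New-Item -ItemType Directory -Path $runDir -Force | Out-Null
    $logPath = Join-Path $runDir 'report.txt'
    $qPath   = Join-Path $runDir 'Quarantine'      # -qpath creates it if it does not exist

    $switches = @(
        '-silent',                  # no windows: required when there is no interactive desktop (WinRM, scheduled task)
        '-l',     "`"$logPath`"",   # log to our folder instead of the system disk root
        '-qpath', "`"$qPath`"",
        '-sigcheck',                # flag every unsigned driver as suspicious
        '-tdlfs'                    # look for the TDLFS hidden file system in the last disk sectors
    )
    if ($QuarantineSuspicious) { $switches += '-qsus' }

    $proc = Start-Process -FilePath $exe -ArgumentList $switches -Wait -PassThru

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ExitCode         = $proc.ExitCode      # undocumented in the article; do not treat 0 as "clean"
        LogPath          = $logPath
        LogWritten       = Test-Path $logPath  # the log is the evidence that the scan actually ran
        Quarantine       = $qPath
        QuarantinedFiles = if (Test-Path $qPath) { (Get-ChildItem -Path $qPath -Recurse -File).Count } else { 0 }
    }
}

# Centralised run over WinRM, which is what -silent exists for. Assumed: WinRM is enabled
# and TDSSKiller.exe is already present at $ToolDir on every host.
function Invoke-TdssKillerFleet {
    param([string[]]$ComputerName, [string]$ToolDir = 'C:\Tools\TDSSKiller')
    Invoke-Command -ComputerName $ComputerName `
                   -ScriptBlock ${function:Invoke-TdssKillerScan} `
                   -ArgumentList $ToolDir
}

# Newest default-named log (TDSSKiller.<Version>_<dd.MM.yyyy>_<HH.mm.ss>_log.txt in the
# system disk root) for a run that was started without -l.
function Get-LatestTdssKillerLog {
    param([string]$Root = "$env:SystemDrive\")
    $pattern = '^TDSSKiller\.[\d.]+_(\d{2}\.\d{2}\.\d{4}_\d{2}\.\d{2}\.\d{2})_log\.txt$'
    Get-ChildItem -Path $Root -Filter 'TDSSKiller.*_log.txt' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -match $pattern) {
                [pscustomobject]@{
                    Path  = $_.FullName
                    RunAt = [datetime]::ParseExact($Matches[1], 'dd.MM.yyyy_HH.mm.ss',
                                                   [Globalization.CultureInfo]::InvariantCulture)
                }
            }
        } |
        Sort-Object -Property RunAt -Descending |
        Select-Object -First 1
}

# Usage (local): Invoke-TdssKillerScan -QuarantineSuspicious
# Usage (fleet): Invoke-TdssKillerFleet -ComputerName 'host1','host2' | Format-Table
```

Because the scan runs in a session with no desktop, `-silent` is not optional here: without it the utility would wait on a dialog nobody can click. Per-host folders keep each run's `report.txt` and quarantine together so that a quarantined driver can later be pulled back for analysis, and the article's "Files will not be removed!" still holds: quarantine is a copy, so a confirmed `Cure`/`Delete` action is still needed on the host.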
Grabbing the first reply, supporting the OP.