TDSSKiller Won’t Run – What To Do

It seems like every other client who complains about a fake anti-virus also has a TDSS rootkit.  A quick search on how to get rid of a rootkit usually leads you straight to Kaspersky’s TDSSKiller.  It’s a fine little app when it opens and runs, but these days that’s a rare occasion.  Why?  The rootkit is preventing it from running.

Here’s what you can do to get rid of the rootkit on the system.  Keep in mind there are lots of ways to do this; I’m just going to cover a few.

  1. Start the PC in Safe Mode and try to run TDSSKiller.  While the success rate of this method is low, I’ve used it a few times and it has worked.
  2. Download the TDSSKiller .exe instead of the zip.  Sometimes the .exe is a newer version of TDSSKiller.
  3. Make a Kaspersky Rescue Disk (how to create and use a Kaspersky Rescue Disk instructions) and scan the boot sectors along with c:\windows\system32 (you have to click Add for this one).  The rootkit will be found and disinfected.  After that you should scan your PC with Malwarebytes to get rid of any leftovers.

Consider using a combination of anti-malware products.  I’m using Norton Internet Security 2011 (because of its speed) and Comodo’s Defense+ (which lets me authorize changes to the OS).  This combo has thwarted everything so far.  Note – If you decide to run this combo, do not install Comodo’s antivirus component; Norton will be fulfilling that role.


31 Responses to TDSSKiller Won’t Run – What To Do

  1. estechguy July 14, 2011 at 8:23 pm #

    I have used avast since v6 came out because I saw how good it was after they did v6. Before that I used MSE. When I saw your vid on the TDL4 Rootkit I saw that avast might not be good, so I admittedly installed Comodo Defense+! I play with malware in my VMs too and I do not want to get a malware intrusion that way! Thanks for doing that vid Matt!!!!(:

  2. Tomo172 July 14, 2011 at 9:52 pm #

    Thanks Matt. Helpful post.

    Do you not think running Defense+ and NIS 2011 is going overboard?

    You’ve got Norton’s SONAR (behaviour blocker) and a HIPS running at the same time.

  3. malwarekilla July 14, 2011 at 10:53 pm #

    @Tomo172 – Yeah, maybe a bit, but I don’t like depending on one security provider. Guess I’m just a bit on the sensitive side with these TDL4 infections.

  4. hahacify July 14, 2011 at 11:04 pm #

    Hi Matt, I would like to use the combination of Comodo and Norton that you mentioned, but I don’t know what settings to disable in my Norton 360 so that there won’t be any conflicts between the two products. I need your advice Matt, thanks.

  5. Casey July 15, 2011 at 12:29 am #

    @malwarekilla – I know what you mean. I’ve got Comodo’s Defense+ running alongside my Avast free antivirus and Malwarebytes Pro. ;D

  6. gusthebus July 15, 2011 at 1:41 am #

    @hahacify You need to disable Norton’s firewall (Tasks and Settings>Changed Adv. Settings>Firewall settings>Disable Firewall) and Windows Firewall (Control Panel>System and Security>Windows Firewall).

  7. bulldozer July 15, 2011 at 3:27 am #

    Hey Matt, you should check out avast; it’s pretty amazing. I would suggest it for anyone looking for a free AV. It’s like what MSE’s detection rate used to be when it first came out. The auto-sandbox is a great add-on. They will soon be releasing avast 7.0, which will be running off of the cloud like Norton. You should really test out avast’s prevention; it is amazing. I think you will change your mind on a free AV for your clients. 🙂

  8. Roni July 15, 2011 at 4:51 am #

    Do you think you will do an ESET Smart Security 5 release candidate review? I’d love to know what you think about it. I’ve been using Smart Security 4 and it’s really solid. I have yet to get infected (I do a full-on scan with a bootable anti-malware disk once every 2 or 3 months alongside the regularly scheduled full scans, of course).

  9. estechguy July 15, 2011 at 2:26 pm #

    @bulldozer – I agree with you about avast! 🙂 I have done several tests on it in my VM and it blocked everything serious I chucked at it! I also did a vid for it on my estechguy YouTube channel.

  10. enes July 16, 2011 at 5:36 am #

    Hi Matt,
    Avira rocks for me.
    Haven’t gotten a single infection since I started using it.
    Very light on the system.
    Will you be reviewing SP2 of Avira?

  11. ZOU July 16, 2011 at 3:48 pm #

    That is what I like about Avira as well. It does not drag anything down. For that, I am willing to deal with a few FP’s here and there.

  12. harry July 17, 2011 at 9:29 am #

    Hi Matt, just got Trend Micro Titanium Maximum Security. It is great for a normal user; please do a test sometime in one of your reviews. Thanks.

  13. john July 18, 2011 at 2:19 am #

    Hey Matt,

    Can you tell us what the best tools are to use, and what not to use, for malware removal, repairing internet and Windows after malware damage, etc.? Not all tools work and it would be nice to know which ones are effective and which ones are a waste of our time.

  14. malwarekilla July 18, 2011 at 1:52 pm #

    @Roni – I don’t do betas or RCs. So much can change from those stages until the final release.

  15. malwarekilla July 18, 2011 at 1:53 pm #

    @harry – Yes, I need to take another look at Trend’s latest products since a lot of my customers are getting 15 months free from Dell and HP.

  16. malwarekilla July 18, 2011 at 1:54 pm #

    @enes – I’ve always been a huge fan of Avira, but their little “nag” screen became a problem for more than a few of my clients.

  17. Christos July 19, 2011 at 4:37 pm #

    @malwarekilla You can always disable the nag screen, but my problem with Avira is the amount of false positives it makes.

  18. Warwagon July 19, 2011 at 10:07 pm #

    @Christos

    As you probably already know, you never “hack” something on a customer’s c. Because if you do that on every customer’s computer, and all of a sudden the hack breaks something, you are so screwed. So if Matt were to “disable the nag screen” for 100+ of his customers, and then all of a sudden it gets re-enabled via an update, 100+ customers now have a nag screen they never saw before, and he will be getting raped over the phone.

  19. ZOU July 19, 2011 at 10:28 pm #

    I got rid of the splash screen via the registry, but I was never able to get rid of the Avira nag screen. The splash screen was my primary issue. The nag screen does not bother me any more. I am used to it. They are providing me with a free service, after all.

  20. malwarekilla July 19, 2011 at 11:06 pm #

    Yeah, I’m completely legal when it comes to dealing with clients.

  21. bulldozer July 20, 2011 at 12:57 am #

    I would replace Avira with avast! So many good things are to come out of that program. So many good things are already in the program, like Auto-sandbox.

  22. ZOU July 20, 2011 at 2:00 am #

    Legitimate is definitely the way to go. That way, you do not have to look over your shoulder.

  23. ZOU July 20, 2011 at 2:03 am #

    @bulldozer

    The primary reason that I never went back to Avast is that it drags my system operations down too much by causing annoying hangs. I am a very hyper surfer and program utilizer, as such, I won’t tolerate a security program, or any other program, that slows me down, even if the security that is offered is second to none. I am slightly eccentric that way; one of my little quirks, I guess.

    I agree with you though. Avast seems to be all the rage.

  24. Carlos Rodriguez July 20, 2011 at 6:55 am #

    Sorry guys to rain on your parade, but the majority of AVs you are mentioning in your comments suck big time against 0-day threats. Notice that I am not by any means endorsing any AV over another, just keeping you informed that AVs are just ONE layer of defense and thus should not be solely relied upon.

    See this link below:

    http://www.wilderssecurity.com/showpost.php?p=1906837&postcount=591

    Carlos

  25. Christos July 20, 2011 at 9:25 am #

    Yeah…the downsides of not being legitimate are pretty well described in these posts….

  26. ZOU July 20, 2011 at 2:22 pm #

    @Carlos

    Could we judge from those 0-day stats that you could effectively use MBAM Pro in place of an AV program?

  27. John July 20, 2011 at 2:22 pm #

    Matt,

    Do you still recommend Sandboxie? If so, what is the best combination that you recommend? I’m using Sandboxie with MSE.

  28. Carlos Rodriguez July 20, 2011 at 2:37 pm #

    Zou,

    To answer your question, I do think MBAM would be one of the multiple layers of an approach to computer security, and not the only one to rely on.
    You can see from those statistics that even MBAM has sometimes missed something.

    Hope this helps,

    Carlos

  29. malwarekilla July 20, 2011 at 4:21 pm #

    @John – Yeah, Sandboxie is still awesome.

  30. shre54321 October 10, 2011 at 4:12 am #

    For me,

    it’s avast! Free and Comodo Firewall with D+….

    Nothing gets past these two… as far as I have seen….

    avast! catches everything 99% of the time… so Comodo doesn’t pop up much for me…
