Rootkit Removal from a Windows System
Technibble

How to Remove a Rootkit from a Windows System

What is a Rootkit?

A rootkit is a software program that enables attackers to gain administrator access to a system. On Unix/Linux systems, this is called “root” access. Rootkits contain tools and code that help attackers hide their presence as well as give the attacker full control of the server or client machine continuously without being noticed. Sometimes they even cause typical malware-type problems. I had a case where a browser hijack was being caused by a particular rootkit installed on the system. In this article, I will show you one way to remove a rootkit from a Windows system.

“Rootkits are usually installed on systems when they have been successfully compromised and the highest level of access has been given (usually root). Some rootkits refuse to be installed until the attacker has root access, due to read and write permission to certain files. Once the system has been successfully compromised and the attacker has root, he/she may then install the rootkit, allowing them to cover their tracks and wipe the log files.”

A typical rootkit consists of the following utilities:

  • Backdoor Programs – login backdoors, telnetd, etc.
  • Packet Sniffers – sniff network traffic such as FTP, TELNET, POP3
  • Log-Wiping Utilities – bash the logs to cover tracks
  • DDoS Programs – turn the box into a DDoS client (remember trinoo?)
  • IRC\Bots – bots used to take over IRC channels (lame and annoying)
  • Miscellaneous programs – may contain exploits, log editors

    • Persistent Rootkits

A persistent rootkit activates each time the system boots. Normally these types of rootkits are stored in the system registry.

    • Memory-Based or non-Persistent Rootkits

Memory-based rootkits will not automatically run after a reboot; they are stored in memory and lost when the computer reboots.

    • User-mode Rootkits

User-mode rootkits operate at the application layer and filter calls going from the system API (Application programming interface) to the kernel. These rootkits normally change the system binary files to malicious code that redirects control of the computer to the creator of the rootkit.

    • Kernel-mode Rootkits

Kernel-mode rootkits hook into the system’s kernel APIs and modify data structures within the kernel itself. These are the most effective and dangerous types of rootkits. Kernel-mode rootkits are very difficult to detect and can hide on a system without any indication of being active.

    • Bootkits

Bootkits are variations of kernel-mode rootkits that infect the Master Boot Record (MBR). The malicious code can be executed before the computer actually boots.

    • Firmware

A firmware rootkit infects a device or piece of hardware where code resides, such as a network card or the system BIOS.
See the Mebromi firmware rootkit: http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/

    • Hypervisor

These are newer types of rootkits that infect the hypervisor layer of a virtual machine setup. The hypervisor is basically the layer between the physical hardware (host system) and the virtual system (guest), although a type II hypervisor can be installed on top of an OS in order to present a virtual layer to the virtual system. These rootkits can intercept hardware “calls” going to the original operating systems.

How to remove the Rootkit

This is where it gets fun! There are different approaches and really no single foolproof method, nor is it guaranteed that the rootkit will be fully removed. As a matter of fact, there are some computer security experts who simply recommend formatting the drive and completely re-installing the operating system.

The Manual Method

This may or may not be more time consuming than trying to search using an automatic tool. If you are familiar with legitimate Windows services and programs and can pick out suspicious files, then this could be the way to go. Many times, rootkit scanners will not detect rootkit infections, especially if they are new, so this may be the way to go if you don’t want to go straight to the nuke-and-pave solution.

Tools:

Technibble has a video on using Process Explorer and AutoRuns to remove a virus. Finding a rootkit would be a similar process using these tools.

Read here for more on HijackThis and the HijackThis reader. Those tools can be used to find suspicious processes and files, and each has its own form of analysis.

Here is a process for locating a rootkit via msconfig:

1. Open msconfig and enable the boot log.

      In XP, go to Start, then Run. Type in “msconfig” (without quotes). Go to the “boot.ini” tab and tick “Boot log”.

      In Vista and Windows 7, go to Start and type in “msconfig” (without quotes). Go to the “Boot” tab and tick “Boot log”.

2. Restart the computer.

3. Open C:\WINDOWS (or C:\WINNT), open ntbtlog.txt and search for malicious files.

You can start with this short list from Computersight.com of file names that begin with the following strings; the actual name may contain random characters after the prefix.

    • rot
    • gas
    • gaopdx
    • seneka
    • win32k.sys
    • uacd
    • tdss
    • kungsf
    • gxvxc
    • ovsfth
    • msqp
    • ndisp
    • msivx
    • skynet

Note the full path of the file, e.g. \SystemRoot\system32\drivers\BadRootkit.sys

For an exhaustive list of rootkits that you can search for, check out this Rootkit List from Bleeping Computer.

4. Open a command prompt and remove the file’s permissions using either the CACLS or ICACLS command.
   For example, type cmd in the Run box (XP) or the search box (Vista/7) with Admin privileges (in Vista and Windows 7, press Ctrl-Shift-Enter to open the command prompt as an Admin) and type

       cacls C:\WINDOWS\system32\drivers\BadRootkit.SYS /d everyone

   or

       icacls C:\WINDOWS\system32\drivers\BadRootkit.SYS /deny *S-1-1-0:FMRXRW

   (cacls /d everyone denies permission to the file for all users; icacls /deny Sid:permission can deny simple or specific rights. S-1-1-0 is the SID of the Everyone group, and icacls needs the leading * when the SID is given in numeric form rather than as a name.)

5. Restart the computer.

6. Search for the file in the following locations and remove it:

    • C:\WINDOWS or C:\WINNT
    • C:\WINDOWS\system32
    • C:\WINDOWS\system32\drivers
    • Registry

   Clear the temp, %temp% and prefetch folders.

Source: Computersight.com
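As an added example (not code from the article or from Computersight.com), the following Python script does the file-hunting part of steps 3 and 4 offline: it parses the “Loaded driver” / “Did not load driver” lines of ntbtlog.txt, flags entries whose file name starts with one of the prefixes listed above, and builds the icacls deny command for a flagged path. The boot log content is a constructed sample, and C:\WINDOWS as the Windows directory is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Name prefixes from the article's Computersight.com list; win32k.sys is also a
# legitimate Windows kernel component, so any hit must be verified by hand.
SUSPICIOUS_PREFIXES = ("rot", "gas", "gaopdx", "seneka", "win32k.sys", "uacd",
                       "tdss", "kungsf", "gxvxc", "ovsfth", "msqp", "ndisp",
                       "msivx", "skynet")

# Constructed sample of ntbtlog.txt (not a real capture); real boot logs use the
# same "Loaded driver" / "Did not load driver" line format.
SAMPLE_NTBTLOG = r"""Microsoft (R) Windows (R) Version 6.1 (Build 7601)
Loaded driver \SystemRoot\system32\ntkrnlpa.exe
Loaded driver \SystemRoot\System32\win32k.sys
Loaded driver \SystemRoot\system32\drivers\tdssserv.sys
Loaded driver \SystemRoot\system32\drivers\ndis.sys
Did not load driver \SystemRoot\system32\drivers\gaopdxabc.sys
Loaded driver \SystemRoot\system32\drivers\rotorA.sys
"""

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+?)\s*$")

def parse_ntbtlog(text):
    """Yield (status, path) for every driver line in ntbtlog.txt text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2)

def suspicious_drivers(text, prefixes=SUSPICIOUS_PREFIXES):
    """Step 3: boot-log entries whose file name starts with a listed prefix."""
    hits = []
    for status, path in parse_ntbtlog(text):
        name = PureWindowsPath(path).name.lower()   # compare case-insensitively
        matched = [p for p in prefixes if name.startswith(p)]
        if matched:
            hits.append({"status": status, "path": path, "name": name,
                         "prefix": matched[0]})
    return hits

def to_drive_path(bootlog_path, windir=r"C:\WINDOWS"):
    """Map a boot-log SystemRoot path to the on-disk path used in step 4."""
    marker = "\\systemroot\\"
    if bootlog_path.lower().startswith(marker):
        return windir + "\\" + bootlog_path[len(marker):]
    return bootlog_path   # already a drive path (or unknown form): leave as is

def icacls_deny_command(bootlog_path, windir=r"C:\WINDOWS"):
    """Step 4 as icacls: S-1-1-0 = Everyone, '*' marks a numeric SID, F covers FMRXRW."""
    return 'icacls "%s" /deny *S-1-1-0:F' % to_drive_path(bootlog_path, windir)
```

Note that ndis.sys is not flagged (the prefix is ndisp, not ndis), while win32k.sys is flagged only because it is on the list and must be confirmed against a known-good copy before anything is denied or deleted.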

The Automatic / Semi-Automatic Method

You can check out a list of rootkit removal tools here.

I would first fire up TDSSKiller from Kaspersky. It runs a fairly quick scan and TDSS variants are popular, so it may catch something on the first attempt.

If the TDSSKiller comes up empty then try out GMER, which is a powerful and exhaustive rootkit scanner.

From there I like to use AVG’s Rootkit Scanner. This tool has actually found quite a few rootkits for me. It’s also good to run it after you have removed the rootkit to be thorough, although you could do that with any of these tools. Another program worth mentioning at this point is the new Microsoft Standalone System Sweeper Beta. There has been some buzz that this tool has been fairly successful at finding hidden rootkits.

If these rootkit scanners are not finding anything, or they do find something but can’t delete it, then you may have to move to the manual method. You can also keep trying other tools, but there does come a point when you have to evaluate whether the time and effort are worth it, or whether you should either try a manual method or perform a full re-installation of the operating system.

There is more than one way to find and kill a rootkit. What is your process?

  • theMezz says:

    Combo Fix

  • webtechservices.com says:

    Thank you for the info on the manual way and AVG’s Rootkit Scanner. I have been using GMER, TDSSKiller and Combofix mainly but it is nice to have more options, for the stubborn types. -Chris

  • 2ndLifeComputers.com says:

    We always use SmitfraudFix and Malwarebytes in hard to clean cases.
    Downside to a lot of rootkit removing software nowadays is that they do not support Windows 7 64-bit.

    • Mulga says:

      I was not familiar with SmitfraudFix and when I researched it I discovered it has not been updated since June 2009. Given that, I would not recommend its use.

      I use Malwarebytes as a first step backed up with HijackThis, TDSSKiller and on occasion a range of other common removal tools. As a last resort ComboFix; it is an excellent tool but can be a bit dangerous.

  • Michael says:

    TDSSKiller has been a staple in my toolkit until about a week ago. Nothing I did seemed to remove this lil bugger of a root kit from a client’s computer. GMER, ComboFix, and MalwareBytes didn’t find anything and TDSSKiller would not run for the life of me. I tried safe mode, renaming the file, etc; I could see the process start and then quickly close out. Close to my wits’ end, I was about to wipe/reload it (which I hate doing). I ended up trying the Kaspersky Rescue CD. Booted off the machine and within a minute it found and removed the root kit and about a dozen trojans. Kaspersky Rescue CD for the win!

    • Andrew says:

      The reason TDSSKiller won’t run most of the time is that there is a boot kit that prevents it from loading. I use Avast MBR to reset the MBR to the default. Then TDSSKiller will run almost every time. My current antivirus run at the moment is: Rougefix (saves a lot of time resetting junk), TDSSKiller (then Avast MBR if needed), HitmanPro, Autoruns, last resort is ComboFix.

    • Doug says:

      I am experiencing the exact same thing right now. This girl’s laptop is infected big time. It has the notorious “System Restore” Rogue Anti-Virus at startup. We have dealt with this before but this one is much more sophisticated. It dodges everything I have thrown at it. I was considering the Kaspersky rescue as a last resort but I talked to the girl and she said that she has everything backed up to an external drive, so I went ahead and ran the onboard recovery option. Now after reading your post, I wish I had run the Kaspersky recovery disc. I need to find a way to get rid of this nasty booger without having to wipe the drive. These damn bugs are getting more and more difficult to remove now.

      • Woodz says:

        Doug, try Eset.com online scanner. Eset has found critters when Malwarebytes, Panda and Microsoft Essentials couldn’t.

        • Doug says:

          Thanks Woodz, I will check it out. Any body got any opinions on the NOD32 AV? Is it pretty effective?

  • Benjamin S says:

    So, at what point do we decide if it’s worth running X number of programs for 2+ hours and lower our $ per hour rate, or just N&P to keep the average up?

    • Chuck Romano says:

      Benjamin,

      I think it’s really your call. Many times it depends on the situation. Example, if it’s a residential client who has nothing important to backup and cares less if the system is restored, then maybe just go ahead to a nuke and pave. However, if you have a business client, or a pc that has a lot of programs and data that would take quite a bit of time to restore, maybe it’s worth spending some time trying to kill the virus/rootkit. There are different variables to factor in, but really it’s the tech’s call on what makes sense for both the client and the tech.

      • Benjamin S says:

        Well, considering most businesses want you onsite, and unless they’re under contract they should be billed hourly, doing this at a business client’s location shouldn’t be a problem to the bottom dollar. Thanks for your reply.

  • Jo says:

    How can you be sure that it’s a rootkit infection?
    Client complains that the computer is slow, we always suspect infection as being the culprit, so we run Malwarebytes, Asquared, or the problem is that some of the new stuff doesn’t show up easily, so how do you know that it’s really infected? Maybe the HD is faulty (run chkdsk from a Win CD) or the MB (forget about diagnosing that), the video card could be slowing things down?
    So if the sh*t (actually shouldn’t complain, these lowlifes are helping us make money) doesn’t show up as mentioned in the article, how can you be sure that it’s a rootkit infection? Unless you spend hours and hours of your client’s money and then lose him because it just wasn’t worth it.

    • Rivo99 says:

      Unfortunately for residential clients, virus cleanup is generally a flat fee. On the tech side, if MWB, SAS or ComboFix doesn’t make a dent, then the computer is generally messed up to the point that a backup and reinstall would be a better solution for the client anyway.

      • eMicros says:

        Rivo -> completely agree. If a PC can’t be fully cleaned inside of about 90 minutes, it’s usually beyond redemption. Any PC of a reasonable speed with fully removable malware should not still be resisting after I’ve spent an hour on site. If you’re getting nowhere after an hour and a half, you are wasting your and your client’s time and a rebuild should be recommended (off site of course, then move on to your next customer).

    • eMicros says:

      … offer your client 2 options. A wipe and rebuild at a fixed cost, performed off site. Or an hourly rate onsite. If you are getting nowhere after an hour and you are competent at malware removal, you would be doing yourself and the customer a favour by recommending a wipe and rebuild. When I first started out about 10 years ago, I’d spend 4, 5, 6 hours onsite attempting to clean up the uncleanable & uncorrupt the utterly corrupted. I had more time then, I wasn’t busy, but the customer just sees a struggling tech and somebody who’s not confident of how wisely they’ve spent their time as they don’t feel they can charge the customer for the whole time they’ve been there. That doesn’t help anybody either. The major stores don’t attempt virus removals, they don’t want a line of customers bringing back PCs that still have problems with some previously unnoticed piece of software. They always backup, wipe and restore. Personally, I think that’s a cop out. A good tech should be able to clean up malware and not need to wipe a PC. But set a limit on your time, and if you aren’t getting anywhere, get out the sledgehammer and fix the cost for an offsite rebuild. Some malware requires a rebuild. The quicker you can identify signs of installations that are going to cause you problems (and that just comes with doing lots of them), the more efficient you’ll get at providing a solution.

      • Woodz says:

        I totally agree on your comments. eMicros, I was the same way too. I can tell you care about the people. I like that!! Get the customer’s data off the drive if it’s a really nasty one. (Like W32 Rogue\Fake Scanti) Try to seek out and destroy the infection first. I like to learn as much as possible how these virii work and where they like to reside. If necessary, then nuke and pave. I have even had to low level format drives before to get the baddies totally wiped out. On a boot virus, I like to use Spotmau. It will plow thru far enough that I can retrieve the data from all drives. I use a lot of the same utilities you are using also. We also charge a flat rate. I can’t see raping someone for my learning curve. lol… The last thing we do is…..teach our customers how to maintain and scan their PCs. They love us for it. We don’t want them cussing us 2 weeks later, because their PC is bogged back down by critters and a gigabyte of cookies and temporary internet files. We are going to start having night classes on cleaning and maintaining their PCs. By doing this, we really believe our business will more than double, since 95% of it is on repairs and upgrades. Our competition is 2 times the money. They won’t hardly open a case or fight a virus. I have had customers tell me that their PC was junk and so & so said they were gonna have to buy a new tower. Most of the time it was slow from the usual bugs and virii. Their mentality is JUST WRONG on how they come across to these people. Many of the repair shops around here have that same mentality. One last comment. Have any of you checked out Ubuntu? All free open source software and Linux based. Virus free and very stable. My partner loves it. I will shut up. lol…. Thank you guys for comments. It’s nice to read about techs that care.

  • Simon says:

    When Malwarebytes, ComboFix and TDSSKiller fail, Unhackme has pretty much saved the day numerous times for me, and on 64-bit machines too.