# Rootkit Removal



## Marlin Guy (Apr 8, 2009)

What are you guys using to remove rootkit infections?
I've had two PCs to clean up this weekend, and it's a bear to get the upper hand on this one.
Malwarebytes IDs it as rootkit.TDSS, but I have to use Process Explorer and some offline HDD scans to even begin to get ahold of it.


----------



## Marlin Guy (Apr 8, 2009)

Also, this infection has been found alongside a fairly new ransomware variant called "Windows Police Pro".

Regarding the rootkit, if you plug a flash drive into the infected PC, the drive will become a carrier and infect subsequent PCs using an autorun.inf file and an executable.

Nasty little bugger.


----------



## Hansen (Jan 1, 2006)

I'm not sure my recollection is correct but I think either Avast or Avira has a free rootkit removal program.


----------



## phat78boy (Sep 12, 2007)

malwarebytes.org. I've had really good success with that malware tool.


----------



## The Merg (Jun 24, 2007)

RootkitRevealer is a simple, free program that works pretty well.

- Merg


----------



## wingrider01 (Sep 9, 2005)

Trend Micro has one also; they are also the ones that bought out HijackThis.


----------



## Zellio (Mar 8, 2009)

Were they client PCs or friends' PCs?

Even if you remove a rootkit, you cannot guarantee that the system is safe, because a rootkit modifies vital system executables. Even with removing the rootkit the system could still be compromised, and/or still have malware on it that's now hidden!

It would be safest to reformat.


----------



## Marlin Guy (Apr 8, 2009)

Hansen said:


> I'm not sure my recollection is correct but I think either Avast or Avira has a free rootkit removal program.


Avast seems to have incorporated theirs into the Antivirus suite now.
I reformatted the first one, but the second seemed to go a bit better.

With that one, I pulled the drive and attached it to my PC.
Then I ran a boot time scan on it with Avast!
When that was done, I booted Windows and ran a full Malwarebytes scan on the external drive.

I then put the drive back in the notebook and booted Windows.
There was still a fake antivirus trying to run. Not the Windows Police version, but one of the more typical Personal Antivirus varieties.
It also had disabled their Symantec AV.

Process Explorer allowed me to kill the process tree and that stopped it from coming back up, so I could delete the executables and DLLs.

I used the Autoruns utility to disable the programs from restarting on reboot.

I ran full scans in Malwarebytes and Symantec to clean up remaining bits and pieces.
After two passes in Malwarebytes, there are no remaining indications or symptoms, so I think I got it cleaned up.
I may install Avast! on the machine itself and run a native boot time scan just to be sure.

The formatted PC was a client.
The second one (described above) is a friend's.

My main concern is whether the rootkit is coming onboard with the ransomware, or whether I just happened to get two identically infected PCs in a row that happened to have both on them.
That seems unlikely, but I suppose it's possible.

If "Windows Police Pro" is carrying a rootkit as part of its payload, then they have certainly raised the stakes in the ransomware game.

BTW, the friend says this one jumped on while they were on Netflix trying to rent a movie. :eek2:


----------



## Marlin Guy (Apr 8, 2009)

I just picked up another desktop infected with "Windows Police Pro".
However, this one shows no signs of having any rootkit infections.
That's a relief!

Anyway, a big THANKS to MS for keeping my bills paid. :lol:


----------



## gfrang (Aug 30, 2007)

I use Karspancy antivirus, don't really know if it works but it has it in there.


----------



## Marlin Guy (Apr 8, 2009)

gfrang said:


> I use Karspancy anti virus,


Kaspersky?


----------



## gfrang (Aug 30, 2007)

Marlin Guy said:


> Kaspersky?


Yeah, that's it. That's all I use.


----------



## harsh (Jun 15, 2003)

I've had success with ComboFix a couple of times recently.


----------



## wilbur_the_goose (Aug 16, 2006)

Marlin Guy - are your PCs running behind a firewall and/or router?

This has nothing to do with rootkit issues, but if you're running a wireless network, be sure your wireless is encrypted (WPA, not WEP) and your router's userid/password are changed from the factory settings.


----------



## The Merg (Jun 24, 2007)

Marlin Guy said:


> Avast seems to have incorporated theirs into the Antivirus suite now.
> I reformatted the first one, but the second seemed to go a bit better.
> 
> With that one, I pulled the drive and attached it to my PC.
> ...


Just cleaned off a computer with Windows Police Pro on it. I didn't find any evidence of a rootkit infection. BTW, what was the rootkit that you found on the computers?

- Merg


----------



## The Merg (Jun 24, 2007)

I stand corrected. Also found a rootkit infection of Win32.TDSS.

- Merg


----------



## Draconis (Mar 16, 2007)

Zellio said:


> It would be safest to reformat.


Drastic, but it is the only way to guarantee the removal of a rootkit. I keep my computer backed up just in case I have to do that.


----------



## Marlin Guy (Apr 8, 2009)

The Merg said:


> I stand corrected. Also found a rootkit infection of Win32.TDSS.
> 
> - Merg


That's the one I had on two out of three.


----------



## The Merg (Jun 24, 2007)

Marlin Guy said:


> That's the one I had on two out of three.


SpyBot sees it and tries to clean it, but it keeps coming back. I'm trying out a combination of ComboFix and Malwarebytes AM now to see if that will take care of it.

- Merg


----------



## Marlin Guy (Apr 8, 2009)

If possible, pull the drive and attach it to another system via USB external.
Install AVAST! and update. Then schedule a boot time scan of the USB drive.
That seems to be what got it off the second one I did.
Malwarebytes wouldn't get it all.
Adaware and Spybot have fallen behind MB.


----------



## The Merg (Jun 24, 2007)

Marlin Guy said:


> If possible, pull the drive and attach it to another system via USB external.
> Install AVAST! and update. Then schedule a boot time scan of the USB drive.
> That seems to be what got it off the second one I did.
> Malwarebytes wouldn't get it all.
> Adaware and Spybot have fallen behind MB.


Unfortunately, the external enclosure I have is for a 3.5" IDE drive and the drive in question is a 2.5" IDE (laptop). SOL there.

So far it looks like ComboFix is cleaning it up, it found everything so far and said it deleted it. It's rebooting now, so we'll see.

- Merg


----------



## Marlin Guy (Apr 8, 2009)

Cool!
Let me know the final results.
I'll try Combo Fix on the next one.


----------



## The Merg (Jun 24, 2007)

Okay, I ran Malwarebytes AM and it located the Rootkit in the System Restore file, which ComboFix had made prior to its work, and in the Quarantine folder for ComboFix. It also found a couple of remnants of the Personal Antivirus trojan. It quarantined and deleted the originals and I then deleted the quarantined files.

Performing a reboot now and another scan to verify it's gone.

- Merg


----------



## The Merg (Jun 24, 2007)

Follow-up scan showed the system as clean. It looks like ComboFix did the job on the Rootkit. I had used SpyBot and Avira AntiVir to clean up Windows Police Pro.

- Merg


----------



## Marlin Guy (Apr 8, 2009)

Did another one today, and another coming my way tonight.
I now have a sacrificial thumb drive with a handful of utilities on it and it's write protected to prevent contamination.
AVAST!
ComboFix
MalwareBytes
Autoruns
Process Explorer

If you have a machine that has been infected, and you plugged in a thumb drive, you need to check the thumb drive.
If you see an autorun.inf file pointing to some obscure and random filename, your thumb drive is infected as well.
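The thumb-drive check described in this post can be scripted. The following is an added example, not code from the thread or from any of the tools named in it: it parses the `[autorun]` section of an autorun.inf file, lists every entry that launches a program when the drive is opened, and flags targets whose names look random. The sample autorun.inf contents are constructed, and the random-name heuristic (`looks_random`) is an assumption for illustration, not a known detection signature.

```python
import re

# Constructed sample, modelled on the carrier pattern the post describes:
# an [autorun] section whose launch entries point at a randomly named executable.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=xkq7ztv.exe
shellexecute=xkq7ztv.exe
shell\\open\\command="xkq7ztv.exe" /s
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# [autorun] keys that cause a program to run; shell\<verb>\command entries do too.
LAUNCH_KEYS = ("open", "shellexecute")
LAUNCH_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lowercased."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
        elif in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def first_token(value):
    """Program path from a command value, honouring a quoted first argument."""
    m = re.match(r'"([^"]*)"|(\S+)', value)
    return (m.group(1) or m.group(2)) if m else ""

def looks_random(name):
    """Assumed heuristic: no vowels, or letters and digits interleaved twice or more."""
    stem = re.sub(r"\.[^.]*$", "", name).lower()
    if len(stem) < 5:
        return False
    vowels = sum(c in "aeiouy" for c in stem)
    flips = sum(a.isdigit() != b.isdigit() for a, b in zip(stem, stem[1:]))
    return vowels == 0 or flips >= 2

def audit_autorun(text):
    """List (key, basename, random_name) for every launch entry targeting an executable."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or LAUNCH_KEY_RE.match(key):
            target = re.split(r"[\\/]", first_token(value))[-1]
            if target.lower().endswith(EXEC_EXTS):
                findings.append((key, target, looks_random(target)))
    return findings
```

A drive that was never set up to autorun should have no launch entries at all, so any finding is worth a look; the `random_name` flag just prioritises the ones matching the pattern described here.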


----------



## Marlin Guy (Apr 8, 2009)

While we're on the subject, perhaps one of our resident Microsoft proxies could answer me this.
Why does MS allow Windows to run hidden processes?
That's like a dream come true for a hacker or a virus.


----------

