Rootkit and malware cleanup

Kent will be on “The Gun Show” with Matt Canovi (KSGF 104.1 – Springfield) this Sunday (December 5th 2011) between 3:00 and 4:00, he will speaking about this topic and personal security with your technology. The show will also be avaliable as a podcast on Monday. You can listen via your computer at

Lately we at IFix Computers have been dealing with more rootkit infections than normal. These internet nastiness are much more difficult to cleanup and cause a lot of havoc for the user and their networks.

Rootkits, worms, viruses, Trojans are all different forms of infections and can get on your computer in various ways. Gone are the days of you purposefully needing to download an infected program or open a link in an email. Today’s infections have been called “drive-by downloads” and quite often come from infected websites that you have legitimate reason to be there. The infections are called SQL injections and they have infected PBS, Intel as well as thousands of smaller web sites. The fix for the webmasters is easy and in the case of the big boys mentioned above they were repaired in a matter of hours.
In an article from January 2010 titled “Scareware continues to rise reaching $150 Million” we went over how to cleanup from an infection and some basic prevention measures. It is my desire to get an updated article out on prevention next week, but right now too many people are dealing with already being infected.

In an attempt to help you after a suspected infection, I went to the ever trusty Mike Rosmis and asked him for a list of what he uses and why. Before you think “but I have an anti-virus program” remember infections occur in different ways, getting a flu shot does not prevent the common cold, diverticulitis or cancer, they occur for different reasons, that is why preventive security is so essential.

Mike has been diligent about finding the best ways to clean up infected computers and has done some tracing of where the main attacks or source of these root-kits are coming from, it appears to be China, though that could be a slight of hand done by the coders of the most recent wave of infections.

DANGER WILL ROBINSON – Mike properly warned me to warn you, we are professionals and know the limits and quirks and “got-yas” of these programs, you CAN really screw up your entire computer if something goes awry. If you can afford it, have a professional IT company do this work, at IFix Computers we currently charge between $150 and $200 to do the work described below.

From Mike – Here’s a list of my current A/V tools:
1. TDSSkiller – from Kaspersky.  It scans system32 files and the MBR.  Good to start with this because it’s effective and usually takes no more than 30 seconds to run, even if it finds a rootkit.  It primarily scans for and removes TDSS, TDL3, Alurion, and others.  Symptoms of a rootkit are browser redirection, large quantities of junk files & folders.

2. MBRfix – found on the Mini P.E. CD.  It rewrites the MBR with a generic XP boot sector.  More complicated and time consuming than TDSSkiller, but effective when Windows just won’t cooperate.  It is also useful if TDSSkiller or Combofix hose up your boot sector.
Kent’s note: we only use this on Windows XP machines, not for Vista or Windows 7. If someone has built or knows of a Mini PE for Vista and 7, we would love to know about it.

3. Combofix – The Big Daddy.  Checks for rootkit activity; steps through Windows startup looking for odd behavior; scans system files, replacing infected files with known good files.  Allow at least 20 minutes to run. This program is known to be updated several times a day so be sure to get the latest updates.  Always get a fresh copy.
Kent’s note: this program needs to be run directly from the desktop, not a USB drive or from another folder. I also prefer to run it while the computer is booted into “Safe Mode” first and then again at the regular desktop.

4. Autoruns – Use this if you can’t get to the desktop in Normal Mode and can get to Safe Mode.  It allows you to stop things like ‘hsuebvbhjsg.exe’ from starting up.

5. Spybot Search & Destroy – a good malware scanner, provides passive browser protection through a manually updated hosts file, shows you which BHO’s (Browser Help Objects) and ActiveX’s are installed, has a process explorer and an alternative registry cleaner. Allow 20 minutes for the scanner.  You have to manually tell it to fix what it finds.
Kent’s note: You should right-click on the icon and choose “Run as Administrator” in Vista and I do the same in Windows 7. Also you want to use the “Immunize” and (when in the Advanced Mode) under the “Tools” section go through the “ActiveX”, “BHOs”, and load the “Host File”.

6. MalwareBytes – good, simple malware scanner for civilians.  Update it and run it.  You also have to manually tell it to fix what it finds.  Allow an hour-and-a-half to run for the full scan.
Kent’s note: Under the “Settings” tab, be sure “Terminate Internet Explorer during threat removal” is selected.

7. ESET anti-virus – When properly configured, this program blocks a lot of infections the others don’t. It is also very “light” on system resources allowing you more horsepower to do what you need to on the computer. It cleanups op a lot of crud and can be run in safe mode as a command line tool (don’t be afraid, just run it and it automatically goes to the command line and does what is needed). If you are infected, I would run this in “Safe Mode” after running Combofix.

Well that is it, will this clean all infections? “No”, did we give you every step in configuring these programs? “No”. However, we have given you the tools do clean up your computer as best we can in this short space.

Until we meet again, have a virus (and root-kit) free week.


One thought on “Rootkit and malware cleanup

  1. Pingback: The actual steps to cleaning malware from your computer - The Weekly Geek

Leave a Reply

Your email address will not be published. Required fields are marked *