Rootkits, Malware and Rootkit Removers.
Over the weekend we dealt with a computer which was possessed by all kinds of malware. This computer would still work, but the CPU load was constantly at 100% and no work could get done. Therefore we needed a rootkit remover; we worked diligently to find a good one, but there is no such thing. Because of that we had to use all the anti-rootkit tools available online and exorcise the rootkits. :)
So what we did was scan the computer with Malwarebytes, SuperAntiSpyware and Sophos Anti-Virus. We used the eternally useful ComputerManual’s malware rescue CD so we could scan the computer without loading the infected OS. But this process took many, many hours, and it seems that each rootkit remover tool was able to detect some rootkits which the others weren’t. So you can imagine that the rootkit removal process is costly time-wise. Each rootkit scanner would take 3 to 4 hours to scan the computer completely. And still they weren’t able to remove everything.
So after we removed whatever we could with all the tools we had at our disposal on the Computer Manual’s malware rescue CD, we turned the computer on and the CPU was still at 100%. Then we used Process Explorer to pause the offending processes so we could expedite the scans. We continued to find all kinds of evil rootkits, but still we could not completely clean them.
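As an added example (not part of the original post), here is a PowerShell triage script for the situation above: it samples per-process CPU consumption over a short window, then lists the busiest processes with their image path and Authenticode signature status, so you know which ones to suspend in Process Explorer before running the scanners. It assumes an elevated prompt on the affected Windows machine; the window length and row count are illustrative parameters.

```powershell
# Added example: find the processes pinning the CPU and show their image path and signer.
# The Process.CPU value is cumulative, so two snapshots are diffed to get the load in the window.
param([int]$Seconds = 5, [int]$Top = 10)

function Get-CpuSample {
    $t = @{}
    Get-Process | ForEach-Object { if ($null -ne $_.CPU) { $t[$_.Id] = $_.CPU } }
    return $t
}

$before = Get-CpuSample
Start-Sleep -Seconds $Seconds
$after  = Get-CpuSample
$cores  = [Environment]::ProcessorCount

$rows = foreach ($id in $after.Keys) {
    if (-not $before.ContainsKey($id)) { continue }     # started during the window
    $delta = $after[$id] - $before[$id]
    if ($delta -lt 0) { continue }                      # PID reused during the window
    $pct  = [math]::Round(100 * $delta / ($Seconds * $cores), 1)
    $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
    if ($null -eq $proc) { continue }                   # exited during the window
    $path = $proc.Path
    if ($path) {
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $signer = if ($sig) { "$($sig.Status)" } else { 'unknown' }
        if ($sig -and $sig.SignerCertificate) { $signer += ' / ' + $sig.SignerCertificate.Subject }
    } else {
        # No readable image path: protected process, or an image hidden from user mode.
        # Worth a closer look in Process Explorer or from the rescue CD.
        $signer = 'NO PATH'
    }
    [pscustomobject]@{ PID = $id; Name = $proc.ProcessName; CpuPct = $pct; Path = $path; Signer = $signer }
}

$rows | Sort-Object CpuPct -Descending | Select-Object -First $Top | Format-Table -AutoSize -Wrap
```

Treat a high-CPU process with an unsigned or unreadable image as a lead, not a verdict: ZeroAccess-style infections run under legitimate-looking names, so confirm from the offline scan before deleting anything.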
We were able to back up the important data on the computer and went on a personal crusade to get to the bottom of this issue. So we started researching all the tools available which were excellent at rootkit removal. We found plenty of rootkits, and again each rootkit remover found different rootkits than the others. We started with the Bitdefender rootkit scanner, which was able to remove the main one that kept the CPU at 100% all the time. You can download both the 64-bit and 32-bit versions here: http://labs.bitdefender.com/rootkit-remover-download-page/
The sad part is that no rootkit remover fully scans your computer, and each has limited rootkit awareness. So it is possible to end up using all of them and still have to rescue the computer with the recovery partition or the rescue DVDs. That is why it is very important to burn your recovery CDs/DVDs every time you purchase a new computer.
Another anti-rootkit tool we used was McAfee Rootkit Remover, which detected something and requested a restart, but it could not remove ZeroAccess. However, it removed some other rootkits.
Then this laptop turned into a rootkit and anti-rootkit hunt, and we were able to find more anti-rootkit tools online. Here are the links:
RootkitBuster from Trend Micro: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=355&lang_loc=1
GMER from http://www.gmer.net/
Then we found AVG’s rootkit remover, but we found it on Softpedia or CNET.com; we could not find it on AVG’s website. So for this one you might need to search online.
Malwarebytes is still going strong with its own rootkit remover:
And here we have the Spybot S&D Live CD (bootable), which now has a rootkit scanner and rootkit remover; this tool is excellent and is free to download and use. You can use this tool just like the TCM Live CD, but this one has a start menu too. Read the post on it to understand how to use it better.
This entire rootkit removal process was quite an ordeal, and we weren’t sure if we had removed all of them. All the anti-rootkit software detected and removed some. However, we weren’t sure that each rootkit scanner had found all of them and been able to remove them. We suspected that some rootkits had evaded detection by the anti-rootkit tools and were still active. In the end we resorted to the old recovery method and restored the data from the backup. That’s why we advise you to burn your recovery DVDs or save a system image.