Anti-rootkit software

I work at a cancer centre as the IT guy.  One of the things I run into regularly is infected computers.  Many times these infections are NOT minor, so I've collected a slew of tools to deal with them.  One type of infection is the Rootkit.  I have a bunch of FREE tools I use to clean these.  These are portable tools so that you don't have to install anything on the computer in question.

BEFORE you begin, remember to backup your entire system.  If you already have a backup solution you use, then use that to make a new separate backup, if you don't backup then now is the time to start.  To easily backup your system you can use any number of tools, but 2 I find very useful are Comodo Backup (instructions from the website in PDF) and DriveImageXML.  I find DriveImageXML easier to use, NOTE: If you tried this previously, you may have given up on it with Windows 7 because initially, it didn't work under Win7.  The latest version works with no problems under all versions of Windows.

To use DriveImageXML, download and install the executable from the link above (it can be installed on a removable device).  When you start the program on the left-hand side click "Backup".  Click the drive you wish to backup and click Next.  Click Next again in the popup window from the wizard.  In the next window, the top line denotes where the backup will be stored.  Click the folder on the right to browse for a different location (note that you will need an equal amount of space as the currently used area of your drive - if you have used 20gb of space you will need at least 20gb free where you create the backup - I suggest an external drive).  In the files section, you can give the resulting backup any name you wish.  The rest leave the defaults.  Click "Next" and it will start creating the backup.  Once you have created the backup you can use the Browse button on the left to browse to the location you designated, highlight the file, ".xml", and click load.  This may take some time depending on your computer and the size of the backup.  Once it is loaded you can restore any file(s) or folder(s).

"A rootkit is a program or programs designed to make it so the user does not realize the system is infected in some way." ( From article on rootkits on Wikipedia) Rootkits are tenacious, they tend to install themselves in system files and rewrite themselves into other files when one attempts to clean the infected computer by normal methods.  There are many methods by which an infection occurs and that is another article (you can read this article all about rootkit detection and removal from TechTarget).  Because of the way a rootkit works it makes it very difficult to get rid of.  

Rootkits by their very nature are difficult to detect.  They are programmed to hide from the user and computer software meant to detect most malware.   Rootkits may even have a list of known rootkit detectors to hide from.  When the rootkit detects a scan from any malware detector it will take action by unloading itself and/or rewriting itself into a system file in order to escape detection.  Even if infected files are detected, the rootkit may have written code in multiple registry keys that allow it to recreate itself.  Some rootkits will disable virus scans that will detect them and even disable rootkit detectors.  One rootkit detector executes as a random executable name each time it starts because its original executable name was listed in rootkits and therefore the program did not work against these malware infections.

It is essential that any rootkits be removed from an infected system.  These types of infections will open up the computer to a number of other malware infections.  Rootkits generally create a back-door to the computer they infect.  This allows access to the computer from a remote location.  With that access, more malware can either be loaded or activated.  Many rootkits carry a payload including keyloggers, which log your keystrokes as you type.  These are particularly dangerous since they will reveal ALL your passwords.

The easiest way to detect and clean rootkits is to either remove the infected drive and attach it to another computer in order to scan it, or boot from a bootable CD/USB that has the rootkit detection/cleaner software on it.  Since rootkits work by using the system itself to hide, once the infected drive is no longer the boot drive, the rootkit is more easily detected and cleaned.  You can find instructions to create a bootable USB here.

Instructions to create a Boot CD with the ability to customize (install the software you need) can be found here.  These instructions are well thought out and tested many times over.  I have found this site very useful.  Be patient when extracting the files.  Once the files have extracted I highly recommend saying YES to the MD5 hash validation.  This will make sure all files that have downloaded and installed have not been tampered with or corrupted.  An alternative to the slipstream software recommended on the site is NTLite an excellent free piece of software that I have found to be very useful.  I suggest following the direction to update as many of the plugins/add-ons as possible, or at the very least the ones you will be using.  If the entry starts with "No" this means it is not installed.  I highly suggest you do NOT use an OEM distribution of Windows when building your boot CD, it is much more likely to cause problems.  If the build process encounters ANY errors it will complete but NOT build the ISO.  You must fix any errors before an ISO file will be created.  The below screenshot shows a build that encountered 4 errors, the ISO file was not created, so if you see any errors as the build is going, you can save time by stopping and fixing the error.

Some software to clean rootkits is explained below.  The opinions expressed are of course my own.  I base the brief reviews below on my experience with these tools over the roughly 25 years I've been in the IT field.

The newest version of Malwarebytes Antimalware incorporates a tool for anti rootkit detection. Under the Detection and Protection section of the Settings tab The Detection option "Scan for Rootkits" is by default unchecked, so check this option and do a scan to check for rootkits.  It is my understanding that this is the anti rootkit product that was in beta (and can still be downloaded from the MBAM website) incorporated into their product.  The settings screen looks like this (this happens to be a licensed version, the free version has the same option) - be sure to check the "Scan for rootkits" option:

F-Secure has an excellent program called Blacklight.  It is very easy to use, just accept the caveats and click scan.  You should know in advance that, at least in my experience, Blacklight is the LEAST likely to find any infection.  This is partially due to the way in which it scans and partially because it throttles down the sensitivity to prevent false positives.  I still run it and use it regularly.  It should be noted that F-Secure is an extremely reputable security firm and therefore its products, such as Blacklight, are well thought of and well maintained.  Using a known quantity is always good practice.

Sophos also makes a great application.  Their anti-rootkit program does require you to supply some basic information before downloading here, but it is worth it.  The Sophos software is relatively easy to use just choose what to scan (check all) and click "Start Scan".  Like F-Secure, Sophos is well known and reliable.  The Sophos software is more sensitive scanning for rootkits than the F-Secure software.  But as I mentioned earlier, both are better when scanning the infected drive if it is not the boot drive.

Panda Anti Virus Anti RootKit, Run Pavark.exe.  Accept the first screen, check deep scan, click scan, this will schedule a scan the next time your system restarts (you can restart right away or later).  Generally, the quick scan is similar to the Blacklight scan - it doesn't pick up rootkits even if you know they are there (assuming you are scanning the infected drive while it is still the boot drive).  The Panda startup scan is fairly good but is no substitute for booting from CD.  The Panda scan will actually start after windows has almost finished loading, so the term "startup scan" may be a misnomer.

Gmer is a more complicated application.  It is extremely good but is aimed at the Information Technology professional or at least someone more conversant with computers.  The GUI (Graphical User Interface) is not as easy to use as the other programs.  It is truly more of a scanner than anything else.  If you want to find out if there are rootkits on your computer, GMER will do the job, but if you want to clean them off, you will either need to do it by hand (no mean task) or use another tool.

RootkitRevealer Originally by Mark Russinovich at Sysinternals now part of Microsoft Technet is the rootkit scanner I spoke about in the second paragraph that runs as a random executable name each time it is invoked to prevent rootkits from detecting that it is running.  The way RootkitRevealer works is it compares What the registry actually says and what is returned through the Windows API (Application Programming Interface).  If there is a difference Rootkitrevealer assumes that a rootkit is interfering with the Windows API (which is how rootkits hide) and reports this as a rootkit.  Although it is best to run this, like any rootkit detection tool, from a CD booted computer, no matter what you do no other applications should be running at the same time and no interaction should be started once you start the scan (any interaction may change values which will initiate rootkitrevealer seeing the change as a rootkit).

Radix is another tool to scan and remove rootkits.  Radix is a powerful tool that can be used by both beginners and advanced users.  It has a number of capabilities best summarized by their own website:

Detects and repairs drivers that have been modified by Rootkits. 

Detects and repairs computer processes modified by Rootkits. 

Detects and reveals hidden processes and files, including Alternate Data Streams (ADS). 

Allows the removal of "locked" or "unremovable" processes and files. 

Provides dump memory areas for processes. 

Shows the Global Descriptor Table (GDT) for advanced Rootkit Detection capabilities. 

Shows the Import Address Table (IAT) for advanced Rootkit Detection capabilities. 

Shows the Interrupt Descriptor Table (IDT) for advanced Rootkit Detection capabilities. 

Shows hidden Registry Keys. 

Operates in both command line mode for power users, or as a graphical tool for regular users. 

Radix is another tool you should only use by itself (nothing else running).  There is a lot there to understand, but if you use the 1click tab (first tab) and the default settings you should be okay.

With anti-rootkits you should run at least 3 before feeling safe.  Some of these applications will identify false positives - things that seem like rootkits but are not - so be careful.  After running your anti-rootkit programs, if you found something, once you have gotten rid of it be sure to run an antivirus /malware application with up to date virus definition file to be sure to get rid of any vestiges that were left behind.

I've cleaned my system, am I done?

Once you have a clean system, it is essential to protect yourself from another infection and to take precautions in case you are infected.  To protect yourself be sure you have installed a reputable piece of anti-malware software with updated virus/malware definitions.  You can see comparisons of AV programs here.  

My personal recommendation is the professional version of Malwarebytes or NOD32.  It really depends on your usage, how comfortable you are with the software, your computer, and how careful you are.  I also recommend running these anti rootkit tools every so often just to check.  But my biggest recommendation is don't ever click on anything that tells you there is malware on your computer.  Exit the dialogue by clicking the "X" in the upper right-hand corner of the dialogue, not any button in the dialogue itself, then do a scan of your computer using the software you trust.

If you don't want to be infected again, make sure you know how it happened this time.  If you were infected from another computer, the next step is to follow the same directions on that system.  If on the other hand, the infection came from an external drive or USB stick you should disable Autorun and then look at the autorun.inf file on the infected drive.  See where it is pointing (e.g., \player32\player32.exe) and delete the offending file(s) then delete the autorun.inf file on that drive.  Finally, scan that drive using your anti-malware software (if your software doesn't scan external or network drives, try using the free versions of Avast! or Avira).  

Don't forget your backup files, there is a good chance they are infected as well.  If they are in a format you can scan, then do so, otherwise, it would not be a good idea to depend on them.  If your backups are essential and you cannot scan them directly, you may wish to try restoring them to another machine and then running the above procedures on those files.  Also, note that your System Restore points may be infected.  Even if you feel that your computer is okay now follow those instructions to delete your System Restore points and create a new one.

IMPORTANT: If you are unsure how to detect or eradicate any form of malware make sure you seek the advice of a professional/expert if you suspect you may be infected before you take any action. You can post questions on all subjects malware related here

(Thanks to evilrix and rdivilbiss for their input on this article)