How to Manually Remove Rootkit

Rootkits are often very difficult to detect, even for experts. Follow these steps to remove a rootkit manually. If a normal user finds the steps difficult to follow, it is better to consult an expert.

Wikipedia defines a rootkit as a software system consisting of a program, or a combination of several programs, designed to hide or obscure the fact that a system has been compromised. The primary functions of a rootkit are providing a backdoor for remote commands and eavesdropping on software. Rootkits allow someone to control a computer administratively: executing files, accessing logs, monitoring user activity, and even changing the computer’s configuration.

Symptoms

  • Issues when visiting some web sites
  • Google redirection
  • Unable to update security software
  • Unable to download files from certain websites
  • Unknown process running in task manager
  • Slow computer performance

Manual Removal

1)      Open msconfig and enable boot logging.

  • In XP: Start – Run – type msconfig – open the ‘BOOT.INI’ tab – check ‘/BOOTLOG’
  • In Vista: Start – type msconfig – open the ‘Boot’ tab – check ‘Boot log’

(In Vista, boot logging can also be enabled from the ‘Enable Boot Logging’ option in the ‘Advanced Boot Options’ menu, which is reached by pressing F8 as soon as the system starts.)

2)      Restart the computer

3)      Open C:\WINDOWS (or C:\WINNT) and open ntbtlog.txt.

Search the log for file names starting with the strings below. The prefix is usually followed by random characters; for example, on my computer the file was ‘GASFKYOBWUBRFT.SYS’.
(Note: below are the most common rootkits causing issues nowadays. As time passes, the list of infections will grow, so treat a match as a lead to investigate rather than a verdict.)

  • rot
  • gas
  • gaopdx
  • seneka
  • win32k.sys (this is a legitimate Windows kernel component; treat it as suspect only if a copy loads from somewhere other than system32, or the file in system32 fails a digital-signature check against a known-good copy)
  • uacd
  • tdss
  • kungsf
  • gxvxc
  • ovsfth
  • msqp
  • ndisp
  • msivx
  • skynet

Also note the directory of the file from the log entry, which on my computer was C:\WINDOWS\system32\drivers.

4)      In the command prompt, deny all access to the file using the CACLS command

For example, open cmd and type
cacls C:\WINDOWS\system32\drivers\GASFKYOBWUBRFT.SYS /d everyone
(/d everyone denies all users access to the file, so the driver cannot be loaded on the next boot; on Vista and later, where CACLS is deprecated, the icacls command provides the same deny rule)

5)      Restart the computer

6)      Search for the file in the following locations and remove it

  • C:\WINDOWS or C:\WINNT
  • C:\WINDOWS\system32
  • C:\WINDOWS\system32\drivers
  • Registry (search for the file name; kernel drivers are registered as services under HKLM\SYSTEM\CurrentControlSet\Services)
  • Clear the temp, %temp% and prefetch folders
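The log triage in steps 3 and 4, as an added example that is not part of the original article: the script parses ntbtlog.txt lines, flags loaded drivers whose names start with the prefixes listed above (handling win32k.sys by location rather than by name, since the name itself is legitimate), and builds the CACLS deny commands for each hit. The sample log is constructed; the gasfkyobwubrft.sys and TDSSserv.sys names in it are made up to match the pattern the article describes, and the rule that a bare file name in the log lives under system32\drivers is an assumption.

```python
"""Triage a Windows boot log (ntbtlog.txt) for driver names that match the
rootkit families listed in the article, and build the CACLS commands for step 4.
Added example, not from the original article."""
import ntpath
import re

# Name prefixes from the article's list, lowercased. win32k.sys is left out
# because it is a legitimate Windows kernel component; see EXPECTED_DIR.
SUSPECT_PREFIXES = (
    "rot", "gas", "gaopdx", "seneka", "uacd", "tdss", "kungsf",
    "gxvxc", "ovsfth", "msqp", "ndisp", "msivx", "skynet",
)

# Legitimate drivers whose names malware has reused: flag them only when a copy
# loads from a directory other than the one Windows normally loads them from.
EXPECTED_DIR = {"win32k.sys": "system32"}

# Boot log lines look like "Loaded driver \SystemRoot\System32\Drivers\Mup.sys"
# or "Did not load driver ...". Windows XP also logs some early boot drivers
# by bare file name (e.g. "Loaded driver ACPI.sys").
LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(\S.*?)\s*$")

# Constructed sample log; gasfkyobwubrft.sys and TDSSserv.sys are made-up
# names modelled on the pattern the article describes.
SAMPLE_LOG = r"""Microsoft (R) Windows (R) Version 5.1 (Build 2600)
 9  9 2009 12:34:56.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver \SystemRoot\System32\Drivers\Mup.sys
Loaded driver \SystemRoot\system32\drivers\gasfkyobwubrft.sys
Loaded driver \SystemRoot\System32\win32k.sys
Loaded driver \SystemRoot\System32\drivers\win32k.sys
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\Drivers\TDSSserv.sys
"""


def parse_ntbtlog(text):
    """Return [(loaded, raw_path)] for every driver line in the log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1) == "Loaded driver", m.group(2)))
    return entries


def resolve_path(raw_path, system_root=r"C:\WINDOWS"):
    """Map the path form used in the log to an absolute path for CACLS.
    Assumption: a bare file name means the drivers directory under system32."""
    low = raw_path.lower()
    if low.startswith("\\systemroot\\"):
        return system_root + raw_path[len("\\SystemRoot"):]
    if low.startswith("\\windows\\") or low.startswith("\\winnt\\"):
        return ntpath.splitdrive(system_root)[0] + raw_path
    if "\\" not in raw_path:
        return ntpath.join(system_root, "system32", "drivers", raw_path)
    return raw_path


def find_suspects(entries, system_root=r"C:\WINDOWS"):
    """Return [(absolute_path, reason)] for loaded drivers worth investigating.
    A prefix match is a lead, not a verdict: confirm against a clean machine
    or the file's digital signature before removing anything."""
    hits = []
    for loaded, raw_path in entries:
        if not loaded:
            continue  # a driver that failed to load is not hiding anything
        full = resolve_path(raw_path, system_root)
        name = ntpath.basename(full).lower()
        parent = ntpath.basename(ntpath.dirname(full)).lower()
        if name in EXPECTED_DIR:
            if parent != EXPECTED_DIR[name]:
                hits.append((full, f"{name} loaded from unexpected directory"))
            continue
        for prefix in SUSPECT_PREFIXES:
            if name.startswith(prefix):
                hits.append((full, f"name matches rootkit prefix '{prefix}'"))
                break
    return hits


def cacls_commands(hits):
    """Build the deny-Everyone commands for step 4. /E edits the existing ACL
    instead of replacing it, so CACLS adds the deny entry without prompting."""
    return [f'cacls "{path}" /E /D Everyone' for path, _ in hits]


if __name__ == "__main__":
    suspects = find_suspects(parse_ntbtlog(SAMPLE_LOG))
    for path, reason in suspects:
        print(f"{path}: {reason}")
    print("\n".join(cacls_commands(suspects)))
```

On the sample log the script flags three files: the gas-prefixed driver, the copy of win32k.sys loaded from the drivers directory, and the tdss-prefixed driver; the legitimate win32k.sys in system32 and the driver that failed to load are left alone. The generated commands use /E so the deny entry is added to the existing ACL rather than replacing it, which is a deliberate departure from the article's bare /d form; run them from an elevated prompt, then reboot as in step 5.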

09.09.24

This is unlikely to work unless

a) Those file names happen to be the ones used by the malware

or

b) You are dealing with a rootkit that does modify a legitimate system file.

that covers about 90% of modern rootkits….
