Wednesday, May 11, 2011

Instructions - Removing Win7 Antivirus or other rootkits

This rootkit is getting pretty gnarly. I get 4-5 of these a week at my small shop, and I've even seen it a few times on Win7 64-bit. I have developed some tricks to remove it over time, and I know from experience that attempting to use multiple accounts/plugins/add-ons doesn't work for the average person from a usability standpoint, so I don't even bother recommending them. I end up getting more calls from the restrictions than I'd get if they were re-infected. On the front lines there is no way we could keep up if private tool developers weren't playing their part. AV developers are either lost or intentionally hamstrung.

My toolkit is Cleanup 4, CCleaner, ComboFix, Autoruns, Process Explorer, Process Monitor and RegLite, my old-school friend. Then Malwarebytes and CCleaner for a general post-cleanup scan.

Brian Krebs recently blogged about how Google Images is being used to deploy this malware. Highly recommended reading, as Krebs on Security is a favorite of mine!

There is usually a multi-stage infection routine, with the social-engineered hijack (Google Images, Facebook, fake codecs, etc.) as the first stage. Lately it has developed a mechanism to register itself in the Windows Security Center control panel, and Windows at times treats this thing like legitimate AV software - insane. The system is usually disabled pretty quickly: restore points are deleted and either the .exe file association is hijacked (so nothing will run without going through the malware) or registry-based system policies are set so that Run As is restricted, the admin control panels are all locked down and registry access is hosed.

I have been successful at this point running a renamed ComboFix as Administrator (although renaming seems to be less of an issue lately), but in XP the built-in Administrator account usually has a blank password, and XP's default policy limits blank-password accounts to console logon, so Run As won't succeed. Adding a password at this point (even if you can, since the Control Panel is locked down) won't help.

The best idea at this point is to reboot into Safe Mode with Networking (as Administrator if possible) and either get System Restore to run or get ComboFix to run.

System Restore is your best option under all conditions, and in 64-bit Windows it may be your only option! Although there are some tools billed as removing rootkits from 64-bit systems, in my experience they don't work.

If System Restore works, make sure you reboot straight back into Safe Mode using the same profile (Administrator) until it completes. If you don't, 9 times out of 10 it will fail to complete the restore successfully. Even if the restore works you must still run ComboFix, because it seems to me some files are being left behind to be used in a future hijack attempt. I have noticed this more recently!

If ComboFix runs you'll usually lick this with one scan; then all that's needed is a Cleanup 4 run and a review of drivers in Autoruns, making sure you follow any files that still exist and delete them at the source. Sometimes ComboFix will only get the registry on the first pass and the file(s) may still exist. Always remember, after ComboFix reboots, to go back into Safe Mode and log back into the same profile you were logged into when you ran it.

It becomes more time-consuming when Safe Mode is disabled or the system blue-screens when booting into Safe Mode (a common cause is the malware deleting the SafeBoot keys under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot). Then you have to use RegLite to modify the policy registry entries manually so you are able to run the tools in normal boot mode. After that you can add a password to the Administrator account if necessary and, in XP, use Run As Administrator.
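As an added example (mine, not code from the original post or from any of the tools it names), here is a PowerShell script that audits the lockdowns described above (the policy values that kill regedit/Task Manager/Run/Control Panel, the .exe association hijack, Image File Execution Options "Debugger" redirects, and missing SafeBoot keys) and, with -Repair, reverses the ones that can be reversed safely. It assumes an elevated prompt, PowerShell 2.0 or later (present on Win7; it has to be installed on XP), and that the stock Windows defaults shown are what you want restored. The -AdminPassword parameter and the Report helper are my own names.

```powershell
<#
  Added example, not from the original post: audit (and optionally undo) the
  registry lockdowns a rogue AV leaves behind so the cleanup tools can run.
  Run from an elevated prompt, ideally in Safe Mode. Dry run by default;
  -Repair writes the fixes. Registry paths are the standard Windows ones.
#>
param(
    [switch]$Repair,
    [string]$AdminPassword   # optional (assumed name): set it on XP so Run As works
)

$script:findings = New-Object System.Collections.ArrayList

function Report($what, [scriptblock]$fix) {
    [void]$script:findings.Add($what)
    Write-Host "[!] $what"
    if ($Repair -and $fix) { & $fix; Write-Host "    repaired" }
}

# 1. Policy values the malware sets to lock out regedit, Task Manager, Run and
#    the Control Panel. Any nonzero value means "disabled"; deleting restores default.
$policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' }
)
foreach ($p in $policies) {
    $v = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if ($v) {
        Report "$($p.Name)=$v at $($p.Path)" { Remove-ItemProperty -Path $p.Path -Name $p.Name }
    }
}

# 2. .exe association hijack. HKCR is a merged view: a per-user override under
#    HKCU\Software\Classes beats the machine default, which is where rogues put it.
$userExe = Get-ItemProperty -Path 'HKCU:\Software\Classes\.exe' -ErrorAction SilentlyContinue
if ($userExe) {
    Report ".exe override in HKCU\Software\Classes (class '$($userExe.'(default)')')" {
        Remove-Item -Path 'HKCU:\Software\Classes\.exe' -Recurse
    }
}
$machineExe = (Get-ItemProperty -Path 'HKLM:\Software\Classes\.exe' -ErrorAction SilentlyContinue).'(default)'
if ($machineExe -ne 'exefile') {
    Report "HKLM .exe class is '$machineExe', expected 'exefile'" {
        Set-ItemProperty -Path 'HKLM:\Software\Classes\.exe' -Name '(default)' -Value 'exefile'
    }
}
# The stock open command for exefile is  "%1" %*  ; anything else runs the malware first.
foreach ($cmdKey in 'HKCU:\Software\Classes\exefile\shell\open\command',
                    'HKLM:\Software\Classes\exefile\shell\open\command') {
    $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -ne '"%1" %*') {
        Report "exefile open command at $cmdKey is: $cmd" {
            Set-ItemProperty -Path $cmdKey -Name '(default)' -Value '"%1" %*'
        }
    }
}

# 3. Image File Execution Options: a Debugger value makes Windows launch that
#    program instead of the named exe, a common way to block cleanup tools.
#    Report only: legitimate entries exist, so review before deleting by hand.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($k in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $k.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Report "IFEO Debugger for $($k.PSChildName): $dbg" }
}

# 4. SafeBoot keys: if these were deleted, Safe Mode blue-screens or reboots.
#    They cannot be synthesised here; export them from a clean machine of the same
#    Windows version (reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot) and import.
foreach ($mode in 'Minimal', 'Network') {
    if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode")) {
        Report "SafeBoot\$mode key is missing - Safe Mode ($mode) will not boot"
    }
}

# 5. XP: the built-in Administrator usually has a blank password, and the default
#    "limit blank passwords to console logon" policy makes Run As fail on it.
if ($Repair -and $AdminPassword) {
    net user Administrator $AdminPassword | Out-Null
    Write-Host "Administrator password set; now: runas /user:Administrator <renamed-tool>.exe"
}

if ($script:findings.Count -eq 0) { Write-Host 'No lockdowns found.' }
$script:findings
```

Run it once without -Repair to see what the infection changed, then again with -Repair (and -AdminPassword on XP) before launching the renamed ComboFix via Run As. The IFEO and SafeBoot findings are deliberately left for manual review, since a legitimate Debugger entry or a wrongly imported SafeBoot tree does more damage than the malware's own lockdown.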


If you are unlucky enough to get a system on which the user has actually purchased the product (accepted the EULA and installed it), removal becomes exponentially more difficult and the system is an official zombie. This means keep it off the network if possible, particularly if other machines are around. Using ComboFix becomes tricky, particularly if the malware has gotten into the boot record.

For more detailed Malware removal instructions visit Michael's awesome blog.
