December 21, 2009

Removing a Windows Rootkit Using SystemRescueCd

The past few weeks have taught me a lot about rootkits:

  1. They are insanely difficult to remove from a Windows installation
  2. This is because they disable all the best anti-malware tools
  3. They hide themselves from even the most diligent searching

Instead of spending hours trying to trick a rootkit into letting anti-malware software run, I prefer a different approach.  I discovered SystemRescueCd during a painful search for a way to remove a virus that I could not seem to identify.  I knew the symptoms of this evil malware, but could not find a cure.  After long hours searching for that elusive cure, I landed on the SystemRescueCd home page.  I was eventually able to use this tool to remove the rootkit and rescue the Windows machine.  Unfortunately, learning to use this simple tool presented me, a capable Windows systems administrator, with a separate challenge: familiarizing myself with (Gentoo) Linux.  I had dabbled with various flavors of Linux throughout the years, but this would be my first attempt at a productive use of Linux.  Below are the steps to successfully use SystemRescueCd to eradicate a rootkit from a Windows installation (commands are shown on their own line; user-specific information is in all caps):

Boot to SystemRescueCd

Set root password
passwd
TYPE YOUR PASSWORD TWICE

Setup networking
dhcpcd eth0 (make sure your network cable is plugged in or your Wi-Fi is turned on)
Update DNS if DHCP does not provide
vim /etc/resolv.conf
Type “nameserver NAME.SERVER.IP.ADDRESS” as the last line of the file (edit the file by typing “R”; when finished, press the Escape key)
Save the file using “:wq”

Mount the Windows partition
mount -t ntfs-3g /dev/SDA1 /mnt/windows (or /dev/sda2; finding the right partition will take some trial and error if you are not used to Linux)

Update ClamAV
emerge clamav (this will take a while; it is not frozen)
freshclam

Run ClamAV, sit back, and relax for 2 hours or more
clamscan -r -i /mnt/windows

When the scan is finished, reboot the machine by typing “reboot”, then run one of those great anti-malware killers.
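One thing the clamscan step above does not do on its own: with -i, clamscan only lists the infected files (one “/path: Signature FOUND” line each, then a summary); it does not remove them, which is why the post finishes with a cleanup tool after the reboot. The script below is an added example, not part of the original post, that turns a saved copy of that output into a checklist of Windows paths to deal with after rebooting. It assumes the /mnt/windows mount point from the steps above, that the mounted partition becomes the C: drive, and that the scan output was saved to a log file (for example with tee); the sample log is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. With -i, clamscan prints only
# infected files, one per line, as "/path/to/file: Signature.Name FOUND",
# then a summary block. This turns a saved log into a report you can act
# on after rebooting into Windows. Mount point and drive letter are assumed.
MOUNT_POINT="/mnt/windows"

# Constructed sample standing in for a saved log
# (for example: clamscan -r -i /mnt/windows | tee /root/scan.log).
SAMPLE_LOG='/mnt/windows/WINDOWS/system32/drivers/example.sys: Win.Rootkit.Example-1 FOUND
/mnt/windows/Documents and Settings/User/Local Settings/Temp/dropper.exe: Win.Trojan.Example-2 FOUND

----------- SCAN SUMMARY -----------
Scanned directories: 1234
Scanned files: 56789
Infected files: 2
Time: 7200.000 sec (120 m 0 s)'

# Number of "FOUND" lines in a clamscan log read from stdin.
count_found() {
  grep -c ': .* FOUND$'
}

# "Infected files: N" from the summary block, read from stdin.
summary_infected() {
  sed -n 's/^Infected files: \([0-9]*\)$/\1/p'
}

# Rewrite each infected path as the Windows path it will have after reboot:
# drop the mount point, prefix the drive letter ($1, default C:), use backslashes.
to_windows_paths() {
  drive="${1:-C:}"
  sed -n 's/^\(.*\): .* FOUND$/\1/p' \
    | sed "s|^$MOUNT_POINT|$drive|; s|/|\\\\|g"
}

# Report on a saved log file; warn if per-file lines and summary disagree.
report() {
  found=$(count_found < "$1")
  summary=$(summary_infected < "$1")
  echo "Infected files listed: $found (summary says: ${summary:-?})"
  [ "$found" = "$summary" ] || echo "WARNING: counts differ, read the log by hand"
  echo "Windows paths to clean after reboot:"
  to_windows_paths C: < "$1"
}

# Run the report over the constructed sample.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$tmp"; report "$tmp"; rm -f "$tmp"
```

Print the report or copy it to a USB stick before typing reboot, since the paths are easier to hand to the Windows-side cleanup tool than the raw clamscan output.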