Removing a Windows Rootkit Using SystemRescueCd

The past few weeks have taught me a lot about rootkits:

  1. They are insanely difficult to remove from a running Windows installation
  2. This is because they disable, or blind, the anti-malware tools that run inside the infected system
  3. They hide their files, processes and registry keys from even the most diligent searching, because their hooks sit underneath the tools doing the searching

Instead of spending hours trying to trick a rootkit into letting an anti-malware product run, I prefer a different approach: boot a separate operating system from removable media and scan the Windows disk from the outside. The rootkit's code never executes in that environment, so it can neither hide its files nor block the scanner.  I discovered SystemRescueCd during a painful search to remove a virus that I could not seem to identify.  I knew the symptoms of this evil malware, but could not find a cure.  After long hours searching for that elusive cure, I landed on the SystemRescueCd home page.  I was eventually able to use this tool to remove the rootkit and rescue the Windows machine.  Unfortunately, learning to use this simple tool presented a capable Windows systems administrator with a separate challenge: familiarizing myself with (Gentoo) Linux.  I had dabbled with various flavors of Linux throughout the years, but this would be my first attempt at a productive use of Linux.  Below are the steps to successfully use SystemRescueCd to eradicate a rootkit from a Windows installation (user-specific information is written in all caps):

Boot to SystemRescueCd

Set root password

passwd

TYPE YOUR PASSWORD TWICE

Setup networking

dhcpcd eth0 #(make sure the network cable is plugged in or the wireless card is turned on; if the interface is not called eth0, list the interfaces with "ip link" first)
#Update DNS if DHCP does not provide it
vim /etc/resolv.conf

Add a line reading "nameserver NAME.SERVER.IP.ADDRESS" at the end of the file: press "G" to jump to the last line, then "o" to open a new line below it in insert mode, type the line, and press the Escape key when finished. (Do not use "R": that is vim's replace mode and overwrites whatever is already on the line.)
Save the file and quit by typing ":wq" and pressing Enter.

Mount the Windows partition

mount -t ntfs-3g /dev/sdXN /mnt/windows

(Replace sdXN with the real device: sda1, sda2, sda3, etc. Linux device names are case-sensitive, so /dev/SDA1 will not work. Older IDE disks show up as hda1, hda2, etc. Rather than trial and error, list the partitions first with "fdisk -l". If ntfs-3g refuses the mount because Windows was hibernated or not shut down cleanly, mount read-only by adding "-o ro", which is all a scan needs and also guarantees the scan itself changes nothing on the disk. After mounting, change directories (cd /mnt/windows) and list the contents (ls): a Windows system volume contains a "WINDOWS" or "Windows" folder plus "Documents and Settings" (XP) or "Users" (Vista and later), which confirms that this is indeed your Windows partition.)

Install ClamAV and update its signatures

emerge clamav #compiles from source, takes a long time and will seem frozen. Go get lunch. (Skip this if clamscan is already present on the CD; note that anything installed on the live system lives in RAM and is gone after the reboot.)
freshclam #downloads the current signature database; this needs the networking and DNS set up above

Run ClamAV, sit back, and relax for 2 hours or more

clamscan -r -i /mnt/windows

Note that "-r -i" only reports infected files; it does not remove anything. Before rebooting, quarantine or delete every file the scan lists (the volume must be mounted read-write for that), otherwise the rootkit simply loads again on the next boot. When that is done, reboot the machine by typing "reboot", boot into Windows, and run one of those great anti-malware killers: with the rootkit no longer active to block them, they should now start and finish normally.
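The mount, scan and clean-up steps above, collected into one script. This is an added example and not the post's own commands. It assumes the rescue system provides lsblk, ntfs-3g, freshclam and clamscan, that the Windows partition is passed as the first argument, and that a quarantine folder on the Windows volume itself is acceptable. The sample clamscan log inside it is constructed (the signature names are made up) so the two log-parsing helpers can be tried without a disk.

```shell
#!/bin/sh
# Offline ClamAV scan and quarantine of a Windows volume from a rescue boot.
# Added example, not taken from the original post. Assumptions: the rescue
# system has lsblk, ntfs-3g, freshclam and clamscan; the Windows partition
# is given as the first argument.
# Usage on the rescue system:  RESCUE_RUN=1 sh offline_scan.sh /dev/sda2
set -u

MNT=/mnt/windows        # mount point used in the post
LOG=/root/clamscan.log  # the live system's filesystem is RAM: copy the log off if you need it

# Print "/dev/NAME SIZE" for every NTFS partition instead of guessing sda1, sda2, ...
list_ntfs_partitions() {
    lsblk -rno NAME,FSTYPE,SIZE | awk '$2 == "ntfs" { print "/dev/" $1, $3 }'
}

# A Windows system volume carries a WINDOWS (XP) or Windows (Vista and later) directory.
is_windows_volume() {
    [ -d "$1/WINDOWS/system32" ] || [ -d "$1/Windows/System32" ]
}

# Count detections in a clamscan log: one "<path>: <signature> FOUND" line per hit.
# grep -c prints 0 but exits 1 when nothing matches, hence the || true.
count_found() {
    grep -c ': [^ ]* FOUND$' "$1" || true
}

# Strip the ": <signature> FOUND" suffix to recover the infected paths.
found_paths() {
    sed -n 's/: [^ ]* FOUND$//p' "$1"
}

# Constructed sample of clamscan output (no real scan; the signature names are
# made up) so the two parsing helpers above can be exercised without a disk.
sample_log() {
    cat <<'EOF'
/mnt/windows/WINDOWS/system32/drivers/example.sys: Win.Rootkit.Example-1 FOUND
/mnt/windows/Documents and Settings/user/tmp/a.exe: Win.Trojan.Example-2 FOUND
/mnt/windows/WINDOWS/notepad.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 1000000
Scanned files: 3
Infected files: 2
EOF
}

# Scan read-only first: a hibernated or uncleanly shut down NTFS volume refuses
# a read-write mount, and a read-only scan cannot alter the disk. Only if
# something is found is the volume remounted read-write, and the files are
# moved into a quarantine directory on the same disk rather than deleted, so a
# false positive on a system file can be put back.
scan_and_quarantine() {
    dev=$1
    mkdir -p "$MNT"
    mount -t ntfs-3g -o ro "$dev" "$MNT" || return 1
    if ! is_windows_volume "$MNT"; then
        echo "$dev does not look like a Windows system volume" >&2
        umount "$MNT"
        return 1
    fi
    freshclam                             # signature update; needs working DNS
    clamscan -r -i --log="$LOG" "$MNT"    # -i: print infected files only
    n=$(count_found "$LOG")
    echo "$n infected file(s) reported, details in $LOG"
    umount "$MNT"
    [ "$n" -gt 0 ] || return 0
    # Read-write mount fails if Windows is hibernated; shut it down properly or
    # use ntfs-3g's remove_hiberfile option, which discards the saved session.
    mount -t ntfs-3g "$dev" "$MNT" || return 1
    mkdir -p "$MNT/quarantine"
    found_paths "$LOG" | while IFS= read -r f; do
        mv -v "$f" "$MNT/quarantine/"
    done
    umount "$MNT"
}

if [ "${RESCUE_RUN:-0}" = "1" ]; then
    scan_and_quarantine "${1:?usage: RESCUE_RUN=1 sh offline_scan.sh /dev/sdXN}"
fi
```

Run list_ntfs_partitions first to pick the device, then start the scan with RESCUE_RUN=1 so that merely sourcing the file never touches a disk. Moving rather than deleting the reported files keeps a way back if ClamAV flags a legitimate driver; the quarantine folder can be removed from Windows once the machine is confirmed clean.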
