IceSword Instructions in English, Illustrated

CastleCops -> Rootkit Revelations

Author: Prince_Serendip Posted: Thu Aug 24, 2006 3:00 pm    Post subject: IceSword Instructions in English, Illustrated

How To Remove Rootkits with IceSword

Author: Mahesh Satyanarayana (swatkat)
Date Published: May 21, 2006
Edited by Larry Stevenson (Prince_Serendip).

[Special Note: Please do not compile or combine this post with any other archive. The URL will be published and thus carved in stone. ~ Larry Stevenson]

If you get a lot of "red entries" in an IceSword log, don't panic. Come and check with us as there are many legitimate applications which can cause these as well.

Note: It's now a .zip file so unpacking is now a breeze. Thanks to PCBruiser for the above link.

Using HxDef, I hid all the files, folders, registry entries and processes of Sandboxie. After this, I ran IceSword. Now, here are the steps which can be followed to remove rootkits.

Note: Sandboxie is NOT malware. Actually, it's a very useful tool to prevent malware including rootkits.

Step 1: Run IceSword. Click the "Processes" tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Note the filenames of processes in red color. Also, make a note of the folders.

The screenshot below shows the process list of IceSword with two hidden processes hxdef100.exe and control.exe:
image


Step 2: Click the "Win32 Services" tab and look out for red colored entries in the services list. A red colored service entry indicates that it's rooted. Note the name of this service.

The screenshot shows the HxDef hidden service:
image


Step 3: Now, click the "SSDT" tab and check for red colored entries. If there are any, note the file and folder names. Kernel level rootkits alter the SDT entries to hook the APIs natively.

The screenshot shows the kernel level API hooking by the Sandboxie driver:
image
(Note the changed "Original" and "Current" addresses.)

Step 4: Now, we will remove the rootkit! Click the "Processes" tab and right-click on the red colored processes one by one, and choose "Terminate Process". This will kill the rooted processes.

This screenshot shows how the hidden processes are terminated:
image


Step 5: Click the "Win32 Services" tab. Since the rooted processes are already terminated, the rootkit service will be stopped automatically. The service will not be hidden now and so it will not be displayed in red color. Since the service name was already noted down in Step 2, there will not be a problem in finding it on the list. Now, right-click on this service and choose "Disabled" to permanently disable this service.

This screenshot shows how to do it:
image

Step 6: Now, we have to delete the rooted files. Click the "File" tab in IceSword. This will display a Windows Explorer type interface. Navigate to the folder where the rootkit files are present and delete them.

These screenshots show the process of deleting HxDef files and the driver of Sandboxie which hooked the APIs in SDT.

Deleting HxDef Files
image

Deleting the driver which hooked APIs in SDT:
image

Step 7: *Not recommended for novice users*
Files which are hidden by rootkits will normally have registry entries to start themselves up when Windows loads. To check whether there are startup entries for any of the rooted files (which were deleted in previous step), click the "Startup" tab. If there are any startup entries, we can remove them using the built-in registry editor of IceSword. Click the "Registry" tab to get the registry editor. This is identical to Regedit.exe of Windows (but the one in IceSword also displays hidden entries). Now, navigate to the key/value to be deleted, right-click on it and choose "Delete."

The screenshots show how to do it:

Checking if Startup Entries exist or not:
image

Deleting Startup Entries from the Registry using IceSword:
image

Registry entries of hidden programs other than the Startup entries can be deleted manually or by using a Registry cleaner software after the removal of the hidden files.

IceSword is showing the Sandboxie registry entry which is invisible in Regedit.exe:
image

Note: Step 7, which involves registry editing, can be skipped. It could be difficult for novice users. As an alternative, we can use any registry cleaner (like Crap Cleaner). Once all the rooted processes and files are removed, their registry entries are no longer hidden and so they would become stray entries. We can use registry cleaners to remove them. If needed, the BHO and SPI (LSP) tabs of IceSword can also be checked for hidden BHOs and LSP hijackers.

Step 8: Reboot the PC. For this, go to the File menu in IceSword and choose "Reboot and monitor."

Rebooting the PC using IceSword:
image

Step 9: After reboot, run IceSword again and check whether there are any hidden (red colored) entries in Processes, Win32 Services and SSDT tabs.

The screenshots show the process and SSDT lists after cleaning:

image

image

Editor for text and images: Larry Stevenson (Prince_Serendip)
Copyright: Mahesh Satyanarayana (swatkat) 2006

swatkat
Prince_Serendip



Last edited by Prince_Serendip on Sun Nov 26, 2006 7:47 pm, edited 1 time in total
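As an added illustration (not code from the post or from IceSword itself) of why entries turn red in Steps 1 to 3 and become "stray" in Step 7: IceSword compares a low-level enumeration against what the normal Windows API reports, and marks SSDT slots whose current address differs from the original. The data below is constructed; hxdef100.exe and control.exe are taken from the post, while the service name, driver name, paths and addresses are placeholders.

```python
# Added example (not from the post): the cross-view logic behind IceSword's
# "red" entries, on constructed data. hxdef100.exe and control.exe come from
# the post; service names, paths, driver name and addresses are placeholders.
# View 1: what the ordinary user-mode API reports (constructed).
API_PROCESSES = {"explorer.exe", "svchost.exe", "IceSword.exe"}
API_SERVICES = {"Dhcp", "EventLog"}
# View 2: a lower-level enumeration of the same machine (constructed).
KERNEL_PROCESSES = API_PROCESSES | {"hxdef100.exe", "control.exe"}
KERNEL_SERVICES = API_SERVICES | {"hxdef_service"}

# Constructed SSDT: index -> (original address, current address).
SSDT = {
    0x25: (0x805B0000, 0x805B0000),  # untouched
    0x2F: (0x805B1000, 0xF8900200),  # redirected into an unknown module
    0x74: (0x805B2000, 0xF8A00310),  # redirected into the sandbox driver
}
# Image range of a driver the analyst trusts (placeholder): its hooks are
# reported but not called a rootkit, as the post warns legit tools do this.
KNOWN_GOOD_DRIVERS = {"SandboxDrv.sys": (0xF8A00000, 0xF8A0FFFF)}

# Step 7 data: Run-key values and the files that still exist after cleanup.
STARTUP_VALUES = {"hxdef": r"C:\hxdef\hxdef100.exe",
                  "sandbox": r"C:\Program Files\Sandbox\Start.exe"}
EXISTING_FILES = {r"C:\Program Files\Sandbox\Start.exe"}

def hidden_entries(api_view, kernel_view):
    """Entries the kernel walk sees but the API does not: IceSword's red rows."""
    return sorted(kernel_view - api_view)

def owner_of(addr):
    """Trusted driver whose image range contains addr, else None."""
    for name, (lo, hi) in KNOWN_GOOD_DRIVERS.items():
        if lo <= addr <= hi:
            return name
    return None

def ssdt_hooks(table):
    """(index, current_address, owner) for each slot whose address changed."""
    return [(i, cur, owner_of(cur))
            for i, (orig, cur) in sorted(table.items()) if orig != cur]

def triage_ssdt(table):
    """Split hooks into explained (trusted driver) and unexplained ones."""
    hooks = ssdt_hooks(table)
    return [h for h in hooks if h[2]], [h for h in hooks if not h[2]]

def stray_startup_entries(values, existing_files):
    """Startup values whose target file is gone: the leftovers Step 7 removes."""
    return sorted(n for n, path in values.items() if path not in existing_files)
```

On a real machine the two views would come from different enumeration paths rather than constructed sets, but the comparison itself is the same.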

Author: PCBruiser Posted: Sun Nov 26, 2006 7:21 pm    Post subject:

Link to latest version 1.20 in English and as a zip file:

http://202.38.64.10/%7Ejfpan/download/IceSword120_en.zip


