Prince_Serendip
Site Moderator
Joined: Sep 07, 2002 Posts: 16844
Posted: Thu Aug 24, 2006 3:00 pm Post subject: IceSword Instructions in English, Illustrated
How To Remove Rootkits with IceSword
Author: Mahesh Satyanarayana (swatkat)
Date Published: May 21, 2006
Edited by Larry Stevenson (Prince_Serendip).
[Special Note: Please do not compile or combine this post with any other archive. The URL will be published and thus carved in stone. ~ Larry Stevenson]
If you get a lot of "red entries" in an IceSword log, don't panic. Come and check with us as there are many legitimate applications which can cause these as well.
Note: It's now a .zip file so unpacking is now a breeze. Thanks to PCBruiser for the above link.
Using HxDef, I hid all the files, folders, registry entries and processes of Sandboxie. After this, I ran IceSword. Now, here are the steps which can be followed to remove rootkits.
Note: Sandboxie is NOT malware. Actually, it's a very useful tool to prevent malware, including rootkits.
Step 1: Run IceSword. Click the "Processes" tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Note the filenames of processes in red color. Also, make a note of the folders.
The screenshot below shows the process list of IceSword with two hidden processes hxdef100.exe and control.exe:
Step 2: Click the "Win32 Services" tab and look out for a red colored entry in the services list. This red colored service entry indicates that it's rooted. Note the name of this service.
The screenshot shows the HxDef hidden service:
Step 3: Now, click the "SSDT" tab and check for red colored entries. If there are any, note the file and folder names. Kernel level rootkits alter the SDT entries to hook the APIs natively.
The screenshot shows the kernel level API hooking by the Sandboxie driver:
(Note the changed "Original" and "Current" addresses.)
Step 4: Now, we will remove the rootkit! Click the "Processes" tab and right-click on the red colored processes one by one, and choose "Terminate Process". This will kill the rooted processes.
This screenshot shows how the hidden processes are terminated:
Step 5: Click the "Win32 Services" tab. Since the rooted processes are already terminated, the rootkit service will be stopped automatically. The service will not be hidden now and so it will not be displayed in red color. Since the service name was already noted down in Step 2, there will not be a problem in finding it on the list. Now, right-click on this service and choose "Disabled" to permanently disable this service.
This screenshot shows how to do it:
Step 6: Now, we have to delete the rooted files. Click the "File" tab in IceSword. This will display the Windows Explorer type interface. Navigate to the folder where the rootkit files are present and delete them.
These screenshots show the process of deleting HxDef files and the driver of Sandboxie which hooked the APIs in SDT.
Deleting HxDef Files
Deleting the driver which hooked APIs in SDT:
Step 7: *Not recommended for novice users*
Files which are hidden by rootkits will normally have registry entries to start themselves up when Windows loads. To check whether there are startup entries for any of the rooted files (which were deleted in previous step), click the "Startup" tab. If there are any startup entries, we can remove them using the built-in registry editor of IceSword. Click the "Registry" tab to get the registry editor. This is identical to Regedit.exe of Windows (but the one in IceSword also displays hidden entries). Now, navigate to the key/value to be deleted, right-click on it and choose "Delete."
The screenshots show how to do it:
Checking if Startup Entries exist or not:
Deleting Startup Entries from the Registry using IceSword:
Registry entries of hidden programs other than the Startup entries can be deleted manually or by using Registry cleaner software after the removal of the hidden files.
IceSword is showing the Sandboxie registry entry which is invisible in Regedit.exe:
Note: Step 7, which involves registry editing, can be skipped. It could be difficult for novice users. As an alternative, we can use any registry cleaner (like Crap Cleaner). Once all the rooted processes and files are removed, their registry entries are no longer hidden and so they would become stray entries. We can use registry cleaners to remove them. If needed, the BHO and SPI (LSP) tabs of IceSword can also be checked for hidden BHOs and LSP hijackers.
Step 8: Reboot the PC. For this, go to the File menu in IceSword and choose "Reboot and monitor."
Rebooting the PC using IceSword:
Step 9: After reboot, run IceSword again and check whether there are any hidden (red colored) entries in Processes, Win32 Services and SSDT tabs.
The screenshots show the process and SSDT lists after cleaning:
Editor for text and images: Larry Stevenson (Prince_Serendip)
Copyright: Mahesh Satyanarayana (swatkat) 2006
swatkat
Prince_Serendip
Special Note: Please do not compile or combine this post with any other archive. The URL will be published and thus carved in stone. ~ Larry Stevenson
Microsoft MVP Consumer Security 2006, 2007 & 2008
Last edited by Prince_Serendip on Sun Nov 26, 2006 7:47 pm, edited 1 time in total
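The red entries in Steps 1 and 3 rest on two checks that any anti-rootkit tool of this kind performs: a cross-view diff of the process list (kernel view versus Win32 API view) and a comparison of each SSDT slot's current address against its original one and against the kernel image range. The following is an added toy model of those two checks written for this thread, not IceSword's own code; the process lists, the ntoskrnl range and the service indices are all constructed sample data.

```python
"""Toy model of the two checks behind IceSword's red entries (constructed data)."""
from dataclasses import dataclass

# Constructed sample data, not captured from a real system.
# High-level view: what the Win32 API (as Task Manager sees it) reports.
API_VIEW = {4: "System", 620: "winlogon.exe", 1240: "explorer.exe", 1900: "IceSword.exe"}
# Low-level view: what direct enumeration of kernel structures reports.
KERNEL_VIEW = {4: "System", 620: "winlogon.exe", 1240: "explorer.exe",
               1900: "IceSword.exe", 2016: "hxdef100.exe", 2044: "control.exe"}


def hidden_processes(api_view, kernel_view):
    """Cross-view diff: a process the kernel knows about but the API path omits
    is being hidden from user mode, which is what a red process row means."""
    return sorted((pid, name) for pid, name in kernel_view.items() if pid not in api_view)


@dataclass
class SsdtEntry:
    index: int      # service number (slot in the table)
    original: int   # address recorded for the clean service table
    current: int    # address currently in the live table


# Hypothetical mapping range of ntoskrnl.exe; real values differ per system.
NTOSKRNL = (0x804D7000, 0x806CF000)

# Constructed table: two slots redirected to an address outside the kernel image,
# which is what the changed "Original"/"Current" columns in Step 3 show.
SSDT = [
    SsdtEntry(0x25, 0x805B1E2C, 0x805B1E2C),  # untouched slot
    SsdtEntry(0x7A, 0x805C2A44, 0xF8A3B120),  # redirected into a third-party driver
    SsdtEntry(0xAD, 0x805F0D20, 0xF8A3B3F0),  # redirected into a third-party driver
]


def hooked_entries(table, kernel_range):
    """Flag a slot when its current address differs from the original or
    points outside the kernel image; either condition marks a hook."""
    lo, hi = kernel_range
    flagged = []
    for e in table:
        changed = e.current != e.original
        outside = not (lo <= e.current < hi)
        if changed or outside:
            flagged.append((e.index, e.original, e.current))
    return flagged


if __name__ == "__main__":
    print("hidden:", hidden_processes(API_VIEW, KERNEL_VIEW))
    print("hooked:", [hex(i) for i, _, _ in hooked_entries(SSDT, NTOSKRNL)])
```

As the thread notes for red entries generally, a flagged SSDT slot only says the table was modified; Sandboxie's driver produces exactly this picture and is legitimate, so the module owning the current address decides the verdict.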
PCBruiser
SRT Team Lead
Forums Admin
Joined: May 11, 2005 Posts: 11673