
Two portable rootkit tools no SMB should be without

Keep Bitdefender's Rootkit Remover and Kaspersky's TDSSKiller on a USB drive, and your SMB will be ready when a machine is compromised by a rootkit.

When a PC is infected with malware or viruses, you can usually scan with the installed antivirus and/or antimalware and move on. Rootkits, on the other hand, are tricky to remove and can reappear if they are not removed completely. For rootkits, you need the right software. The "right" software is subjective, but in the case of a rootkit removal tool, it either works or it doesn't.

Two tools I find to be effective for the removal of rootkits are Bitdefender's Rootkit Remover and Kaspersky's TDSSKiller. Both tools are portable, so there's no installation necessary. When a machine won't allow you to install applications, portable apps might be the only way to remove rootkits. I'll walk you through the process of scanning for rootkits with each tool.

Safe Mode

Before you run a scan on a machine, it's always best to reboot the machine into Safe Mode, in case something nefarious running in the background prevents the rootkit remover from starting up. If you're not sure how, booting into Safe Mode is simply a matter of rebooting and tapping the F8 key until the Safe Mode menu appears. When that menu appears, select Safe Mode With Networking.

Bitdefender's Rootkit Remover

Bitdefender's Rootkit Remover only checks for known rootkits. It detects and removes the following:

  • Mebroot
  • All TDL families (TDL/SST/Pihar)
  • Mayachok
  • Mybios
  • Plite
  • Xpaj
  • Whistler
  • Alipop
  • Cpd
  • Fengd
  • Fips
  • Guntior
  • MBR Locker
  • Mebratix
  • Niwa
  • Ponreb
  • Ramnit
  • Stoned
  • Yoddos
  • Yurn
  • Zegost

Bitdefender also cleans infections with Necurs (the last rootkit standing). New rootkit definitions are added as they become known, so check the Bitdefender site and download a fresh copy of the tool frequently.

After you download the .exe file, move it to your USB drive, and you're ready to move to the infected machine and scan. Insert the USB drive, open Explorer, and double-click the BootkitRemoval_xXX.exe file (XX is either 64 or 86, depending on whether the machine runs 64-bit or 32-bit Windows).

When the application starts up, you will be greeted with a window that has no settings, no preferences, and nothing to tweak (Figure A). When the Bitdefender window is open, click the Start Scan button. The scan will run and is incredibly fast. If the app finds a rootkit, it will automatically remove it and prompt you to restart the system.

Figure A

Kaspersky's TDSSKiller

Kaspersky's take on rootkit removal is very similar to Bitdefender's, at least in the way its tool functions. The biggest difference is that Kaspersky focuses only on the TDSS rootkits (Rootkit.Win32.TDSS, Tidserv, TDSServ, or Alureon), which are some of the nastiest in the wild. These rootkits began to spread in 2008 and are one of the primary causes for the unauthorized Google Redirect issue (users do a Google search, click on a resulting link, and are sent to a random page). Kaspersky's TDSSKiller can also remove the Sinowa, Whistler, Phanta, Trup, and Stoned rootkits.

Another difference is that Kaspersky's tool also offers settings that can be tweaked. Kaspersky's TDSSKiller will remove or fix the following:

  • Hidden service
  • Blocked service
  • Hidden file
  • Blocked file
  • Forged file
  • Rootkit.Win32.BackBoot.gen

Here's how you use Kaspersky's TDSSKiller:

  1. Download the executable file from the download site.
  2. Move the .exe file to your USB drive.
  3. Move the USB drive to the infected machine.
  4. Double click the .exe file on the USB drive.
  5. When the Kaspersky window opens (Figure B), click the Start Scan button.
  6. If TDSSKiller locates a rootkit, it will prompt you to take action.
Figure B

To access the options it has in terms of what objects to scan, click the Change Parameters link.

One very important point with TDSSKiller: if the scan does come back with results, make sure what you're about to delete isn't a false positive before you act on it. If TDSSKiller reports a known rootkit, move the file to quarantine.
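As an added example (not from the article, and not Bitdefender's or Kaspersky's own code), the PowerShell script below carries out the staging steps from the Bitdefender section and the numbered TDSSKiller steps above in one place: it picks the x64 or x86 Bitdefender build to match the OS, checks that the USB disk is read-only, verifies each tool's Authenticode signature and records a SHA-256 hash before launching it from the USB drive, and logs whether the machine is in Safe Mode. The drive path, file names and expected publisher strings are assumptions; adjust them to what you actually downloaded.

```powershell
# Added example (not the article's or the vendors' code): stage and launch the
# portable rootkit removers from a USB drive with a few safety checks first.
# Assumptions (labelled): $UsbRoot, the file names and the publisher strings
# are placeholders to adjust to the copies you downloaded from the vendor sites.
param(
    [string]$UsbRoot = 'E:\RootkitTools'   # assumption: folder on the USB drive
)

# Log the boot state so the scan record shows whether Safe Mode was in use.
# Win32_ComputerSystem.BootupState reads "Normal boot", "Fail-safe boot" or
# "Fail-safe with network boot".
$bootState = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
Write-Host "Boot state: $bootState"

# Check that the USB disk is write-protected, so nothing on the infected
# machine can write back to the toolkit (requires the Storage module, Win8+).
try {
    $drive = $UsbRoot.Substring(0, 1)
    $disk  = Get-Partition -DriveLetter $drive -ErrorAction Stop | Get-Disk -ErrorAction Stop
    if (-not $disk.IsReadOnly) {
        Write-Warning "USB disk $($disk.Number) is not read-only; write-protect it before use"
    }
} catch {
    Write-Warning "Could not query the USB disk's read-only state: $_"
}

# Pick the Bitdefender build matching the OS (article: BootkitRemoval_x64/x86).
$arch  = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
$tools = @(
    @{ Name = 'Bitdefender Rootkit Remover'; File = "BootkitRemoval_$arch.exe"; Publisher = 'Bitdefender' }, # publisher string: assumption
    @{ Name = 'Kaspersky TDSSKiller';        File = 'tdsskiller.exe';           Publisher = 'Kaspersky' }    # file/publisher: assumptions
)

foreach ($t in $tools) {
    $path = Join-Path $UsbRoot $t.File
    if (-not (Test-Path $path)) {
        Write-Warning "$($t.Name): $path not found on the USB drive"
        continue
    }

    # Record the hash so the copy on the USB drive can be matched against the
    # download later (and so the scan record shows exactly what was run).
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash

    # A portable tool carried between machines is only as trustworthy as its
    # signature chain: refuse to launch an unsigned, tampered or misattributed binary.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = $sig.SignerCertificate.Subject
    if ($sig.Status -ne 'Valid' -or $signer -notlike "*$($t.Publisher)*") {
        Write-Warning "$($t.Name): signature status '$($sig.Status)', signer '$signer' -- not launching"
        continue
    }

    Write-Host "$($t.Name): SHA256 $hash, signed by $signer"
    # Launch elevated from the USB drive; the scan itself is still started
    # from the tool's own Start Scan button, as described above.
    Start-Process -FilePath $path -Verb RunAs -Wait
}
```

The script deliberately stops short of automating the removal itself: the tools' prompts remain where you decide whether a result is genuine or a false positive, which is the point made in the paragraph above.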

Summary

Bitdefender's and Kaspersky's offerings are a solid one-two punch that can be used to knock out a number of different rootkits. Keep these two tools on a USB drive, and you'll be ready when a machine is compromised.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

9 comments
rpgies

How do I know which version to use 86 or 64?

voxpopus

Dude: The screen says Bootkit Removal NOT Rootkit Removal. You run it and nothing happens. Or did it?

Gisabun

I'd suggest you put them on a USB with write protect. You don't want anything on the system getting onto the USB key itself.

markov

Never had a problem using CD/DVD while in Safe Mode (without Networking). Sometimes needed to run an install CD to fix a problem. I just tested; I believe I had no USB problems before, but to make sure, I rebooted into Safe Mode (NO Networking) and loaded a flash stick, with no problems. BitDefender Removal Tool would NOT work in Safe Mode (Networked or not). It specifically said it had to run from a normal boot. Tried off USB stick and internal HD. Kaspersky TDSSKiller worked from Safe Mode (Networked and not).

markov

Hello Jack. Will Bitdefender and Kaspersky work without Networking? Do they have to have Networking on to be able to update? Wondering why you have to choose Safe Mode WITH Networking. You said to check for updates frequently, to have the utility with the latest.

clulasnmt

Steve Gibson has freeware called SecurAble that will ID this for you and has a great explanation regarding Hardware DEP and such. FYI, 32-bit is referred to as x86. Here's the link: http://www.grc.com/securable.htm

jlwallen

Though it isn't necessary for these tools, I just generally default to Safe Mode with Networking -- in case there is something I need to look up or download. Sorry for the confusion on that one.

DT2

If I'm not mistaken, you need networking enabled in safe mode to read USB drives and CDROMs.