
Trojan Rootkits (Rootkit.Gen) Disables AntiVirus Apps & Security Sites

A trojan rootkit variant (part of the Win32.Rootkit.Gen or Rootkit.Gen family) continues to threaten computer users and can prevent anti-virus software from running, so it cannot scan for and remove parasites on your computer. Computer users infected with this rootkit variant report that it does not allow them to open their anti-virus program or to visit websites that assist in removing the infection, such as symantec.com and update.microsoft.com. It is clear that serious problems will occur for computer users who have this type of rootkit infection on their computer.

Understanding Rootkits

A rootkit may be composed of one program or a combination of malicious programs that are designed to take control of your computer. Basically, a rootkit allows hackers or outside attackers to have root access to an infected computer. They can act as an administrator and use your system without your permission. A rootkit like Rootkit.Gen runs in the background and blocks certain programs or websites that could assist you in removing the rootkit infection. Other rootkits have been known to act as, or pretend to be, proxy servers and to spread from executable files.

Rootkits were originally legitimate programs that gave a user or administrator control to fix issues on an unresponsive computer. Nowadays, hackers use this type of technology for malicious purposes (usually to extort money) at the expense of computer users, who oftentimes are unaware that they have been infected with a rootkit. Just as with Trojans or rogue anti-spyware, you have to find means of protecting yourself from rootkit infections and other malware.

Rootkit Symptoms to Watch Out For

  • The anti-virus program that you currently have installed no longer runs.
    You notice that you are no longer protected by your antivirus program. You may get popup alerts from Windows that say you are not protected by an antivirus program. If you normally run antivirus software and it doesn’t run upon command, then this is a clear indication that a setting has been changed without your permission.
  • Your computer locks up or fails to respond to common inputs.
    At times you notice that your mouse is not moving or a program ceases to function or respond to commands given to it by you.
  • Settings in Windows change without your permission.
    When you access certain programs or perform actions on your Windows desktop, you notice that a setting has been manipulated or changed from what you originally set it as. This can be anything from your background or screen saver changing to your taskbar hiding itself.
  • Disabled web browser applications.
    You are not able to open Firefox or Internet Explorer to surf the web. Sometimes malicious applications block your access to the Internet by shutting down web browser applications.
  • You experience excessive network traffic, or your network connection becomes slow or disconnected.
    You may notice web pages or network activity becoming intermittent or ceasing to function properly at times.

What to Do to Disable Rootkits?

So you’ve been infected by a rootkit and it’s causing havoc on your computer. Most of the symptoms mentioned above appear once a Rootkit.Gen infection is present. In order to regain control of your computer, you must disable Rootkit.Gen and its variants.

IMPORTANT: Although the instructions listed below have been added to help you disable a rootkit on your computer, there’s no guarantee that the rootkit and other malware will not reappear on your computer. Make sure to follow the instructions with caution and back up your computer before you start. Instructions are to be used at your own discretion. If you’re not sure what to do, then it’s advised that you get help from an experienced computer technician.

  1. Locate and install the program called RootkitRevealer from Sysinternals. After installation, run RootkitRevealer so it can scan your system and identify files that are hidden from the Windows API. Once the hidden files are revealed you can determine which ones need to be removed in order to disable the rootkit. The file “clbdriver.sys”, located in the folder C:\Windows\System32\Drivers, is used below as an example of a rootkit’s main file.
  2. Boot your computer from a Windows Installation CD into Recovery Console Mode.
  3. Delete the following files which are located in the default Windows directory C:\WINNT or %WinDir%:

    %WinDir%\system32\clb.dll
    %WinDir%\system32\clbcatex.dll
    %WinDir%\system32\clbcatq.dll
    %WinDir%\system32\dllcache\clb.dll
    %WinDir%\system32\dllcache\clbcatex.dll
    %WinDir%\system32\dllcache\clbcatq.dll

  4. While you are still in Recovery Console Mode, enter the following commands to delete the file:

    cd \
    cd c:\windows\system32\drivers
    dir clbdriver.sys – Should return “1 File Found”
    del clbdriver.sys
    dir clbdriver.sys – Should return “No file Found”

  5. Reboot your computer.
  6. Open up your registry editor (regedit) and find and delete the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\clbdriver.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\clbdriver.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\clbdriver
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys

  7. Use the expand.exe command to extract the files explorer.exe and clb.dll from the i386 directory. This is basically copying the files over to the C:\Windows\System32 directory.
  8. Rename the explorer.exe file to something else such as explorer_new.exe.
  9. Open your registry editor again (regedit) and change the value of the key HKLM\software\Microsoft\WindowsNT\CurrentVersion\WINDOWS\shell from explorer.exe to the new renamed file (explorer_new.exe). If the name is not changed, the infection will return.
  10. Restart your computer. The rootkit should now be disabled.

Remember the instructions mentioned on this article are to be followed at your own discretion. We are not responsible for any complications that may occur when using the information provided above.
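After completing the steps above, it helps to confirm that none of the artifacts the procedure targets are still present before declaring the machine clean. The following PowerShell script is an added example, not code from the original article: it is read-only, reports rather than deletes, and uses only the file paths, registry keys and driver name the article lists. Two assumptions are worth stating: the clb*.dll paths also exist on a clean Windows installation (step 7 itself has you re-extract clb.dll from i386), so for those files the Authenticode signature status is the useful signal, not mere presence; and the boot-shell check reads the Winlogon Shell value, which is where Windows normally keeps the explorer.exe setting that step 9 changes.

```powershell
# Added example (not from the original article): read-only triage of the
# Rootkit.Gen artifacts named in the removal steps. Run from an elevated
# PowerShell prompt. Nothing here deletes or modifies anything.

$sys = $env:SystemRoot

# Files the article names. The clb*.dll files are also legitimate Windows
# components, so their signature status matters more than their presence.
$files = @(
    "$sys\system32\drivers\clbdriver.sys",
    "$sys\system32\clb.dll",
    "$sys\system32\clbcatex.dll",
    "$sys\system32\clbcatq.dll",
    "$sys\system32\dllcache\clb.dll",
    "$sys\system32\dllcache\clbcatex.dll",
    "$sys\system32\dllcache\clbcatq.dll"
)

# Registry keys from step 6, written as PowerShell registry-drive paths.
$keys = @(
    'HKLM:\SOFTWARE\MRSoft',
    'HKLM:\SOFTWARE\Classes\CLSID\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData',
    'HKLM:\SYSTEM\CurrentControlSet\Services\clbdriver',
    'HKLM:\SYSTEM\ControlSet001\Services\clbdriver',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys',
    'HKLM:\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\clbdriver.sys',
    'HKLM:\SYSTEM\ControlSet001\Control\SafeBoot\Network\clbdriver.sys'
)

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f -Force
        # A genuine Microsoft DLL at these paths should carry a valid signature;
        # NotSigned or HashMismatch at one of them deserves a closer look.
        $sig = Get-AuthenticodeSignature -FilePath $f
        $findings += [pscustomobject]@{
            Type   = 'File'
            Item   = $f
            Detail = "size=$($item.Length) signature=$($sig.Status)"
        }
    }
}

foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Item = $k; Detail = 'present' }
    }
}

# Step 9 changes the boot shell; show what it is currently set to.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
$findings += [pscustomobject]@{ Type = 'WinlogonShell'; Item = $winlogon; Detail = "Shell=$shell" }

# Is a kernel driver named clbdriver still registered? (Get-Service does not
# list drivers, so the Win32_SystemDriver class is queried instead.)
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='clbdriver'"
if ($drv) {
    $findings += [pscustomobject]@{ Type = 'Driver'; Item = 'clbdriver'; Detail = "state=$($drv.State) path=$($drv.PathName)" }
}

$findings | Format-Table -AutoSize
```

Run it once before the removal steps to record the starting state and again after the final reboot; any registry key or driver entry that survives, or a clb*.dll whose signature is not Valid, means the procedure did not complete. Remember that a running rootkit may hide these objects from the Windows API, so a clean result from inside the infected system is weaker evidence than the offline checks performed in the Recovery Console.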

Simple Tips to Prevent Rootkits from Running on Your PC

  • Pay special attention to your privilege settings and to which programs you allow users to install. Do not give users the ability to install applications. In other words, do not allow guests or secondary users to have enough privileges to change settings.
  • Keep up-to-date on all available security patches. Verify your Windows update schedule and make sure automatic updates are on and running properly. It never hurts to manually check for any new updates or security patches that come available from the Microsoft update website.
  • Verify that you have firewall protection. Utilizing the built-in Windows Firewall is always a good idea. Other firewall software can help protect against infections as well.
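The three tips above can each be checked from PowerShell. The script below is an added example and not part of the original article; it is read-only and reports who holds local administrator rights (tip 1), how Automatic Updates is configured (tip 2), and whether each Windows Firewall profile is enabled (tip 3). It assumes a current Windows version: Get-LocalGroupMember needs PowerShell 5.1 or later, and Get-NetFirewallProfile needs Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example (not from the original article): a read-only posture check
# for the three prevention tips. Run from an elevated PowerShell prompt.

# Tip 1: limit who can install software. Every member of the local
# Administrators group can install applications and drivers, so this
# list should be as short as possible.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name
Write-Host "Local Administrators: $($admins -join ', ')"
if ($admins.Count -gt 2) {
    Write-Warning 'More than two local administrators; review whether each one needs install rights.'
}

# Tip 2: keep patches current. The Windows Update Agent COM object exposes
# the Automatic Updates NotificationLevel; 4 means download and install on
# a schedule, 1 means Automatic Updates is disabled.
$au = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
$levels = @{
    0 = 'Not configured'
    1 = 'Disabled'
    2 = 'Notify before download'
    3 = 'Notify before install'
    4 = 'Scheduled install'
}
Write-Host "Automatic Updates: $($levels[[int]$au.NotificationLevel])"
if ($au.NotificationLevel -lt 4) {
    Write-Warning 'Automatic Updates are not set to install on a schedule.'
}

# Tip 3: firewall. All three profiles (Domain, Private, Public) should be on.
Get-NetFirewallProfile | ForEach-Object {
    $state = if ($_.Enabled) { 'on' } else { 'OFF' }
    Write-Host "Firewall profile $($_.Name): $state"
    if (-not $_.Enabled) {
        Write-Warning "Firewall profile $($_.Name) is disabled."
    }
}
```

The two-administrator threshold is an arbitrary starting point for a home machine (the built-in Administrator account plus one owner); adjust it to your environment. On a domain-joined machine the update settings may be enforced by Group Policy, in which case the reported level reflects policy rather than the local choice.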

What will these hackers and their rootkits do next? Of course, there are other methods to disable trojan rootkits. If anybody has new methods or developments about rootkits that they would like to add to this article, we encourage you to post a comment below.

2 Responses to “Trojan Rootkits (Rootkit.Gen) Disables AntiVirus Apps & Security Sites”

  1. Daniela Ivanova Says:

    data of my pc will fall down

  2. karen miller Says:

    We reset back two days on the computer and everything seems to work for now.
    Still trying to determine how we got it in the first place.
    WinAntiSpyware2008 was the name of the program that installed on its own, and I did get back my money. The credit card company called me and said the charges were being sent to Russia. Hope this helps someone else.
