Detecting and Removing Rootkit from Windows XP

I used to think that I am quite an aware user as far as computer security is concerned and that it was unlikely for my PC to suffer a virus / malware attack. In fact, during my more than 15 years of computer use, my computers have never suffered a severe infection. If my computer got affected, the culprit virus was easily detected and removed without any damage. My anti-virus was always equal to the occasion. I became complacent with time, and the full-system scan, instead of being done every day, became weekly, then monthly and even more infrequent. However, I soon discovered that computing and driving are not much different: a crash is imminent if you are not alert.

The other day my website vidyaweb.com and another site I developed, har-pal.com, suddenly stopped behaving erratically and then started showing a blank page. Investigation revealed that the index file and some other files had been modified. Upon looking closer, my colleague and I discovered a common suspicious string pattern in the corrupt files. Searching for that pattern on the web revealed that we had been victims of a hack attack via FTP. Since I was the one with the FTP password, I started suspecting that the security of my computer, as well as my over-confidence, had been defeated. Some more research and the suspicion gave way to despair. My PC had been compromised by some virus / malware, most probably through a downloaded game, and then the virus had plundered and transmitted the passwords stored in my FTP client FileZilla. Now my FTP access was being used to modify and compromise my site vidyaweb.com.

Actually, the FileZilla FTP client stores the login information for your latest connections in its Quickconnect bar to facilitate subsequent connections. Convinced that my PC was compromised, I scanned my computer with my trusted anti-virus Avira Personal Edition using the full scan, and the existence of some hidden files was confirmed. This sealed it for me: my computer was rootkit-stricken. All the circumstantial evidence was there.

Rootkits are viruses / malware that live in system files and work to hide other malware and themselves. They are more difficult to remove than the usual virus because they intercept the system calls (search, delete, etc.) that programs make to the operating system and change what those calls report or do. Therefore, the first step in removing a rootkit is to find where it is hidden. 'Hidden' in the context of rootkits does not mean the hidden attribute of files that users can routinely toggle from the Properties dialog. Here hidden means that the files are concealed even from the operating system's own file listings, so a normal directory search or an anti-virus scan running under the infected Windows will not see them. Besides the filesystem and system calls, rootkits also tamper with the Windows registry, in such a way that while those registry entries are in effect it is difficult to permanently delete the files and the registry entries themselves from the system, even for the anti-virus. Many times rootkits are disguised as device drivers, found in the windows\system32\drivers folder with a .sys extension.

First of all I scanned my PC with Sophos Anti-Rootkit, downloaded from http://www.sophos.com/products/free-tools/sophos-anti-rootkit/download/, thereafter with http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx and once more with my trusted Avira. All three times the hidden files kkypqe.sya and frtisc.sys and their namesake registry entries were flagged as hidden. However, deletion with both Sophos and Avira, followed by system restarts, repeatedly failed to remove the files. Moreover, the registry entries were neither being deleted nor was it possible to change their permissions. Another visit to Google suggested that it is most effective to scan the infected hard disk from another system. Fortunately, my PC also has Ubuntu Linux installed in a dual-boot configuration, and that saved me the trouble of removing my hard disk to have it scanned from another system. Presto, I restarted my computer, booted into Ubuntu and mounted my Windows system partition. Then I was able to comfortably delete the culprit files. After that, when I rebooted into Windows, I was able to change the permissions on the culprit registry keys and also delete them.

Now, I again scanned with Avira and wherever I found those files (Ubuntu had placed them in the C:\Trash-1000 folder, and they were also there in the backups created by Windows System Restore), I happily deleted them. I encountered no resistance in deleting them because, I think, the registry keys protecting them were already deleted.

If you do not have Ubuntu installed, you need not give up: you can download a Live CD from ubuntu.com. You can use this CD to boot Ubuntu without installing it and then mount your infected Windows partition. Thereafter, you can delete the files identified as 'hidden' by your anti-virus / anti-rootkit and get rid of them. And of course, if you like what you see, you can also install Ubuntu in a dual-boot configuration alongside your Windows. Ubuntu is a much friendlier Linux and is free and open source.
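The offline clean-up described above, as an added example that is not part of the original post: a small POSIX shell function run from the Ubuntu side that finds the files flagged by the anti-rootkit scan on the mounted Windows partition (case-insensitively, so the System Restore copies are caught too), records a SHA-256 of each before moving it into a quarantine folder rather than deleting it outright, and returns the number of files moved. The mount point, quarantine directory and the /dev/sdXN device name are placeholders; the file names are the ones the post reports.

```shell
#!/bin/sh
# Run from the live/dual-boot Ubuntu, where the rootkit's hooks are not loaded,
# so nothing intercepts the file operations. Example session (device is a
# placeholder, pick your Windows partition):
#   sudo mkdir -p /mnt/windows
#   sudo mount -t ntfs-3g /dev/sdXN /mnt/windows
#   . ./quarantine.sh
#   quarantine_flagged /mnt/windows /root/quarantine kkypqe.sya frtisc.sys

# quarantine_flagged MOUNTPOINT QUARANTINE_DIR NAME...
# Moves every file under MOUNTPOINT whose name matches one of NAME... into
# QUARANTINE_DIR, logging "sha256  original-path  quarantine-path" per file,
# and prints the number of files moved.
quarantine_flagged() {
  mnt=$1; qdir=$2; shift 2
  mkdir -p "$qdir" || return 1
  log="$qdir/quarantine.log"
  list=$(mktemp) || return 1

  # -iname: NTFS is case-insensitive, GNU find is not, and the System
  # Restore snapshots under "System Volume Information" may carry copies
  # with different casing.
  for name in "$@"; do
    find "$mnt" -type f -iname "$name" 2>/dev/null >> "$list"
  done

  moved=0
  while IFS= read -r path; do
    sum=$(sha256sum "$path" | cut -d' ' -f1)
    # Flatten the path relative to the mount point into the quarantine
    # file name so the original location stays recoverable from the name.
    rel=${path#"$mnt"/}
    dest="$qdir/$(printf '%s' "$rel" | tr '/' '_')"
    mv -- "$path" "$dest" || continue
    printf '%s  %s  %s\n' "$sum" "$path" "$dest" >> "$log"
    moved=$((moved + 1))
  done < "$list"

  rm -f "$list"
  echo "$moved"
}
```

Keep the quarantine folder on the Linux side; once Windows boots clean and the registry keys are gone, the hashes in the log let you confirm you are looking at the same files if they reappear.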
