How to remove a bootkit

	Useful references
	Ask for a solution at the Anti-Virus forum Free virus removal tools

This infection method allows the malicious program to be executed before the operating system boots. As soon as BIOS (Basic Input Output System) selects the appropriate boot device (it can be a hard disk or a flash drive), the bootkit that resides in the MBR starts executing its code. Once the bootkit receives the control, it usually starts preparing itself (reads and decrypts its auxiliary files in its own file system that it has created somewhere in the unallocated disk space) and returns the control to the legitimate boot loader overseeing all stages of the boot process.

The main feature of a bootkit is that it cannot be detected by standard means of an operating system because all its components reside outside of the standard file systems.
Some types of bootkits hide even the fact that the MBR has been compromised by returning the legitimate copy of the MBR when an attempt to read it has been made.
A system infected with a bootkit can be cured with the TDSSKiller utility.

List of malicious programs

Backdoor.Win32.Phanta.a,b; Backdoor.Win32.Sinowal.knf,kmy; Backdoor.Win32.Trup.a,b; Rootkit.Boot.Aeon.a; Rootkit.Boot.Backboot.a; Rootkit.Boot.Batan.a; Rootkit.Boot.Bootkor.a; Rootkit.Boot.Cidox.a,b; Rootkit.Boot.Clones.a; Rootkit.Boot.CPD.a,b; Rootkit.Boot.Fisp.a; Rootkit.Boot.Geth.a; Rootkit.Boot.Goodkit.a; Rootkit.Boot.Harbinger.a; Rootkit.Boot.Krogan.a; Rootkit.Boot.Lapka.a; Rootkit.Boot.MyBios.b; Rootkit.Boot.Nimnul.a; Rootkit.Boot.Pihar.a,b,c; Rootkit.Boot.Plite.a; Rootkit.Boot.Prothean.a; Rootkit.Boot.Qvod.a; Rootkit.Boot.Smitnyl.a; Rootkit.Boot.SST.a,b; Rootkit.Boot.SST.b; Rootkit.Boot.Wistler.a; Rootkit.Boot.Xpaj.a; Rootkit.Boot.Yurn.a; Rootkit.Win32.PMax.gen; Rootkit.Win32.Stoned.d; Rootkit.Win32.TDSS; Rootkit.Win32.TDSS.mbr; Rootkit.Win32.ZAccess.aml,c,e,f,g,h,i,j,k; Trojan-Clicker.Win32.Wistler.a,b,c; Trojan-Dropper.Boot.Niwa.a; Trojan-Ransom.Boot.Mbro.d,e; Trojan-Ransom.Boot.Mbro.f; Trojan-Ransom.Boot.Siob.a; Virus.Win32.Cmoser.a; Virus.Win32.Rloader.a; Virus.Win32.TDSS.a,b,c,d,e; Virus.Win32.Volus.a; Virus.Win32.ZAccess.k; Virus.Win32.Zhaba.a,b,c.

How to disinfect a compromised system

• Download the TDSSKiller.exe file on the infected (or possibly infected) computer;
• Run the TDSSKiller.exe file;
• Wait until the scanning and disinfection completes. A reboot might require after the disinfection has been completed .
  
   

IMPORTANT

• The utility has a graphical interface.

• The utility supports
  32-bit operation systems: MS Windows XP SP2, MS Windows XP SP3, MS Windows Vista, MS Windows Vista SP1, MS Windows Vista SP2, MS Windows 7, MS Windows 7 SP1,  Microsoft Windows Server 2003 R2 Standard / Enterprise SP2, Microsoft Windows Server 2003 Standard / Enterprise SP2, Microsoft Windows Server 2008 Standard / Enterprise SP2.
  and
  64-bit operation systems: MS Windows XP SP2, MS Windows XP SP3, MS Windows Vista, MS Windows Vista SP1, MS Windows Vista SP2, MS Windows 7, MS Windows 7 SP1, Microsoft Windows Server 2008 Standard / Enterprise x64 Edition SP2, Microsoft Windows Server 2003 R2 Standard / Enterprise x64 Edition SP2, Microsoft Windows Server 2003 Standard / Enterprise x64 Edition SP2, Microsoft Windows Server 2008 R2 Standard / Enterprise x64 Edition SP0 or higher.

• The utility can be run in Normal Mode and Safe Mode.

It detects the following known bootkits:

• TDSS TDL4;
• Sinowal (Mebroot, MaosBoot);
• Phanta (Phantom, Mebratix);
• Trup (Alipop);
• Whistler;
• Stoned,
  

How to use the utility

• The utility starts scanning the system for malicious and suspicious objects when you click the button Start scan.
  
  
  
• If the utility detects an infection with the MBR bootkit, it will report the it has detected an infected object type “Physical drive” and prompt for action:
  
  
• Cure. This action is only available if the utility has identified the exact type of the bootkit. If it has detected an unknown bootkit, it will be reported as Rootkit.Win32.BackBoot.gen.
• Skip.
• Copy to quarantine. The utility quarantines the infected MBR.
• Restore. The utility restores a standard MBR.
  

• A reboot might require after the disinfection has been completed.
  
  
  

-l <file_name> - save a log into the file. Can now point to paths not existing at the moment of executing the command. The utility will create corresponding folders automatically.

-qpath <folder_path> - quarantine folder path (automatically created if it does not exist);
-h – this help;
-sigcheck – detect all not signed drivers as suspicious;

The utility will detected unsigned and having an invalid signature drivers. This does not mean that those file are surely infected. Such drivers are detected as <unsigned file>. If you suspect that such a file is infected, please send it to the Kaspersky Virus Lab for analysis.

-tdlfs – detect the TDLFS file system, that the TDL 3 / 4 rootkits create in the last sectors of a hard disk for storing its files. It is possible to quarantine all these files.

The following keys allow to execute the utility in the silent mode:

-qall – quarantine all objects (including clean ones);
-qsus – quarantine suspicious objects only;
-qboot - save copies of all boot sectors;
-qmbr – save copies of MBRs;
-qcsvc <service_name> - quarantine the service;
-dcsvc <service_name> - delete the service;
-silent – scan in silent mode (do not display any windows) to be able to run the utility in a centralized way over the network;
-dcexact - automatic detect / cure of known threats.

For example, the following command tells the utility to scan the computer, and save a detailed log into the report.txt file (created in the TDSSKiller.exe utility folder):

TDSSKiller.exe -l report.txt