A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #24503  by bitstechs
 Tue Dec 02, 2014 4:08 pm
Hello,

I've recently been seeing Roguekiller detect a lot of userland rootkits on quite a few machines that come through our repair shop. I was wondering how exactly to proceed in removing them besides just reloading. I've tried a lot of rootkit scanners, asw, mbar, tdsskiller, but nothing seems to help. What would the procedure be to actually remove the detected rootkits? I've done some research and it seems to be some coding that has to be implemented in order to unhide services but this is a little over my head. Can someone provide newbie steps on how to do this?

Thanks!
 #24504  by EP_X0FF
 Tue Dec 02, 2014 5:01 pm
Turn off infected PC, load from removable media, clean it.
Using the above-mentioned toys can lead to data loss and turning the OS into an unbootable state.
 #24505  by bitstechs
 Tue Dec 02, 2014 5:23 pm
We usually use the Kaspersky Rescue CD for removable-boot cleaning. Would you recommend anything different? We have 2 store machines which we slave infected HDDs to as well; could we slave it to remove rootkits, and what programs would be good to use for removing rootkits when hooked up as a slave, if possible?
 #24507  by EP_X0FF
 Tue Dec 02, 2014 6:11 pm
If we speak about rescue CDs, then I can't really recommend anything, because I don't have much experience in this topic except the incidents we analyzed in the forensic group (Alureon TDL3 in 2010), but from my own little usage it was MS DaRT (ERD Commander) + a bunch of Sysinternals tools, and later I was using Windows Defender Offline a few times. I think now most of the popular AVs have rescue CDs in their arsenals that are effective enough.

In the case of attaching infected HDDs to other machines I can suggest using the Sysinternals tools (Autoruns can load registry hives from a different Windows installation, which is useful) and some disk editor that understands NTFS structures, like for example WinHex.
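The offline-hive approach above, as an added PowerShell example that is not from this thread or from any of the tools named in it. It does by hand what Autoruns' offline mode does, which also covers the original question about seeing services the running (infected) OS hides: load the slaved disk's SOFTWARE and SYSTEM hives under arbitrary names, list the classic autostart and user-mode injection points (Run/RunOnce, AppInit_DLLs, Winlogon Userinit/Shell), and list every service and driver with its ImagePath rewritten to the slaved disk so you can check whether the binary is actually there. Assumptions (mine, not the page's): the infected disk is slaved as D:, its Windows directory is D:\Windows, and this runs in an elevated PowerShell on the clean technician machine while the infected OS is not booted.

```powershell
# Added example, not from the thread. Assumptions: infected disk slaved as D:,
# Windows directory D:\Windows, elevated PowerShell on the clean machine.
$OfflineDrive   = 'D:'                       # assumed slaved drive letter
$OfflineWindows = "$OfflineDrive\Windows"    # assumed Windows directory on that disk

# Names under HKLM are arbitrary; pick ones that cannot collide with live keys.
$Hives = @{
    'OFF_SOFTWARE' = "$OfflineWindows\System32\config\SOFTWARE"
    'OFF_SYSTEM'   = "$OfflineWindows\System32\config\SYSTEM"
}

function Mount-OfflineHives {
    foreach ($h in $Hives.GetEnumerator()) {
        & reg.exe load "HKLM\$($h.Key)" $h.Value | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg load failed for $($h.Value)" }
    }
}

function Dismount-OfflineHives {
    # The registry provider keeps handles open; release them or 'reg unload' fails.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    foreach ($k in $Hives.Keys) { & reg.exe unload "HKLM\$k" | Out-Null }
}

# Rewrite an ImagePath/Run value as stored by the infected OS into a path on the slaved disk.
function Resolve-OfflinePath([string]$ImagePath) {
    $p = $ImagePath.Trim()
    $end = $p.IndexOf('"', 1)
    if ($p.StartsWith('"') -and $end -gt 1) {          # "C:\x\y.exe" -args  -> C:\x\y.exe
        $p = $p.Substring(1, $end - 1)
    } elseif ($p -match '^(.*?\.(exe|sys|dll))(\s|$)') { # drop trailing arguments
        $p = $Matches[1]
    }
    $p = $p -replace '^\\\?\?\\', ''                                        # \??\C:\...
    $p = $p -replace '^(\\SystemRoot|%SystemRoot%|%windir%)\\', "$OfflineWindows\"
    $p = $p -replace '^[A-Za-z]:\\', "$OfflineDrive\"                       # old C: is now D:
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $OfflineWindows $p }  # system32\drivers\x.sys
    return $p
}

function Get-OfflineServices {
    $cur  = (Get-ItemProperty 'HKLM:\OFF_SYSTEM\Select').Current          # active ControlSet
    $root = 'HKLM:\OFF_SYSTEM\ControlSet{0:D3}\Services' -f $cur
    foreach ($key in Get-ChildItem $root) {
        $v = Get-ItemProperty $key.PSPath
        if (-not $v.ImagePath) { continue }
        $bin = Resolve-OfflinePath $v.ImagePath
        [pscustomobject]@{
            Name      = $key.PSChildName
            Type      = $v.Type       # 1/2 = kernel/FS driver, 16/32 = Win32 service
            Start     = $v.Start      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath = $v.ImagePath
            Binary    = $bin
            OnDisk    = Test-Path -LiteralPath $bin
        }
    }
}

function Get-OfflineAutostarts {
    $meta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
    $cv   = 'HKLM:\OFF_SOFTWARE\Microsoft\Windows\CurrentVersion'
    $nt   = 'HKLM:\OFF_SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    foreach ($k in "$cv\Run", "$cv\RunOnce") {
        $v = Get-ItemProperty $k -ErrorAction SilentlyContinue
        if (-not $v) { continue }
        foreach ($prop in $v.PSObject.Properties) {
            if ($prop.Name -notin $meta) {
                [pscustomobject]@{ Location = "$(Split-Path $k -Leaf)\$($prop.Name)"; Value = $prop.Value }
            }
        }
    }
    # Two classic user-mode injection points: AppInit_DLLs and Winlogon Userinit/Shell.
    $win = Get-ItemProperty "$nt\Windows"
    [pscustomobject]@{ Location = 'AppInit_DLLs';      Value = $win.AppInit_DLLs }
    $wl  = Get-ItemProperty "$nt\Winlogon"
    [pscustomobject]@{ Location = 'Winlogon\Userinit'; Value = $wl.Userinit }
    [pscustomobject]@{ Location = 'Winlogon\Shell';    Value = $wl.Shell }
}

try {
    Mount-OfflineHives
    Get-OfflineAutostarts | Format-Table -AutoSize
    # Nothing is hidden here because the rootkit is not running. Services whose binary is
    # missing, or lives outside the Windows directory, are the triage list to look at.
    Get-OfflineServices |
        Where-Object { -not $_.OnDisk -or $_.Binary -notlike "$OfflineWindows\*" } |
        Format-Table Name, Start, ImagePath, OnDisk -AutoSize
} finally {
    Dismount-OfflineHives
}
```

The listing is triage, not proof: legitimate third-party software (AV, drivers, updaters) also installs services outside the Windows directory, so compare each flagged entry against what the customer actually has installed before touching it. Once an entry is confirmed bad, removal while the hives are still loaded is ordinary registry editing on the same offline paths (for example Remove-ItemProperty on the Run value, or Remove-Item on the service key) plus deleting the binary from D:, and the hives must be unloaded cleanly afterwards or the disk will not boot with the changes.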
 #24508  by r3shl4k1sh
 Tue Dec 02, 2014 6:45 pm
bitstechs wrote:Hello,

I've recently been seeing Roguekiller detect a lot of userland rootkits on quite a few machines that come through our repair shop. I was wondering how exactly to proceed in removing them besides just reloading. I've tried a lot of rootkit scanners, asw, mbar, tdsskiller, but nothing seems to help. What would the procedure be to actually remove the detected rootkits? I've done some research and it seems to be some coding that has to be implemented in order to unhide services but this is a little over my head. Can someone provide newbie steps on how to do this?

Thanks!
AFAIK userland rootkits are not supposed to be removed by rootkit scanners; usually userland rootkits should be removed using the same tools you use to remove regular malware.
The rootkit tools you mentioned are supposed to detect & remove (sometimes) kernel-mode rootkits (drivers)...