Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


A question about rootkit removal software

  • Please log in to reply
4 replies to this topic

#1 Daavee


  • Members
  • 4 posts
  • Local time:05:26 AM

Posted 23 August 2012 - 10:05 PM

There are two people who regularly post to another forum whom I respect; they are both very knowledgeable and have helped a good many people along the way.

Unfortunately, I have become confused about two particular rootkit scanning/removal programs (I happen to have used both and have never had problems with either): Kaspersky's TDSSKiller and Avast's aswMBR.

According to one of the regular participants:

"I think you are going to have to just see for yourself what TDSS Killer will do when a boot sector rootkit is detected, removed and Windows will no longer boot because the rootkit was improperly removed resulting in a corrupted MBR.. That scanner has been absent from my toolbox for some time now."

And according to the other regular participant:

"Problems can happen with any removal tool, but TDSSKiller is safer to use than using aswMBR. Furthermore, many experts on malware removal forums use TDSSKiller when they help people. TDSSKiller can cause problems, but in most cases, it's safe to use."

If I recall correctly, aswMBR (which does seem to have an edge over TDSSKiller from what I have seen) can be problematic if one clicks on FixMBR (in certain situations).

So, can anyone help me understand AS OBJECTIVELY AS POSSIBLE the risks/benefits of each of these programs?

Thank you.

Edited by Daavee, 23 August 2012 - 10:06 PM.

BC AdBot (Login to Remove)


#2 noknojon


  • Banned
  • 10,871 posts
  • Gender:Not Telling
  • Local time:08:26 PM

Posted 24 August 2012 - 04:51 AM

This is general advice only on aswMBR and not specifically for you:
That is why it shouldn't be used unless recommended and then only under advice from someone experienced in its use and the information it produces.
To start with you must be able to diagnose early scans, and find there is a reason to run a program like those mentioned -

It could seriously impact on your system should you chose options where you don't know what the impact might be.
The unknown MBR could mean more than one thing and not always malicious. It could be an indication that malware has modified the MBR code, but you would likely be experiencing other symptoms.
Perhaps more commonly this could be because of the system that you have, Dell, Acer, etc. where they have got a manufacturers recovery console and recovery partition.
To achieve that they have to customise the MBR record, if anyone chose Fix in this instance they would be wiping that custom MBR code and would lose access to that recovery console.
So care has to be exercised when using tools such as these as that may return information which could be incorrectly acted on.

A few Reasons to Run the TDSSKiller - If these infections are known to be present, or shown in earlier scans

List of malicious programs that can be cured / removed with TDSSKiller - Supplied by Kaspersky -
Rootkit.Win32.TDSS, Rootkit.Win32.Stoned.d, Rootkit.Boot.Cidox.a, Rootkit.Boot.SST.a, Rootkit.Boot.Pihar.a,b,c, Rootkit.Boot.CPD.a, Rootkit.Boot.Bootkor.a, Rootkit.Boot.MyBios.b, Rootkit.Win32.TDSS.mbr, Rootkit.Boot.Wistler.a, Rootkit.Win32.ZAccess.aml,c,e,f,g,h,i,j,k, Rootkit.Boot.SST.b, Rootkit.Boot.Fisp.a, Rootkit.Boot.Nimnul.a, Rootkit.Boot.Batan.a, Rootkit.Boot.Lapka.a, Rootkit.Boot.Goodkit.a, Rootkit.Boot.Clones.a, Rootkit.Boot.Xpaj.a, Rootkit.Boot.Yurn.a, Rootkit.Boot.Prothean.a, Rootkit.Boot.Plite.a, Rootkit.Boot.Geth.a, Rootkit.Boot.CPD.b, Backdoor.Win32.Trup.a,b, Backdoor.Win32.Sinowal.knf,kmy, Backdoor.Win32.Phanta.a,b, Virus.Win32.TDSS.a,b,c,d,e, Virus.Win32.Rloader.a, Virus.Win32.Cmoser.a, Virus.Win32.Zhaba.a,b,c, Trojan-Clicker.Win32.Wistler.a,b,c, Trojan-Dropper.Boot.Niwa.a, Trojan-Ransom.Boot.Mbro.d, e, Trojan-Ransom.Boot.Siob.a, Trojan-Ransom.Boot.Mbro.f.

Basically, you need to be able to pre-diagnose the problems and the reasons for selection of a relevant tool -

Reasonably objective in saying that you must know how to read scan results, and only apply the required tool to solve your problem.
As always, incorrect diagnostics can cause major problems in removal of incorrect programs and render a system useless -

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,932 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:26 AM

Posted 25 August 2012 - 07:30 AM

With TDSSKiller, in cases where the machine may not boot after running the tool we have found that users had chosen to delete TDSS File System (TDLFS) entries prior to a successful cure and removal of the rootkit.

Many security tools have settings built in by default and ignoring those settings can be problematic. TDLFS detection is disabled by default and default action for this detection is Skip...not to delete until rootkit removal has been completed. At that time TDSSKiller can be rerun and TDLFS entries can be removed.

aswMBR has several fix options. Only the [FixMBR] button is available when launching - [Fix] button is unusable (greyed out) unless TDL4 is detected.
If there is no TDL4 (MBRoot) or other MBR based infection found, the Fix button is unusable (greyed out).
If TDL4 (MBRoot) is found, then FixMBR button will be unusable (greyed out) out to prevent using wrong buttons. This was a safeguard initially not built into the tool but later implemented to help eliminate the possibility of a user using the wrong fix.

Important Note for other readers of this topic: If you're unsure how to use a particular Anti-rootkit (ARK) tool or interpret the log it generates, then you probably should not be using it. Some ARK tools are intended for advanced users or to be used under the guidance of an expert who can interpret the log results and investigate it for malicious entries before taking any removal action. Incorrectly removing legitimate entries could lead to disastrous problems with your operating system.

Why? Not all hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. It is normal for a Firewall, anti-virus and anti-malware software, CD Emulators sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernal/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determined if they are benign, system critical or malevolent before attempted removal. Using an ARK scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous if a critical component is incorrectly removed.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 Daavee

  • Topic Starter

  • Members
  • 4 posts
  • Local time:05:26 AM

Posted 05 September 2012 - 10:21 PM

Thanks so much for that explanation, quietman7 (and thanks also to noknojon)!

So, if someone reports TDSSKiller found Rootkit.Boot.Pihar.C, is it safe to assume he can select "Cure"?

Edited by Daavee, 05 September 2012 - 10:21 PM.

#5 noknojon


  • Banned
  • 10,871 posts
  • Gender:Not Telling
  • Local time:08:26 PM

Posted 06 September 2012 - 01:00 AM

Lets just say (for now) it is much better to post a topic in Am I Infected area of the forum.
When you learn more specific details about Malware removal, then it may be an idea to try things yourself.

On average you need a year of good training in specific tools and methods (with the aid of experts) to try most heavy removal yourself.
Up to then stay with Malwarebytes Anti-Malware and Antivirus type programs for basic infection removal only :)

I have spent some time with training, but I do not know enough to remove all infections safely without just a chance of doing some damage along the way.
This is the reason for attending a Malware Removal training School first -

Thank You -

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users