Wednesday, December 31, 2008

Zlob fake codec rootkit removal procedure

Lately there has been a rise in rootkit-based Zlob fake codecs and video players. The rootkit belongs to the TDSServ family and is quite difficult to remove using standard anti-malware tools. This post shows how to remove these rootkit-based Zlob infections. The procedure applies to Zlob variants that drop kernel-mode rootkits, such as the fake players BrakePlayer, Moon-Player, TurboPlayer and Light-Track.

The removal process consists of three steps:
  1. Removing rootkit driver file and its Registry entry
  2. Removing other malware files dropped by Zlob installer
  3. Removing the stray "shell open command" entry (a.k.a. the malicious autorun.inf file)

Download and install the following tools (do not run them yet):
  1. GMER
  2. Malwarebytes' Anti-Malware (MBAM)

Removing rootkit driver file and its Registry entry:
  1. Launch GMER.exe. As soon as GMER starts, it performs a preliminary system scan. If it finds any trace of a rootkit, it will ask whether to run a full PC scan. Click "No" at this prompt.
  2. Now click on the "Rootkit/Malware" tab and select only the "Services" checkbox (deselect all other scan options). Click the "Scan" button to start the scan. An example is shown in the screenshot below.


  3. GMER should show the rootkit service after the scan. Right-click on that entry and click "Delete Service". Click "Yes" for the prompts that pop up. An example screenshot is shown below.


  4. Reboot the PC.
  5. Run GMER again and repeat steps 1 to 4 (GMER will detect the same rootkit service once more; delete it a second time).

Note: If GMER does not detect any rootkit in its preliminary system scan (Step 1 above), you may not have the kernel-mode rootkit variant of Zlob (or GMER is not detecting it ;)). Proceed to the next section.

Update: The Zlob rootkit driver can also be removed using SysProt AntiRootkit. More information can be found here.


Removing other malware files dropped by Zlob installer:
  1. Run Malwarebytes' Anti-Malware (MBAM), click the "Update" tab and then click the "Check for updates" button to download the latest malware database.
  2. Once the update completes, click the "Scanner" tab and select the "Perform full scan" option. Select all hard disk partitions (C:\, D:\ etc.) and then click "OK" to start the scan.
  3. Once the scan completes, remove all the malware that MBAM reports. An example screenshot is shown below.


  4. Reboot the PC.

Removing the stray "shell open command" (a.k.a. the malicious autorun.inf file):
  1. Go to Start Menu > Search to open the Windows Search tool. Configure Search to look in system and hidden folders and files, otherwise hidden copies will be missed. Finally, search for files named autorun.inf. An example screenshot is shown below.


  2. These autorun.inf files contain a few commands that instruct Windows Explorer to load a Zlob malware file (generally %rootdrive%\resycled\boot.com) whenever a user double-clicks a drive icon. Delete all the autorun.inf files found on the hard disk partitions (for example C:\, D:\ etc.), and delete the file they point to if it is still present.
  3. Reboot the PC.
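The autorun.inf step can be scripted. The following is an added example and not code from the post or from SysProt: a small Python tool that parses autorun.inf, extracts the directives that make Explorer launch a program (open, shellexecute and shell\<verb>\command, the "shell open command" entry above), resolves where they point and, with --delete, removes both the autorun.inf and any payload still on disk, clearing a read-only attribute first. The embedded sample autorun.inf is constructed from the post's description of the resycled\boot.com launcher and is not a real capture; the function names and the fixed-disk filter via GetDriveTypeW (so CD and USB media, which legitimately carry autorun.inf, are left alone) are my choices. On a non-Windows machine it exercises the same logic against a temporary directory instead of real drives.

```python
# Added example, not from the post: inspect and remove the autorun.inf Zlob drops
# on hard-disk roots, plus the payload it points at. Dry run unless --delete is given.
import os
import re
import stat
import string
import sys

# [autorun] keys that make Explorer run a program on double-click/AutoPlay;
# shell\<verb>\command is the "shell open command" entry the post refers to.
_LAUNCH_KEYS = ("open", "shellexecute")
_SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Constructed sample modelled on the post's description (Explorer told to run
# <root>\resycled\boot.com). Not a real capture of a Zlob autorun.inf.
SAMPLE_AUTORUN = """\
[autorun]
; constructed sample
open=resycled\\boot.com
shell\\open=Explore
shell\\open\\Command=resycled\\boot.com
shell\\explore\\command=resycled\\boot.com
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

def parse_autorun(text):
    """[(key, command)] per launch directive in [autorun]; case-insensitive, skips comments."""
    launches, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()  # tolerate a UTF-8 BOM on the first line
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key.lower() in _LAUNCH_KEYS or _SHELL_CMD_RE.match(key):
                launches.append((key, value))
    return launches

def command_target(command):
    """Program part of a command line: the quoted token, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""

def resolve_target(root, command):
    """Absolute path of the launched program; autorun.inf paths are relative to the root."""
    target = command_target(command).replace("\\", os.sep)
    if not target or os.path.isabs(target) or target[1:2] == ":":
        return target
    return os.path.join(root, target)

def force_remove(path):
    """Remove a file even if it carries the read-only attribute."""
    try:
        os.chmod(path, stat.S_IWRITE)
        os.remove(path)
        return True
    except OSError:
        return False

def clean_root(root, delete=False):
    """Report <root>/autorun.inf and the files it launches; remove them if delete=True.
    Returns the paths removed (in a dry run: the paths that would be removed)."""
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return []
    with open(inf_path, encoding="latin-1", errors="replace") as fh:
        launches = parse_autorun(fh.read())
    print(f"{inf_path}:")
    doomed = [inf_path]
    for key, command in launches:
        target = resolve_target(root, command)
        present = os.path.exists(target)
        print(f"  {key} = {command} -> {target} ({'present' if present else 'missing'})")
        if present and target not in doomed:
            doomed.append(target)  # payload still on disk: remove it as well
    return [p for p in doomed if force_remove(p)] if delete else doomed

def fixed_drive_roots():
    """Windows fixed-disk roots only (CD/USB media legitimately carry autorun.inf)."""
    import ctypes
    DRIVE_FIXED = 3  # GetDriveTypeW return value for a hard-disk partition
    return [f"{c}:\\" for c in string.ascii_uppercase
            if ctypes.windll.kernel32.GetDriveTypeW(f"{c}:\\") == DRIVE_FIXED]

def demo():
    """Stage the constructed sample in a temp dir, dry-run, then really remove.
    Returns (planned, deleted, leftovers) so the behaviour can be checked."""
    import tempfile
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "resycled"))
    with open(os.path.join(root, "resycled", "boot.com"), "wb") as fh:
        fh.write(b"constructed stand-in for the dropped payload")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    planned = clean_root(root)
    deleted = clean_root(root, delete=True)
    return planned, deleted, [p for p in planned if os.path.exists(p)]

if __name__ == "__main__":  # Windows: python zlob_autorun.py [--delete]; elsewhere: demo
    if os.name != "nt":
        print(demo())
    else:
        for drive_root in fixed_drive_roots():
            print(clean_root(drive_root, delete="--delete" in sys.argv[1:]))
```

Run it once without --delete and read the report: every autorun.inf on a fixed disk is suspect, and the "present" targets are the dropped payloads that should go with it. The parser only trusts the [autorun] section and treats keys case-insensitively, since Explorer does the same.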
Finally, run an online scan at F-Secure or Trend Micro to make sure the PC is clean. Hopefully the Zlob rootkit will be gone for good by this time!


6 Comments:

Anonymous Anonymous said...

I was wondering why you used GMER instead of Sysprot for rootkit detection.

Regards,

RWS

10:15 AM  
Blogger swatkat said...

Hi RWS,

Earlier versions of SysProt AntiRootkit weren't detecting Zlob rootkit driver. I made some improvements in driver detection, and now SysProt AntiRootkit v1.0.0.8 can detect and disable the Zlob (TDSServ/Alureon) rootkit driver. More information can be found here:
http://swatrant.blogspot.com/2009/01/sysprot-antirootkit-v1008-released.html

Regards,

11:39 PM  
Anonymous Anonymous said...

Great work, Swatkat! You're doing a good service for the web community.

Regards,

RWS

6:03 AM  
Anonymous audio codecs download said...

Does it remove the fake codec downloaded from Zango?

10:28 PM  
Anonymous audio codecs download said...

Solved my problem

9:38 PM  
Anonymous Anonymous said...

I hope this works... please work

10:29 AM  
