Download Microsoft Debugging Tools

Start->Debugging Tools for Windows->windbg

or C:\Program Files\Debugging Tools for Windows\windbg.exe

start a command prompt and create a temp directory: mkdir c:\temp

File->Kernel debug->local

Verify local firewall software is disabled, the following command requires it. If the symbols can't be read, try the reload function File->Symbol file path. It may prompt you with a firewall dialog.

Point debugger to Microsoft's symbol store by typeing:

Rootkit Hunting:

• List running processes and compare with Process Explorer:

!process 0 0

• List loaded drivers and compare with Process Explorer: 

.reload

lmkv

• Look for Kernel hot-patches:

!chkimg -d nt

To get  rid of the invalid hooks, type: !chkimg -f nt

 

• To check all images:

!for_each_module !chkimg @#ModuleName

 

• Dump the system service table and interrupt dispatch table (IDT)

dd kiservicetable

!idt -a

Scroll to the top of the list, all entries should be pointing to nt!kitrap????

Task Selector = 0x00A0 - is ok too.

Red circle depicts viral entries:

 

• After performing the above checks, always check every file on the disk for it's signature, especially files in c:\windows.

sigcheck -e -u -s c:\

Any suspicous files should be deleted, try renaming them or use: movefile maleware.exe ""

 

If file still cannot be deleted, delete with an offline utility like BartPE.

 

For hard to delete registry keys, use: regdelnull hklm...