Removing rootkits

From Wowpedia

Since December 2010, WoW users have been crashing because of a rootkit family that appears to be associated with fake antivirus programs.

This rootkit usually also hides a trojan (keylogger). Warden detects the trojan, the rootkit then shuts Warden down, and WoW crashes.

Known Crash addresses

Note that for all of these crash addresses, the instruction address in the crash dialog matches the referenced memory address.

Could not "execute"

0x00000000
0x00000001
0x00000002
0x00200202

Could not "read"

0x00000001
0x00000063 - This version requires method 2 for proper removal.
0x00000246
0x00000397


Removal instructions

Method 1

  1. Run Rkill.
    1. If the .exe version doesn't run (or BSODs the system), run the .com version. This program needs to run, so if need be, keep attempting to launch it until a DOS command window pops up and tells you it's running.
    2. This program will temporarily shut down malware - long enough to run programs to remove the rootkit.
  2. Download Combofix to the desktop (or move it to the Desktop).
    1. Rename Combofix.exe to Kittysnack.exe
    2. Run Kittysnack.exe
    3. Just a warning: Combofix will cut your internet, then restart your system if it finds anything.
    4. The log should show "Kitty had a snack :p" if it removed the rootkit.
    5. Rename Kittysnack.exe to Combofix.exe
    6. Go to Start->Run and type Combofix /u to uninstall Combofix
  3. Download, install and fully update Malwarebytes. Do a full scan. Allow it to fix ANYTHING it finds.


Method 2

While the above removal instructions work for most variants of the rootkit we've been seeing, they don't fully remove the latest variants.

  1. Run TDSSKiller. This will restart your system to remove the rootkit.
  2. Download, install and fully update Malwarebytes. Do a full scan. Allow it to fix ANYTHING it finds.


If you're still crashing after doing one of the methods, do the other method's instructions as well.
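As an added helper (not part of the original page), the script below triages the text of a Windows application-error dialog against the crash addresses listed above: it parses the instruction and referenced-memory addresses, checks the same-address property the page notes, and reports whether to start with Method 1 or Method 2. The dialog format and the sample crash texts are constructed assumptions.

```python
import re

# Crash addresses listed on this page, keyed by the failed access type.
KNOWN_EXECUTE = {0x00000000, 0x00000001, 0x00000002, 0x00200202}
KNOWN_READ = {0x00000001, 0x00000063, 0x00000246, 0x00000397}
# The one variant the page says needs Method 2 (TDSSKiller) for full removal.
NEEDS_METHOD_2 = {("read", 0x00000063)}

# Matches the Windows application-error dialog text, e.g.
#   The instruction at "0x00000063" referenced memory at "0x00000063".
#   The memory could not be "read".
CRASH_RE = re.compile(
    r'instruction at "?0x([0-9A-Fa-f]{8})"? referenced memory at "?0x([0-9A-Fa-f]{8})"?'
    r'.*?could not be "?(read|written|execute)d?"?',
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample dialog texts for demonstration.
SAMPLE_EXECUTE = ('Wow.exe - Application Error\n'
                  'The instruction at "0x00200202" referenced memory at "0x00200202".\n'
                  'The memory could not be "execute".')
SAMPLE_READ_63 = ('The instruction at "0x00000063" referenced memory at "0x00000063". '
                  'The memory could not be "read".')
SAMPLE_UNRELATED = ('The instruction at "0x7c910a19" referenced memory at "0x00000010". '
                    'The memory could not be "read".')


def triage_crash(dialog_text):
    """Return a dict describing whether the crash matches the rootkit pattern
    documented on this page, or None if the text is not a crash dialog."""
    m = CRASH_RE.search(dialog_text)
    if not m:
        return None
    instr, mem = int(m.group(1), 16), int(m.group(2), 16)
    access = m.group(3).lower()
    known = {"execute": KNOWN_EXECUTE, "read": KNOWN_READ}.get(access, set())
    # The page notes that for these crashes the instruction address equals
    # the referenced memory address; a mismatch points to a different cause.
    same_address = instr == mem
    matches = same_address and mem in known
    if not matches:
        method = None
    elif (access, mem) in NEEDS_METHOD_2:
        method = 2
    else:
        method = 1
    return {"instruction": instr, "memory": mem, "access": access,
            "same_address": same_address,
            "matches_known_rootkit_crash": matches,
            "suggested_method": method}
```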