Trojan Rootkit.Gen Variants Block Security Applications (Norton, Windows Defender, others) from Running

We have recently come across a new variation of an old rootkit infection that is worse than anything our Technical Support team has ever encountered. It was brought to our attention by a SpyHunter customer who contacted our Technical Support team stating that she had a malware infection that was disabling key functions on her computer and that she needed our help. Upon closer inspection, our Technical Support team discovered that her malware infection was actually a trojan rootkit. What led our Technical Support team to that conclusion was not only that her computer was experiencing excessive pop-ups advertising rogue anti-spyware programs like AntispywareMaster, or that Task Manager and RegEdit were disabled, but above all that SpyHunter could not be run after installation. Even when SpyHunter managed to start, she couldn't get the 'Definitions Update' or 'Program Update' feature to work, and eventually SpyHunter automatically disabled itself.

From an operational perspective, the trojan rootkit has the same anatomy as Rootkit.Gen (also known as Trojan.Rootkit.Gen) and Rootkit.Win32.Clbd.cx. These are infections that cannot be easily detected or removed (if at all) by anti-spyware or anti-virus programs, because rootkits hide their files and registry entries from other programs.

A rootkit is a type of malicious program designed to give attackers "root" access, meaning administrator-level access to a computer without the consent of the system's owner. Rootkits are the most harmful Trojans, as they are generally impossible to detect, because they hide and integrate within the operating system. Rootkit files will not appear in Windows Explorer, you will not be able to see malware processes in Task Manager, and there will be no visible malware entries in the Windows Startup. Thus, a user with a rootkit infection will be unable to detect or remove it using the operating system's standard security mechanisms.

Originally, rootkits were created as programs used to take control of failing or unresponsive systems, but hackers have taken advantage of their capabilities and turned them into a form of malware used to gain access to a computer or computer network and launch undetectable attacks at will. Hackers, with monetary gain in mind, use rootkits to hide Trojans that either display advertisements based on data collected from the user's computer, or come bundled with "rogue" programs to sell to the user. Rootkits will reach pandemic proportions as hackers continue to use them as their standard method of distributing malicious programs.

Here's a synopsis of the trojan rootkit's usual symptoms, most of which the SpyHunter customer also experienced on her computer:

  • Removes Task Manager.
  • Disables Command prompt and RegEdit.
  • Disables Firefox.
  • Disables security software.
  • C: and D: drives disappear.
  • Access denied to certain websites, especially www.symantec.com, update.microsoft.com and others.
  • The 'Blue Screen of Death' screensaver pops up to indicate a spyware infection.
  • Start Menu does not list 'Programs', 'My Documents', 'My Computer', 'My Recent Documents', 'Search', 'Help', 'Control Panel' or 'Run'.
  • 'Log off' function disappears.
  • Changes the password of the default administrator account.
  • Takes away certain administrator privileges from the default administrator account.

How to Disable Trojan Rootkit - Manual Instructions

Use Caution! Please read the instructions below carefully. Disabling a trojan rootkit is a delicate procedure. Proceed at your own risk. We advise you to back up your system before you manually disable a trojan rootkit.

To detect and disable the trojan rootkit infection, you'll need a rootkit detection tool and some human effort. Keep in mind that rootkit infections cannot be removed from the system; they can only be disabled. We cannot guarantee that the trojan rootkit infection will be completely disabled.

To manually disable the rootkit infection, follow these removal steps:

  1. Install the program RootkitRevealer from Sysinternals and run a scan to find out which files are marked as "Hidden from Windows API". Once you can see the hidden files, you'll know what needs to be removed to disable the rootkit infection. The main file of this particular rootkit infection is called clbdriver.sys and it is located in the folder c:\windows\system32\drivers.
  2. Install Recovery Console from i386 directory or boot from the Windows Installation CD into Recovery Console Mode. If you install the Recovery Console from the i386 directory, remember to activate the key that disables the password.
  3. Reboot the computer and choose Recovery Console from the boot menu. Once you install the Recovery Console, Windows will display a boot menu automatically.
    When in Recovery Console Mode, you will need to delete the following files (%WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.):
    %WinDir%\system32\clb.dll
    %WinDir%\system32\clbcatex.dll
    %WinDir%\system32\clbcatq.dll
    %WinDir%\system32\dllcache\clb.dll
    %WinDir%\system32\dllcache\clbcatex.dll
    %WinDir%\system32\dllcache\clbcatq.dll
    Use the following commands to delete the driver file while in Recovery Console Mode:
    cd \
    cd c:\windows\system32\drivers
    dir clbdriver.sys        (should return "1 File Found")
    del clbdriver.sys
    dir clbdriver.sys        (should now return "No file Found")
  4. Re-start the computer.
  5. Start registry editor and delete the following registry keys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData
    HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\clbdriver.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\clbdriver.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\clbdriver
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver
    This particular rootkit infection replaces several system files, but they all rely on the file explorer.exe in order to execute their functions. In the next steps, you will replace 2 major system files (explorer.exe and clb.dll) that the rootkit compromises and change the name of the system shell file (explorer.exe) so that the rootkit loses its connection to the system and becomes permanently disabled.
  6. Extract the files explorer.exe and clb.dll from the i386 directory using the expand.exe command. When extracting clb.dll from the i386 directory, copy it to the directory C:\windows\system32.
  7. Rename the file explorer.exe. For example, explorer_clean.exe.
  8. Open regedit and modify the value of the key HKLM\software\Microsoft\Windows NT\CurrentVersion\WINDOWS\shell from explorer.exe to the new name explorer_clean.exe, as in the example provided above. Therefore, if you renamed the file explorer.exe to explorer_clean.exe, then the key HKLM\software\Microsoft\Windows NT\CurrentVersion\WINDOWS\shell should have the value explorer_clean.exe. If you ever change the shell file name back to explorer.exe, the infection will reappear.
  9. Reboot the computer. The rootkit infection should not reappear upon reboot.
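As an added example (not code from the original post or from Enigma Software), the following Python script turns the indicators named in steps 1, 3 and 5 into an offline check: it parses a registry export of the kind regedit produces and a file listing taken from Recovery Console, reports which indicators are present, and shows whether the shell rename from step 8 has been applied. The sample export and file listing are constructed for the example. The script reads the Shell value from the Winlogon key, which is where Windows keeps it (step 8 abbreviates that path), and it keys on the driver file and the registry entries rather than on the mere presence of the DLLs, since the page itself notes that the rootkit replaces existing system files, so their presence alone says nothing.

```python
"""Offline indicator check for the clbdriver rootkit described in the steps above.

Sample inputs (a registry export and a file listing) are constructed for this
example; the indicator list is transcribed from the removal steps on the page.
"""
import re

# Driver file named in step 1, with %WinDir% left symbolic as in step 3.
DRIVER_FILE = r"%WinDir%\system32\drivers\clbdriver.sys"

# Registry keys listed in step 5.
ROOTKIT_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
    r"\Browser Helper Objects\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft",
] + [
    rf"HKEY_LOCAL_MACHINE\SYSTEM\{cs}\{sub}"
    for cs in ("ControlSet001", "CurrentControlSet")
    for sub in (r"Control\SafeBoot\Minimal\clbdriver.sys",
                r"Control\SafeBoot\Network\clbdriver.sys",
                r"Services\clbdriver")
]

# Assumption: the Shell value is read from the standard Winlogon key; step 8
# on the page abbreviates that path.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers plus
    "name"="string" and "name"=dword:hex values. Key and value names are
    lower-cased so matching is case-insensitive, as the registry itself is."""
    reg = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            reg.setdefault(current, {})
            continue
        val_match = _VAL_RE.match(line)
        if val_match and current is not None:
            name, rhs = val_match.group(1).lower(), val_match.group(2)
            if rhs.startswith('"') and rhs.endswith('"'):
                value = rhs[1:-1].replace("\\\\", "\\")   # .reg escapes backslashes
            elif rhs.startswith("dword:"):
                value = int(rhs[len("dword:"):], 16)
            else:
                value = rhs                                # other types kept raw
            reg[current][name] = value
    return reg


def check_indicators(reg, present_files):
    """Report which of the page's indicators are present.

    present_files is the set of paths seen in a listing taken from outside the
    running system (Recovery Console or an offline boot), since the rootkit
    hides them from the Windows API while it is loaded."""
    files = {p.lower() for p in present_files}
    found_keys = [k for k in ROOTKIT_KEYS if k.lower() in reg]
    shell = reg.get(WINLOGON_KEY.lower(), {}).get("shell")
    return {
        "driver_file": DRIVER_FILE.lower() in files,
        "registry_keys": found_keys,
        "shell": shell,
        # Step 8 renames the shell; a value other than explorer.exe means that
        # part of the procedure has been applied.
        "shell_renamed": shell is not None and shell.lower() != "explorer.exe",
        "infected": DRIVER_FILE.lower() in files or bool(found_keys),
    }


# Constructed sample: an infected machine before the procedure.
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver]
"ImagePath"="system32\\drivers\\clbdriver.sys"
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"""
INFECTED_FILES = {r"%WinDir%\system32\drivers\clbdriver.sys",
                  r"%WinDir%\system32\clb.dll"}

# Constructed sample: the same machine after steps 3 to 8.
CLEANED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer_clean.exe"
"""
CLEANED_FILES = {r"%WinDir%\system32\clb.dll"}

if __name__ == "__main__":
    for label, reg_text, files in (("before", INFECTED_REG, INFECTED_FILES),
                                   ("after", CLEANED_REG, CLEANED_FILES)):
        print(label, check_indicators(parse_reg_export(reg_text), files))
```

Running the script prints the findings for both constructed states. On a real machine the file listing has to be gathered from Recovery Console or an offline boot, because, as step 1 explains, the rootkit hides its files from the Windows API while it is loaded; a listing taken from the running system would report the driver as absent.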

Instructions to Disable Trojan Rootkit Disclaimer

Warning!! These instructions are used to disable the rootkit, not to remove it. Enigma Software Group USA LLC cannot be held responsible for any problems that may occur from using the information contained within this rootkit detection guide. By following any of these rootkit detection and disabling instructions, you agree to be bound by this disclaimer. If you do not agree, do not follow these rootkit detection and disabling instructions. We make no guarantees that these rootkit detection and disabling instructions will completely disable the rootkit infection. Trojans and rootkits change regularly; therefore, it is difficult to fully clean an infected machine through manual means. If you were not able to disable the trojan rootkit, we recommend you seek professional help from a computer expert.

One Comment

  • michael tomlin:

    I purchased an Enigma SpyHunter to get rid of my DoublePulsar, but I am having trouble downloading it. Please could you help me, if you could be so kind? Thank you very much.
