How to Remove a Rootkit from a Windows System
A rootkit is a software program that enables attackers to gain administrator access to a system; on Unix/Linux systems this is called "root" access. Rootkits contain tools and code that help attackers hide their presence and keep full control of the server or client machine continuously without being noticed. Sometimes they also cause typical malware-type problems: I had a case where a browser hijack was being caused by a particular rootkit installed on the system. In this article, I will show you one way to remove a rootkit from a Windows system.
“Rootkits are usually installed on systems when they have been successfully compromised and the highest level of access has been given (usually root). Some rootkits refuse to be installed until the attacker has root access, due to read and write permission to certain files. Once the system has been successfully compromised and the attacker has root, he/she may then install the rootkit, allowing them to cover their tracks and wipe the log files.”
A typical rootkit consists of the following utilities:
- Backdoor programs – login backdoors, telnetd, etc.
- Packet sniffers – sniff network traffic such as FTP, TELNET, POP3
- Log-wiping utilities – bash the logs to cover tracks
- DDoS programs – turn the box into a DDoS client (remember trinoo?)
- IRC bots – bots used to take over IRC channels (lame and annoying)
- Miscellaneous programs – may contain exploits, log editors
Types of Rootkit
- Persistent rootkits – A persistent rootkit activates each time the system boots. Normally these types of rootkits are stored in the system registry.
- Memory-based or non-persistent rootkits – Memory-based rootkits will not automatically run after a reboot; they are stored in memory and lost when the computer reboots.
- User-mode rootkits – User-mode rootkits operate at the application layer and filter calls going from the system API (application programming interface) to the kernel. These rootkits normally replace system binary files with malicious code that redirects control of the computer to the creator of the rootkit.
- Kernel-mode rootkits – Kernel-mode rootkits hook the system's kernel APIs and modify data structures within the kernel itself. These are the most effective and dangerous types of rootkits. Kernel-mode rootkits are very difficult to detect and can hide on a system without any indication of being active.
- Bootkits – Bootkits are variations of kernel-mode rootkits that infect the Master Boot Record (MBR). The malicious code can be executed before the operating system actually boots.
- Firmware – A firmware rootkit infects a device or piece of hardware where code resides, such as a network card or the system BIOS.
  Mebromi firmware rootkit: http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/
- Hypervisor – These are newer types of rootkits that infect the hypervisor layer of a virtual machine setup. The hypervisor is the layer between the physical hardware (host system) and the virtual system (guest), although a type II hypervisor can be installed on top of an OS in order to present a virtual layer to the guest. These rootkits can intercept hardware "calls" going to the original operating system.
How to remove the Rootkit
This is where it gets fun! There are different approaches and no single foolproof method, nor is it guaranteed that the rootkit will be fully removed. In fact, some computer security experts simply recommend formatting the drive and completely re-installing the operating system.
The Manual Method
This may or may not be more time consuming than searching with an automatic tool. If you are familiar with legitimate Windows services and programs and can pick out suspicious files, then this could be the way to go. Many times, rootkit scanners will not detect rootkit infections, especially new ones, so the manual method may be the way to go if you don't want to go straight to the nuke-and-pave solution.
Tools:
Here is a process for locating a rootkit via msconfig:
1. Open msconfig and enable the boot log.
   In XP, go to Start, then Run. Type in "msconfig" (without quotes). Go to the "boot.ini" tab and tick "Boot log".
   In Vista and Windows 7, go to Start and type in "msconfig" (without quotes). Go to the "Boot" tab and tick "Boot log".
2. Restart the computer.
3. Open C:\WINDOWS or C:\WINNT, open ntbtlog.txt and search it for malicious files.
You can start by searching for the files in this short list from Computersight.com. Each entry is the start of a file name; the name may contain some random characters after it.
- rot
- gas
- gaopdx
- seneka
- win32k.sys
- uacd
- tdss
- kungsf
- gxvxc
- ovsfth
- msqp
- ndisp
- msivx
- skynet
Get the full path of the file from the log, for example \SystemRoot\system32\drivers\BadRootkit.sys
For an exhaustive list of rootkits that you can search for, check out this Rootkit List from Bleeping Computer.  
4. Open a command prompt and deny all access to the file using either the CACLS or ICACLS command.
For example, type cmd in the Run box (XP) or the search box (Vista/7) with Admin privileges (in Vista and Windows 7, hit Ctrl-Shift-Enter to open the command prompt as an Admin) and type
cacls C:\WINDOWS\system32\drivers\BadRootkit.SYS /d everyone
or
icacls C:\WINDOWS\system32\drivers\BadRootkit.SYS /deny *S-1-1-0:F
(cacls /d everyone denies access to the file for all users; icacls /deny Sid:permission can deny simple or specific rights. S-1-1-0 is the well-known SID for Everyone, a numeric SID must be prefixed with * in icacls, and F is the simple right for full control, so the deny covers every kind of access.)
5. Restart the computer.
6. Search for the file in the following locations and remove it:
- C:\WINDOWS or C:\WINNT
- C:\WINDOWS\system32
- C:\WINDOWS\system32\drivers
- the Registry (entries that reference the file)
Then clear the temp, %temp% and prefetch folders.
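As an added example (not code from the original article), the following Python script automates the search in step 3: it parses the "Loaded driver" lines from a boot log and flags driver names that begin with the prefixes in the list above. It goes one step beyond the article by also flagging any driver loaded from outside the usual \SystemRoot\system32 directories; the sample log and the driver names tdssserv.sys and seneka3f.sys are constructed for the demonstration.

```python
r"""Triage a Windows boot log (ntbtlog.txt) for suspicious driver entries."""
import re

# Name prefixes from the article's short list, matched case-insensitively.
SUSPICIOUS_PREFIXES = ("rot", "gas", "gaopdx", "seneka", "uacd", "tdss",
                       "kungsf", "gxvxc", "ovsfth", "msqp", "ndisp", "msivx", "skynet")
# Added heuristic (not in the article): boot drivers normally live in these two
# directories. win32k.sys (also on the article's list) is a legitimate kernel
# component that always loads from System32, so it is only worth a look when it
# loads from somewhere else, which this path check catches.
EXPECTED_DIRS = (r"\systemroot\system32", r"\systemroot\system32\drivers")

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(\S+)$")


def parse_boot_log(text):
    """Return (status, path) tuples for every driver line in ntbtlog.txt."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_suspicious(entries):
    """Return [(path, reason), ...] for entries that deserve a closer look."""
    hits = []
    for _status, path in entries:
        directory, _, name = path.rpartition("\\")
        if name.lower().startswith(SUSPICIOUS_PREFIXES):
            hits.append((path, "name matches known rootkit prefix"))
        elif directory.lower() not in EXPECTED_DIRS:
            hits.append((path, "loaded from an unusual directory"))
    return hits


# Constructed sample log (not a real capture); tdssserv.sys and seneka3f.sys
# are made-up names chosen to match the prefix list.
SAMPLE_LOG = """Microsoft (R) Windows (R) Version 6.1 (Build 7601)
 5 20 2011 09:12:33.500
Loaded driver \\SystemRoot\\system32\\drivers\\ndis.sys
Loaded driver \\SystemRoot\\System32\\win32k.sys
Loaded driver \\SystemRoot\\system32\\drivers\\tdssserv.sys
Loaded driver \\??\\C:\\Windows\\Temp\\seneka3f.sys
Did not load driver \\SystemRoot\\system32\\drivers\\vboxdrv.sys
"""

if __name__ == "__main__":
    for path, reason in flag_suspicious(parse_boot_log(SAMPLE_LOG)):
        print(f"{reason:36s} {path}")
```

Run it against a real C:\WINDOWS\ntbtlog.txt by reading the file into `parse_boot_log`; anything it flags still needs manual confirmation before you deny access to or delete it.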
The Automatic/ Semi-Automatic method
You can check out a list of rootkit removal tools here. I would first fire up TDSSKiller from Kaspersky. It runs a fairly quick scan, and TDSS variants are popular, so it may catch something on the first attempt.
If TDSSKiller comes up empty, then try out GMER, which is a powerful and exhaustive rootkit scanner.
From there I like to use AVG's Rootkit Scanner. This tool has actually found quite a few rootkits for me. It's also good to run it after you have removed the rootkit to be thorough, although you could do that with any of these tools. Another program worth mentioning at this point is the new Microsoft Standalone System Sweeper Beta. There has been some buzz that this tool has been fairly successful at finding hidden rootkits.
If these rootkit scanners are not finding anything, or they do find something but can't delete it, then you may have to move to the manual method. You can also keep trying other tools, but there does come a point when you have to evaluate whether the time and effort is worth it, or whether you should either try the manual method or perform a full re-installation of the operating system.
credits to Chuck Romano