How to Remove Rootkits

Category: Security

"What exactly is a rootkit, and how is it different than a virus? Also, how can I detect and remove rootkit infections from my computer?"


What is a Rootkit?

Of all the nasty, evil, sneaky malware ever to infect millions of computers, the species known as the "rootkit" may well be the nastiest, evilest, and sneakiest. Rootkits are very difficult to detect; even harder to find once their effects have been noticed; and eradicating them is extremely difficult.

A rootkit is a software package - a "payload" in hacker parlance - that is injected into your system via one of the many vectors available: vulnerabilities in application software that uses the Internet; USB flash drives; CD/DVDs of data or bootlegged software, etc. But left to itself, a rootkit-laden software package does no harm. It just sits on your hard drive.

The payload package must be "run" or executed to do its damage. Often you will run the payload intentionally, because it appears to be some useful program that you just downloaded. But you may also trigger a payload by opening an existing, perfectly harmless application that runs macros, such as Microsoft Word or Excel. If the payload was accompanied by a cunningly written macro, the macro will run automatically when Word or Excel is opened and then the macro will execute the payload package.

One precaution you can take against rootkits, and other forms of malware, is to turn off the "auto-run macro" feature of any software you use that has it. That prevents a macro from triggering a payload unless you manually run a macro you don't recognize. Obviously, you shouldn't. Ever. Even if Mom emailed the document containing the macro to you.

What Does a Rootkit Do?

When a rootkit payload is executed it may do several sneaky things.

  • It may start services running in RAM and hide them from Windows Task Manager or another application that monitors services.
  • It may copy its own insidious files over identically named system files, so there's no "new" filename there when you look.
  • It may and often does hide the files it writes from your operating system so you can't even see them at all. This trick can even hide rootkits from antivirus software.

Once the rootkit is active on your system, it can do all sorts of nasty things. Keystroke logging, password stealing, spam spewing, and surreptitious monitoring of your activities are all possible. And worse, you may not realize that any of this is happening. If you sense that your computer or Internet connection is slower than it should be, it's a good idea to scan for rootkits.

Removing a Rootkit

Eradicating a rootkit once it's entrenched in your operating system is very difficult. So system administrators often don't dig out rootkits. Instead, they back up all data files from the infected machine; reformat the hard drive; and restore the operating system and executable applications. Where did the sysadmins get a perfect copy of all those things from which to restore them?

This is where regularly scheduled hard drive imaging becomes a very good idea. If you make an exact duplicate of your hard drive while it is not infected with a rootkit payload, you can restore your system to the way it was before an infection. (See my related article on making a Hard Drive Backup Image.)

If you haven't been making disk images regularly, or you suspect the rootkit is also embedded in your disk image discs, then you can try a rootkit removal utility. There are several free and paid products available. Here are some I recommend, because they come from trusted sources and have achieved a good reputation for detecting and removing rootkits:

  • F-Secure BlackLight is a rootkit detector that works by finding objects that are hidden from both users and security tools. BlackLight examines your system at a deep level and gives you the option to remove any nasty malware or rootkits that are detected.
  • Sophos Anti-Rootkit is an advanced rootkit detection program which can be operated from a friendly graphical interface or the command line.
  • Trend Micro Rootkit Buster scans your system's hidden files, registry entries, active processes, driver software, and can even detect Master Boot Record rootkits.
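The "finding objects that are hidden from both users and security tools" technique above is a cross-view comparison: the same inventory is taken through the normal Windows API and again through a lower-level path, and anything that shows up in only one view is a finding. This is an added example, not code from the article or from any of the tools it lists; the process lists are constructed sample data standing in for real enumeration calls.

```python
"""Cross-view detection of hidden processes (added example, constructed data).

A rootkit that hooks the API Task Manager calls can filter its own entries out
of the results. Taking the inventory twice, through the hooked API and through
a lower-level path the hook does not cover, exposes the difference.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ViewDiff:
    hidden: frozenset   # in the low-level view but missing from the API view
    phantom: frozenset  # reported by the API but absent at the low level


def cross_view_diff(api_view, raw_view):
    # Windows names are case-insensitive; normalise so case alone is not a finding.
    api = {n.lower() for n in api_view}
    raw = {n.lower() for n in raw_view}
    return ViewDiff(hidden=frozenset(raw - api), phantom=frozenset(api - raw))


def persistent_hidden(passes):
    """Keep only entries hidden in every pass.

    The two enumerations are not atomic: a process that exits between them
    appears in one pass only, whereas a rootkit-hidden one appears every time.
    """
    result = None
    for api_view, raw_view in passes:
        hidden = cross_view_diff(api_view, raw_view).hidden
        result = hidden if result is None else result & hidden
    return result or frozenset()


# Constructed sample: pass 1 catches a transient notepad.exe that exited before
# the API enumeration ran; hidden_sample.exe (a placeholder name) is missing
# from the API view in both passes, which is the rootkit signature.
PROCESS_PASSES = [
    (["System", "explorer.exe", "svchost.exe"],
     ["System", "explorer.exe", "svchost.exe", "notepad.exe", "hidden_sample.exe"]),
    (["System", "explorer.exe", "svchost.exe"],
     ["System", "explorer.exe", "svchost.exe", "hidden_sample.exe"]),
]


def scan_processes():
    """Return the names hidden from the API view in every constructed pass."""
    return persistent_hidden(PROCESS_PASSES)
```

Real detectors apply the same comparison to files and registry keys; the set logic is identical, only the two enumeration sources change.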

Since rootkits are sneaky and hard to detect, you might not even know if you've been infected. To stay safe I recommend that you use a firewall, install both anti-virus and anti-malware software, and periodically do a rootkit scan with one or more of the tools listed above.

Got something to say about rootkits? Post your comments and questions below...

Posted by Bob Rankin on September 3, 2009 10:47 PM

Most recent comments on "How to Remove Rootkits"

Posted by:

j
04 Sep 2009

Thx for these links, Mr Rankin. CNET (http://techrepublic.com.com/) just cited an add'l anti-rootkit resource to check, recommended by Dr Joe Nazario, of Arbor Networks, (who wrote Malwarebytes Anti-Malware), called GMER:
http://www.gmer.net/


Posted by:

J Wright
09 Sep 2009

Though I don't know how good the rootkit checker is, BitDefender has a CD that runs a Knoppix Live system in your RAM. Since nothing on the hard drive is run till the scans, nothing can hide or get control of your system.

You do have to burn the iso image to a blank CD then boot to the CD. This isn't the same as copying the iso file to the CD, so it takes special software to burn the image.

Read about, and download, BitDefender and some other CDs that perform this feat here:
http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/


Posted by:

Bryan Graham
09 Sep 2009

It would be more than a little handy if you would note which of your software recommendations are for Windoze only.

EDITOR'S NOTE: Are you telling me that Mac OS X is vulnerable to attack by viruses, spyware and rootkits? Say it isn't so!

All of the ones listed are for Windows. You might try "OS X Rootkit Hunter" for Macs.


Posted by:

Jack
10 Sep 2009

For MS-Windows systems, try Sysinternals' excellent RootkitRevealer and related file and system utilities at http://www.sysinternals.com/


Posted by:

Newzjunque
12 Sep 2009

Once again many thanks for your informative article. I am extremely grateful for your brief, detailed yet concise information. I now have one more thing to worry about... ;D


Copyright © 2005 - Bob Rankin - All Rights Reserved


Article information: AskBobRankin -- How to Remove Rootkits (Posted: September 3, 2009 10:47 PM)
Source: http://askbobrankin.com/how_to_remove_rootkits.html