How to Remove Rootkits


Category: Security

"What exactly is a rootkit, and how is it different than a virus? Also, how can I detect and remove rootkit infections from my computer?"



What is a Rootkit?

Of all the nasty, evil, sneaky malware ever to infect millions of computers, the species known as the "rootkit" may well be the nastiest, evilest, and sneakiest. What sets a rootkit apart from an ordinary virus is not how it spreads but what it does once it runs: it alters the operating system itself so that its own files, processes and network connections are concealed from you and from your security software, and it usually runs with the same privileges as the operating system kernel. Rootkits are therefore very difficult to detect; harder still to locate once their effects have been noticed; and extremely difficult to eradicate.

A rootkit is a software package - a "payload" in hacker parlance - that gets onto your system via one of the many vectors available: vulnerabilities in application software that uses the Internet; USB flash drives; CDs/DVDs of data or bootlegged software; and so on. Until it is executed, though, a rootkit-laden package does no harm. It just sits on your hard drive.

The payload package must be "run" or executed to do its damage. Often you will run the payload yourself, because it appears to be some useful program you just downloaded. But you can also trigger a payload by opening a document in a perfectly harmless application that supports macros, such as Microsoft Word or Excel. If the document carries a cunningly written macro and macros are allowed to run, the macro executes automatically when the document is opened, and the macro in turn launches the payload package.

One precaution you can take against rootkits, and other forms of malware, is to keep macros disabled in any software that supports them (Office has disabled them by default for years and asks before running one), so that a document can't trigger a payload unless you choose to run a macro you don't recognize. Obviously, you shouldn't. Ever. Even if Mom emailed you the document containing the macro: malware on her computer can send mail in her name just as easily.

What Does a Rootkit Do?

When a rootkit payload is executed it may do several sneaky things.

  • It may start services running in RAM and hide them from Windows Task Manager or any other program that lists running processes.
  • It may copy its own files over identically named system files, so there is no "new" filename to notice when you look; the file keeps its name (and often its size) but its contents are no longer what Windows shipped.
  • It may, and usually does, hide the files it writes from the operating system so you can't see them at all. The usual trick is to hook the kernel or system-library routines that list files, processes and registry keys, so every program that asks the operating system, antivirus software included, gets a doctored answer. That is also why rootkit detectors work by comparing two views of the same system (what the normal interface reports against what a lower-level read of the disk or kernel shows) and flagging whatever appears in one view but not the other.
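
Here is that "two views" comparison in working code, as an added illustration rather than anything from the original article or from the tools named below. It runs on Linux, where the technique needs no driver: the high-level view is the directory listing of /proc (what ps and top use), the low-level view is asking the kernel directly with kill(pid, 0), and a process that answers the second but is missing from the first is hidden. The /proc path, the pid_max location and the constructed sample views in the test are assumptions of this example.

```python
"""Cross-view process detection, the idea behind tools like BlackLight and
RootkitRevealer: enumerate the same objects two different ways and diff the
answers.  A rootkit that hooks the code path behind `ls /proc` can hide a
process from every tool that asks that way, but the kernel still answers
kill(pid, 0) for the hidden process.  Linux only."""
import os

PROC = "/proc"  # assumption: a standard procfs mount


def listed_pids(proc=PROC):
    """High-level view: the PIDs a directory listing of /proc reports."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pid_alive(pid):
    """Low-level view: ask the kernel directly with the null signal.
    ESRCH -> no such process; EPERM -> it exists but is not ours to signal."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def thread_group_id(pid, proc=PROC):
    """Tgid from /proc/<pid>/status.  Thread IDs never show up in readdir()
    but /proc/<tid> is reachable by path, so this separates 'a thread of a
    visible process' (benign) from 'answers kill() yet has no /proc entry'
    (hidden).  Returns None when there is no such entry at all."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def cross_view_diff(listed, alive, tgid_of):
    """Pure logic, so it can be tested on constructed views: PIDs that are
    alive, absent from the listing, and not merely a thread of a process
    that is listed.  `tgid_of(pid)` returns a thread-group id or None."""
    hidden = []
    for pid in sorted(alive - listed):
        tgid = tgid_of(pid)
        if tgid is not None and tgid in listed:
            continue  # a thread of a visible process, nothing to report
        hidden.append(pid)
    return hidden


def scan(max_pid=None):
    """Probe every PID the kernel could have handed out.  The listing is
    taken before and after the probe so a process that exits mid-scan is
    not reported; one that is born and dies inside the window still can
    be, so a repeat scan confirms a finding."""
    if max_pid is None:
        with open(f"{PROC}/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    before = listed_pids()
    alive = {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}
    listed = before | listed_pids()
    return cross_view_diff(listed, alive, thread_group_id)


if __name__ == "__main__":
    found = scan()
    print("processes hidden from /proc:", found or "none")
```

Run it as root so EPERM never masks anything; a non-empty result means something answers the kernel but is missing from the listing every ps-style tool relies on. The Windows tools in the article do the same comparison against the kernel's own process and file structures instead of /proc.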

Once the rootkit is active on your system, it can do all sorts of nasty things. Keystroke logging, password stealing, spam spewing, and surreptitious monitoring of your activities are all possible. And worse, you may not realize that any of this is happening. If you sense that your computer or Internet connection is slower than it should be, it's a good idea to scan for rootkits.

Removing a Rootkit

Eradicating a rootkit once it's entrenched in your operating system is very difficult, and you can never be quite sure you got all of it. So system administrators often don't try to dig out rootkits. Instead, they back up the data files from the infected machine (data only, not programs); reformat the hard drive; and reinstall the operating system and applications from trusted media or a known-clean image. Where do the sysadmins get a perfect copy of all those things from which to restore them?

This is where regularly scheduled hard drive imaging becomes a very good idea. If you make an exact duplicate of your hard drive while it is not infected with a rootkit payload, you can restore your system to the way it was before an infection. Two cautions: the image must be taken while the machine is known to be clean, since an image made after the infection simply preserves the rootkit; and it should be kept where the infected system can't reach it, such as an external drive that stays unplugged or a set of DVDs. Note also that an image of the Windows partition alone does not include the Master Boot Record, so a rootkit living there survives a partition-only restore; image the whole disk, or rewrite the MBR as well (fixmbr from the Windows Recovery Console does this). (See my related article on making a Hard Drive Backup Image.)
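
The same known-clean baseline also gives you a cheap way to find out which system files a rootkit has replaced in place (the "same name, different contents" trick described earlier) without restoring anything. The following is an added example, not code from the article or from any of the products it names: it hashes every file under a directory on a clean system, stores the manifest, and later diffs a fresh hash run against it. The file names in the demo scenario (ntdll.dll, rk.sys and so on) are constructed sample data in a temporary directory.

```python
"""File-integrity baseline: hash every file under a root on a known-clean
system, store the manifest off the machine, and later diff a fresh run
against it.  A rootkit that overwrites a system file under its original
name keeps the name and often the size, but it cannot keep the SHA-256."""
import hashlib
import json
import os
import shutil
import tempfile


def hash_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> sha256 for every regular file under root.
    Symlinks are skipped so a link pointing outside root is not hashed."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def save_baseline(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """The three buckets a responder wants: files replaced in place (the
    rootkit trick), files that appeared, and files that vanished."""
    base, cur = set(baseline), set(current)
    return {
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
    }


def demo():
    """Constructed scenario: baseline a tiny 'system' tree in a temp dir,
    then overwrite one file with same-length bytes under its own name and
    drop a new driver file, and see what the diff reports."""
    root = tempfile.mkdtemp(prefix="rk-demo-")
    fd, manifest_path = tempfile.mkstemp(suffix=".json")  # kept outside root
    os.close(fd)
    try:
        os.makedirs(os.path.join(root, "system32"))
        clean = {
            "system32/ntdll.dll": b"clean ntdll bytes",
            "system32/kernel32.dll": b"clean kernel32 bytes",
            "boot.ini": b"[boot loader]\n",
        }
        for rel, data in clean.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        save_baseline(build_baseline(root), manifest_path)

        # the rootkit: same name, same length (17 bytes), different bytes
        with open(os.path.join(root, "system32/ntdll.dll"), "wb") as f:
            f.write(b"EVIL  ntdll bytes")
        with open(os.path.join(root, "system32/rk.sys"), "wb") as f:
            f.write(b"hidden driver")

        return compare(load_baseline(manifest_path), build_baseline(root))
    finally:
        shutil.rmtree(root)
        os.remove(manifest_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two rules make this worth anything: the baseline must be taken from a system you know is clean, and the comparison run should be done from a bootable rescue CD with the suspect disk merely mounted, because a rootkit that is running can hook file reads and hand the hasher the original bytes while the replaced file stays on disk.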

If you haven't been making disk images regularly, or you suspect the rootkit was already on the machine when the image was made, then you can try a rootkit removal utility. There are several free and paid products available. Here are some I recommend, because they come from trusted sources and have earned a good reputation for detecting and removing rootkits:

  • F-Secure BlackLight is a rootkit detector that works by finding objects that are hidden from both users and security tools. BlackLight examines your system at a deep level and gives you the option to remove any nasty malware or rootkits that are detected.
  • Sophos Anti-Rootkit is an advanced rootkit detection program which can be operated from a friendly graphical interface or the command line.
  • Trend Micro Rootkit Buster scans your system's hidden files, registry entries, active processes, driver software, and can even detect Master Boot Record rootkits.
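
Since the last tool above checks the Master Boot Record, here is what such a check amounts to, as an added example that is not Trend Micro's code or the article's own. The MBR is the first 512-byte sector of the disk: 440 bytes of boot code that run before Windows does, a 4-byte disk signature plus 2 reserved bytes, four 16-byte partition entries, and the 55 AA signature. An MBR rootkit replaces the boot code, so the boot code is what you hash and compare with a hash taken from your clean image; the disk signature is excluded because it legitimately differs from disk to disk. The sample sector and its "known-good" hash below are constructed; reading the real one (open(r"\\.\PhysicalDrive0", "rb").read(512) on Windows, /dev/sda on Linux) needs administrator rights.

```python
"""Master Boot Record check: parse the first sector of a disk, compare its
boot code with a hash taken from a known-clean image, and sanity-check the
partition table.  The sector here is constructed; on a real disk read it
from the raw device as administrator/root."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # 0x000-0x1B7: code the BIOS jumps into
DISK_SIG_OFF = 440       # 0x1B8: 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # 0x1BE: four 16-byte partition entries
SIGNATURE_OFF = 510      # 0x1FE: must be 55 AA


def boot_code_hash(sector):
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def parse_mbr(sector):
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFF:] != b"\x55\xaa":
        raise ValueError("missing 55AA boot signature")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFF + 16 * slot
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": slot, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": sectors})
    return {"boot_code_sha256": boot_code_hash(sector),
            "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
            "partitions": partitions}


def check_mbr(sector, known_good_boot_code_sha256):
    """Findings a responder would act on; an empty list means nothing odd."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != known_good_boot_code_sha256:
        findings.append("boot code differs from known-good baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable, expected 1")
    for p in info["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition slot {p['slot']} has a zero start or length")
    return findings


def make_mbr(boot_code, entries, disk_signature=b"\x12\x34\x56\x78"):
    """Assemble a sector from boot code bytes and (bootable, type, lba_start,
    sectors) tuples.  CHS fields stay zero; modern boot code uses LBA."""
    assert len(boot_code) <= BOOT_CODE_LEN
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = disk_signature
    for slot, (bootable, ptype, lba_start, sectors) in enumerate(entries):
        off = PART_TABLE_OFF + 16 * slot
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, sectors)
    sector[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed sample: a short stand-in for boot code, one bootable NTFS
# (type 0x07) partition starting at sector 2048.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20
CLEAN_MBR = make_mbr(CLEAN_BOOT_CODE, [(True, 0x07, 2048, 204800)])
BASELINE = boot_code_hash(CLEAN_MBR)  # in practice: taken from the clean image

# The rootkit keeps the partition table intact (so the machine still boots)
# but swaps the first bytes of the boot code for a jump into its own loader.
TAMPERED_MBR = make_mbr(b"\xeb\x3e" + CLEAN_BOOT_CODE[2:],
                        [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("clean sector:   ", check_mbr(CLEAN_MBR, BASELINE) or "no findings")
    print("tampered sector:", check_mbr(TAMPERED_MBR, BASELINE))
```

The same caveat as with file hashes applies, only more so: an MBR rootkit commonly intercepts reads of sector 0 from the running system and hands back the original boot code, so the sector you check must be read from a rescue CD or with the disk attached to a clean machine.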

Since rootkits are sneaky and hard to detect, you might not even know if you've been infected. To stay safe I recommend that you use a firewall, install both anti-virus and anti-malware software, and periodically do a rootkit scan with one or more of the tools listed above. One caveat: a rootkit that is already running can hide from a scanner that runs on top of the infected Windows, so if a scan comes up clean but the symptoms persist, scan again from a bootable rescue CD, where the suspect operating system is never started and gets no chance to lie to the scanner.


Posted by on 3 Sep 2009


Most recent comments on "How to Remove Rootkits"

Posted by:

j
04 Sep 2009

Thanks for these links, Mr Rankin. CNET (http://techrepublic.com.com/) just cited an additional anti-rootkit resource to check, recommended by Dr Joe Nazario of Arbor Networks (who wrote Malwarebytes Anti-Malware), called GMER:
http://www.gmer.net/


Posted by:

J Wright
09 Sep 2009

Though I don't know how good the rootkit checker is, BitDefender has a CD that runs a Knoppix Live system in your RAM. Since nothing on the hard drive is run until the scans, nothing can hide or get control of your system.

You do have to burn the iso image to a blank CD then boot to the CD. This isn't the same as copying the iso file to the CD, so it takes special software to burn the image.

Read about, and download, BitDefender and some other CDs that perform this feat here:
http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/


Posted by:

Bryan Graham
09 Sep 2009

It would be more than a little handy if you would note which of your software recommendations are for Windoze only.

EDITOR'S NOTE: Are you telling me that Mac OS X is vulnerable to attack by viruses, spyware and rootkits? Say it isn't so!

All of the ones listed are for Windows. You might try "OS X Rootkit Hunter" for Macs.


Posted by:

Jack
10 Sep 2009

For MS-Windows systems, try Sysinternals' excellent RootkitRevealer and related file and system utilities at http://www.sysinternals.com/


Posted by:

Newzjunque
12 Sep 2009

Once again many thanks for your informative article. I am extremely grateful for your brief, detailed yet concise information. I now have one more thing to worry about... ;D


Posted by:

Phil
31 Mar 2010

I've looked at your site and others and diagnosed the following: My system is running Windows XP SP2 with the McAfee AT&T security suite, and a 2wire 2701hg-b modem/firewall is active.

Trend Micro RootkitBuster found a fake master boot record and Avira AntiVir Rescue (on CD-ROM) found 4 .dll files detected as worm/zhelatin.awv. I submitted the .dll (all the same) to multiple scanners (using virscan.org and VirusTotal) and the confirmation is that I have a Trojan downloader, Win32 Mebroot variety.

I copied the hard drive in an attempt to at least have a good backup, but still got the Trend Micro BIOS message saying we were infected after booting up the original hard drive again. The copy didn't get that error message, but it might still not be 'clean'.

No data appears to be missing in the 3 weeks since then and I can use the computer normally (so far), but the first day the computer was up and running again, thousands of files on the C drive were copied under the path c:\documents and settings\help assistant.

I read that the Microsoft Recovery Console fixmbr can be used, but the system requirements are XP SP3 to download it and I only have XP SP2. Maybe there is a version that will run with SP2.

This scares me because I still need to complete my taxes in the next 2 weeks and school is on spring break but I have homework and exams due 1 week from today. Thank you for your website! Phil


Posted by:

DW
09 Mar 2011

SORRY GUYS. I registered Sophos, installed it and it says no hidden kits found. Which is strange, because Avast just minutes ago red-flagged itself saying there is the Rootkit Worm on my HD. Hello? I'm trying the Trend Micro version of Anti-RootKit now. Let's see if this makes a difference. Whoever invents viruses, malware and spyware should be lined up and shot in the f*ckin head! Perhaps we should pass some pretty harsh laws demanding 50-year minimum prison sentences for these morons. Shot or prison... either way, this nonsense has got to stop. -dw


Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- How to Remove Rootkits (Posted: 3 Sep 2009)
Source: http://askbobrankin.com/how_to_remove_rootkits.html