I Think I Have a Rootkit!

Category: Security

For the past two days, my computer has been running very slowly, and crashing every few hours. I've run scans for malware and viruses, but they came up empty. I'm thinking maybe I picked up a rootkit infection - what do you advise?


How to Detect a Rootkit

A rootkit is a type of malware package that is extremely difficult to detect and eradicate. That's because a rootkit actively hides itself from standard operating system tools like Task Manager and Windows Explorer: it intercepts the system calls those tools use to list processes, files and registry keys, and filters its own entries out of the results before they are displayed. Worse, a rootkit often disables anti-malware programs found on the infected system. The rootkit may also block access to Web sites that offer help with rootkit elimination, or even prevent your browser from opening at all.

Since you can't see a rootkit directly, you can only infer the possibility of one from otherwise inexplicable abnormal behavior on your system. Some symptoms of a potential rootkit infection include:

  • A spate of system crashes (the Blue Screen of Death) on a system that previously ran trouble-free.
  • Random slowdowns indicating that something invisible is consuming CPU, disk or network resources. Task Manager's Performance or Networking tab may show an unusually high level of activity with no visible process to account for it.
  • Erratic behavior of input and pointing devices, i.e., the mouse freezes or the keyboard does not respond.
  • Your anti-malware program does not start after a reboot, or its real-time protection is turned off without your doing so.
  • You can't reach certain Web sites, particularly sites devoted to security issues, or cannot open your Web browser at all.
  • An unusual increase in network traffic; something is using your Internet connection without your knowledge. Your modem or router's activity lights flickering while you are doing nothing online is one visible sign.

Rootkit Detection and Removal Tools

If you've already done a thorough scan for malware and viruses, it's time to try a more specialized tool. Some tools that can help locate rootkits on a system include Microsoft's Sysinternals RootkitRevealer, Tizer Rootkit Razor, and IceSword. Most of them work the same way: they compare what the Windows API reports (the view a rootkit has already filtered) against the raw contents of the disk and registry, or the kernel's own tables, and flag every discrepancy. But these tools are not one-click solutions to rootkit problems. It takes pretty advanced technical skills to interpret their findings (a discrepancy is not always malicious), and even more to actually do something about a rootkit.
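The cross-view comparison those scanners rely on can be tried by hand on the page's own symptom of unexplained network activity. The Python script below is an added example, not code from this article or from any of the tools it names: it takes the PIDs that own sockets in `netstat -ano` output and the PIDs that `tasklist` (the same API view Task Manager uses) reports, and lists any socket owner that is absent from the process list. The netstat and tasklist text embedded in it is constructed for the example (PID 3120 is the planted hidden process), and the function names are mine.

```python
"""Cross-view check: processes that own network sockets but are missing
from the process list.  Added example; the sample data is constructed."""
import re
import subprocess
import sys

# Constructed sample of `netstat -ano` output in the Windows 7 format.
# PID 3120 holds an outbound connection but is absent from the tasklist below.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    192.168.1.10:49201     93.184.216.34:443      ESTABLISHED     1844
  TCP    192.168.1.10:49377     198.51.100.23:6667     ESTABLISHED     3120
  UDP    0.0.0.0:5355           *:*                                    1080
"""

# Constructed sample of `tasklist` output (the Win32 API view that
# Task Manager also relies on, and the view a rootkit filters).
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
svchost.exe                    700 Services                   0      5,120 K
svchost.exe                   1080 Services                   0      9,880 K
firefox.exe                   1844 Console                    1    212,332 K
"""


def parse_netstat(text):
    """Map each owning PID to a list of its (proto, local, remote, state) sockets."""
    owners = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto, local, remote = parts[0], parts[1], parts[2]
        # UDP rows have no State column; the PID is the last field either way.
        state = parts[3] if proto == "TCP" and len(parts) == 5 else ""
        owners.setdefault(int(parts[-1]), []).append((proto, local, remote, state))
    return owners


# Image names may contain spaces ("System Idle Process"), so anchor on the
# PID followed by a session name rather than splitting on whitespace.
_TASKLIST_ROW = re.compile(
    r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(Services|Console|RDP-Tcp#\d+)\s")


def parse_tasklist(text):
    """Map each PID in tasklist output to its image name."""
    procs = {}
    for line in text.splitlines():
        m = _TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("image").strip()
    return procs


def cross_view_diff(api_view, raw_view):
    """Items the lower-level view knows about that the API view omits.
    This set difference is the core of every cross-view rootkit scanner."""
    return set(raw_view) - set(api_view)


def hidden_socket_owners(netstat_text, tasklist_text):
    """Return {pid: [sockets]} for PIDs that own sockets but are not listed."""
    owners = parse_netstat(netstat_text)
    procs = parse_tasklist(tasklist_text)
    return {pid: owners[pid] for pid in sorted(cross_view_diff(procs, owners))}


def live_views():
    """Capture both views from the running Windows machine (real use)."""
    net = subprocess.check_output(["netstat", "-ano"], text=True)
    tl = subprocess.check_output(["tasklist"], text=True)
    return net, tl


if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        net, tl = live_views()
    else:
        net, tl = NETSTAT_SAMPLE, TASKLIST_SAMPLE
    hidden = hidden_socket_owners(net, tl)
    if not hidden:
        print("No socket owner is missing from the process list.")
    for pid, socks in hidden.items():
        print(f"PID {pid} owns sockets but is not in the process list:")
        for proto, local, remote, state in socks:
            print(f"  {proto} {local} -> {remote} {state}".rstrip())
```

Run it without arguments to see the constructed case, or with `--live` on a Windows machine to compare the real `netstat -ano` and `tasklist` output. Two caveats apply to any cross-view check. A process that exits between the two snapshots also shows up as "missing", so repeat the run before treating a hit as evidence. And a rootkit that hooks the network stack as well as the process list hides from both views, which is why the specialized scanners compare against raw disk and registry contents rather than against another API.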

Rootkit removal utilities for non-technical computer users are relatively rare, probably because rootkits themselves are rare. F-Secure BlackLight detects objects that are hidden from users and security tools, and offers the option to remove them. Trend Micro's RootkitBuster is a standalone rootkit eradicator from a trusted name in anti-malware products. Sophos Anti-Rootkit is another free rootkit detection and removal tool. Before relying on a clean result from any of them, check that the tool supports your version of Windows, and in particular the 64-bit edition if that is what you run; a tool that refuses to run on your system has not given you a clean bill of health.

It's best to run multiple rootkit scanners on a system you suspect is infected. No anti-malware program catches everything. Even if all of the scans turn up negative for rootkits, there is still a chance that your computer is infected. I've been saving the worst news for last.

The only way to be 100 per cent sure you have eliminated a rootkit is to wipe your hard drive completely and re-install everything from trusted media (like a CD or DVD). And by "wipe," I don't mean simply reformatting the drive. First copy your personal data files (documents, photos and the like, not programs) to external media, and plan to scan them with an up-to-date anti-malware program before you bring them back. Then delete the partition(s), shut down the computer to kill any malware that may lurk in RAM, and boot from your Windows CD rather than from the hard drive. Then start all over with creating partition(s) and installing the OS, application software, etc. This deals with anything living on the hard drive; the rare rootkit that installs itself into the computer's BIOS firmware is beyond what a reinstall can fix. If that sounds daunting, see my articles Reformat Hard Drive Under XP and Reformat Windows 7 Hard Drive for some help with the process.

Preventing rootkits from installing themselves on your computer is the best strategy, obviously. Use the Internet only from a limited-user (standard) account, not from an administrator account; a rootkit needs administrator rights to load its driver into the kernel, so malware that lands in a limited account cannot get that deep into the system without first finding a way to elevate itself. Be careful what you download and click on, keep Windows and your browser patched, and keep your anti-malware software up to date.

Do you have something to say about rootkits? Post your comment or question below...

Posted on 3 Aug 2011


Most recent comments on "I Think I Have a Rootkit!"

Posted by:

Dee
03 Aug 2011

The best strategy (not listed here, and I understand why) is to just chuck your hard drive and buy a new one!

That's what I did, since my computer was rather old, and I wanted to upgrade. And I was not willing to spend time with procedures to "fix" it.


Posted by:

Dave
03 Aug 2011

RootkitBuster does not support any 64-bit OS.

I downloaded it, but it would not run for W7-64.


Posted by:

Lefty
04 Aug 2011

Computer users should learn to read and understand the flashing red and green lights on their DSL modems. This can tell you if there is suspicious activity on the internet.


Posted by:

René Zaldumbide
04 Aug 2011

I've checked and couldn't find any. However, the problem could be resolved if I could find a way to improve RAM release?
It seems that once a web page is closed, the CPU resources originally allocated to it are not released back for future use; consequently, at some point the system bogs down...
Appreciate your help. Thanks.

OS: Windows XP Workstation

Processor:
2.50 gigahertz Intel Pentium 4
8 kilobyte primary memory cache
512 kilobyte secondary memory cache
Not hyper-threaded

Mother Board:
Dell Computer Corporation 07W080 A00
Serial Number: ..CN70821338G13X.
Bus Clock: 400 megahertz
BIOS: Mitac International A02 03/24/2003

Memory Modules
Slot 'A0' has 512 MB
Slot 'A1' has 512 MB


Posted by:

Ari
04 Aug 2011

Very timely article.
Usually I am very careful when download free tools from website. I had one photo editing freeware installed on computer and from their website photo--.com I got another freeware and installed. After that I noticed computer started behaving strangely. Then IE 9 and Firefox home page changed to their website even had toolbar installed(which I do not install in any case).

Therefore, I uninstalled the suspected freeware but my computer kept behaving strangely. Therefore I ran Antivirus soft nothing changed so far. Later I ran Norton Rescue Tool. Though it did not find anything but computer is back to normal.

During performing above mentioned process at that time I come to know the term "Rootkit" and got more detailed in this Bob's informative article. As Bob said "It's best to run multiple rootkit scanners on a system you suspect is infected" I am going to try.


Posted by:

D\7m
04 Aug 2011

About avoiding rootkits, finally, you suggest the following: "Use the Internet only from a limited-user account, not from an administrator account."

How does one do that? I'm the only one who ever uses my computer, so I assume I'm always using it as an administrator.

EDITOR'S NOTE: Go to Control Panel / User Accounts to create a new non-admin user, and then login as that user.


Posted by:

Lee McIntyre
05 Aug 2011

Bob, you wisely suggest setting up a non-administrator account and using it for Internet browsing: "Go to Control Panel / User Accounts to create a new non-admin user, and then login as that user."

However, the new account you set up will not have your desktop configured the way you want it, will have the default Start Menu, etc.

Would not a better way be to create a NEW ADMIN account, using the steps you outlined, then change your EXISTING account type from Admin to Non-Admin? That way you'll be using your existing account for most computer interaction, and you won't have to recreate all your settings.

When you do need Admin access for a special purpose, you probably won't care at that moment if your desktop looks a little unusual.


Posted by:

Ted Webber
01 Sep 2011

I'm using Unhackme from http://www.greatis.com/unhackme/download.htm to scan at boot time. What is your opinion of this, Bob?



Copyright © 2005 - Bob Rankin - All Rights Reserved

Article information: AskBobRankin -- I Think I Have a Rootkit! (Posted: 3 Aug 2011)
Source: http://askbobrankin.com/i_think_i_have_a_rootkit.html

 