Rootkits: Evil, Nasty and Sneaky!

Category: Security

A reader asks: 'My computer is acting strangely, and a friend said I might have a rootkit. What exactly is a rootkit, and how is it different than a virus? Also, how can I detect and remove rootkit infections from my computer?' Read on to learn more about this insidious threat to your security and privacy...

What is a Rootkit?

Of all the nasty, evil, sneaky malware ever to infect millions of computers, the species known as the "rootkit" may well be the nastiest, evilest, and sneakiest. Rootkits are very difficult to detect, harder still to locate even after their effects have been noticed, and difficult to eradicate.

A rootkit is a stealthy form of malware that is designed to take control of the infected computer with administrator (root) privileges, and do so without the user's awareness. With a rootkit implanted in your computer, bad guys can use your system to commit crimes, transmit your private data to a bad guy, or use your computer to send spam emails. Rootkits can even lock you out of your own system, but typically they want to run undetected.

A rootkit is a type of malware package that is extremely difficult to detect and eradicate. That's because a rootkit actively hides itself from standard operating system tools like Task Manager and Windows Explorer. But even worse, rootkits often elude detection by popular anti-malware software. Once embedded in your computer, a rootkit may disable anti-malware programs or modify operating system components so that built-in security functions ignore the rootkit and whatever it does.
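The countermeasure anti-rootkit scanners use against this kind of hiding is a cross-view comparison: enumerate processes two independent ways and flag whatever one view shows but the other omits. The Linux script below is an added example written for this article, not code from the article or from any tool it names; it lists /proc, probes every PID with signal 0, and reports the difference.

```python
"""Cross-view process check, the technique anti-rootkit scanners use to catch
processes hidden from ps/top (Task Manager on Windows): enumerate processes two
independent ways and report what one view shows but the other omits.
Added example (Linux only); not code from the article or any product it names."""
import os

def list_proc_pids():
    """View 1: the numeric /proc entries that ps/top read."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def probe_pids(max_pid):
    """View 2: kill(pid, 0) for every PID. ProcessLookupError means absent;
    success or PermissionError means a process (or thread) exists."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found

def is_thread_id(pid):
    """kill() also answers for thread IDs, which are never top-level /proc
    entries; drop them via Tgid. An unreadable status file stays a candidate."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False

def hidden_pids(listed, probed, thread_check=lambda pid: False):
    """PIDs the probe sees but the listing does not. Processes that exit between
    the two views are noise, so real scanners repeat the pass several times."""
    return sorted(p for p in probed - listed if not thread_check(p))

def demo_constructed_views():
    # Constructed sample: PID 4444 answers the probe yet is absent from /proc.
    listed = {1, 42, 815, 1200}
    probed = {1, 42, 815, 1200, 4444}
    return hidden_pids(listed, probed)

def scan_live():
    """Run the real comparison on this Linux host (a few seconds on a large pid_max)."""
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    return hidden_pids(list_proc_pids(), probe_pids(max_pid), is_thread_id)
```

`scan_live()` needs Linux; a non-empty result that survives several repeated passes is what a scanner would report as a hidden process, while a PID that appears only once is usually a process that exited between the two views.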

How can a computer become infected with a rootkit? There are many possibilities: compromised websites, unpatched security holes in your operating system, vulnerabilities in application software, rogue anti-malware software, USB flash drives, and infected downloads from torrent or file-sharing sites.

Because rootkits are meant to operate in stealth mode, it can be difficult to detect them on your computer. Since you typically can't see a rootkit, you can only infer the possibility of one from otherwise inexplicable or abnormal behavior on your system. Some symptoms of potential rootkit infection include:

  • Your anti-virus program has been disabled.
  • A spate of system crashes (the Blue Screen of Death) on a system that previously ran trouble-free.
  • Random system slowdowns indicating that something invisible is consuming network or system resources. Task Manager's Performance or Networking tabs may indicate an unusually high level of CPU or network activity.
  • Erratic behavior of input and pointing devices, e.g., the mouse freezes or the keyboard does not respond.
  • You can't access certain Web sites, particularly sites devoted to security issues, or cannot open your Web browser at all.
  • Unusual increase in network traffic; something is using your Internet connection without your knowledge.

Once the rootkit is active on your system, it can do all sorts of nasty things. Keystroke logging, password stealing, spam spewing, and surreptitious monitoring of your activities are all possible. And worse, you may not realize that any of this is happening. If you sense that your computer or Internet connection is slower than it should be, or you notice any of the symptoms above, it's a good idea to scan for rootkits.

Removing a Rootkit

Eradicating a rootkit once it's entrenched in your operating system is very difficult. One possibility is to use a recovery disc, to return your system to its original "factory fresh" condition. It's a bit extreme, because you'll lose all your personal files, software that you've installed, and customized settings. If you have backup copies of your documents, photos and music, and installation media for your software, you could restore them after using the recovery disc.

But if you're doing regular full system backups (also called backup images), you could instead try restoring your system from a known good state. This is easier and less destructive than the full system wipe that a recovery disc will do. I encourage you to read my ebook Everything You Need to Know About BACKUPS, where you'll learn about backup strategies and how to make sure all your important data is safe from malware threats, hardware failures, and other data disasters.

If you haven't been making backup images regularly, or you suspect the rootkit is also present in your backup images, then you can try a rootkit removal utility. There are several free and paid products available. Here are some I recommend, because they come from trusted sources and have achieved a good reputation for detecting and removing rootkits:

  • Sophos Anti-Rootkit is a free, advanced rootkit detection program which can be operated from a friendly graphical interface or the command line.
  • UnHackMe by Greatis Software is a highly-rated anti-rootkit utility. It can be a bit overwhelming for novice users, but if you read the wizard's somewhat technical instructions and follow them carefully, cleaning out a rootkit is a pretty straightforward process. UnHackMe is free to use for 30 days, and costs $34.90 to purchase.
  • Kaspersky's TDSSKiller rootkit removal utility is a free download that's often recommended for disinfecting systems that have rootkits.
  • Trend Micro Rootkit Buster scans your system's hidden files, registry entries, active processes, driver software, and can even detect Master Boot Record rootkits.
  • I'll mention F-Secure Blacklight, because readers are sure to mention it if I don't. But this program was last updated in 2009, and is no longer supported by F-Secure, so I no longer recommend using it.
  • Finally, there's Rootkit Hunter for Linux and Mac OS X systems. But it requires a fair degree of Unix geekery to use.

Beware of downloading rootkit removal utilities from any unknown third-party distribution site. The rootkit removal tool itself may be malware. Also, it's best to run multiple rootkit scanners on a system you suspect is infected. No anti-malware program catches everything.

Tips for Staying Safe

Since rootkits are sneaky and hard to detect, you might not even know if you've been infected. So preventing rootkits from installing themselves on your computer is the best strategy, obviously. To stay safe I recommend that you use a firewall, install anti-virus software (see my list of free anti-virus programs) and periodically do a rootkit scan with one or more of the tools listed above.

It's also a good idea to use the Internet only from a limited user account, not from an administrator account. And of course, be careful what you download and click on.

Do you have something to say about rootkits? Post your comment or question below...

This article was posted by on 2 Jul 2013


Most recent comments on "Rootkits: Evil, Nasty and Sneaky!"

Posted by:

02 Jul 2013

Malwarebytes also has an Anti-Rootkit BETA available at
I've used it successfully in the past.


Posted by:

02 Jul 2013

None of the suggested rootkit software listed states it will work with Windows 8

EDITOR'S NOTE: That's true, but I'm pretty sure any of them that work with W7 will also work on W8.

Posted by:

Robert Kemper
02 Jul 2013

Thanks Bob, for the up to date pertinent information on Rootkit detection and removal.

Posted by:

02 Jul 2013

Another source of rootkits: Sony music CDs :)

Posted by:

02 Jul 2013

The latest Spybot has a root kit scanner now.

Posted by:

frank bonner
03 Jul 2013


Posted by:

03 Jul 2013

Just as there's no such thing as an anti-virus program that's 100% effective 100% of the time, it's probably safe to say there's no such thing as an anti-rootkit program that's 100% effective 100% of the time. Running multiple scans might allow one product to catch something another product missed.

Posted by:

Des M
03 Jul 2013

Thanks for the timely 'heads-up'. Followed Tony's idea and downloaded from MBAM. Installed and ran and found two infections which were then cleaned out. Had no idea that there might be an infection of any kind despite running MBAM Antibytes every week. You simply can't be too careful.

Posted by:

Des M
03 Jul 2013

A PS to my earlier message after running Malwarebytes AntiRootkit. Thought I would try the 'belt and braces' approach and run the Sophos program as well. Duly installed and run. Since it is also an antivirus program, it took a very long time to process my PC (Has three large external drives). It found another eight malware entries - most which were found, via Google, to be Sophos findings. My normal antivirus program is Microsoft Security Essentials. The plot thickens.....

Posted by:

03 Jul 2013

Bob ... Thanks again, for bringing up timely information! I have known that "rootkits" were nasty little buggers, but, I was never exactly sure what "rootkits" were. Again, thank you for the good explanation.

I agree, that looking for malware, spyware or rootkits, you may have to use several different programs, to address the whole issue. I know that is time consuming, however, what are your other choices, at this time? You can either spend the extended time to try to keep your PC free of malware, spyware or rootkits ... Or ... You can spend a lot of time, re-formatting your hard drive, re-installing your OS and looking for all the programs that you had installed on your PC. Personally, I think that I opt for the first choice. :)

Posted by:

04 Jul 2013

The main feature of rootkits is that they modify the operating system to get privileges to be a part of the operating system itself. This is why they are invisible to many antimalware programs. There are some particular tools for that, like process analyzers, that don't work automatically and you need to detect suspicious modules yourself. This is the only way of 100% detection. Of course, if you know how to detect those evil creatures.

I am surprised nobody mentioned Avira, which used to have a special antirootkit program (that never worked for me, giving error messages only), but now it is a part of the antivirus. And guys, remember, the more simultaneously working antimalware programs you have, the lower the probability to catch anything, but the higher the probability to slow down your computer and conflicts and even total war between them. I used to run Malwarebytes with Avira Guard on; it works like a charm, saving me time by the only check by two programs, but recently I've got a conflict - Avira blocked some malware from deleting by Malwarebytes, also blocked the final removing process of other malware that Avira didn't recognize. So now I turn Guard off and then run Malwarebytes. Historically there were two classes of antimalware programs - antiviruses and antispyware/antiadware. Now it's mostly blended together, but I'd rather say that this difference is still actual and run Avira and Malwarebytes separately for those classes of malware. Mostly it brings different results. But this is my personal preference and you can find another combination better.

Posted by:

Old Man
05 Jul 2013

Thank you for the information. I got Sophos and it does work with Win 8. With the number of large HDs (some 1.5T) it took a while, but not as long as I expected. No infection found - yeah!

Also thank you to Duane who mentioned Spybot also includes a rootkit checker. So, now I have two. Still, I may look into Malwarebytes as Tony suggested. As others have said, no one product catches everything.

Posted by:

06 Jul 2013

I recently had Internet Security Virus removed from my Dell Inspiron laptop. Since then I have had trouble downloading things. I can't download my paystubs (adobe), music from youtube (with a converter) and just now I tried to download Sophos Virus Removal Tool and I got the same message. "Sophos Virus Removal Tool.exe contained a virus and was deleted". Any ideas what's wrong? Thanks.

Posted by:

Mary Ann
10 Jul 2013

Bob, starting a McAfee scan, I noticed one of the first items scanned was "rootkit." If I have a rootkit why is the McAfee scan overlooking it? I also have MBAM and it hasn't detected a rootkit.

Should I be worried?

Posted by:

15 Jul 2013

A couple days elapsed before I noticed that my AVAST scan log showed a ROOTKIT in many (over 40) winsxs (including amd64-system) files. Subsequent AVAST scans (including boot-time) showed no ROOTKIT; nor did Windows Anti-Malware, Windows Defender, MalwareBytes, nor SPYBOT ROOT-KIT.

Due to false-positives in the past, my AVAST is set to do "recommended action" upon my manual APPLY after reviewing scan results. I haven't done this, because I fear breaking my computer by moving/deleting system files, if a False Positive.

The big reason I fear False Positive is because I practice "safe-surf" and AVAST seems to only find Infections on the days when there's a major Windows Update (esp. 2nd Tues of the month).

I can't find understandable info online. Should I do a system restore to an earlier date? Should I "quarantine" or just ignore AVAST (and maybe switch to some other AV suite)?

Posted by:

17 Aug 2014

I clicked on a post from Ask Leo and found your site. I accidentally found this page, which scared me, because: Yesterday, I did a full scan with McAfee, which came installed on my new Dell laptop. The last file to be scanned was rootkit. It took a long time. Then I read this. I just got off of a chat with McAfee. I've been told the Rootkit that was scanned is supposed to be on my hard drive and has nothing to do with Rootkit malware. Though I was pretty sure that if it were malware, it wouldn't have shown up as a file on the McAfee scan, I still had to be reassured. I'm obviously very uneducated about this. What would be an official name for a malware rootkit other than rootkit?

Posted by:

19 Dec 2015

There is another type of rootkit that is taking control of the firmware at the Bios level. It stores itself in the CMOS and on hidden partitions on the drive and actively scans for other devices to infect. I have tried every malware removal tool and occasionally it appears to work temporarily until the system remounts the hidden partition and restores the infected files, which is pretty much the entire operating system drivers. This thing has destroyed every phone and every computer I own and I am running out of ideas. The rotor seems to have valid certificates for windows, Ubuntu, Google, iPhone and android, although many of them are expired. Has anyone else been affected by this type of routine? Any help would be much appreciated.

EDITOR'S NOTE: What are the symptoms of the problem on each device? How do you know it hides in the CMOS, on a hidden partition?

Copyright © 2005 - Bob Rankin - All Rights Reserved

Article information: AskBobRankin -- Rootkits: Evil, Nasty and Sneaky! (Posted: 2 Jul 2013)