How to get rid of rootkits?

What are rootkits?

A rootkit is a malicious program that can hide the presence of other harmful programs from the user and security softwares (antivirus, firewall ). Some rootkits install backdoors. Unlike viruses or worms, rootkits are not able to duplicate themselves.

To install a rootkit, it is necessary to have administrator rights on the machine.

The detection of rootkits is more complicated than for other malware.

The main actions of rootkits :

They may affect how the operating system (and possibly the kernel) works.

They are "invisible" (hidden process) which makes them difficult to disinfect.

The most common rootkits are:

ZeroAccess / Sirefef

Alueron/ TDSS TDL 4 (bootkits)

Note that:

The majority of Internet users use their administrator accounts instead of a limited account to browse the internet and this greatly facilitates the installation of rootkits on the machine!

More information about rootkits.

Disinfection methods

Getting Started

Rootkits can make the system unstable.

Prior to their removal, it is strongly recommended to backup important documents.

On the other hand, during the disinfection procedure, close all running programs and disable virus protection.

Save the scan reports and publish them on the appropriate forums, if needed.

First method : Malwarebyte 's Anti -Rootkit

Malwarebyte Antirootkit scanner provides an very effective solution.

Download and launch the program : httpsalwarebyteom/antirootkit/

Run a scan .

Remove the detected malicious elements .

Save the scan report .

Second method: RogueKiller

RogueKiller is a program that can detect rootkits (it is able to detect and remove ZeroAccess/Sirefef).

Download RogueKiller.

Close all programs

Start RogueKillere.

Wait until the prescan is over ...

Run a scan to unlock the Delete button.

Click on Delete.

Save the content of the report.

Third method: Using the Recovery Console

Thanks to the Recovery Console you can repair Windows (vital files are corrupted or lost), but it can also help to neutralize rootkits.

Fourth method: Gmer

Gmer is a powerful rootkit detector:

Visit this page and download Gmer under a random name (to deceive the Rootkit).

Run Gmer

The program launches and performs an auto scan.

Red lines should appear in case of infection.

Services: Right-click and delete Service

Process: Right-click and then kill process

Adl, file: Right-click and delete files

Easily identify roootkits:

When Gmer detect a rootkit or a hidden file, the corresponding line turns red .

At the end of the line you should see (for infections ) the following extensions:






Example of infection:





Fifth method: Combofix

It is advisable to seek advice on the forum before using Combofix (it is a very powerful tool).

Download https://download.bleepingcomputerom/sUBs/ComboFie ComboFix (by sUBs ) on your desktop .

Temporarily disable any resident protection Antivirus , Antispyware ..)

Double click on ComboFie (Under Vista, you must right-click on ComboFie and select Run as administrator).

Accept the license agreement.

The program will ask you if you want to install the Recovery Console, click on Yes.

When the operation is completed, a report will be created in :% ystemDrive% ComboFit (%systemdrive% is the partition where Windows is installed)

Online scans

It is advisable to perform an online scan to check for the presence of infected applications: Online scans!

Deactivation/reactivation of the System Restore

It is necessary to disable and enable System Restore to purge the infected restore points:

Trend-Micro Rootkit Buster

Mcafee Remover

AVG Anti-Rootkit

Sophos Anti-Rootkit

G Data Remover

Panda Anti-Rootkit



Hunter Jones

Hunter Jones

Next Post

Leave a Reply

Your email address will not be published. Required fields are marked *