How to get rid of rootkits?

December 2016



What are rootkits?


A rootkit is a malicious program whose purpose is to hide the presence of other harmful programs from the user and from security software (antivirus, firewall). Some rootkits also install backdoors. Unlike viruses or worms, rootkits do not replicate themselves: they are planted on a machine that has already been compromised.
  • Installing a rootkit requires administrator rights on the machine.
  • Detecting a rootkit is harder than detecting other malware, because hiding from detection is precisely what it is built to do.


The main actions of rootkits:
  • They alter how the operating system works, often by modifying the kernel itself (hooking system calls, hiding processes, files and registry keys).
  • Because their processes and files are hidden, they are difficult to disinfect with a classic scanner running inside the infected system.


The most common rootkits at the time of writing are:
  • ZeroAccess / Sirefef
  • Alureon / TDSS, TDL4 (bootkits, which infect the Master Boot Record and load before Windows)


Note that:
Most Internet users browse the web from an administrator account instead of a limited (standard) user account. Since a rootkit needs administrator rights to install, this greatly facilitates its installation on the machine!

Disinfection methods

Getting Started


Rootkits can make the system unstable, and removing one can leave the system unbootable if the rootkit had patched system files or the boot sector.
  • Before removal, it is strongly recommended to back up your important documents.
  • During the disinfection procedure, close all running programs and temporarily disable resident antivirus protection so it does not interfere with the removal tools (re-enable it afterwards).
  • Save the scan reports and, if needed, post them on the appropriate forums so that helpers can read them.

First method: Malwarebytes Anti-Rootkit

  • The Malwarebytes Anti-Rootkit scanner provides a very effective solution.
  • Download and launch the program: http://www.malwarebytes.org/products/mbar/
  • Run a scan.
  • Remove the detected malicious elements.
  • Save the scan report.

Second method: RogueKiller


RogueKiller is a program that can detect rootkits (in particular, it is able to detect and remove ZeroAccess/Sirefef).
  • Download RogueKiller.
  • Close all programs.
  • Start RogueKiller.exe.
  • Wait until the prescan is over.
  • Run a scan; the Delete button becomes available once the scan has completed.
  • Click on Delete.
  • Save the content of the report.

Third method: Using the Recovery Console


The Recovery Console (Windows XP; on Vista and later the equivalent is the Windows Recovery Environment, reached through System Recovery Options) lets you repair Windows when vital files are corrupted or lost. It can also help to neutralize rootkits, because it runs outside the infected Windows installation: files, drivers and boot code that the rootkit hides while Windows is running are visible and can be replaced from there.

Fourth method: Gmer


Gmer is a powerful rootkit detector:
Visit the Gmer download page and save Gmer under a random file name (some rootkits recognise the tool by its name and block it).
Run Gmer.
The program launches and performs an automatic scan.
  • Red lines appear in case of infection.
  • Services: right-click and delete the service.
  • Processes: right-click and kill the process.
  • ADS, files: right-click and delete the file.


Easily identify rootkits:
When Gmer detects a rootkit or a hidden file, the corresponding line turns red.
At the end of the line you will typically see (for infections) files with the following extensions or suffixes:
  • .dat
  • .exe
  • _nav.dat
  • _navps.dat
  • .sys

Example of infection (a random base name, here igeysiy, with several companion files in the same folder):
  • C:\Users\crilaud\AppData\Local\igeysiy.dat
  • C:\Users\crilaud\AppData\Local\igeysiy.exe
  • C:\Users\crilaud\AppData\Local\igeysiy_nav.dat
  • C:\Users\crilaud\AppData\Local\igeysiy_navps.dat
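The naming pattern above (one random stem, plus .exe, .dat, _nav.dat and _navps.dat companions in the same folder) can be checked mechanically rather than by eye. The following PowerShell function is an added example, not code from the CCM article or from Gmer: it parses "File" lines in the style of a Gmer listing, groups them by folder and stem, and reports a stem only when an .exe sits next to a _nav.dat or _navps.dat companion. A plain .exe/.dat pair is deliberately not reported, since legitimate software produces that combination all the time. The sample lines are constructed for the example; the first four mirror the infection above, the last two are a benign control case.

```powershell
# Added example (not from the CCM article or from Gmer): apply the article's
# naming heuristic to "File" lines written in the style of a Gmer listing.

# Constructed sample lines, not a real scan report.
$SampleLines = @(
    'File  C:\Users\crilaud\AppData\Local\igeysiy.dat'
    'File  C:\Users\crilaud\AppData\Local\igeysiy.exe'
    'File  C:\Users\crilaud\AppData\Local\igeysiy_nav.dat'
    'File  C:\Users\crilaud\AppData\Local\igeysiy_navps.dat'
    'File  C:\Users\crilaud\AppData\Local\Temp\setup.exe'   # benign control
    'File  C:\Users\crilaud\AppData\Local\Temp\setup.dat'   # benign control
)

function Find-SuspiciousFileSets {
    param([Parameter(Mandatory)][string[]]$Lines)

    # folder\stem -> set of suffixes seen for that stem in that folder
    $groups = @{}
    foreach ($line in $Lines) {
        # Only "File  <drive>:\<path>" lines are of interest here.
        if ($line -notmatch '^\s*File\s+(?<path>[A-Za-z]:\\.+?)\s*$') { continue }
        $path = $Matches['path']
        $dir  = Split-Path -Path $path -Parent
        $leaf = Split-Path -Path $path -Leaf

        # Lazy stem plus ordered alternation, so igeysiy_navps.dat splits as
        # stem "igeysiy" + suffix "_navps.dat", not "igeysiy_navps" + ".dat".
        if ($leaf -notmatch '^(?<stem>.+?)(?<suffix>_navps\.dat|_nav\.dat|\.dat|\.exe|\.sys)$') { continue }

        $key = Join-Path -Path $dir -ChildPath $Matches['stem']
        if (-not $groups.ContainsKey($key)) {
            $groups[$key] = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
        }
        [void]$groups[$key].Add($Matches['suffix'])
    }

    foreach ($key in ($groups.Keys | Sort-Object)) {
        $suffixes = $groups[$key]
        $hasNav = $suffixes.Contains('_nav.dat') -or $suffixes.Contains('_navps.dat')
        # Report only the discriminating combination: an executable with a
        # _nav.dat / _navps.dat companion. An .exe/.dat pair alone is too common.
        if ($suffixes.Contains('.exe') -and $hasNav) {
            [pscustomobject]@{
                Stem     = $key
                Suffixes = (($suffixes | Sort-Object) -join ', ')
            }
        }
    }
}

# With the sample above, only the igeysiy stem is reported; setup.* is not.
Find-SuspiciousFileSets -Lines $SampleLines | Format-Table -AutoSize
```

To use it on a real report, read the saved Gmer log with Get-Content and pass the lines to the function; treat a hit as something to look at, not as proof, and cross-check the folder with a second tool before deleting anything.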

Fifth method: Combofix

  • It is advisable to seek advice on the forum before using ComboFix: it is a very powerful tool and can damage the system if misused.
  • Download ComboFix (by sUBs) to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
  • Temporarily disable any resident protection (antivirus, antispyware, etc.).
  • Double-click on ComboFix.exe (under Vista and later, right-click on ComboFix.exe and select Run as administrator).
  • Accept the license agreement.
  • The program will ask whether you want to install the Recovery Console; click on Yes.
  • When the operation is complete, a report is created at %SystemDrive%\ComboFix.txt (%SystemDrive% is the partition where Windows is installed, usually C:).

Online scans


After the removal tools have run, it is advisable to perform an online scan with a second vendor's scanner to confirm that no infected files remain.

Deactivation/reactivation of the System Restore


Restore points created while the machine was infected can contain copies of the malicious files, and restoring one of them would bring the infection back. Disabling System Restore deletes all existing restore points; re-enabling it afterwards lets Windows create fresh, clean ones. Do this only once the system has been confirmed clean.
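The same purge can be scripted from an elevated Windows PowerShell 5.1 session on a Windows client. The function below is an added example, not part of the CCM article: it lists the existing restore points, disables System Protection on the drive (which deletes every restore point on it), re-enables it, and then creates a fresh checkpoint of the cleaned system. The drive letter is an assumption; adjust it to your system drive.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the CCM article): cycle System Restore to purge
# restore points taken while the machine was infected, then checkpoint the
# cleaned system. Uses the Windows PowerShell 5.1 System Restore cmdlets,
# which exist on Windows client editions only.

function Reset-RestorePoints {
    param([string]$Drive = "C:\")   # assumed system drive; adjust if needed

    Write-Host "Restore points before purge:"
    Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize

    # Turning System Protection off deletes every existing restore point on the drive.
    Disable-ComputerRestore -Drive $Drive

    # Turn it back on so Windows resumes creating restore points.
    Enable-ComputerRestore -Drive $Drive

    # Checkpoint the cleaned system. Note: from Windows 8 onwards, Windows creates
    # at most one restore point per 24 hours, so this call is skipped silently
    # if another restore point was created recently.
    Checkpoint-Computer -Description "Clean checkpoint after rootkit removal" -RestorePointType MODIFY_SETTINGS

    Write-Host "Restore points after purge:"
    Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
}

Reset-RestorePoints -Drive "C:\"
```

Run this only after the scans above come back clean; if the checkpoint is skipped because of the 24-hour limit, create one manually later from System Properties, System Protection.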

Further help

If you are unsure about a report or a removal step, post the saved reports on the CCM security forum: http://www.commentcamarche.net/forum/virus-securite-7


This document, entitled « How to get rid of rootkits? », from CCM (ccm.net) is made available under the Creative Commons license. You may copy and modify copies of this page under the conditions stipulated by the license, as long as this note appears clearly.