What are rootkits?
A rootkit is a malicious program that can hide the presence of other harmful programs from the user and security softwares (antivirus, firewall ). Some rootkits install backdoors. Unlike viruses or worms, rootkits are not able to duplicate themselves.
- To install a rootkit, it is necessary to have administrator rights on the machine.
- The detection of rootkits is more complicated than for other malware.
The main actions of rootkits :
- They may affect how the operating system (and possibly the kernel) works.
- They are "invisible" (hidden process) which makes them difficult to disinfect.
The most common rootkits are:
- ZeroAccess / Sirefef
- Alueron/ TDSS TDL 4 (bootkits)
The majority of Internet users use their administrator accounts instead of a limited account to browse the internet and this greatly facilitates the installation of rootkits on the machine!
More information about rootkits
Rootkits can make the system unstable.
- Prior to their removal, it is strongly recommended to backup important documents.
- On the other hand, during the disinfection procedure, close all running programs and disable virus protection.
- Save the scan reports and publish them on the appropriate forums, if needed.
First method : Malwarebyte 's Anti -Rootkit
- Malwarebyte Antirootkit scanner provides an very effective solution.
- Download and launch the program : http://www.malwarebytes.org/products/mbar/
- Run a scan .
- Remove the detected malicious elements .
- Save the scan report .
Second method: RogueKiller
RogueKiller is a program that can detect rootkits (it is able to detect and remove ZeroAccess/Sirefef).
- Download RogueKiller.
- Close all programs
- Start RogueKiller.exe.
- Wait until the prescan is over ...
- Run a scan to unlock the Delete button.
- Click on Delete.
- Save the content of the report.
Third method: Using the Recovery Console
Thanks to the Recovery Console
you can repair Windows (vital files are corrupted or lost), but it can also help to neutralize rootkits.
Fourth method: Gmer
Gmer is a powerful rootkit detector:
Visit this page and download Gmer under a random name (to deceive the Rootkit).
The program launches and performs an auto scan.
- Red lines should appear in case of infection.
- Services: Right-click and delete Service
- Process: Right-click and then kill process
- Adl, file: Right-click and delete files
Easily identify roootkits:
When Gmer detect a rootkit or a hidden file, the corresponding line turns red .
At the end of the line you should see (for infections ) the following extensions:
Example of infection:
Fifth method: Combofix
- It is advisable to seek advice on the forum before using Combofix (it is a very powerful tool).
- Download http://download.bleepingcomputer.com/sUBs/ComboFix.exe ComboFix (by sUBs ) on your desktop .
- Temporarily disable any resident protection Antivirus , Antispyware ..)
- Double click on ComboFix.exe (Under Vista, you must right-click on ComboFix.exe and select Run as administrator).
- Accept the license agreement.
- The program will ask you if you want to install the Recovery Console, click on Yes.
- When the operation is completed, a report will be created in :% ystemDrive% ComboFix.txt (%systemdrive% is the partition where Windows is installed)
It is advisable to perform an online scan to check for the presence of infected applications: Online scans
Deactivation/reactivation of the System Restore
It is necessary to disable and enable System Restore to purge the infected restore points: