How to get rid of rootkits?

What are rootkits?

A rootkit is a malicious program that hides the presence of other harmful programs from the user and from security software (antivirus, firewall). Some rootkits install backdoors. Unlike viruses or worms, rootkits cannot replicate themselves.

  • To install a rootkit, it is necessary to have administrator rights on the machine.
  • The detection of rootkits is more complicated than for other malware.

The main actions of rootkits:

  • They may alter how the operating system (and possibly the kernel) works.
  • They are "invisible" (hidden processes), which makes them difficult to disinfect.

The most common rootkits are:

  • ZeroAccess / Sirefef
  • Alureon / TDSS TDL4 (bootkits)

Note that:
The majority of Internet users browse the web from their administrator account instead of a limited account, which greatly facilitates the installation of rootkits on the machine!

Disinfection methods

Getting Started

Rootkits can make the system unstable.

  • Before removing them, it is strongly recommended to back up important documents.
  • During the disinfection procedure, close all running programs and disable the antivirus protection.
  • Save the scan reports and post them on the appropriate forums if needed.

First method: Malwarebytes Anti-Rootkit

  • Malwarebytes Anti-Rootkit provides a very effective solution.
  • Download and launch the program.
  • Run a scan.
  • Remove the detected malicious elements.
  • Save the scan report.

Second method: RogueKiller

RogueKiller is a program that can detect rootkits (it is able to detect and remove ZeroAccess/Sirefef).

  • Download RogueKiller.
  • Close all programs.
  • Start RogueKiller.exe.
  • Wait until the prescan is over.
  • Run a scan to unlock the Delete button.
  • Click on Delete.
  • Save the content of the report.

Third method: Using the Recovery Console

The Recovery Console lets you repair Windows when vital files are corrupted or lost, and it can also help neutralize rootkits.

Fourth method: Gmer

Gmer is a powerful rootkit detector:

  • Visit the download page and download Gmer under a random name (to deceive the rootkit).
  • Run Gmer.
  • The program launches and performs an automatic scan.

  • Red lines appear in case of infection.
  • Services: right-click and select Delete Service.
  • Process: right-click and select Kill process.
  • Adl, file: right-click and delete the files.

Easily identify rootkits:
When Gmer detects a rootkit or a hidden file, the corresponding line turns red.
At the end of the line you should see (for infections) the following extensions:

  • .dat
  • .exe
  • _nav.dat
  • _navps.dat
  • .sys

Example of infection:

  • C:\Users\crilaud\AppData\Local\igeysiy.dat
  • C:\Users\crilaud\AppData\Local\igeysiy.exe
  • C:\Users\crilaud\AppData\Local\igeysiy_nav.dat
  • C:\Users\crilaud\AppData\Local\igeysiy_navps.dat
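As an added example (not part of the original CCM article), the following Python script applies the naming pattern above to a directory listing: a random base name under AppData\Local accompanied by .exe, .dat, _nav.dat and _navps.dat files. The listing is constructed, and the companion-file threshold and helper names are this example's own choices.

```python
import re
from collections import defaultdict

# Companion files the article's Gmer example lists beside the rootkit's .exe
COMPANION_SUFFIXES = (".dat", "_nav.dat", "_navps.dat")

# "<dir>\<base><suffix>": base is a run of letters/digits (the random name),
# suffix is .exe or one of the companions; longest alternatives come first
_NAME_RE = re.compile(
    r"^(?P<dir>.*[\\/])(?P<base>[a-z0-9]+)(?P<suffix>_navps\.dat|_nav\.dat|\.dat|\.exe)$",
    re.IGNORECASE,
)

def group_by_base(paths):
    """Map (directory, base name) -> set of suffixes seen in the listing."""
    groups = defaultdict(set)
    for path in paths:
        m = _NAME_RE.match(path.strip())
        if m:
            key = (m.group("dir").lower(), m.group("base").lower())
            groups[key].add(m.group("suffix").lower())
    return groups

def find_suspicious_clusters(paths, min_companions=2):
    """Return (dir, base, suffixes) for every base name that has an .exe plus
    at least `min_companions` companion files in the same folder."""
    hits = []
    for (d, base), suffixes in group_by_base(paths).items():
        companions = [s for s in COMPANION_SUFFIXES if s in suffixes]
        if ".exe" in suffixes and len(companions) >= min_companions:
            hits.append((d, base, sorted(suffixes)))
    return sorted(hits)

# Constructed listing: the article's example cluster plus benign noise
SAMPLE_LISTING = [
    r"C:\Users\crilaud\AppData\Local\igeysiy.dat",
    r"C:\Users\crilaud\AppData\Local\igeysiy.exe",
    r"C:\Users\crilaud\AppData\Local\igeysiy_nav.dat",
    r"C:\Users\crilaud\AppData\Local\igeysiy_navps.dat",
    r"C:\Users\crilaud\AppData\Local\settings.dat",  # lone .dat, no .exe
    r"C:\Users\crilaud\AppData\Local\updater.exe",   # .exe with one companion
    r"C:\Users\crilaud\AppData\Local\updater.dat",   #   -> below the threshold
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for d, base, suffixes in find_suspicious_clusters(SAMPLE_LISTING):
        print(f"suspicious cluster: {d}{base} -> {', '.join(suffixes)}")
```

A match is only a lead for the Gmer check described above, since a legitimate program could also keep a .exe next to .dat files of the same name.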

Fifth method: Combofix

  • It is advisable to seek advice on the forum before using ComboFix (it is a very powerful tool).
  • Download ComboFix (by sUBs) to your desktop.
  • Temporarily disable any resident protection (antivirus, antispyware...).
  • Double-click ComboFix.exe (under Vista, right-click ComboFix.exe and select Run as administrator).
  • Accept the license agreement.
  • The program will ask whether you want to install the Recovery Console; click Yes.
  • When the operation is completed, a report is created at %SystemDrive%\ComboFix.txt (%SystemDrive% is the partition where Windows is installed).

Online scans

It is advisable to perform an online scan to check for the presence of infected applications.

Deactivation/reactivation of the System Restore

It is necessary to disable and then re-enable System Restore in order to purge the infected restore points.

CCM is a leading international tech website. Our content is written in collaboration with IT experts, under the direction of Jean-François Pillou, founder of CCM. CCM reaches more than 50 million unique visitors per month and is available in 11 languages.
This document, titled « How to get rid of rootkits? », is available under the Creative Commons license. Any copy, reuse, or modification of the content should be sufficiently credited to CCM (