
How To Find And Remove A Rootkit

Rootkits use nasty tactics to hide malware such as viruses, worms, spyware, and adware from detection by anti-virus programs. If that’s not bad enough, they can be very difficult to locate and remove, and you may never be entirely sure you’ve removed them completely.

Nearly all rootkits “in the wild” are only for Windows XP and Vista, though there are a few which also work on earlier versions of Windows.

Nowadays, if you have been infected with spyware or malware, it’s probable that there is a rootkit on your system as well. Some signs to watch for are your computer running slower than it used to (even after rebooting), seeing popup ads, or being redirected to other search sites.

To discover and remove a rootkit you’ll need special software that can detect it and remove it. Some anti-rootkit programs are able to remove some rootkits but not others, so you might want to try out a few if you suspect you are infected.

I’ve found that Panda’s Anti-Rootkit is the most effective anti-rootkit, as it digs deeper than most other scanners and is more descriptive about what it finds. That helps ensure you don’t delete files and processes that are legitimate and required by Windows.

F-Secure’s Blacklight was one of the first anti-rootkit programs but is much slower than the others. It doesn’t scan the Windows Registry, so it can miss some rootkits or parts of them.

You could also try AVG Anti-Rootkit, but it doesn’t detect as many rootkits as Panda’s, as it doesn’t scan the Windows Registry either.

The least sophisticated of the bunch is Sophos Anti-Rootkit. It fails to remove many common rootkits and in some cases reports that it has successfully removed them when it hasn’t.

Don’t forget, you’re best off avoiding infection in the first place by not using Internet Explorer, so you don’t get a rootkit to begin with.


3 Comments

First, thanks for pointing to this software.

I must, however, warn anyone who uses it to be very careful, as it appears to be a little overzealous in what is defined as a rootkit.

I use a registered version of xplorer2, which is the best file manager for Windows, since there is no xtree gold currently available. When I ran the Panda antirootkit it came up with an unknown rootkit, which it offered to send to Panda, while also removing it from my machine. I looked inside the file it was sending, and I must say it did look like it might be a problem. I let it remove the file, and when I rebooted, POW, xplorer2 tells me that my software has been used past the trial period and asks for the serial number. Because I did not have the serial number right at my fingertips, I closed the window to open it when I retrieved the serial number. Bad idea! After retrieving the serial number and rebooting the machine, xplorer2 refused to execute…no warning messages, no nothing. I then removed what was left of the old installation, rebooted, re-installed, and put in the serial number. Success. Ran the Panda antirootkit again. Sure enough, the ‘unknown’ root kit was back. This time I left it alone, and am going to be writing to both the author of xplorer2 and Panda.

This just shows that 1] software authors are not above using devious means to prevent illegal use of their software and 2] a duck [rootkit] is not always a duck!

Use with caution, and maybe the guys at Panda will come up with an update, as I don’t think a small software author is going to change the licensing scheme just because Panda gives a false positive.

how to remove all

No rootkit detective or anti-virus will find many rootkits! You need to use NMAP to find open ports on infected computers. This has worked twice for me, and after finding the infected computers every antivirus gave the infected hard drive a clean bill of health. Forget rootkit detection and move up to NMAP! It actually works. -Bob Davis
