Remove rootkits from your PC

Most people have heard of computer viruses, but rootkits are less well known. Rootkits are just as undesirable, but their job is not to damage files; it is to hide. A rootkit gives someone else "administrator" (root) level access to your machine without you knowing it, and it conceals its own files, processes and registry entries by lying to the operating system, so a normal antivirus scan can come up clean while the attacker monitors what you are doing, changes things around, and so on. A rootkit is usually installed through some sort of trojan, for example by clicking on an infected email attachment. Unfortunately, deleting them can be tricky because they are usually silent until activated and burrow deeper than most other programs, often into the boot sector or the kernel. Because of this you need specialized tools to look for them and remove them. Here are the best tools I am aware of. Your first step is to create a folder called "Computer Cleanup" on your desktop. Create a folder inside that one called "Rootkit Removal" so you know what type of cleaning these tools do. Run the following once a month, downloading a fresh copy of each tool from the vendor's site, since they are updated as new rootkits appear. There is more than one tool in the list because each searches for different types of rootkits. They run fast, so it should not be a problem to run them all. If one of them does find a rootkit, treat the machine as fully compromised: change your passwords from a different, clean computer, and if you have a known-good backup or can reinstall Windows, do so, because a rootkit that has been removed may have left other malware behind.

TDSSKiller

The TDSS rootkit is spreading around the world. Computers with this infection download other bad content and are used as part of a botnet to send spam. TDSSKiller is a utility created by Kaspersky Lab that is designed to remove the TDSS rootkit. Disinfection of an infected system: download the TDSSKiller.exe file on the infected (or potentially infected) computer. Run the TDSSKiller.exe file as an administrator. Wait for the scan and disinfection process to finish. It is necessary to reboot the PC after the disinfection is over. It is also a good idea to check your disk for errors afterwards (chkdsk on current versions of Windows, the tool older versions called scandisk), as there are some reports that the TDSS rootkit can cause disk problems once removed. (http://support.kaspersky.com/faq/?qid=208280684)

aswMBR

aswMBR is an anti-rootkit scanner that searches your computer for rootkits that infect the Master Boot Record, or MBR, of your computer. This includes the TDL4/3, MBRoot (Sinowal), and Whistler rootkits. This program will also optionally download the Avast virus definitions and do a one-time virus scan for you, which doesn't hurt to run but isn't required. How to scan: download aswMBR.exe (1870KB) to your desktop. Double-click aswMBR.exe to run it (as an administrator). If it finds something, it will prompt you to take action. If it finishes and you don't see any red messages, then you are good to move on to the next tool. If you do get some red, then click [Fix] for TDL4 (MBRoot) or [FixMBR] for Whistler (select the button as appropriate). For more information: http://public.avast.com/~gmerek/aswMBR.htm.

Trend Micro RootkitBuster

RootkitBuster is a highly rated removal tool that looks in many places for things that look like rootkits. Here are some of the places:

- Master Boot Record (MBR)
- Files
- Registry entries
- Kernel code patches
- Operating system service hooks
- File streams
- Drivers
- Ports
- Processes
- Services

If there are problems, RootkitBuster will remove hidden files, registry entries, and services. Just be sure to run this tool in conjunction with the other removers to find and remove all of the infections, as there is some overlap but each tool looks for different things in different ways.

GMER rootkit removal tool

GMER is an anti-rootkit scanner that searches your computer for rootkits and then allows you to attempt to remove them. Note that GMER is available as a randomly named .EXE file or as a .ZIP file. When you run GMER, if it is shut down automatically, then it is most likely the infection detecting that GMER is running and terminating it. In this situation you should use the .EXE download link to download a randomly named version of GMER. If you are unable to run that, then rename the download to iexplore.exe before you attempt to run it. GMER scans for the following:

- hidden processes
- hidden threads
- hidden modules
- hidden services
- hidden files
- hidden disk sectors (MBR)
- hidden Alternate Data Streams
- hidden registry keys
- drivers hooking the SSDT
- drivers hooking the IDT
- drivers hooking IRP calls
- inline hooks

Please put all these tools in your "Rootkit Removal" folder and run this tool together with the other suggested tools regularly. They are quick, and it is better to be safe than sorry.
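Since the whole monthly routine above is a sequence of the same steps (check the tool, run it, note what happened, handle the "GMER got killed" case, then schedule the disk check), here it is as a PowerShell script you can keep in the "Rootkit Removal" folder. This is an added example written for this page, not code from the article or from Kaspersky, Avast, Trend Micro or GMER. It assumes you have already downloaded the four .exe files into that folder by hand, that you fill in the $ExpectedSha256 placeholders with the SHA-256 values you read off each vendor's download page (an empty value skips the check), that PowerShell 4 or later is available for Get-FileHash, and that TDSSKiller's -l and -accepteula switches are the ones Kaspersky documents in the FAQ linked above (verify them there; the other three tools are launched with no switches, exactly as the article describes). The "exited within five seconds means it was killed" rule for GMER is a heuristic of mine, not something the tool reports.

```powershell
# Monthly rootkit sweep: added example, not from the original article or any vendor.
# Assumptions (see lead-in): tools already downloaded into the article's folder;
# $ExpectedSha256 placeholders filled in by you; TDSSKiller switches per Kaspersky's FAQ.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'
$ToolDir = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Computer Cleanup\Rootkit Removal'
$LogDir  = Join-Path $ToolDir ('logs\' + (Get-Date -Format 'yyyy-MM-dd'))
New-Item -ItemType Directory -Force -Path $ToolDir, $LogDir | Out-Null
$Report  = Join-Path $LogDir 'sweep.txt'

# Placeholder hashes: record the SHA-256 from each vendor page when you download a tool,
# and re-download if a hash ever fails. An empty string skips the check (not recommended).
$ExpectedSha256 = @{
    'TDSSKiller.exe'    = ''
    'aswMBR.exe'        = ''
    'RootkitBuster.exe' = ''
    'gmer.exe'          = ''
}

function Write-Report([string]$Msg) {
    $line = "{0:HH:mm:ss} {1}" -f (Get-Date), $Msg
    Write-Host $line
    Add-Content -Path $Report -Value $line
}

function Test-ToolHash([string]$Exe) {
    $expected = $ExpectedSha256[(Split-Path $Exe -Leaf)]
    if (-not $expected) { Write-Report "WARNING: no pinned hash for $Exe, skipping integrity check"; return $true }
    $actual = (Get-FileHash -Algorithm SHA256 -Path $Exe).Hash
    if ($actual -ne $expected.ToUpper()) {
        Write-Report "HASH MISMATCH for $Exe (got $actual). Re-download from the vendor before running."
        return $false
    }
    return $true
}

# Run a tool and wait for it. Returns the seconds it stayed alive (-1 if not run),
# so the caller can notice the "something killed it immediately" case from the GMER section.
function Invoke-Tool([string]$Exe, [string[]]$ToolArgs = @()) {
    if (-not (Test-Path $Exe)) { Write-Report "Missing $Exe, skipped"; return -1 }
    if (-not (Test-ToolHash $Exe)) { return -1 }
    Write-Report "Starting $Exe $($ToolArgs -join ' ')"
    $params = @{ FilePath = $Exe; Wait = $true; PassThru = $true }
    if ($ToolArgs.Count -gt 0) { $params.ArgumentList = $ToolArgs }   # -ArgumentList rejects an empty array
    $sw = [Diagnostics.Stopwatch]::StartNew()
    $p  = Start-Process @params
    $secs = [int]$sw.Elapsed.TotalSeconds
    Write-Report "$Exe exited with code $($p.ExitCode) after ${secs}s"
    return $secs
}

# 1. TDSSKiller: keep its own log next to ours; the reboot and disk check come at the end.
Invoke-Tool (Join-Path $ToolDir 'TDSSKiller.exe') @('-l', (Join-Path $LogDir 'tdsskiller.log'), '-accepteula') | Out-Null

# 2. aswMBR and 3. RootkitBuster are interactive: act on any red findings before closing them.
Invoke-Tool (Join-Path $ToolDir 'aswMBR.exe') | Out-Null
Invoke-Tool (Join-Path $ToolDir 'RootkitBuster.exe') | Out-Null

# 4. GMER: run it from a copy with a random name first, since some rootkits kill a file named gmer.exe.
#    If it dies within a few seconds (heuristic, my assumption), retry as iexplore.exe as the article says.
$gmer = Join-Path $ToolDir 'gmer.exe'
if (Test-Path $gmer) {
    $random = Join-Path $ToolDir ([IO.Path]::GetRandomFileName() -replace '\..*$', '.exe')
    Copy-Item $gmer $random
    $ExpectedSha256[(Split-Path $random -Leaf)] = $ExpectedSha256['gmer.exe']   # same file, same hash
    $alive = Invoke-Tool $random
    if ($alive -ge 0 -and $alive -lt 5) {
        Write-Report "GMER exited almost immediately; something may be terminating it. Retrying as iexplore.exe"
        $fallback = Join-Path $ToolDir 'iexplore.exe'
        Copy-Item $gmer $fallback -Force
        $ExpectedSha256['iexplore.exe'] = $ExpectedSha256['gmer.exe']
        Invoke-Tool $fallback | Out-Null
    }
    Remove-Item $random, (Join-Path $ToolDir 'iexplore.exe') -ErrorAction SilentlyContinue
}

# 5. Schedule a disk check for the next boot (chkdsk is what the article calls scandisk), then reboot by hand.
cmd /c 'echo Y | chkdsk C: /f' | Out-Null
Write-Report "Sweep done. Reboot now to finish TDSSKiller disinfection and run the disk check."
```

Run it from an elevated PowerShell prompt and read logs\<date>\sweep.txt afterwards; the pinned-hash check is there because an attacker who already has administrator access on the box can just as easily swap the removal tools for something of their own, which is also why a clean machine is the place to download them from.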