Rootkits (subverted versions of originally legitimate hardware manipulation tools, and classified technically as trojans) can take a variety of approaches to clear up. This is because once inside a machine they hide in a number of places: the memory; the system registry; the MBR (master boot record); the API (application programming interface)… and they all have different methods of escape and evasion. In serious cases this can include the ability to hide from – or even to disable – some weaker anti-virus and anti-malware programs. The problem of searching out and destroying this malware is made more difficult because it often spreads to inhabit several locations in the system. This can make the task a little like clearing Japanese Knotweed from your garden – you clear the visible stuff, sure – though unless all the roots are disposed of, they grow unseen with even greater vehemence and speed. And in some cases where roots have not been totally eradicated, Knotweed has been known to lead to buildings being condemned. So, if you detect a rootkit, the challenge is on – what to do? This malware is like an infection in your body: you do have defence mechanisms, though when these cease to work efficiently, other options must be taken quickly.
Here are your options and an outline of what is involved in each:
- Manual removal;
- Semi-automatic removal;
- Automatic removal;
- Reformat disk and re-install the operating system.
It is possible, with the right understanding of the procedure and enough patience, to remove most of these infections manually, though the wider opinion is that the best route to take is to have scanning/anti-malware capabilities on hand – this is the second option. The third removal option is fully automatic – a high-performance A/V program. The fourth way to approach this is a total overhaul of your PC, perhaps resulting in much lost data.
Manual Rootkit Removal
Sometimes this will prove more time-consuming to complete than automated methods, though sometimes not – scanners will sometimes miss new rootkits and you will have to do it the long way anyway. Manually, you search the boot log files for any known rootkit names. Any files found can then be denied permission for all users, which should render them inactive until complete removal is possible – usually after all other appended files have been located and neutralized. N.B.: If the rootkit is a complex one, it may be able to block a manual scan in normal operating mode, so the system will then need to be started in Safe Mode with Networking.
Semi-automatic Method to Remove a Rootkit
This means using a scan program to locate the rootkit files, then deleting them as with the manual method. This may need to be done anyway, as some rootkit scanners may find files but be unable to delete them because the roots have grown in ‘privileged’ places (roots in the centre of the system, the kernel, can mean denial of permission for the root-hunter to remove the file).
Automatic Rootkit Removal
This is total reliance on one of several specialist pieces of software that employ various combinations of signature-based analysis, detecting interceptions, data comparison from different sources, integrity checking and registry comparisons to locate the rootkit and its related components and to remove them. With an efficient and up-to-date A/V program, the roots should be discovered and disposed of entirely. (As some anti-virus programs use their own rootkits to deal with infections, to be safe it is a good idea to back up all files before you start such programs. This will cover you in case any meaningful data is lost during the battle.)
Remove Rootkit by Reformat and Install
First, back up your non-executable files to a remote location. Reformat your drive and reinstall the operating system. This will kill all rootkits apart from those at the BIOS level (basic input/output system), though these are rare, as it takes hackers a great deal of time to create them.
Summary
So, here are a number of options to help if you are unlucky enough to have contracted a rootkit. The most helpful advice that can be added here, however, is a reminder regarding browsing/download hygiene – do not allow an opportunity for badware to enter and grow again. If you can identify how and when your system became infested, that would be useful. Concentrate on ridding yourself of the intruder and consider strengthening your defence systems with some serious software. And before you sit back and relax, ask yourself, ‘Have I got all those roots out?’ And remember the Knotweed…