It isn’t easy, but the good news is that you CAN get rid of rootkits on your Windows 10 computer.
Rootkits are considered by most to be the worst kind of malware: they load before your operating system starts up and they are particularly good at hiding from regular anti-malware scans. They are created to be invisible and undetectable, which makes them awfully hard to find and clean out.
Since you usually can’t tell when exactly the infection happened, you can’t really be sure that using System Restore will cure it. So you need to treat every restore point as potentially infected. What do you do then?
Since a rootkit is a tough enemy, take it seriously and prepare well for the battle. Read on to get all the information you need to win.
What’s a rootkit?
Wikipedia says a rootkit is “a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software. The term rootkit is a concatenation of ‘root’ (the traditional name of the privileged account on Unix-like operating systems) and the word ‘kit’ (which refers to the software components that implement the tool).”
Experts subdivide rootkits into two categories: kernel mode and user mode. When you use Windows, most standard programs run in user mode, which means their calls to OS resources and services are mediated. Privileged software, as well as operating system components, can access OS resources and services directly. Kernel mode rootkits pretend to be part of Windows, which makes them especially difficult to locate and get rid of, and also allows them to do more serious damage to your PC.
A kernel mode rootkit activates whenever you boot your PC, can easily access the OS kernel and its APIs, and can intercept the system calls that might reveal its presence in order to hide itself. This means you may have a rootkit on your PC and never realize it.
How do you get infected?
Although it may be tougher than other types of malware, a rootkit still requires the user to do something wrong or the system to have a security hole somewhere for it to get onto your PC. Most frequently, it gets an unsuspecting user to download a program or file, or to open an infected email attachment. As long as you remember this, you will know to be careful not to open emails from unknown senders or to download files from places you can’t trust 100%.
Once it gets onto your computer, the rootkit will usually try to hide itself by getting inserted into other software programs present on your drive or even into Windows system components. Rootkits are so clever that they get the highest privileges assigned, which gives them a very scary level of power. They can do almost anything to your system, your private data, your financial info, your identity, your logins and passwords, or any other valuable things you may keep on your computer or online. Your information may get stolen and sent to hackers a world away. Any kind of malicious software can get downloaded onto your PC without you even noticing just because the rootkit needs it to do its dirty work. Just thinking about all this stuff gives anyone goose bumps and a feeling of horror.
How do you know you have a rootkit?
Although a rootkit may sit on your hard drive unnoticed for a long time, there are some symptoms that may give away a rootkit infection. One such symptom is an antivirus or antimalware program that suddenly stops working. Alerts will pop up telling you of various possible causes of the AV malfunction. If you’ve tried all suggested solutions and your antimalware still does not work, that’s when you should start getting really worried, as this is almost a sure sign of an active rootkit infection.
One other symptom is unexpected changes in Windows settings that may happen without your input. It may be things like your desktop background changing, icons moving or disappearing, new things appearing on the taskbar, etc.
When your mouse or keyboard freezes, and it happens in addition to your antimalware program not working or Windows settings changing, you’ve got to know that a rootkit is the most likely cause.
And one last thing you need to watch for: if your computer is idle but your network traffic is high, something fishy is happening. Use Resource Monitor to pinpoint the services or processes that are generating the traffic. Don’t just go by the name of the service or process, as rootkits can mimic legitimate system components. Consider whether the process has a reason to be using that much traffic.
How do you detect rootkits?
You already know that rootkits assign themselves the highest level of privilege they can get, so they can be extremely difficult to detect. Regular antimalware applications may not detect rootkits at all and may require a special add-on for that. Methods used to detect rootkits are oftentimes based on inference analysis or checking for specific signatures or files.
Many times you need to boot your computer to a different OS that is known to be 100% clean in order to use rootkit detection apps at runtime.
Another approach is to observe behavioral patterns: access to high-security system files, unusual API usage, illegal control transfers, etc. Some rootkit scanners use comparison scans that look for differences between legitimate versions of system or other files and those present on the computer. They may also analyze the calls made by applications at runtime and check the arguments those applications pass in the calls.
Using a rootkit scanner
The easiest way to find rootkits or find out if your system is infected is to use a special rootkit scanning tool. Advanced PC users or IT administrators have a wide array of such tools available to them. For us regular users, a good option could be a consumer security program that specifically says that it includes rootkit detection (check with Norton or McAfee). You can also look at big download portals like CNET for single-purpose rootkit tools: there are lots of free and paid options out there.
One good tool to try is GMER from Avast. It’s very lightweight and does not require a PC reboot or another clean OS to run.
[Screenshot from GMER.net: the scanner’s detection message pop-up.]
GMER may require you to have decent knowledge of the Windows operating system and its kernel, or you may not be able to understand the scan results. The program’s online documentation may offer some help though, as it lists most known rootkits and information about them.
How to remove a rootkit?
The absolute best and foolproof way to get rid of a rootkit on one’s PC is to install a new clean image of the system. However, many people don’t maintain current images of their system, so their only choice is attempting repair or recovery.
Bleeping Computer (bleepingcomputer.com) is an outstanding source of information and links to rootkit removal tools. They maintain very helpful support forums that offer answers to most malware-related questions and where you can ask your own question and get answers. The site has a variety of malware removal guides, including guides for rootkit removal organized by OS versions. It has saved thousands of computers worldwide and is recommended by technicians as the place to go to for cleanup assistance.
MajorGeeks.com maintains a comprehensive list of solutions too, which includes rootkit tools from most major antimalware or antivirus makers. Some are pretty old, so if you are looking for a tool for your old Windows XP computer, you can find one here.
TenForums.com, EightForums.com, SevenForums.com are forums that offer help with the corresponding Windows versions. There is a section that provides malware (and rootkit) removal help on each of these sites.
MalwareTips.com is another place you can go to for answers to your questions or for online tutorials, including those on rootkit removal.
How do you prevent future rootkit trouble?
The best way to prevent rootkit infections and keep your computer protected is using safe computing and web browsing practices. That is in addition to having a reliable antivirus and antimalware program installed and active. Another thing to remember is that having a current clean image of your system can save you time and effort if a rootkit happens to make its way onto your PC.
Good luck with the cleanup and stay safe!