What are the Best Tips for Rootkit Removal?

G. Wiesen

Rootkit removal can be a difficult and frustrating process, though a number of tips can make it easier. Some security programs can fairly reliably detect and deal with rootkits present on a computer, but not all security and antivirus programs can do this effectively. Manual removal is possible, though impractical for many computer users. Removal can also require that the infected hard drive be completely reformatted and any operating system (OS) on it reinstalled afterward.

A computer's hard drive generally needs to be reformatted if a rootkit is discovered.

A rootkit is a type of malicious software, or malware, that gains access to a computer system and installs itself at one or more levels of the OS, from user-mode libraries to kernel drivers, and in some cases in the boot sector or the machine's firmware. Once a rootkit is on a system, it typically works to hide other forms of malware, such as viruses or worms, or to provide unauthorized users with access to the system through a backdoor. Removal is difficult because of the way a rootkit acts on the system: it intercepts the very file, process and registry queries a scanner relies on, so a standard antivirus scan run from inside the infected OS is unlikely even to detect it. The best and easiest form of rootkit removal is prevention, usually through antivirus and other security software, and by not running untrusted programs with administrative privileges, since a rootkit needs those privileges to install itself.
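The way dedicated rootkit detectors get around the hooked queries described above is a cross-view comparison: ask the same question through two different paths and look for answers that disagree. The following is an added example, not code from the original article, applied to Linux processes. It assumes a Linux host and a rootkit that hooks directory listing (what `ps` and `ls /proc` use) but not the `kill()` probe; the function names are the example's own.

```python
"""Cross-view detection of hidden processes on Linux.

Added example, not code from the original article. A rootkit that hooks
directory listing can hide a PID from `ps` and from `ls /proc`, but the
kernel still answers for that PID when it is addressed directly. Listing
/proc and probing every PID with kill(pid, 0) are two views of the same
state; a PID present in the second view but absent from the first is being
hidden. Assumed: a Linux host, and a rootkit that hooks the listing path
but not the kill() probe (hooking both is possible, which is why this is
a check, not a proof of cleanliness).
"""
import os


def hidden_pids(listed, probed):
    """Return PIDs present in the direct-probe view but absent from the listing view."""
    return sorted(set(probed) - set(listed))


def listed_pids():
    """High-level view: what a directory listing of /proc reports."""
    return [int(name) for name in os.listdir('/proc') if name.isdigit()]


def is_thread_group_leader(pid):
    """True if /proc/<pid>/status says this PID is a process, not a thread of one.

    Threads have their own IDs that kill(tid, 0) accepts but /proc never lists,
    so they must be filtered out or every multithreaded process looks hidden.
    """
    try:
        with open(f'/proc/{pid}/status') as status:
            for line in status:
                if line.startswith('Tgid:'):
                    return int(line.split()[1]) == pid
    except OSError:
        pass
    return True  # cannot read it (or not Linux): keep it and let the comparison decide


def probed_pids(max_pid=None):
    """Low-level view: ask the kernel about each PID directly, without listing anything."""
    if max_pid is None:
        with open('/proc/sys/kernel/pid_max') as f:
            max_pid = int(f.read())
    found = []
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)  # signal 0 checks existence only; nothing is delivered
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, owned by another user
        if is_thread_group_leader(pid):
            found.append(pid)
    return found


def scan(passes=2):
    """Compare the two views several times and keep only PIDs flagged every time,
    so processes that merely started or exited mid-scan are discarded."""
    flagged = None
    for _ in range(passes):
        found = set(hidden_pids(listed_pids(), probed_pids()))
        flagged = found if flagged is None else flagged & found
    return sorted(flagged)


def probe_sees_self():
    """Sanity check: the probe view must at least contain the current process."""
    return os.getpid() in probed_pids(max_pid=os.getpid())


if __name__ == '__main__':
    suspicious = scan()
    print('hidden PIDs:', suspicious if suspicious else 'none found')
```

Run it as root so that `os.kill` and `/proc/<pid>/status` answer for every process; a non-empty result names PIDs the listing path is hiding. A kernel-mode rootkit can hook `kill()` and the `/proc` lookups as well, so an empty result from a single cross-view check is not a clean bill of health, which is the same reason the article recommends scanning from media the rootkit is not loaded into.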

Once a rootkit is present on a computer system, however, removal can sometimes be aided by a security program designed for the purpose. Many security suites, even antivirus programs bundled with other security features, lack the utilities needed to remove rootkits, so specialized software is often necessary. Such software typically needs to run from a drive that is not infected, such as a compact disc (CD) or universal serial bus (USB) drive, so that the scan does not depend on the compromised OS and the hooks the rootkit has placed in it. Even this type of removal can fail, depending on the rootkit and how well it protects itself from security software, so a clean result from an offline scan is evidence rather than proof that nothing remains.
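What an offline scan from clean media actually buys you is that the rootkit's hooks are not loaded, so the disk can be read honestly. The following is an added example, not code from the original article, of the simplest such check: hash the files on the suspect volume and compare them with a known-good manifest. It assumes the suspect filesystem has been mounted read-only from a clean boot environment (the device path and mount point shown are illustrative) and that a manifest in `sha256sum` format exists from before the incident; all function names are the example's own.

```python
"""Offline integrity check of a suspect volume, run from clean boot media.

Added example, not code from the original article. It assumes the machine was
booted from known-clean media and the suspect filesystem was mounted read-only
without execute permission, e.g.
    mount -o ro,noexec,nosuid,nodev /dev/sda2 /mnt/suspect
(device and mount point are illustrative), and that a known-good manifest in
`sha256sum` format exists from before the incident or from vendor package data.
Hashing from outside the infected OS sidesteps hooks that would otherwise lie
about file contents; a rootkit cannot intercept calls it is not loaded into.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(CHUNK), b''):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Hash every regular file under root, keyed by path relative to root.

    Symlinks are skipped: following them would let a planted link point the
    scan at a clean file in place of a modified one.
    """
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def parse_manifest(text):
    """Parse `sha256sum` output (one '<hex>  <path>' or '<hex> *<path>' per line)."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        digest, path = line.split(None, 1)
        manifest[path.lstrip('*')] = digest.lower()
    return manifest


def compare(expected, actual):
    """Classify differences between the known-good manifest and what the volume holds."""
    return {
        'modified': sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        'missing': sorted(p for p in expected if p not in actual),
        'unexpected': sorted(p for p in actual if p not in expected),
    }


def demo():
    """Constructed scenario (no real volume): take a manifest of a small tree, then
    replace one binary, delete one file and drop a hidden one, and compare."""
    with tempfile.TemporaryDirectory() as vol:
        files = {'bin/ls': b'original ls', 'etc/hosts': b'127.0.0.1 localhost\n',
                 'etc/issue': b'Welcome\n'}
        for rel, data in files.items():
            path = os.path.join(vol, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, 'wb') as f:
                f.write(data)
        manifest_text = '\n'.join(f'{h}  {p}' for p, h in hash_tree(vol).items())
        # Tamper with the "volume" the way a rootkit install would.
        with open(os.path.join(vol, 'bin', 'ls'), 'wb') as f:
            f.write(b'trojaned ls that hides a directory')
        os.remove(os.path.join(vol, 'etc', 'issue'))
        with open(os.path.join(vol, 'bin', '.hidden'), 'wb') as f:
            f.write(b'dropped payload')
        return compare(parse_manifest(manifest_text), hash_tree(vol))


if __name__ == '__main__':
    print(demo())
```

In real use the call is `compare(parse_manifest(open('known-good.sha256').read()), hash_tree('/mnt/suspect'))`. Where no earlier snapshot exists, the distribution's package database can serve as the manifest (`rpm -Va --root /mnt/suspect`, `debsums --root=/mnt/suspect`), with the caveat that a database stored on the suspect volume may itself have been edited; a manifest kept off the machine is the trustworthy one.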

One of the most effective forms of rootkit removal, though also quite drastic, is to reformat the infected hard drive completely. This eliminates all data on the drive: OS files, installed programs, personal files and drivers. Reformatting only a partition leaves the boot sector and partition table in place, which is exactly where a bootkit stores itself, so wipe the whole disk, including the master boot record or GUID partition table, and recreate the partitions from the clean installer. Rootkits that persist in the computer's firmware (the BIOS/UEFI or a device's option ROM) survive even that and require reflashing the firmware from a vendor image. Once the drive is wiped, the OS and other files can be reinstalled. Recovery of files from an infected drive can be done beforehand, but carefully, so that the rootkit does not spread to the device the files are copied to: mount the infected drive read-only from a clean boot environment, copy only data such as documents and photos, never programs, installers or scripts, and scan the copies before use.


Discussion Comments


This isn't the best advice. I am extremely upset over bad/ineffective solutions to issues like these. The whole "malware removal industry" is a scam. Easy to remove (e.g. non-rootkit) malware may be easily removed by AVs, but the "nuke-and-pave" option isn't the way that should be tried first and it might not even work (e.g. firmware infection). Understanding and a "smart bomb" approach is best. If it is very difficult to detect and remove rootkits, then what needs to happen is that end users need to be either genuinely assisted by a trustworthy expert or given the knowledge and tools to attempt the task themselves.

I am convinced that articles like these are a big part of the problem. If a person can't successfully detect a rootkit - by himself - then he is at the mercy of potentially very crafty malware authors. And there is the additional issue that AV companies may not be trustworthy. They may whitelist malware from nations. Although POSSIBLY not very common, there are APTs (Advanced Persistent Threats) which are likely created by nation-sponsored groups.

The extent of the problem shouldn't be very difficult to understand. The most difficult to detect malware is not easily found with the standard AV solutions. Malware victims are given a false sense of security. All the while very crafty malware authors have the benefit of expert knowledge and the ability to "fly in a stealth fighter" due to the ignorance of the malware victims and the business model of paid AV solutions (i.e. go after easy malware).

Perhaps on purpose (e.g. spying) advanced malware is extremely difficult for any entity but a company/government with lots of money to spend to identify and remove. Even here, the recommendation appears to be a "nuke-and-pave" approach.

I will try to be a part of the solution and hopefully this will be posted. The way to very likely detect rootkits (and also other malware) is with memory forensics. However, there is the possibility of anti-forensic defenses by the rootkit. Also, there are hardware and firmware rootkits. As such, it may be necessary to reflash the firmware. As for hardware, that would require an - AFAIK - extremely difficult to locate and highly specialized company. Perhaps a university with a lab might have the equipment and knowledge to detect a hardware rootkit.

Easily obtainable malware solutions for individuals amount to those mentioned in the article which - as I have shown - isn't even necessarily 100% effective. Even standard offline scanners like live CDs might not do the job for rootkits.
