Originally used in the 1990s to target UNIX operating systems, a rootkit is a special type of malicious software that penetrates your system and intercepts system functions. By intercepting and modifying low-level API functions it hides itself very effectively; because it is nearly undetectable, it is also extremely hard to remove. Its basic purpose is to hide the fact that an operating system has been compromised.
It can also hide the presence of certain files, folders, processes, registry keys and software (including file servers, remailers, botnets and keyloggers). Some rootkits even install their own drivers and servers on your system, and these likewise remain invisible.
A rootkit can get onto your computer in a number of ways; Trojan horses and suspicious email attachments are the most common. Surfing the web can also result in the installation of a rootkit: for example, certain web pages ask you to install a special plug-in (which pretends to be legitimate) to view the site correctly, and that plug-in stealthily installs a rootkit on your PC.
These days, rootkits are not used to gain greater access, but rather to mask malware payloads more effectively; they disguise viruses and malware as important or necessary files that normal antispyware programs usually overlook, allowing them to hide in plain sight. Unlike viruses and worms, rootkits by themselves aren’t harmful; they merely hide malware, worms and bots and allow the attacker to identify existing vulnerabilities in your system (such as a weak administrator password or an unpatched system). What makes it worse is that automated network security controls such as intrusion detection systems are unable to detect these stealthy attacks.
Rootkits enable the attacker to access and use your computer without your knowledge or consent. Because of the way they are installed, they are also notoriously difficult to remove, a problem that keeps growing as malware developers constantly find new ways to cover their tracks. Rootkits may bundle spyware and other programs that let the attacker remotely execute files and change the system configuration on the host machine, monitor traffic and keystrokes, create a backdoor for the attacker’s own use, alter log files, attack other machines on the network and alter existing system tools to escape detection.
Manually Removing Rootkits
Follow the steps given below to remove a Rootkit from your PC:
Step 1 – Click Start, type “msconfig” and press Enter.
Step 2 – Select the Boot tab and check the box next to ‘Boot log’; click Apply and then restart your computer.
Step 3 – Locate Infected Files
Do this by pressing F3 (which opens the Search window) or by clicking Start, and search for files whose names start with any of the following:
- “rot”
- “gas”
- “gaopdx”
- “seneka”
- “win32k.sys”
- “uacd”
- “tdss”
- “kungsf”
- “gxvxc”
- “ovsfth”
- “msqp”
- “ndisp”
- “msivx”
- “skynet”
Note: Make sure you write down the full name (for example rot.exe or rot.sys) of every file that you find.
Close the Search window once you are done locating the files.
Step 4 – Deny file permissions
Do this by clicking Start, typing “cmd” and pressing Enter; the Command Prompt window will open. Type “cacls C:\WINDOWS\system32\drivers\[filename] /d everyone” at the prompt and press Enter.
Note: replace [filename] with each file name you wrote down in Step 3.
For example: “cacls C:\WINDOWS\system32\drivers\rot.sys /d everyone”
Repeat this for every file you wrote down. Once you are done, restart your computer, so that the blocked files are not loaded again at boot.
Step 5 – Delete infected files
Press F3 (which opens the Search window) or click Start and search for every file you wrote down, then delete each file by right-clicking it and selecting Delete.
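The five steps above can be scripted so that the same file list drives the search, the permission change and the deletion. The following PowerShell script is an added example and is not code from the original article: the name prefixes and the drivers folder come from the steps above, while the boot-log parsing, the signature check and the function names are assumptions made here. It expects an elevated prompt.

```powershell
# Added example, not code from the original article. Scripts manual Steps 1-5
# above for an elevated PowerShell prompt. The prefixes and the drivers path are
# from the article; boot-log parsing, the signature check and function names are
# assumptions of this example.

$Prefixes  = @('rot','gas','gaopdx','seneka','win32k.sys','uacd','tdss',
               'kungsf','gxvxc','ovsfth','msqp','ndisp','msivx','skynet')
$DriverDir = Join-Path $env:SystemRoot 'System32\drivers'
$BootLog   = Join-Path $env:SystemRoot 'ntbtlog.txt'   # written once boot logging is on
$Pattern   = '^(' + (($Prefixes | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')'

# Steps 1-2: turn on boot logging without opening msconfig. Takes effect at the
# next reboot, after which %SystemRoot%\ntbtlog.txt lists every driver loaded.
function Enable-BootLog {
    bcdedit /set '{current}' bootlog yes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; run from an elevated prompt' }
}

# Step 3: find driver files whose names start with one of the listed prefixes and
# report matching boot-log entries, so a driver that loaded at boot is not missed.
# Files with a valid Microsoft signature are reported but skipped, because some
# listed prefixes also match legitimate system files.
function Find-SuspiciousDrivers {
    if (Test-Path $BootLog) {
        Get-Content $BootLog |
            Where-Object { ($_ -split '\\')[-1] -match $Pattern } |
            ForEach-Object { Write-Host "boot log: $_" }
    }
    foreach ($f in Get-ChildItem -Path $DriverDir -File | Where-Object { $_.Name -match $Pattern }) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        $msSigned = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
        if ($msSigned) {
            Write-Host "skipping Microsoft-signed file: $($f.Name)"
        } else {
            Write-Host "suspicious: $($f.FullName) (signature: $($sig.Status))"
            $f.FullName            # emitted to the pipeline for the next steps
        }
    }
}

# Step 4: deny Everyone all access, the icacls equivalent of 'cacls <file> /d everyone'.
# Reboot afterwards so the driver cannot be loaded again.
function Block-DriverFile {
    param([Parameter(ValueFromPipeline)][string]$Path)
    process {
        icacls $Path /deny 'Everyone:(F)' | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "could not set deny entry on $Path" }
        else { Write-Host "denied Everyone on $Path" }
    }
}

# Step 5 (after the reboot): lift the deny entry added above, then delete the file.
function Remove-DriverFile {
    param([Parameter(ValueFromPipeline)][string]$Path)
    process {
        icacls $Path /remove:d Everyone | Out-Null
        Remove-Item -LiteralPath $Path -Force
        Write-Host "deleted $Path"
    }
}

# First run (before the reboot):
#   Enable-BootLog
#   Find-SuspiciousDrivers | Block-DriverFile
# Second run (after the reboot):
#   Find-SuspiciousDrivers | Remove-DriverFile
```

The script is split into two runs on purpose: the first one matches Steps 1 to 4 and ends with a reboot, the second one repeats the search on the booted system and performs Step 5. Reviewing the boot-log lines it prints is the fastest way to confirm whether a matched driver actually loaded, and the signature check is the guard the article's list needs, since a name prefix alone is not proof of infection.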
Once you have successfully removed the rootkit(s) manually, security experts recommend using a reputable antispyware program to scan your computer for any other infections.