When a PC is infected with malware or viruses, you can usually scan with the installed antivirus and/or antimalware and move on. Rootkits, on the other hand, are tricky to remove and can reappear if they are not removed completely. For rootkits, you need the right software. The “right” software is subjective, but in the case of a rootkit removal tool, it either works or it doesn’t.
Two tools I find to be effective for the removal of rootkits are Bitdefender’s Rootkit Remover and Kaspersky’s TDSSKiller. Both tools are portable, so there’s no installation necessary. When a machine won’t allow you to install applications, portable apps might be the only way to remove rootkits. I’ll walk you through the process of scanning for rootkits with each tool.
Before you run a scan on a machine, it’s always best to reboot the machine in Safe Mode in case something nefarious is running in the background that prevents the rootkit remover from starting up. If you’re not sure, booting into Safe Mode is simply a matter of rebooting and tapping the F8 key until the Safe Mode menu appears. When that menu appears, select Safe Mode With Networking.
Bitdefender’s Rootkit Remover
Bitdefender’s Rootkit Remover only checks against known rootkits. Bitdefender’s Rootkit Remover protects against the following:
- All TDL families (TDL/SST/Pihar)
- MBR Locker
Bitdefender also cleans infections with Necurs (the last rootkit standing). New rootkit definitions are added as they become known; because of this, you will want to make sure you check the Bitdefender site and download a new version of the tool frequently.
After you download the .exe file, move it to your USB drive, and you’re ready to move to the infected machine and scan. Insert the USB drive, open Explorer, and double click the BootkitRemoval_xXX.exe file (XX is either 64 or 86 depending on your architecture).
When the application starts up, you will be greeted with a window that has no settings, no preferences, and nothing to tweak (Figure A). When the Bitdefender window is open, click the Start Scan button. The scan will run and is incredibly fast. If the app finds a rootkit, it will automatically remove it and prompt you to restart the system.
Kaspersky’s take on rootkit removal is very similar to Bitdefender’s, at least in the way its tool functions. The biggest difference is that Kaspersky focuses only on the TDSS rootkits (Rootkit.Win32.TDSS, Tidserv, TDSServ, or Alureon), which are some of the nastiest in the wild. These rootkits began to spread in 2008 and are one of the primary causes for the unauthorized Google Redirect issue (users do a Google search, click on a resulting link, and are sent to a random page). Kaspersky’s TDSSKiller can also remove the Sinowa, Whistler, Phanta, Trup, and Stoned rootkits.
Another difference is that Kaspersky’s also offers settings that can be tweaked. Kaspersky’s TDSSKiller will remove or fix the following:
- Hidden service
- Blocked service
- Hidden file
- Blocked file
- Forged file
Here’s how you use Kaspersky’s TDSSKiller:
- Download the executable file from the download site.
- Move the .exe file to your USB drive.
- Move the USB drive to the infected machine.
- Double click the .exe file on the USB drive.
- When the Kaspersky’s window opens (Figure B), click the Start Scan button.
- If Kaspersky’s locates a rootkit, it will prompt you to take action.
To access the options it has in terms of what objects to scan, click the Change Parameters link.
One thing that is very important with Kaspersky’s is that if it does come up with results from the scan, make sure you know what you’re about to delete isn’t a false-positive. If Kaspersky does come back with a known rootkit, you will move the file to quarantine.
Bitdefender’s and Kaspersky’s offerings are a solid one-two punch that can be used to knock out a number of different rootkits. Keep these two tools on a USB drive, and you’ll be ready when a machine is compromised.