How to Remove a Bootable Rootkit

Rootkits are one of the most pernicious forms of malware.

One of the most dangerous forms of malware on the Internet today is the rootkit. This type of program can quietly infect and control your computer for purposes like stealing passwords, sending junk email, or attacking other computers. Because rootkits actively hide themselves and can be injected into the boot process, special programs are required to combat them.

1 Preparation

Due to their nature, the best way to remove rootkits is with a series of programs. Many of the standalone rootkit-removal programs detect certain types of infections only. In addition, a specific rootkit may have defenses against some programs, so by running several, you increase the odds that the infection can be found and removed. Download the latest copies of Kaspersky TDSSkiller, Bitdefender Rootkit Remover, McAfee RootkitRemover, and GMER. You will need to choose either the 32-bit or 64-bit version of the Bitdefender program, depending on your Windows version. When you download the GMER program, take note of its randomly assigned filename.

2 Kaspersky TDSSkiller

TDSSkiller is designed to find and remove rootkits in the Alureon family, including TDSS and similar infections. Run this program either in Windows' normal mode or in Safe Mode with Networking, and update it if asked to. Remove any problems it finds by selecting “Cure” and following the instructions.

3 Bitdefender Rootkit Remover

Bitdefender's Rootkit Remover is aimed specifically at rootkits that compromise the MBR (Master Boot Record) to hide themselves. It is updated constantly with new definitions and the scan takes only a few seconds. Run the program in normal mode and reboot to clear the infection.

4 McAfee Rootkit Remover

McAfee's Rootkit Remover is a command-line tool that removes both the ZeroAccess and TDSS rootkit families. Start the program as administrator by right-clicking the file and selecting “Run as Administrator.” It will then scan the system and automatically remove any infections. Reboot afterwards.

5 GMER

GMER is an advanced program that can find many known types of rootkits, as well as activities that may be related to unknown rootkits. Start the program by double-clicking its randomly named file. Scan the computer. Any suspicious files will be highlighted. Some of the files may be legitimate files that have been altered by the rootkit. Delete any files that are known to be rootkit-related and disable highlighted files. Reboot and scan with standard anti-virus utilities.
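As an added example (not part of the original article), the PowerShell script below wraps steps 1 to 5: it picks the Bitdefender build matching the Windows bitness, asks for the randomly named GMER file you noted, refuses to launch any tool whose SHA-256 differs from the value you recorded from the vendor's page, reports its Authenticode status, and then starts it elevated. The vendor file names, the Downloads folder and the placeholder hashes in $ExpectedSha256 are assumptions; fill the hashes in before use.

```powershell
# Added example, not code from the article or from any of the vendors.
# Assumptions: tools sit in the Downloads folder under the file names below.
$Downloads = Join-Path $env:USERPROFILE 'Downloads'

# Step 1: the Bitdefender build must match the Windows bitness.
$BitdefenderExe = if ([Environment]::Is64BitOperatingSystem) {
    'BitdefenderRootkitRemover_x64.exe'   # assumed file name
} else {
    'BitdefenderRootkitRemover_x86.exe'   # assumed file name
}

# GMER's file name is random; enter the name you noted when downloading it.
$GmerExe = Read-Host 'Randomly named GMER executable (e.g. a1b2c3d4.exe)'

# Placeholders: replace with the SHA-256 each vendor publishes for its tool.
$ExpectedSha256 = @{
    'tdsskiller.exe'     = '<SHA256 FROM KASPERSKY>'
    $BitdefenderExe      = '<SHA256 FROM BITDEFENDER>'
    'RootkitRemover.exe' = '<SHA256 FROM MCAFEE>'
    $GmerExe             = '<SHA256 FROM GMER>'
}

function Invoke-RemovalTool {
    param([string]$Name)
    $path = Join-Path $Downloads $Name
    if (-not (Test-Path $path)) { throw "Missing download: $path" }

    # A tampered or wrong-architecture download is worse than no scan, so the
    # hash check is a hard stop.
    $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256[$Name].ToUpper()) {
        throw "SHA-256 mismatch for $Name (got $actual)"
    }

    # Authenticode status is reported, not enforced: not every tool is signed.
    $sig = Get-AuthenticodeSignature -FilePath $path
    Write-Host "$Name signature: $($sig.Status) $($sig.SignerCertificate.Subject)"

    # Steps 2-5: each tool needs administrator rights. Wait for it to exit,
    # then reboot before the next one, as the article instructs.
    Start-Process -FilePath $path -Verb RunAs -Wait
    Write-Host "$Name finished. Reboot, then rerun this script for the next tool."
}

# Article order: TDSSKiller, Bitdefender, McAfee, GMER. Answer 'n' to skip a
# tool you already ran before the last reboot.
foreach ($t in 'tdsskiller.exe', $BitdefenderExe, 'RootkitRemover.exe', $GmerExe) {
    if ((Read-Host "Run $t now? (y/n)") -eq 'y') { Invoke-RemovalTool -Name $t }
}
```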

6 Kaspersky Rescue Disk

If the previous programs fail to remove the infection, download the Kaspersky Rescue Disk. This is a separate operating system which includes full anti-virus software and other tools that can help you to repair your computer. Once the ISO disc image is downloaded, burn it to a writable CD. Reboot your computer with the disc in the drive and, if necessary, use the boot menu or change the BIOS boot order so that the computer boots from the CD. Many systems use “F12” to access the boot menu on startup, and many use “Del,” “F1” or “F2” to enter the BIOS setup. Check your computer's manual for specific instructions. Select the default options to boot the operating system. The virus scanner can be found on the “K” button menu, under “Kaspersky Rescue Disk.” Update the definitions and scan your machine.

7 Final Scan

After the system has been cleaned with the previous programs, apply updates and scan your computer with your regular anti-virus software. If you have none, try Avast or AVG Free Edition. For more protection, install Malwarebytes Anti-Malware and Spybot Search and Destroy to supplement your anti-virus program. All the programs mentioned are free or offer free versions.

David L. Secor is a computer repairman and writer from west Texas. He has been writing informational articles on a wide variety of subjects since approximately 2005. When not writing, he scours the desert for interesting photos, often ending up with nothing but embedded thorns for his efforts.
