How to Remove a Bootable Rootkit
One of the most dangerous forms of malware on the Internet today is the rootkit. This type of program can quietly infect and control your computer for purposes like stealing passwords, sending junk email, or attacking other computers. Rootkits actively hide themselves from the operating system, and some inject themselves into the boot process so that they load before Windows and before any anti-virus software; a scanner running inside the infected system can then be fed a sanitized view of the disk and memory. Because of this, special-purpose programs, and in stubborn cases a scan from a separate bootable operating system, are required to combat them.
1 Download the Tools
Due to their nature, the best way to remove rootkits is with a series of programs. Many of the standalone rootkit-removal programs detect only certain families of infection, and a specific rootkit may have defenses against some of them, so by running several you increase the odds that the infection is found and removed. Download the latest copies of Kaspersky TDSSKiller, Bitdefender Rootkit Remover, McAfee RootkitRemover, and GMER from the vendors' own sites, ideally from a machine you trust. You will need to choose either the 32-bit or 64-bit version of the Bitdefender program, depending on your Windows version. When you download the GMER program, take note of its randomly assigned filename; it is randomized on purpose so that a rootkit cannot block the tool by name.
2 Kaspersky TDSSkiller
TDSSKiller is designed to find and remove rootkits in the TDSS family (also known as Alureon or TDL) and similar infections. Run this program in either Windows' normal mode or safe mode with networking, and update it if asked to. Remove any problems it reports by selecting "Cure" and following the instructions, then reboot if prompted.
3 Bitdefender Rootkit Remover
Bitdefender's Rootkit Remover is aimed specifically at rootkits that compromise the MBR (Master Boot Record) to hide themselves. Its definitions are updated regularly and the scan takes only a few seconds. Run the program in normal mode and reboot to clear the infection, because the repaired boot record only takes effect at the next startup.
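An MBR rootkit of the kind this step targets survives by rewriting the 446 bytes of bootstrap code in sector 0 of the disk, and sometimes by pointing the partition table somewhere unexpected. The following Python script is an added example for this article, not code from Bitdefender or any other tool named here; it reads a 512-byte MBR, checks the 0x55AA boot signature, compares the bootstrap code against a SHA-256 baseline you captured from a known-clean machine, and sanity-checks the four partition entries. The baseline, the "clean" bootstrap bytes and both sample MBRs are constructed for illustration.

```python
"""Inspect a 512-byte Master Boot Record for signs of tampering.

Added example for this article (not part of any tool it names). All
sample data below is constructed; capture your own bootstrap baseline
from a machine you know to be clean.
"""
import hashlib
import struct
from typing import List, NamedTuple, Optional, Sequence, Tuple

MBR_SIZE = 512
BOOTSTRAP_SIZE = 446          # x86 bootstrap code occupies bytes 0..445
TABLE_OFFSET = 446            # four 16-byte partition entries follow it
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


class Partition(NamedTuple):
    index: int
    status: int
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Return all four partition entries, including empty ones."""
    parts = []
    for i in range(4):
        status, _chs_s, type_id, _chs_e, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        parts.append(Partition(i, status, type_id, lba, count))
    return parts


def bootstrap_sha256(mbr: bytes) -> str:
    """Hash of the bootstrap code only; the partition table varies per machine."""
    return hashlib.sha256(mbr[:BOOTSTRAP_SIZE]).hexdigest()


def check_mbr(mbr: bytes, baseline_sha256: Optional[str] = None,
              disk_sectors: Optional[int] = None,
              slack_threshold: int = 2048) -> List[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings: List[str] = []
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)} (want {MBR_SIZE})"]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature is not 55AA")
    if baseline_sha256 is not None and bootstrap_sha256(mbr) != baseline_sha256:
        findings.append("bootstrap code differs from known-good baseline")

    parts = [p for p in parse_partitions(mbr) if p.type_id != 0 or p.sectors != 0]
    active = [p for p in parts if p.status == 0x80]
    if len(active) > 1:
        findings.append(f"{len(active)} partitions flagged active; expected at most one")
    last_end = 0
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append(f"entry {p.index}: invalid status byte 0x{p.status:02x}")
        if p.sectors == 0 or p.lba_start == 0:
            findings.append(f"entry {p.index}: zero-length or zero-offset partition")
        last_end = max(last_end, p.lba_start + p.sectors)
    spans = sorted((p.lba_start, p.lba_start + p.sectors, p.index) for p in parts)
    for (_s1, e1, i1), (s2, _e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"entries {i1} and {i2} overlap")
    # Unpartitioned space after the last partition is where TDSS-family
    # bootkits keep their hidden storage, so report anything beyond a
    # small alignment gap for manual inspection.
    if disk_sectors is not None and disk_sectors - last_end > slack_threshold:
        findings.append(f"{disk_sectors - last_end} unpartitioned sectors after the last partition")
    return findings


def build_mbr(bootstrap: bytes, entries: Sequence[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a test MBR from bootstrap code and (status, type, lba, count) tuples."""
    table = b"".join(struct.pack(ENTRY_FMT, st, b"\0\0\0", ty, b"\0\0\0", lba, cnt)
                     for st, ty, lba, cnt in entries).ljust(64, b"\0")
    return bootstrap.ljust(BOOTSTRAP_SIZE, b"\0") + table + BOOT_SIGNATURE


def read_physical_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk (elevated prompt on Windows, root on Linux)."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


# Constructed "known clean" bootstrap: a few bytes in the style of a stock
# MBR, zero padded. On a real system hash the code from a clean install.
CLEAN_BOOTSTRAP = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4").ljust(BOOTSTRAP_SIZE, b"\0")
CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1843200)])
BASELINE = bootstrap_sha256(CLEAN_MBR)

# Constructed "tampered" MBR: the first instruction is replaced by a jump,
# and a second partition is marked active.
TAMPERED_MBR = build_mbr(b"\xeb\x3c" + CLEAN_BOOTSTRAP[2:],
                         [(0x80, 0x07, 2048, 204800), (0x80, 0x07, 206848, 1843200)])

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE, disk_sectors=2050048))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE, disk_sectors=2054144))
```

Run it against the sample data first; to check a real disk call `read_physical_mbr()` from an elevated prompt. One caveat matters: a rootkit that hooks disk I/O can hand any program running on the infected Windows a clean copy of sector 0, which is exactly why the article falls back to a rescue disk. Read the sector from a separate boot environment, or from a disk image taken while the system is powered off, before trusting a clean result.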
4 McAfee Rootkit Remover
McAfee's RootkitRemover is a command-line tool that removes both the ZeroAccess and TDSS rootkit families. Start the program as the administrator by right-clicking the file and selecting "Run as Administrator." It will then scan the system and automatically remove any infections it finds. Reboot afterwards.
5 GMER
GMER is an advanced program that can find many known types of rootkits, as well as hidden processes, services, files and hooks that may indicate an unknown rootkit. Start the program by double-clicking its randomly named file and scan the computer. Any suspicious items will be highlighted in red. Some of them may be legitimate files that have been altered by the rootkit, and some may be legitimate drivers, so check a name before acting on it. Delete any files that are known to be rootkit-related and disable the other highlighted items. Reboot and scan with standard anti-virus utilities.
6 Kaspersky Rescue Disk
If the previous programs fail to remove the infection, download the Kaspersky Rescue Disk. This is a separate operating system which includes full anti-virus software and other tools that can help you to repair your computer, and because it boots instead of Windows, a rootkit on the hard disk is not running while it scans. Once the ISO disc image is downloaded, burn it to a writable CD. Reboot your computer with the disc in the drive and use the boot menu, or change the boot order in the BIOS setup, to boot from CD if necessary. Many systems use "F12" to access the boot menu on startup and many use "Del," "F1" or "F2" to enter the BIOS setup; check your computer's manual for specific instructions. Select the default options to boot the operating system. The virus scanner can be found on the "K" button menu, under "Kaspersky Rescue Disk." Update the definitions and scan your machine.
7 Final Scan
After the system has been cleaned with the previous programs, apply Windows updates and scan your computer with your regular anti-virus software. If you have none, try Avast or AVG Free Edition. For more protection, install Malwarebytes Anti-Malware and Spybot Search and Destroy to supplement your anti-virus program. All the programs mentioned are free or offer free versions. Bear in mind that a rootkit has had full control of the machine, so change any passwords that were typed on it while it was infected, and for a computer that handles anything sensitive consider reinstalling Windows from trusted media rather than relying on a cleanup alone.