How to protect your computer from rootkits? Finding and removing rootkits (Rootkit)

There is no such thing as too much security. I have repeated this phrase and will keep repeating it. But computer security consists of many different parameters and boundaries; just listing them would take a lot of time, not to mention the long list of software and hardware. In this article I have collected several of the, in my opinion, most effective utilities for detecting and removing rootkits and other cunning malware on Windows. This is not a complete list, but rather an online reserve just in case: usually I carry them all on a flash drive kept for this purpose, but you never know, I might need one somewhere without that flash drive at hand. I warn you right away that this is a rather specialised toolkit, so if you are not confident in your abilities or don’t know what these tools are and what they are for, just pass by.



RkUnhooker is, in my opinion, the most powerful program for detecting rootkits and fighting other malware. It detects and removes hooks in the system service table (SSDT) and inline code hooks, and shows all hidden drivers, processes and files. Through RkUnhooker you can kill the files of running processes, including overwriting them with empty data so they cannot run again, take process memory dumps for analysis, and much more. It is well protected against external interference and modification of its own executable. A Russian-language interface is available. Unfortunately, the project is currently closed.
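To make concrete what "detecting hooks in the system service table" means, here is an added example written for this article; it is not code from RkUnhooker or any other tool mentioned here. It models the check an anti-rootkit performs: every entry of the service dispatch table is compared against a baseline recorded on a clean system, and any changed entry is attributed to the loaded module that owns the new address. The module map, the baseline, the service indices and all addresses are constructed for the example and are not real Windows kernel values; the driver name `evil.sys` is hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed loaded-module map: name -> (base, size). The addresses are invented
# for this example and are not real Windows kernel addresses.
MODULE_MAP = {
    "ntoskrnl.exe": (0xFFFFF80000000000, 0x00800000),
    "hal.dll":      (0xFFFFF80001000000, 0x00100000),
    "evil.sys":     (0xFFFFF88003000000, 0x00010000),  # hypothetical third-party driver
}

# Constructed trusted baseline recorded on a clean system: service index -> (name, address).
BASELINE = {
    0x0036: ("NtQuerySystemInformation", 0xFFFFF80000412340),
    0x003A: ("NtQueryDirectoryFile",     0xFFFFF80000423ABC),
    0x0052: ("NtOpenProcess",            0xFFFFF8000045E000),
}

# Constructed "live" table in which NtQueryDirectoryFile has been redirected into evil.sys,
# the classic way a rootkit filters directory listings to hide its own files.
SAMPLE_LIVE_TABLE = {
    0x0036: 0xFFFFF80000412340,
    0x003A: 0xFFFFF88003001230,
    0x0052: 0xFFFFF8000045E000,
}


@dataclass(frozen=True)
class Finding:
    index: int
    name: str
    expected: int
    actual: Optional[int]
    owner: Optional[str]
    reason: str


def owner_of(addr, module_map):
    """Name of the loaded module whose address range contains addr, or None if unbacked."""
    for name, (base, size) in module_map.items():
        if base <= addr < base + size:
            return name
    return None


def check_table(live_table, baseline=BASELINE, module_map=MODULE_MAP, trusted=("ntoskrnl.exe",)):
    """Compare each baseline entry with the live table and explain every deviation."""
    findings = []
    for index, (name, expected) in sorted(baseline.items()):
        actual = live_table.get(index)
        if actual == expected:
            continue
        owner = None if actual is None else owner_of(actual, module_map)
        if actual is None:
            reason = "entry missing from live table"
        elif owner in trusted:
            reason = "address differs from baseline but stays inside the kernel image (re-record the baseline and compare again)"
        elif owner is None:
            reason = "points into memory backed by no loaded module"
        else:
            reason = f"redirected into {owner}"
        findings.append(Finding(index, name, expected, actual, owner, reason))
    return findings


def describe(finding):
    """One report line per finding, in the style of an anti-rootkit log."""
    actual = "missing" if finding.actual is None else f"0x{finding.actual:016X}"
    return (f"[{finding.index:#06x}] {finding.name}: expected 0x{finding.expected:016X}, "
            f"actual {actual} -> {finding.reason}")


if __name__ == "__main__":
    for finding in check_table(SAMPLE_LIVE_TABLE):
        print(describe(finding))
```

The two pieces of information an analyst needs are exactly the ones the report carries: which service was redirected (a hooked `NtQueryDirectoryFile` is how files get hidden) and which driver now owns the target address. An address that belongs to no loaded module at all is the more worrying case, because it suggests code living in memory the driver list does not account for.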

Tuluka.Kernel.Inspector.1.0.394.77.zip (2,893,650 bytes)


This category covers various programs for finding and removing rootkits. The greatest danger of such malware is that it gains control at the operating system kernel level. Simply put, it becomes part of the operating system and can do whatever it wants: hide processes, block access, make your computer part of a botnet, download further programs, and much more. At the same time, you may not even suspect that you have a rootkit, because its main task is not to break or otherwise disrupt the system (although such cases exist) but to act covertly for a long time. Some rootkits are even capable of blocking antivirus programs.

Review of free programs for rootkit removal

There are many programs to combat rootkits, but most of them are intended for technically savvy users who know their operating system well. Such programs are unlikely to suit ordinary users. However, this class of programs includes several options that do not require special technical knowledge and are just as effective.

Kaspersky TDSSKiller rootkit removal program from the company of the same name

One of the best solutions is Kaspersky TDSSKiller. This program has a fairly simple and intuitive interface, works quite quickly and is capable of detecting a large number of rootkits.

In fact, it is difficult to recommend them to ordinary users, because the results may look to them like a set of incomprehensible symbols (the output is purely technical; there are no reassuring phrases such as “The utility cleaned everything itself” or “You have nothing to worry about”). Usually you need to act quickly, so these programs are the last thing you remember. But if you have somehow caught a particularly rare and hard-to-clean rootkit, they become invaluable assistants in the fight for your computer, because they provide a huge amount of useful information.

Avast Anti-Rootkit rootkit removal program from a well-known manufacturer

The interface resembles a command-line window, but don’t be put off: it is very simple and easy to use. This program can scan your computer and its MBR for rootkits and detect a number of other problems. Ordinary users may find the results a little hard to read, but the program does its job well. It found TDSS and a number of other modern rootkits just as well as TDSSKiller did, although there were some minor problems when removing them. The program has one important function that is sometimes hard to do without when removing rootkits: the ability to run FixMBR directly from Windows. Normally this requires booting from a Windows recovery disc or a LiveCD; here you just click the FixMBR button. That is why you should always keep such a program with you.

Antivirus tool Dr.Web CureIt!: useful for prevention

The next product in the review is Dr.Web CureIt!. You should always keep it with you. CureIt! is not a full-fledged tool for finding and removing rootkits like the other programs discussed earlier; it is more of a free malware scanner, essentially a mini-antivirus. Still, it is quite effective against a number of rootkits, although it cannot be guaranteed to catch all of them, so it is better used as an addition to the main anti-rootkit tool. It is worth noting that it creates a fairly secure execution environment while scanning: the fact that it stops all other processes is only a plus, since malware may try to block its operation. It can also perform a deep scan of your disk and reboot into safe mode to search for and remove malware.

More utilities for finding and removing rootkits

Sophos Anti-Rootkit (now called Sophos Virus Removal Tool; unfortunately it has become a trial, though old versions can perhaps still be found on file-hosting sites) is a good and easy-to-use program, without the ability to choose the scan type (it scans everything). But, just like CureIt!, it can hardly be called a specialised program for searching for and removing rootkits. That is, it can also be used as an addition to the main product, although unlike CureIt! it requires installation. The workflow is very simple: you run the scan and wait for the results. After the search is completed, a list of detected threats appears in the interface, and you can expand each threat to see exactly where the components of that particular threat are located. It would perhaps be an excellent utility for finding and removing rootkits if it had not been reoriented from a specialised tool into a mini-antivirus.

F-Secure BlackLight (unfortunately the site is unavailable; you need to look for the version on file-hosting sites) is another great tool for removing rootkits. Unfortunately, support for it ended a couple of years ago, and now you can't even find it on the F-Secure website. However, it is still available on the Internet and is compatible with Windows Vista and XP. If you try to run it on Windows 7, be prepared to see a dialog box that says "incompatible error."

BlackLight is good at finding and removing old rootkits, but expecting it to be able to detect the latest rootkits would be a grave mistake. That is why it is still recommended to use other programs.

Quick Guide (Links to download free rootkit removal software)

Kaspersky TDSSKiller

Pros: Simple and intuitive interface. Works quickly. Copes with known modern rootkits.
Cons: It looks like the program only recognizes a small range of rootkits.

GMER

Pros: Great tool with detailed technical scan reports.
Cons: There is no help file, but there is information on the Internet. Not suitable for general users.

Avast Anti-Rootkit

Pros: Works well. Detects most rootkits. Easy to use. The "FixMBR" feature in Windows is invaluable.
Cons: The results are sometimes difficult to understand. When trying to remove some rootkits it froze.

Dr.Web CureIt!

Pros: Stops processes. Creates its own execution environment.
Cons: Cannot be used as the main means of combating rootkits.

Are you sure that you are the sole owner of your computer? If you suspect that it is living a life of its own, then it’s time to think about whether you are being spied on.

The first such programs appeared about 20 years ago, mainly on Unix, which is where the term rootkit comes from. Root means "root" and is used in this context to denote the superuser role, which has unrestricted access to the system. Kit means a set of tools, so a rootkit is a set of tools for obtaining unlimited access. They are most common on Windows, but are now increasingly spreading to Android as well.

What type of malware are rootkits?

Many PC users do not know what rootkits are and how dangerous they are, thinking that they are ordinary viruses. In reality, everything is much more complicated. Initially, this type of malware was conceived as a kind of “add-on” to existing viruses and spyware, making their presence and interference in the system invisible to the victim.


Over time, rootkits have evolved and today represent a complete set of software for carrying out almost any attacker’s plans. Stealing information, passwords and bank card data, monitoring online activity, installing and uninstalling software: this is far from everything that can be done with their help. In effect, they provide unlimited possibilities for remote control of an infected PC over the network.

Thus, rootkits are a separate class of malware, alongside viruses, Trojans and worms. The infection method is no different: other people’s flash drives, visits to unreliable sites, files in received mail... Usually one small file is enough; it installs itself deep inside the operating system, and then, unnoticed by the user, additional malicious software is downloaded.

Why are rootkits dangerous?

Having figured out what rootkits are, let's find out why they are dangerous. First of all, there is their invisibility to the standard antivirus software and firewalls that most users have. By embedding themselves in system files or memory, they can remain undetected for years and do their “dirty” work.


As already mentioned, installing the “correct” rootkit means that an attacker’s actions to control your computer are limited only by his imagination. Even if you do not have credentials or bank cards that are valuable to scammers, this does not mean that they are not interested in you. Hackers can use your PC to commit illegal actions, for which you will have to answer.

Often, attackers create entire networks of infected PCs, introducing remotely controlled bots into them. With their help, massive DDoS attacks are carried out that can bring down the most reliable servers. In other words, you can play Farm Frenzy without even realizing that your computer is currently involved in a hacker attack on the White House website.

Finding and removing rootkits

Before you can remove a virus, you need to find it, which is not always easy. Therefore, if you suspect an infection and the data on the disks is not particularly valuable, the easiest way to get rid of the “infection” is to reinstall the system with a full format.

If you are ready to “take the fight,” then you will need software to remove rootkits. Of the well-proven ones, it is worth mentioning RootkitBuster, Anti-Rootkit, TDSSKiller and Bitdefender Rootkit Remover. All of them are quite easy to use, and most have a Russian-language interface.

A rootkit is a special program or set of programs that is designed to hide the traces of an attacker or malicious program on the system. Having received such “good” on your computer, you provide the hacker with the opportunity to connect to it. He gains access to control your computer and the further actions of the “pest” depend only on his imagination.

In addition, everything is aggravated by the fact that rootkits actively prevent their detection and it is sometimes quite difficult to do this using standard antiviruses. Simply put, you give access to your computer without even knowing it and the attacker uses your data without you noticing.

The lesson plan is below:

How to remove a rootkit using TDSSKiller.

Since rootkits can generally hide from simple antivirus programs, special programs usually come to the rescue in removing them. First in line we have a program from Kaspersky Lab, which gave us a wonderful antivirus. You can download the utility from the official Kaspersky website in the "Support" section: expand the section “How to cure an infected system” and follow the download link.

We wait for the program to scan and, if necessary, cure the operating system. Fortunately, no threats were detected on my computer.

When threats are found, they are automatically neutralized. The remarkable thing is that treatment does not even require a reboot.

How to remove a rootkit using RootkitBuster.

The second program that we will consider is called RootkitBuster and you can download it from the official website. The advantage of the program is that it does not require installation on a computer.

On the next page, select the version of Windows for which you need to download the program. I explained how to find out the bitness of the operating system in my lesson about . Next, in the window, click the “Use HTTP Download” button and save the file to your computer.

After downloading, right-click on the file and select “Run as administrator.” You will need to wait a little. A new window will open in which you need to check the box to accept the license agreement and click the "Next" button.

You will be taken to the main program window, where to scan you will need to click the “Scan Now” button, and you need to leave a check mark on all items in the left column, except for “File Streams” (on 64-bit systems the number of settings may be less).

After scanning, you will receive notifications about detected suspicious files. You can select these files with checkmarks and click the "Fix Now" button at the bottom. During the process of removing rootkits, you may be asked to restart your computer, be sure to agree.

How to remove a rootkit using Sophos Anti-Rootkit

And finally, let's look at another utility that helps get rid of rootkits. It will be useful to you if the first two did not work for you or you did not like them.

We launch the program, leave all the checkboxes in the scanning settings and press the "Start scan" button.

The search for rootkits can take quite a long time. At the end, you will receive a full report of the problems found in the form of a list. I note that there is one peculiarity here. When you select a found file in the list after scanning, its description appears in the window below. If the "Removable" line contains the value "Yes (but clean up not recommended for this file)", then it is not recommended to delete this file, since it is a system file and its deletion may affect the operation of the entire operating system.

You can safely select all other entries that do not have the line indicated above and delete them using the "Clean up checked items" button. In my example, I did not wait for the scanning to finish and in the screenshot below I showed the removal process just as an example.

These are the three methods you can use to remove rootkits from your computer. The programs are all very easy to use and do not require any special knowledge. Choose the method you find most convenient. Also, some antivirus products have already begun to build in such protection, so when choosing an antivirus solution, pay attention to its built-in protection against rootkits.


A computer virus is a program that operates covertly and causes harm to the entire system or to some individual part of it. Every second programmer has encountered this problem. There is not a single PC user left who does not know what

Types of computer viruses:

  1. Worms. These are programs that clutter the system by constantly reproducing and copying themselves. The more of them there are in the system, the slower it works. There is no way the worm can merge with any safe program. It exists as a separate file(s).
  2. Trojans merge with harmless programs and disguise themselves inside them. They do not cause any damage to the computer until the user runs the file that contains the Trojan. These viruses are used to delete and change data.
  3. Spyware collects information. Their goal is to detect codes and passwords and transfer them to the person who created them and launched them on the Internet, in other words, to the owner.
  4. Zombie viruses allow a hacker to control an infected computer. The user may not even know that his PC is infected and someone is using it.
  5. Blocking programs prevent you from logging into the system at all.

What is a rootkit?

A rootkit is one or more programs that hide the presence of unwanted applications on a computer, helping attackers operate undetected. It can bundle the full range of malware functions. Since such an application is often located deep inside the system, it is extremely difficult to detect with an antivirus or other security tools. A rootkit is a set of software tools that can read stored passwords, scan various data, and disable PC security. In addition, there is a backdoor function, meaning that the program gives the hacker the opportunity to connect to the computer remotely.

In other words, a rootkit is an application that is responsible for intercepting system functions. For the Windows operating system, the following popular rootkits can be identified: TDSS, Necurs, Phanta, Alureon, Stoned, ZeroAccess.

Varieties

There are several variants of these malicious programs. They can be divided into two categories: user-mode and kernel-mode (kernel-level) rootkits. Rootkits of the first category have the same capabilities as regular applications that can be run on the device, and they operate inside the memory of already running programs. This is the most common option. Rootkits of the second category sit deep in the system and have full access to the computer. If such a program is installed, the hacker can do almost whatever he wants with the attacked device. Rootkits of this level are much more difficult to create, which is why the first category is more common. But a kernel-level rootkit is not at all easy to find and remove, and ordinary protection against computer viruses is often completely powerless here.

There are other, rarer variants of rootkits. These programs are called bootkits. The essence of their work is that they gain control of the device long before the operating system starts. More recently, rootkits have been created to attack Android smartphones. Hacker technologies develop in the same way as ordinary software: they keep up with the times.
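Because a bootkit takes control from the boot sector before the operating system starts, the defender's check is a check of that sector itself, which is also what the FixMBR function mentioned in the Avast review exists to repair. The following is an added example written for this article, not code from any of the tools reviewed: it parses a 512-byte master boot record, verifies the 0x55AA signature and the partition table, and compares a hash of the bootstrap code with a hash recorded on a clean system. The sample sector is constructed inline; the device path in `read_mbr` is only an illustration of how a real sector would be obtained.

```python
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446          # bootstrap code occupies bytes 0..445
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xAA"     # bytes 510..511


def build_sample_mbr():
    """Constructed MBR for this example; it is not taken from any real disk."""
    boot_code = bytes([0xEB, 0x63, 0x90]) + b"\x90" * (TABLE_OFFSET - 3)   # short jump + NOP filler
    # One active (0x80) partition of type 0x07 starting at LBA 2048 with 1,000,000 sectors.
    entry = struct.pack(ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    return boot_code + entry + b"\0" * 48 + SIGNATURE      # three empty slots, then signature


def parse_mbr(sector):
    """Split a raw sector into signature check, bootstrap-code hash and partition entries."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue                                  # empty slot
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector, known_good_boot_hash):
    """Return a list of problems; an empty list means the sector matches the recorded baseline."""
    info = parse_mbr(sector)
    problems = []
    if not info["signature_ok"]:
        problems.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_boot_hash:
        problems.append("bootstrap code differs from the recorded baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        problems.append(f"expected exactly one active partition, found {len(active)}")
    for p in info["partitions"]:
        if p["lba_start"] < 1 or p["sectors"] == 0:
            problems.append(f"partition {p['index']} has an invalid extent")
    return problems


def read_mbr(device_path):
    """Read the first sector of a raw device; read-only, but it needs administrator/root rights.
    Illustrative paths: r"\\\\.\\PhysicalDrive0" on Windows, "/dev/sda" on Linux."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]        # record this on a known-clean system
    print("clean sector:", check_mbr(clean, baseline) or "no problems")
    tampered = bytearray(clean)
    tampered[0x10] ^= 0xFF                                  # one byte of bootstrap code changed
    print("tampered sector:", check_mbr(bytes(tampered), baseline))
```

The partition table and signature checks catch corruption, but a bootkit keeps both intact and changes only the bootstrap code, so the hash comparison against a baseline recorded while the machine was clean is the check that matters. Record that baseline right after installation, keep it off the machine, and re-check it whenever boot behaviour changes.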

Homemade rootkits

A huge number of infected computers are located on the so-called zombie network and are used to send spam messages. At the same time, users of these PCs do not suspect anything about such “activity”. Until today, it was common to think that only professional programmers could create these networks. But very soon everything could change dramatically. You can actually find more and more tools for creating virus programs on the Internet. For example, using a kit called Pinch, you can easily create a rootkit. The basis for this malware will be the Pinch Builder Trojan, which can be enhanced with various functions. This application can easily read passwords in browsers, recognize entered data and send it to scammers, and cleverly hide its functions.

Ways to infect a device

Initially, rootkits are introduced into the system in the same way as other virus programs. If a plugin or browser is vulnerable, it will not be difficult for the application to get onto your computer. Flash drives are often used for these purposes. Sometimes hackers simply leave flash drives in crowded places, where a person can take the infected device with them. This is how a rootkit gets onto the victim’s computer. This leads to the application exploiting the weaknesses of the system and easily gaining dominance in it. The program then installs auxiliary components that are used to control the computer from a distance.

Phishing

Often the system is infected through phishing. There is a high possibility of code getting onto your computer during the process of downloading unlicensed games and programs. Very often it is disguised as a file called Readme. We should never forget about the dangers of software and games downloaded from unverified sites. Most often, the user launches a rootkit on his own, after which the program immediately hides all signs of its activity, and it is very difficult to detect it later.

Why is a rootkit difficult to detect?

A rootkit intercepts data from various applications. Sometimes the antivirus detects these actions immediately. But often, once the device has been infected, the rootkit hides all information about the state of the computer: traces of its activity have already disappeared, and information about the harmful software has been deleted. Obviously, in such a situation the antivirus has no way to find any signs of a rootkit and try to eliminate it. But, as practice shows, antivirus products are capable of containing such attacks, and the companies that produce security software regularly update their products and add information about new vulnerabilities.
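When a rootkit filters what the system reports, the standard counter-measure (used by anti-rootkit tools such as the ones in the review, which list "hidden" processes, drivers and files) is a cross-view comparison: collect the same inventory through two independent paths and treat anything present in the low-level view but missing from the high-level one as hidden. The following is an added example written for this article, not code from any of the tools described. The core comparison runs on constructed data so it works anywhere; the two Linux collectors, which compare the `/proc` directory listing against a direct probe of every possible pid, are included to show what two genuinely different views look like in practice. The process names in the sample are invented.

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


def cross_view_diff(api_view, raw_view):
    """Entries that the low-level (raw) view contains but the high-level (API) view does not."""
    visible = {p.pid for p in api_view}
    return sorted((p for p in raw_view if p.pid not in visible), key=lambda p: p.pid)


# Constructed sample: what a high-level process listing reported versus what a
# low-level walk found. Pid 1337 and its name are invented for the example.
API_VIEW = [Proc(4, "System"), Proc(612, "csrss.exe"), Proc(2040, "explorer.exe")]
RAW_VIEW = API_VIEW + [Proc(1337, "svch0st.exe")]


def _status(pid):
    """Parse /proc/<pid>/status into a dict, or None if the pid is gone or unreadable."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            return {k: v.strip() for k, v in (line.split(":", 1) for line in fh if ":" in line)}
    except OSError:
        return None


def linux_listdir_view():
    """High-level view: the /proc directory listing, which is what `ps` relies on."""
    procs = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            status = _status(int(entry))
            if status is not None:
                procs.append(Proc(int(entry), status.get("Name", "?")))
    return procs


def linux_probe_view(max_pid=None):
    """Low-level view: ask the kernel about every candidate pid instead of trusting the listing."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    procs = []
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)              # signal 0: existence check only, nothing is delivered
        except ProcessLookupError:
            continue
        except PermissionError:
            pass                         # exists but belongs to another user
        status = _status(pid)
        # Thread ids also answer kill(2) but are absent from the listing; they are not
        # hidden processes, so keep only entries whose thread-group id is the pid itself.
        if status is None or status.get("Tgid") != str(pid):
            continue
        procs.append(Proc(pid, status.get("Name", "?")))
    return procs


if __name__ == "__main__":
    print("constructed sample, hidden entries:", cross_view_diff(API_VIEW, RAW_VIEW))
    if os.path.isdir("/proc"):
        # Processes that start between the two collections show up as false positives;
        # re-run and keep only entries that persist across runs.
        print("live Linux check, hidden entries:",
              cross_view_diff(linux_listdir_view(), linux_probe_view()))
```

The same idea applies to files (directory listing versus raw file-system parsing) and to registry keys (API enumeration versus parsing the hive files): the rootkit has to lie consistently in every path, and each extra view is another place its story can fail.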

Search for rootkits on your computer

To find rootkits, you can use various utilities created specially for this purpose. Kaspersky Anti-Virus copes well with this task: you just need to check your device for all kinds of vulnerabilities and malware. Such a check is very important for protecting the system from viruses, including rootkits. Scanning detects malicious code that the regular protection against unwanted programs could not detect. In addition, the search helps to find operating system vulnerabilities through which attackers can distribute malicious programs and objects. Looking for suitable protection? Kaspersky is quite suitable for you. A rootkit can be detected simply by running a periodic search for these threats on your system.

To search for such applications in more detail, you need to configure your antivirus to check the operation of the most important system files at the lowest level. It is also very important to ensure a high level of self-protection of the antivirus, since a rootkit can easily disable it.

Checking drives

In order to be sure that your computer is safe, you need to check all portable drives when you turn them on. Rootkits can easily penetrate your operating system through removable disks or flash drives. Kaspersky Anti-Virus monitors absolutely all removable devices when they are connected to the device. To do this, you just need to set up a drive scan and be sure to keep your antivirus updated.

Removing a rootkit

There are many challenges in fighting these malicious applications. The main problem is that they are quite successful at resisting detection, hiding their registry keys and all their files in such a way that antivirus programs cannot find them. There are helper programs for removing rootkits; these utilities search for malware using various methods, including highly specialised ones. You can download a fairly effective program called GMER, which will help destroy most known rootkits. The AVZ program can also be recommended; it successfully detects almost any rootkit. How do you remove dangerous software with this program? It is not difficult: set the required options (the utility can either send infected files to quarantine or delete them on its own), then select the type of scan, full PC monitoring or partial. Then run the scan itself and wait for the results.

The special program TDSSkiller effectively fights the TDSS application. AVG Anti-Rootkit will help remove remaining rootkits. It is very important after using such assistants to check the system for infection using any antivirus. Kaspersky Internet Security will cope with this task perfectly. Moreover, this program is capable of removing simpler rootkits through its disinfection function.

You must remember that when searching for viruses with any security software, you should not open any applications or files on your computer. Then the check will be more effective. Naturally, you must remember to regularly update your antivirus software. The ideal option is daily automatic (set in the settings) program update, which occurs when connected to the Internet.