It's one thing to find a rootkit, but quite another to remove it and any malware it's hiding. It may or may not be possible -- again, you'll never really know since a rootkit can interfere with your scanning and removal program. You still need to try.
I had good luck with both BlackLight and Anti-Rootkit in my test environment. Before you start cleaning house, though, make sure you have a backup of any important data files. Removing a rootkit with cleaning tools may actually leave Windows in an unstable or inoperable state depending on which files were infected and subsequently cleaned. Or, worse, a well-coded rootkit could conceivably detect the removal process and self-destruct taking your data out with it.
Again, having the right tools for the task is essential. To try and rid your system of a rootkit, you can use the two tools I demonstrated above. Figure 4 shows F-Secure's BlackLight in the removal phase of cleaning up Hacker Defender.
Figure 4: BlackLight: Hacker Defender removal phase
Using F-Secure's BlackLight to remove Hacker Defender
Similarly, with Sophos Anti-Rootkit, you can clean up rootkits pretty easily including Hacker Defender as shown in Figure 5.
Figure 5: Sophos Anti-Rootkit: Hacker Defender clean-up
There's another product already at commercial status (with a free 30-day evaluation version available) called UnHackMe that works very well. It has an easy-to-use GUI as shown in Figure 6 and its checks are extremely fast. UnHackMe can remove most of the "popular" Windows rootkits such as Vanquish, Hacker Defender, AFX and more.
Figure 6: UnHackMe
UnHackMe is a commercial alternative to the free tools currently available
Looking for more cleaning tools? Many people don't realize it, but you can even use Microsoft's Malicious Software Removal Tool and Windows Live OneCare online scanner to remove certain rootkits such as HackerDefender, so don't rule out those as an option.
Finding and removing a rootkit
Step 1: Is there a problem
Step 2: Choose the right scanning tool
Step 3: Clean up the mess
Step 4: Bulletproof your efforts
|About the author:|
|About the author: Kevin Beaver is an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has written six books, including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at firstname.lastname@example.org. Copyright 2006 TechTarget|