The Gang of Five

Rootkits

F-14 Ace

Rootkits are pure evil, plain and simple.  If you don't know what a rootkit is, it's a form of malware that burrows deep into your files and makes itself almost impossible to detect or remove with regular antivirus software.  They install viruses, spyware, and malware, change settings, and basically cause all kinds of trouble.  And they're a real pain in the butt to get rid of.

I had the misfortune of getting the 0access.h rootkit from an infected email (I accidentally clicked on it) and had to do a complete reinstall of my OS to get rid of it, and I'm still nervous because I have heard that this one is sometimes capable of surviving a reinstall.  I have not seen any indication that it is still on here but I'm still nervous.  I'd sure like to find the creeps who create these rootkits and give them a few good whacks in the head with a baseball bat for all the trouble they cause.  The world would be a better place without them.

So for our more computer savvy users, any thoughts on the matter?  How would you go about removing a rootkit (specifically the 0access.h rootkit) permanently?  Is there a way to do it without having to reinstall the operating system?


DarkHououmon

There are some programs that can detect rootkits and remove them. Gmer is one. Threatfire adds an extra layer of protection and can detect things like rootkits before they can install. Great programs are host intrusion prevention systems, such as Defensewall and Geswall (which I used at one time), as they prevent unwanted changes from being made to the system.


F-14 Ace

I tried every kind of removal software I could find but it just kept coming back each time I rebooted.


pokeplayer984

There are actually Anti-Rootkit Systems out there.  However, you need to be careful with them.  Basically, unless you know what you are doing, you could end up deleting an important file.

The absolute best solution without it costing you a penny is to download one of the following in the link below.

http://www.windowsreference.com/security/l...re-for-windows/

What they will essentially do is scan your system in the places where rootkits do tend to hide.  At this point, you have the power to delete whatever file you wish from those areas.  This is why you have to know what you are doing.  Unless you know the file, chances are you are going to cause problems for yourself.  It is best to show the list to someone who really knows what kind of files go into the area where the rootkit is and have them tell you what you should delete.

Also, note that after you delete the main rootkit, there will likely be other malware files left behind by it.  Still if you give your computer a good scan with Malwarebytes and other protection software of that level, you should be able to remove most of it.

Remember, rootkits are tricky little buggers to get rid of and you have to know what you are doing before attempting to get rid of them.

Best of luck! :)



F-14 Ace

I'm pretty sure the rootkit is gone now but I'm worried about my external hard drive.  I plugged it into my computer to back up pictures and Word documents.  I didn't back up anything else and I only left it plugged in long enough to transfer the Word documents and pictures, but I don't know if the rootkit could have installed itself on the external hard drive or not.  I was in safe mode when I did the transfer but I'm afraid to plug the thing in.  The external hard drive contains the only backups of those pictures and Word documents that I have, so I'd rather not lose it.

I'm not sure how rootkits operate as far as infecting external devices, but I did have the thing plugged in to the computer while the computer was infected.  Would it be safe to plug it in while running in safe mode?


DarkHououmon

Booting into safe mode doesn't load up all the drives. Most malware will not function because of this. So yes, it is safer to plug a potentially infected external drive into a computer in safe mode than one in normal mode.

My recommendation is to update all your antimalware tools (antivirus plus any other program you use to scan with), then boot into safe mode without networking (this makes the malware even more powerless as it no longer receives instructions over the net). Run the scan on the external machine to see if it finds anything. Boot back into normal mode after that and see if it worked.

If the rootkit comes back, there's a number of places online you can go. Since you know the name of the rootkit, you can do searches and get specific help. It's also important to get second opinions; don't rely on just one person. Ask multiple people and see what they say before deciding on what course of action to take.