How to Remove RootKit Virus Infections

by Security Admin

After years of removing viruses and trojans from computers, I’ve found a really easy way to remove rootkits. First, you may ask, “What is a rootkit?” A rootkit is software designed to hide itself and to obscure the fact that the system has been compromised. Rootkits typically replace or hook vital system executables and drivers so that the files, processes and network connections the attacker has installed no longer show up to the tools running on that system. Because they subvert the operating system itself, rootkits usually evade the antivirus program installed to protect it, so they are usually not detected from inside the infected system; that is why the procedure below scans from outside the normal Windows session. Rootkits today usually get onto systems via malware and install themselves as drivers or kernel modules. A successfully installed rootkit lets the unauthorized user keep administrator-level access to the computer, usually through a “back door” the attacker can use whenever they want, so having one installed is a real security threat.

Back up your computer before running antivirus software. Always back up your important data before trying to clean an infected computer, to a CD, DVD or USB drive. This is necessary because removing a virus can leave the computer unable to function correctly, and you may have to reinstall Windows. Back up your documents rather than your programs: a backup taken from an infected machine may itself contain infected files, so scan it before restoring anything from it.

Steps to remove a rootkit

These steps are an overview. Each step is outlined below in detail.

  1. First, you need to obtain sav32cli.exe (the Sophos command-line scanner) and the latest virus identity (IDE) files. It is very important that every time you run this program you download a fresh set of IDE files, because the scanner can only detect what its identities describe.
  2. Burn the files to a CD
  3. Boot your computer into safemode with command prompt
  4. Put in CD
  5. Change to the CD by typing the drive letter followed by a colon, for example D: (use the letter of your CD drive; note that CD D: on its own only changes the directory on that drive and does not switch to it)
  6. Type SAV32CLI -P=C:\SCANLOG.TXT -DI and let the program scan your computer. -P= names the log file and -DI tells the scanner to disinfect what it finds; without it SAV32CLI only reports. Run SAV32CLI -H to confirm the switches your version supports. This may take hours to complete.
  7. Reboot and view the log file on your computer at C:\SCANLOG.TXT. This file will tell you what virus or rootkit you had on your computer and whether it was cleaned.

Your computer should now be cleaned up. You should now review your installed antivirus and firewall software you have installed and determine if it is up to date and functioning properly.

Obtain sav32cli.exe and IDE’s

 To get the sav32cli.exe software and the IDE files, use this link to the Sophos sav32cli.exe program and this link to obtain the IDE files. Download them on a clean computer, not on the infected one, so the rootkit cannot tamper with the download.

Burn the software to CD

Burn sav32cli.exe and the extracted IDE files to the root of a CD and close (finalize) the CD so that it can be read in any drive. A CD is preferred over a USB stick here because the infected machine cannot write to it.

How to get into safemode

To successfully remove a rootkit, you must boot into safe mode, which loads only a minimal set of drivers and keeps most rootkits from starting with Windows. (If the scan finds nothing but the symptoms remain, scan from a bootable rescue CD instead, so the infected Windows installation is not running at all.) Here is how:

  1. Restart your computer
  2. Once your computer starts booting, you will hear a beep. Immediately after this beep, press the F8 key repeatedly until you get to the Advanced Options menu.
  3. Select “Safe Mode with Command Prompt” and press Enter
  4. If it asks for credentials, enter your administrator username and password.
  5. You should now be in safemode.

Now that you’re in safe mode, insert your Sophos sav32cli disk and switch to your CD drive by typing its letter followed by a colon, for example D:. The drive may be D:, E:, F: and so on; every computer is different, so you may need to try each letter until you find the drive with the software on it. After switching to a drive, type DIR to list the files in the directory and look for SAV32CLI.EXE. Once you find the right drive, type SAV32CLI -P=C:\SCANLOG.TXT -DI and let it scan. The -DI switch asks SAV32CLI to disinfect what it finds; without it the scanner only reports (run SAV32CLI -H to see the switches your version supports).

Once it is done, then reboot and remove the CD.

Now review the log file scanlog.txt in the root of your C: drive. If it found a rootkit, the log will name it and record whether it was disinfected.
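Steps 5 to 7 of the procedure above (find the CD, run the scan, review the log), collected into one batch file as an added example. This is not code from the original article or from Sophos. It assumes the script is saved as CLEAN.CMD in the root of the same CD as SAV32CLI.EXE and the IDE files, that C: is the Windows drive, and that your build of SAV32CLI accepts the -P= (log file) and -DI (disinfect) switches; the findstr terms used to pick detection lines out of the log are a guess at the log's wording.

```batch
@echo off
rem Added example for the procedure above; not part of the original article.
rem Assumes: SAV32CLI.EXE and the IDE files are in the root of the CD, C: is the
rem Windows drive, and this build of SAV32CLI accepts -P= (log file) and -DI
rem (disinfect). Run SAV32CLI -H to check the switch list for your version.
setlocal
set LOGFILE=C:\SCANLOG.TXT

rem Step 5: locate the CD drive that actually holds SAV32CLI.EXE instead of
rem trying letters by hand. Note that "D:" switches drives; "CD D:" does not.
set SAVDRIVE=
for %%D in (D E F G H I J K L M) do (
    if exist %%D:\SAV32CLI.EXE set SAVDRIVE=%%D:
)
if "%SAVDRIVE%"=="" (
    echo SAV32CLI.EXE was not found on any drive D: to M:. Insert the CD and retry.
    exit /b 1
)
echo Using SAV32CLI from %SAVDRIVE%

rem Step 6: run from the CD root so the IDE files next to SAV32CLI.EXE are used.
rem Without -DI, SAV32CLI only reports what it finds; -REMOVE (delete infected
rem files) is the more aggressive alternative. Expect the scan to take hours.
%SAVDRIVE%
cd \
SAV32CLI -P=%LOGFILE% -DI
echo SAV32CLI exited with code %ERRORLEVEL%

rem Step 7: pull the detection lines out of the log instead of reading it all.
rem The search terms are a guess at how the log words detections; widen them
rem if your version phrases them differently.
if not exist %LOGFILE% (
    echo No log was written to %LOGFILE%; the scan did not run.
    exit /b 1
)
echo ==== Detections reported in %LOGFILE% ====
findstr /i /c:"virus" /c:"found" /c:"disinfect" /c:"removed" %LOGFILE%
if errorlevel 1 echo No detections were logged.
endlocal
```

From the safe-mode command prompt, type the CD drive letter (for example D:) and then CLEAN.CMD. The full log stays at C:\SCANLOG.TXT for review after the reboot; the findstr output is only a summary, so read the whole file if anything looks odd.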

Ok. So, you should be cleaned up and it’s time to review your security software. Determine whether you have antivirus software installed and whether it is running properly. If this is a daunting task for you, please be patient and take your time. It’s very important that your antivirus software is up to date and running properly. The typical scenario we run into is people having the antivirus software that came with their computer installed, but the “free trial” has run out and they are no longer protected. If this is the case, I’d recommend either purchasing the product already installed or uninstalling it and installing one of the recommended antivirus products on our home page. If your computer is over a year old, you really should get the latest antivirus software to protect you from the latest threats.
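One way to check the antivirus status described above from the command prompt instead of trusting the tray icon, as an added example that is not from the original article. It queries the Windows Security Center through WMI; Windows XP exposes the root\SecurityCenter namespace with separate flags, while Vista and later expose root\SecurityCenter2, where the state is packed into a numeric productState field. Whichever namespace does not exist on your version will simply report an invalid namespace.

```batch
@echo off
rem Added example, not from the article: ask Windows Security Center which
rem antivirus products are registered and what state they report.
rem Windows XP: root\SecurityCenter has onAccessScanningEnabled and
rem productUptoDate as separate TRUE/FALSE fields.
echo ==== Windows XP: root\SecurityCenter ====
wmic /namespace:\\root\SecurityCenter path AntiVirusProduct get displayName,versionNumber,onAccessScanningEnabled,productUptoDate

rem Windows Vista and later: root\SecurityCenter2 packs the same information
rem into the numeric productState bitmask; the product name and path tell
rem you which product is actually registered.
echo ==== Windows Vista and later: root\SecurityCenter2 ====
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName,productState,pathToSignedProductExe

rem An empty result set, onAccessScanningEnabled=FALSE or productUptoDate=FALSE
rem means the machine is not protected, which is the expired-trial situation
rem described above.
```

If the product listed is the pre-installed trial and it reports as not up to date or not scanning, that is the point at which to buy it or replace it.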

I hope this information helps in your quest to clean your virus infection up. Please post comments and questions below and we will try to help resolve your issues.
