Possible Rootkit

admin
15 September 2023

Question:

I was redirected to this website from lenovo.com because I detected a rootkit which I have not been able to remove!
The rootkit was detected by GMER and was not given any name. GMER detected changes to the master boot record, hidden files in system32 and rootkit behavior. I removed all threats with GMER and reprogrammed the master boot record, but I still have suspicious activities on my computer. My firewall has a lot of listings which say XXXX-server and a lot of strange network connections, even when all programs are closed. Please help.

Answer:

Discovering and dealing with a suspected rootkit infection can be challenging, but it’s crucial to take immediate action to secure your computer. Below, I’ll provide you with a structured guide to address this issue:

1. Confirming the Rootkit Infection

Before proceeding with the removal process, it’s essential to confirm whether your computer is indeed infected with a rootkit. While GMER detected suspicious behavior, it’s wise to get additional confirmation. You can use reputable anti-rootkit tools such as TDSSKiller or Kaspersky’s TDSS Rootkit Remover to scan your system.

2. Back Up Your Data

Before making any significant changes to your system, back up your important data to an external storage device or cloud service. This ensures that your data is safe in case you need to perform drastic measures like a system reinstall.

3. Isolation and Offline Scanning

To prevent the rootkit from causing further damage or communicating with its control server, consider disconnecting your computer from the internet. You can also boot into Safe Mode or use a Live CD/USB with a trusted antivirus scanner to perform a thorough offline scan of your system.

4. Removing the Rootkit

Once you have confirmed the presence of a rootkit, take these steps for removal:

  • Use Reputable Antivirus and Anti-Malware Tools: Run a full system scan using reputable antivirus and anti-malware programs. Make sure your virus definitions are up to date. Some popular options include Malwarebytes, AVG, and Avast.
  • Manual Removal (Advanced Users): If the rootkit is particularly stubborn, you may need to consider manual removal. However, this is a complex process and should only be attempted by experienced users with a deep understanding of Windows internals.
  • Consider a Rootkit Removal Toolkit: Some security companies offer specialized rootkit removal tools that can be effective in dealing with certain rootkits. Examples include Sophos Virus Removal Tool and Norton Power Eraser.

5. Restoring the Master Boot Record (MBR)

Since you mentioned changes to the master boot record, it’s important to ensure it’s clean. Follow these steps to restore your MBR:

  • Open a Command Prompt with administrative privileges.
  • Use the following commands to repair the MBR:
      bootrec /fixmbr
      bootrec /fixboot
      bootrec /scanos
      bootrec /rebuildbcd
  • Reboot your computer.

6. Monitoring and Cleanup

After removing the rootkit, it’s crucial to monitor your computer for any signs of suspicious activity. Ensure your firewall and antivirus software are active and up to date. Regularly check for system updates and patches.

7. Seek Professional Help

If you’re unsure about any of these steps or if the rootkit infection persists despite your efforts, consider seeking assistance from a professional computer technician or a trusted cybersecurity expert. They can provide more specialized guidance and tools for removal.

8. Prevent Future Infections

To prevent future rootkit infections, practice good cybersecurity hygiene:

  • Keep your operating system and software up to date.
  • Be cautious when downloading and installing software, especially from unverified sources.
  • Regularly back up your data to a secure location.
  • Use a reputable antivirus program and a firewall.
  • Avoid suspicious websites and email attachments.
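Two of the answer's steps (1, confirming what GMER reported about hidden files in system32, and 6, monitoring for the strange firewall connections the question describes) can be cross-checked from an elevated PowerShell prompt. The script below is an added example written for this page; it is not part of the original answer and not a tool from any vendor named above. It assumes Windows 10/11 with PowerShell 5.1 or later and the built-in NetTCPIP module (Get-NetTCPConnection), and the function names are my own. Output values such as the "Valid" signature status come from Get-AuthenticodeSignature.

```powershell
# Added triage example (not from the original post). Run from an elevated prompt.
# Function names and the output layout are this example's own choices.

function Get-HiddenSystem32Binaries {
    # Lists .exe/.dll/.sys files directly under System32 that carry the Hidden
    # attribute, together with their Authenticode signature status. Legitimate
    # Microsoft binaries there are normally visible and signed, so an unsigned
    # hidden binary is worth a closer look.
    param([string]$Path = (Join-Path $env:SystemRoot 'System32'))

    Get-ChildItem -Path (Join-Path $Path '*') -Include *.exe, *.dll, *.sys -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path     = $_.FullName
                Signed   = $sig.Status            # e.g. Valid, NotSigned, HashMismatch
                Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Modified = $_.LastWriteTime
            }
        } | Sort-Object Signed, Path
}

function Get-ConnectionsByProcess {
    # Maps every listening or established TCP endpoint to the process that owns
    # it, its image path and that image's signature status. This is the
    # "strange network connections even when all programs are closed" check:
    # an owner with no image path, or an unsigned image, is the thing to chase.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Listen, Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p   = $procs[[int]$_.OwningProcess]
            $exe = if ($p -and $p.Path) { $p.Path } else { $null }
            $status = if ($exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'NoPath' }
            [pscustomobject]@{
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                State   = $_.State
                PID     = $_.OwningProcess
                Process = if ($p) { $p.ProcessName } else { '(exited)' }
                Image   = $exe
                Signed  = $status
            }
        } | Sort-Object Signed, Process
}

# Usage: show everything, then narrow to the entries that deserve attention.
Get-HiddenSystem32Binaries | Format-Table -AutoSize
Get-ConnectionsByProcess | Where-Object { $_.Signed -ne 'Valid' } | Format-Table -AutoSize
```

Both functions ask the running kernel what is on disk and on the wire, so a kernel-mode rootkit that filters those answers can hide from them; that is exactly why the answer's step 3 recommends a Live CD/USB scan from outside the suspect operating system. Treat a clean result here as one data point, and treat an unsigned hidden binary or a connection owned by a process with no image path as the lead to hand to whichever offline scanner or technician you use next.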