
How can I ensure a rootkit removal was successful?

A rootkit was found and you think you've removed it, but how do you confirm it? Enterprise threats expert Nick Lewis explains the next steps to ensure rootkit removal.

After a recent website hack, I tested my computer for rootkits; the results were positive. I believe they have been removed, but is there any way to check if these items were deleted (the log was apparently not stored on my computer, or if it was, it's impossible to view). And what are the best ways to mitigate rootkit issues and ensure rootkit removal?

Given the way the hack is described, I am going to assume the user asking this question is not asking about a server getting hacked, but a personal computer.

The first step in this rootkit removal scenario is to disconnect the affected computer from every network connection. Next, back up all data to removable media (e.g., a USB hard drive) so the data isn't lost. On a separate computer that is free of malware, first make sure the antimalware software is up to date, then connect the USB hard drive and scan it for malware. Once the scan completes with no malware found, open a sample of the saved files to confirm they weren't encrypted. Do all of this before making any further changes to the potentially infected computer, in case a decryption key is still on it (it could be needed to decrypt data the malware encrypted).

Once a good copy of the data has been saved, stay offline and rerun the tool that initially found the rootkit to see whether it still identifies a rootkit as installed. It doesn't matter whether the same rootkit is found, only whether any rootkit is identified. (It is unlikely a new rootkit was installed since the initial rootkit removal, but it is possible.) If no rootkits are found, boot into safe mode and rerun the scan. You may also want to scan the computer with a different rootkit detector, or monitor the computer's network connections from a separate computer to see whether any suspicious connections appear. If suspicious activity is found, the rootkit may not have been removed.

The safest way to recover the computer is to restore from a known-good full backup stored on a USB hard drive that was disconnected from the computer, so the backup couldn't have been infected. This removes almost all malware commonly found on personal computers, with the exception of APT-related malware. To prevent a rootkit from returning to the restored computer, users and enterprises should take multiple steps, such as removing unnecessary software, installing updates for all software on the computer, installing antimalware software and not using an administrative account, among other preventive measures.

Once the computer has been secured, another known-good backup should be made.
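An added check for the "open a sample of the saved files" step above, usable again when the final known-good backup is made: it samples files from the backup copy and flags any whose header or byte entropy suggests they were encrypted. This is example code written for this answer, not the author's; the file names and contents are constructed, and the magic-number table, the plain-text extension set and the 7.0 bits-per-byte threshold are assumptions.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Leading bytes ("magic numbers") that files of these types must start with.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG\r\n\x1a\n",
         ".jpg": b"\xff\xd8\xff", ".docx": b"PK\x03\x04"}
# Text formats, where high byte entropy is a strong sign of encryption.
PLAIN = {".txt", ".csv", ".log", ".html", ".md"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random or encrypted data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str, data: bytes, threshold: float = 7.0) -> str:
    """Verdict for one file: 'ok', 'bad_magic' or 'high_entropy'."""
    ext = os.path.splitext(path)[1].lower()
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return "bad_magic"      # header gone: typical of an encrypted file
    if ext in PLAIN and shannon_entropy(data[:4096]) > threshold:
        return "high_entropy"
    return "ok"

def triage_backup(root: str, sample_size: int = 25, seed: int = 0) -> dict:
    """Read the first 4 KiB of a random sample of files under root."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    random.Random(seed).shuffle(paths)
    verdicts = {}
    for p in paths[:sample_size]:
        with open(p, "rb") as fh:
            verdicts[os.path.relpath(p, root)] = classify(p, fh.read(4096))
    return verdicts

def demo() -> dict:
    """Constructed backup: two healthy files and two that look encrypted."""
    root = tempfile.mkdtemp()
    rng = random.Random(1)
    samples = {
        "notes.txt": b"Meeting notes: rotate keys, patch hosts.\n" * 20,
        "scan.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
        "photo.jpg": b"\x00" + bytes(rng.randrange(256) for _ in range(4095)),
        "budget.csv": bytes(rng.randrange(256) for _ in range(4096)),
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return triage_backup(root)
```

Files reported as bad_magic or high_entropy should be opened by hand before the backup is trusted; compressed formats such as ZIP and JPEG are legitimately high-entropy, which is why only their headers are checked.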

This was last published in June 2015
