Detect and remove rootkits with GMER
You don’t want a rootkit infection. Any malware compromise is bad, but rootkits—by their very nature—are especially nasty. The irony is that you might have a rootkit infection right now and not know it. That’s sort of the point of a rootkit.
Wikipedia defines it: “A rootkit is a stealthy type of software, often malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.” The term rootkit actually derives from Unix—where the administrator-level system privileges are called “root”—combined with “kit,” which is commonly used to refer to a package of software tools. On a Windows PC it might make more sense to call it a “kernelkit” or “adminkit,” but the term “rootkit” has stuck.
Because a rootkit operates with elevated administrative privileges, it can do things that most software applications can’t do, functioning at a deeper level of the operating system than most security software is capable of scanning. A rootkit can hide files, processes, services, registry keys, hard disk sectors, and more so that the operating system itself, and other software running on the system don’t even realize they’re there.
When it comes to rootkits, you need a specialist—a sniper trained specifically to find and remove rootkits. That’s where a tool like GMER comes in handy.
GMER is available for Windows XP, Windows Vista, and Windows 7 and 8. You can download GMER for free from the site. The .zip file is a mere 348KB, and installing it on my Windows 8 PC took me only a few seconds.
If you run into problems installing GMER, it might indicate that you have a rootkit of some sort. Rootkits and other malware are often engineered to block known security software in order to evade detection. You can rename the gmer.exe file to something else, though, and likely bypass any file filter that the rootkit is using.
It’s not very fancy, but beneath its austere interface GMER is very good at what it’s designed to do. Just select the Rootkit/Malware tab at the top, and click Scan. GMER will analyze your system and create a log of any hidden items that might indicate evidence of a rootkit.
This is where you need to know what you’re doing—or get help from someone who does. Many legitimate software applications may have processes, files, services, or other elements detected by GMER, so you need to know what you’re looking at and be able to determine whether it’s legitimate or not before you erase it from your PC. Removing the wrong items could render valid software useless.
The GMER site includes sample logs of some common threats. You can compare results against the samples to see if any of the entries in your log match up. If you’re unsure, or just don’t know how to interpret the log data, you can also email a copy of the log to the GMER developers and they will help with analysis.
GMER is not the only option. You can also look at other specialized rootkit tools like Kaspersky’s TDSSKiller. For more information, check out the GMER FAQ. You can also send an email to firstname.lastname@example.org with any questions about the software or how to use it.