Rootkit Detection and Removal for Windows XP, Vista, Windows 7 & Windows 8.0/8.1
What is a Rootkit?
A Rootkit is a malicious type of software that, much like your Windows PC’s Administrator User Account, gains access to your Windows Operating System’s memory and makes changes without your knowledge. Of particular concern is the fact that many Rootkits are able to bypass anti-virus and anti-spyware programs. Rootkit programs can execute local as well as remote commands, change your computer’s configuration and default settings, spy on your online activity and e-mails, monitor everything you type on your keyboard, and even redirect you from a legitimate website to a “Phishing” (look-alike) website without your knowledge or permission. (Note: Whenever you access your online banking, financial, or insurance company websites, or any other online account, check the address bar to be sure you are on the correct website.)
Rootkits can gain “back-door” access to your computer through known vulnerabilities in popular software programs, even through the programs that make up your Windows Operating System, or through Instant Messaging (“IM”) programs. Once a Rootkit gains a foothold on your Administrator User Account, it can attach malicious links to your IM program and send those links to everyone in your contact list; when a recipient clicks on one of them, their computer becomes infected with the Rootkit as well. Rootkits, like other forms of malware, can also embed themselves in PDF files and other popular document formats.
“User-Mode” Rootkits run on computers with full “Administrator Rights”, which gives the Rootkit access to your Windows Operating System files and lets it interrupt running services and processes, and even disable network ports. User-Mode Rootkits can also copy their malicious files directly to your computer’s hard drive and run automatically every time you boot your PC. The one good thing to say about User-Mode Rootkits is that today’s anti-virus and anti-spyware programs are specifically designed to detect this kind of threat.
“Kernel-Mode” Rootkits: realizing that Rootkits running in User-Mode can be detected by Rootkit detection software running in Kernel-Mode, sophisticated Rootkit developers have found a way to embed their malicious software in the Kernel-Mode parts of your Windows Operating System, and even in the Rootkit detection software itself.
“User-Mode/Kernel-Mode” Hybrid Rootkits combine the ease of use and stability of User-Mode Rootkits with the more “stealthy” characteristics of Kernel-Mode Rootkits.
“Firmware” Rootkits display characteristics similar to many other types of Rootkits, but they survive inside “firmware” while your computer is shut down; restart your computer and the Firmware Rootkit re-installs itself. Even if a removal program finds and eliminates the Firmware Rootkit, the next time the computer starts the Rootkit begins running again. (Note: Firmware is legitimate software installed by the manufacturer in memory chips built into computer hardware, such as optical drives, network cards, routers, PCI expansion cards, microprocessors, scanners, and other peripheral hardware.)
“Polymorphic” Rootkits are probably the most “stealthy” type of Rootkit, which makes them very difficult to detect. These Rootkits can re-write core operating system code and even bypass behaviour-based (“heuristic”) detection, rendering your signature-based anti-virus and anti-spyware programs useless. The only hope of finding a Rootkit that uses polymorphism is technology capable of scanning deep inside your Windows Operating System and comparing the results to a known-good “baseline” of the system.
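The “baseline” comparison described above is, at its simplest, a snapshot-and-diff of the files an operating system is made of. The following is an added example written for this page; it is not code from the original article or from any of the products it mentions. It captures a baseline of file hashes for a directory tree, takes a second snapshot later, and reports every file that was added, removed or changed in between. The directory names (“system32”, “drivers”) and the file contents are constructed stand-ins for real Windows system files, and the “tampering” step simulates what a User-Mode Rootkit does when it copies its files to disk and alters existing ones.

```python
"""Known-good baseline comparison of a directory tree (added example).

Assumptions (not from the original page): the scanned root stands in for the
Windows system directories, and the baseline is captured while the machine is
known to be clean.  A real baseline must be stored off the machine, otherwise a
rootkit with Administrator rights can simply rewrite it.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large system files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Return {relative_posix_path: sha256} for every regular file under root.

    Symlinks are skipped so a planted link cannot make a hash "match" by
    pointing at the clean copy of a file.
    """
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            result[path.relative_to(root).as_posix()] = sha256_file(path)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots: files that appeared, disappeared, or changed content."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake system tree, simulate tampering, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32" / "drivers").mkdir(parents=True)
        (root / "system32" / "kernel.dll").write_bytes(b"clean kernel image")
        (root / "system32" / "drivers" / "net.sys").write_bytes(b"clean driver")
        (root / "readme.txt").write_bytes(b"docs")
        baseline = snapshot(root)  # captured while "clean"

        # Simulated tampering (constructed; no real rootkit involved): a new
        # driver is dropped, a core file is patched, and a file is deleted.
        (root / "system32" / "drivers" / "rk.sys").write_bytes(b"dropped payload")
        (root / "system32" / "kernel.dll").write_bytes(b"patched kernel image")
        (root / "readme.txt").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running the script reports `system32/drivers/rk.sys` as added, `readme.txt` as removed and `system32/kernel.dll` as modified. The caveat a practitioner needs: this comparison asks the running operating system for the file list and file contents, so a Kernel-Mode or Firmware Rootkit that hides its files from the operating system can also hide them from this scan. That is why the page’s advice to scan “deep inside” the system matters, and why a baseline check is most trustworthy when the disk is examined from clean boot media rather than from the possibly infected Windows installation.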