It's one thing to find a rootkit, but quite another to remove it and any malware it's hiding. It may or may not be possible -- again, you'll never really know since a rootkit can interfere with your scanning and removal program. You still need to try.
I had good luck with both BlackLight and Anti-Rootkit in my test environment. Before you start cleaning house, though, make sure you have a backup of any important data files. Removing a rootkit with cleaning tools may leave Windows in an unstable or inoperable state, depending on which files were infected and subsequently cleaned. Or, worse, a well-coded rootkit could conceivably detect the removal process and self-destruct, taking your data out with it.
Again, having the right tools for the task is essential. To try to rid your system of a rootkit, you can use the two tools I demonstrated above. Figure 4 shows F-Secure's BlackLight in the removal phase of cleaning up Hacker Defender.
Another product, already at commercial status (with a free 30-day evaluation version available), is UnHackMe, which works very well. It has an easy-to-use GUI, shown in Figure 6, and its checks are extremely fast. UnHackMe can remove most of the "popular" Windows rootkits such as Vanquish, Hacker Defender, AFX and more.
Figure 6: UnHackMe
UnHackMe is a commercial alternative to the free tools currently available
Looking for more cleaning tools? Many people don't realize it, but you can even use Microsoft's Malicious Software Removal Tool and the Windows Live OneCare online scanner to remove certain rootkits such as Hacker Defender, so don't rule those out as an option.
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.