How to Remove Rootkits Using Sophos Anti-Rootkit

A rootkit is a Trojan or technology that is used to hide the presence of a malicious object (process, file, registry key, or network port) from the standard computer user or the administrator. Although your antivirus program can detect and prevent a known rootkit from infecting your system, it may not be able to find a rootkit that has already penetrated your computer. This is where Sophos Anti-Rootkit comes in. Sophos Anti-Rootkit scans for, detects and removes any rootkit hidden on your computer using advanced rootkit detection technology.

Sophos Anti-Rootkit

You can download the latest version of Sophos Anti-Rootkit from http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html. You have to fill in a mandatory form before you can download it. You can also download the user manual in PDF format from the same webpage. Sophos advises that you always download the latest version, as this software cannot auto-update itself. Sophos Anti-Rootkit can be used on all Windows versions from Windows 2000 to Windows 7. It also supports the 64-bit editions of Windows.

You can also download Sophos Anti-Rootkit version 1.54 from this direct download link: sar_15_sfx.exe.

Installing the program is very easy. Just double-click the downloaded file and follow the on-screen directions. After the installation is finished, you can access Sophos Anti-Rootkit from the Start Menu. Typically the shortcut is located under Start Menu → All Programs → Sophos → Sophos Anti-Rootkit, as shown:

Start Sophos Anti-Rootkit from Start Menu
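Because the article tells you to download the installer yourself and then run the tool with administrator rights, it is worth checking that the file you are about to execute is the signed binary you expect before elevating it. The PowerShell snippet below is an added example and is not part of the article or of Sophos's own tooling. It assumes the installer was saved under your Downloads folder with the file name sar_15_sfx.exe given in the article; the `$expectedSigner` substring is an assumption you should adjust to the subject name you see on the certificate, and the check fails closed if the file is unsigned or the signature does not verify.

```powershell
# Added example (not from the article): verify the installer's Authenticode
# signature and record its hash before launching it with administrator rights.
# Assumptions: path and expected signer substring are placeholders to adjust.
$installer      = Join-Path $env:USERPROFILE 'Downloads\sar_15_sfx.exe'
$expectedSigner = 'Sophos'   # assumption: substring expected in the certificate subject

if (-not (Test-Path -LiteralPath $installer)) {
    throw "Installer not found: $installer"
}

$sig = Get-AuthenticodeSignature -FilePath $installer

# Only a valid, fully chained signature is accepted; NotSigned, HashMismatch,
# NotTrusted and the other statuses all refuse to run the file.
if ($sig.Status -ne 'Valid') {
    throw "Refusing to run: signature status is '$($sig.Status)' ($($sig.StatusMessage))"
}
if ($sig.SignerCertificate.Subject -notlike "*$expectedSigner*") {
    throw "Refusing to run: unexpected signer '$($sig.SignerCertificate.Subject)'"
}

# Record the file hash so the exact binary that was run can be identified later.
$hash = Get-FileHash -LiteralPath $installer -Algorithm SHA256
Write-Host "Signature valid for: $($sig.SignerCertificate.Subject)"
Write-Host "SHA256: $($hash.Hash)"

# The article notes the tool must run with administrator privileges,
# so request elevation explicitly and wait for the installer to finish.
Start-Process -FilePath $installer -Verb RunAs -Wait
```

`Get-FileHash` requires PowerShell 4 or later; on an older system you can drop that step or use `certutil -hashfile <file> SHA256` instead. The hash is only for your own records (for example in an incident ticket), since the article does not publish a reference hash to compare against.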

After you run Sophos Anti-Rootkit (which should be run with Administrator-level privileges), it shows a window with options for which areas you want to scan for hidden rootkits. You can choose the following items:

  • Windows registry, where some rootkits hide their data from regular tools like Registry Editor.
  • Running processes, as some processes use stealth technology to hide themselves from tools like Task Manager.
  • Local hard disks, where rootkits store data in such a way that Windows cannot see it.
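The list above describes what a rootkit hides (processes from Task Manager, keys from Registry Editor, files from Explorer), and a dedicated scanner like Sophos Anti-Rootkit exists because a single standard tool cannot see what has been filtered from it. The following PowerShell function is an added example, not code from the article or from Sophos, that illustrates the underlying idea for the process case: enumerate running processes through two different paths and report any process ID that appears in only one of them. Both enumerations are user-mode APIs, so a kernel rootkit that hooks them consistently will hide from both; treat a clean result as a rough sanity check, not as proof that nothing is hidden, and treat a discrepancy as something to investigate rather than as a confirmed rootkit.

```powershell
# Added example (not from the article): a rough cross-view comparison of two
# process enumerations. A process filtered from one view but not the other
# appears as a discrepancy. Processes that start or exit between the two
# snapshots also appear, so rerun the check before drawing conclusions.
function Get-ProcessViewDifference {
    # View 1: the Win32 process list, the same source Task Manager-style tools use
    $viewA = Get-Process | Select-Object -ExpandProperty Id

    # View 2: the WMI/CIM Win32_Process provider, enumerated through a separate path
    $viewB = Get-CimInstance -ClassName Win32_Process |
             Select-Object -ExpandProperty ProcessId

    # Report each process ID that is present in exactly one of the two views
    Compare-Object -ReferenceObject $viewA -DifferenceObject $viewB |
        ForEach-Object {
            [pscustomobject]@{
                ProcessId = $_.InputObject
                OnlyIn    = if ($_.SideIndicator -eq '<=') { 'Get-Process' } else { 'Win32_Process' }
            }
        }
}

$diff = Get-ProcessViewDifference
if (-not $diff) {
    Write-Host 'Both views agree; this check found no process IDs visible in only one view.'
} else {
    Write-Warning 'Process IDs visible in only one view (investigate; transient processes can also show up here):'
    $diff | Format-Table -AutoSize
}
```

`Get-CimInstance` requires PowerShell 3 or later; on an older system such as a stock Windows 7 install, `Get-WmiObject -Class Win32_Process` returns the same `ProcessId` values and can be substituted. The same two-view idea can be applied to files and registry keys, which is why the scanner offers all three areas.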

By default, all these items are selected and you should leave them all selected. Click the Start Scan button to start the scan. When the scan is complete, a dialog box is displayed showing whether Sophos Anti-Rootkit has found any suspicious files.

Select items to remove in Sophos Anti-Rootkit

The names of suspicious files are displayed in the results list in the upper panel of the Sophos Anti-Rootkit window. The results list may also display registry keys or values. These items cannot be marked for removal. However, after you have cleaned up any rootkits, these items will disappear from the results list.

Click the name of a suspicious file or process to display information about it. The information displayed includes whether the item is recommended for removal:

  • Removable: No. These files cannot be marked for removal.
  • Removable: Yes (clean up recommended). These files are automatically marked for removal by default.
  • Removable: Yes (but clean up not recommended). These files are not automatically marked for removal.

After you have selected the items to be removed, click the button labeled Clean up checked items. When the confirmation dialog box appears, click Yes. The checked items are marked for removal and will be cleaned up when you restart your computer. When the restart dialog box appears, click Restart now or Restart later.

For more information about Sophos Anti-Rootkit, you can visit http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html.