Removing Rootkits Using the Trend Micro RootkitBuster

A rootkit is a program that gives malware administrator-level privileges while hiding its presence from the operating system using techniques that ordinary tools do not detect. The Trend Micro RootkitBuster is a rootkit scanner that can find hidden files, registry entries, processes, drivers, and hooked system services. It can also remove hidden files and registry entries created by the malicious software. This tool is intended for advanced users only.

Trend Micro RootkitBuster can scan for both user-mode and kernel-mode (ring 0) rootkits. It can scan for hidden files, registry entries, processes, drivers, kernel code patches, operating system hooks, ports and file streams, and it can remove detected malicious hidden files and registry entries. Separate builds are available for the 32-bit and 64-bit editions of Windows. It is a portable program, so nothing needs to be installed on your system.

The RootkitBuster tool requires administrator-level privileges. On Windows Vista and later you will be prompted by UAC when you run it, while on Windows XP you must be logged in as an administrator. On Windows Vista, 7 and 8 you can also right-click the downloaded file (in my case RootkitBusterV5.0-1171x64.exe) and select Run as administrator from the context menu.


In the RootkitBuster window, select the hidden items you want to scan for: MBR, registry entries, processes, drivers, services, kernel code patches, operating system hooks, ports and file streams. It is recommended that you leave the default selection as it is (all types except File Streams). Then click the Scan Now button to start the scan.


After a few minutes the scan results are shown in a list, giving the type of hidden item found, its name, its location and the action taken by RootkitBuster. Select one or more items from the list and click the Fix Now button to remove them. Make sure you select only items that are really malicious. If RootkitBuster removes a hidden item, its action status shows Fixed; otherwise it shows Unable to fix.


After the threats are fixed, you may have to restart your computer; a restart is required for the cleanup to complete. RootkitBuster also saves a log of the detected items in a subfolder called TMRBLog. You can use this log to see what was detected and what was removed, for example if you need to ask an expert for help.
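The two steps above that lend themselves to scripting are launching the tool with administrator rights (the UAC prompt described earlier) and collecting the TMRBLog output afterwards. The following PowerShell script is an added example for this article, not a script shipped by Trend Micro. It assumes the downloaded executable sits in the current directory under the file name mentioned above, and that the TMRBLog subfolder is created next to the executable (the article only says "a subfolder called TMRBLog", so the location is an assumption).

```powershell
# Launch Trend Micro RootkitBuster elevated, then list its log folder.
# Added example for this article; not a script provided by Trend Micro.
# Assumptions: the executable is in the current directory under the name the
# article mentions, and the tool writes its logs to a TMRBLog subfolder beside it.

$exe = Join-Path (Get-Location) 'RootkitBusterV5.0-1171x64.exe'
if (-not (Test-Path $exe)) { throw "RootkitBuster executable not found: $exe" }

# Record the SHA-256 of the binary before running it with administrator rights,
# so it can be compared against the hash published by the vendor.
$hash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
Write-Host "SHA-256 of $exe : $hash"

# Check whether this session already holds administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if ($isAdmin) {
    # Already elevated: run directly and wait for the window to close.
    Start-Process -FilePath $exe -Wait
} else {
    # Not elevated: -Verb RunAs raises the UAC prompt, the same as choosing
    # "Run as administrator" from the context menu.
    Start-Process -FilePath $exe -Verb RunAs -Wait
}

# After the scan, show the log files so the results can be kept or handed to
# whoever is helping with the cleanup.
$logDir = Join-Path (Split-Path $exe -Parent) 'TMRBLog'
if (Test-Path $logDir) {
    Get-ChildItem -Path $logDir -File |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, Length, LastWriteTime
} else {
    Write-Warning "No TMRBLog folder found under $(Split-Path $exe -Parent)"
}
```

Run it from the folder holding the downloaded executable. The `-Wait` switch keeps the script blocked until the RootkitBuster window is closed, which is why the log listing can follow directly; if you restart the machine as the tool requests, rerun only the last block afterwards to view the logs.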

Trend Micro RootkitBuster is an easy-to-use but advanced rootkit removal application. With it you can scan for and remove rootkits such as FU2, TDSS and Sinowal. Because it is portable, you can keep it on a USB key and use it on any Windows system to scan for hidden rootkits.

You can download Trend Micro RootkitBuster from