Rootkits

30.01.2006

How do you get rid of a rootkit infection? Removing rootkits presents two distinct problems: removing the rootkit itself, and then removing the payload the rootkit was hiding. Because rootkits modify the operating system, you might not be able to remove the rootkit without leaving the system (especially a Windows machine) unstable. Russ Cooper, founder of the NTBugtraq mailing list, notes that "only a person with very little knowledge would try to remove a rootkit." Ultimately, the only safe and foolproof way to handle a rootkit infection is to reformat the hard drive and reinstall the operating system from known-good installation media, restoring data, but not executables, from backups.

Kay is a Computerworld contributing writer in Worcester, Mass. You can contact him at russkay@charter.net.

SIDEBAR

A Simple Rootkit Example

An important element of a kernel rootkit is its ability to hide itself and cover up what is really going on. Here's one way that some rootkits do that.
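The sidebar's own example is not on this page. As an added illustration (not the article's code), the following user-space C simulation shows one common way kernel rootkits hide: a table of function pointers, standing in for the kernel's service or system-call table, is hooked so that the rootkit's replacement filters results before callers see them. The directory entries, the `_rk_` name prefix, and the function names are all constructed for this example; a real rootkit patches the kernel's table rather than an array in a user program. It also shows the cross-view check that such hiding leaves open: comparing what the hooked path reports against what the raw source holds.

```c
/* Added illustration, not the article's code: a user-space simulation of
 * call-table hooking, the way many kernel rootkits hide files. All names,
 * the HIDE_PREFIX marker and the sample directory are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_ENTRIES 16
#define HIDE_PREFIX "_rk_"   /* assumed marker for files the rootkit hides */

/* Constructed sample "disk": what the file system really holds. */
static const char *const disk_entries[] = {
    "boot.ini", "ntoskrnl.exe", "_rk_driver.sys", "_rk_payload.exe", "notepad.exe"
};
#define NDISK (sizeof disk_entries / sizeof disk_entries[0])

/* A kernel service: copy directory entries to the caller, return the count. */
typedef size_t (*list_dir_fn)(const char *out[], size_t max);

/* The genuine service: reports everything that is on disk. */
static size_t real_list_dir(const char *out[], size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < NDISK && n < max; i++)
        out[n++] = disk_entries[i];
    return n;
}

/* Simulated service table (stand-in for a syscall table or SSDT). */
enum { SVC_LIST_DIR = 0 };
static list_dir_fn service_table[1] = { real_list_dir };

/* What user programs call: every request goes through the table. */
static size_t list_dir(const char *out[], size_t max) {
    return service_table[SVC_LIST_DIR](out, max);
}

/* Rootkit hook: call the saved original, then drop the entries it hides. */
static list_dir_fn saved_list_dir;
static size_t hooked_list_dir(const char *out[], size_t max) {
    size_t n = saved_list_dir(out, max), kept = 0;
    for (size_t i = 0; i < n; i++)
        if (strncmp(out[i], HIDE_PREFIX, strlen(HIDE_PREFIX)) != 0)
            out[kept++] = out[i];
    return kept;
}

/* Install: remember the real pointer, overwrite the table slot. */
void install_rootkit_hook(void) {
    saved_list_dir = service_table[SVC_LIST_DIR];
    service_table[SVC_LIST_DIR] = hooked_list_dir;
}

/* Remove: put the original pointer back (what a removal tool must do). */
void remove_rootkit_hook(void) {
    if (saved_list_dir) {
        service_table[SVC_LIST_DIR] = saved_list_dir;
        saved_list_dir = NULL;
    }
}

/* Cross-view check: entries present in the raw view but missing from the
 * hooked (API) view are exactly what something in between is hiding. */
size_t count_hidden(void) {
    const char *api_view[MAX_ENTRIES], *raw_view[MAX_ENTRIES];
    size_t na = list_dir(api_view, MAX_ENTRIES);
    size_t nr = real_list_dir(raw_view, MAX_ENTRIES);
    size_t hidden = 0;
    for (size_t i = 0; i < nr; i++) {
        int seen = 0;
        for (size_t j = 0; j < na; j++)
            if (strcmp(raw_view[i], api_view[j]) == 0) { seen = 1; break; }
        if (!seen) hidden++;
    }
    return hidden;
}

int main(void) {
    printf("hidden before hook:   %zu\n", count_hidden());   /* 0 */
    install_rootkit_hook();
    printf("hidden after hook:    %zu\n", count_hidden());   /* 2 */
    remove_rootkit_hook();
    printf("hidden after removal: %zu\n", count_hidden());   /* 0 */
    return 0;
}
```

The hook leaves the genuine service intact and merely interposes on the path callers use, which is why a raw read of the same data still reveals the hidden entries and why unhooking (restoring the saved pointer) is the minimum a removal tool must get right; in a real kernel the saved pointer, the table and the filter all live inside the rootkit's driver, which is the part that makes in-place removal fragile.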