Detect and remove rootkits with GMER

Rootkits are particularly insidious and hard to eradicate. A tool like GMER is often a better way to handle a suspected rootkit infection.

You don't want a rootkit infection. Any malware compromise is bad, but rootkits--by their very nature--are especially nasty. The irony is that you might have a rootkit infection right now and not know it. That's sort of the point of a rootkit.

Wikipedia defines it: "A rootkit is a stealthy type of software, often malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer." The term rootkit actually derives from Unix--where the administrator-level system privileges are called "root"--combined with "kit," which is commonly used to refer to a package of software tools. On a Windows PC it might make more sense to call it a "kernelkit" or "adminkit," but the term "rootkit" has stuck.

Because a rootkit operates with elevated administrative privileges, it can do things that most software applications can't do, functioning at a deeper level of the operating system than most security software is capable of scanning. A rootkit can hide files, processes, services, registry keys, hard disk sectors, and more, so that the operating system itself, and other software running on the system, don't even realize they're there.

When it comes to rootkits, you need a specialist--a sniper trained specifically to find and remove rootkits. That's where a tool like GMER comes in handy.

GMER is available for Windows XP, Windows Vista, and Windows 7 and 8. You can download GMER for free from the site. The .zip file is a mere 348KB, and installing it on my Windows 8 PC took me only a few seconds.

If you run into problems installing GMER, it might indicate that you have a rootkit of some sort. Rootkits and other malware are often engineered to block known security software in order to evade detection. You can rename the gmer.exe file to something else, though, and likely bypass any file filter that the rootkit is using.

It's not very fancy, but beneath its austere interface GMER is very good at what it's designed to do. Just select the Rootkit/Malware tab at the top, and click Scan. GMER will analyze your system and create a log of any hidden items that might indicate evidence of a rootkit.

This is where you need to know what you're doing--or get help from someone who does. Many legitimate software applications may have processes, files, services, or other elements detected by GMER, so you need to know what you're looking at and be able to determine whether it's legitimate or not before you erase it from your PC. Removing the wrong items could render valid software useless.

The GMER site includes sample logs of some common threats. You can compare results against the samples to see if any of the entries in your log match up. If you're unsure, or just don't know how to interpret the log data, you can also email a copy of the log to the GMER developers and they will help with analysis.
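The two steps described above, finding items that are hidden from the normal view of the system and then deciding which of them are legitimate, can be illustrated with a small cross-view comparison. The script below is an added example written for this article; it is not GMER's code and does not reproduce GMER's enumeration technique or log format. It assumes two constructed inventories of the same machine: a "high-level" view (what a user-mode API such as a task manager would report) and a "low-level" view (what a deeper enumeration would report), plus a constructed allowlist of entries a reviewer has already confirmed as legitimate. Every process, file, service, registry key and driver name in it is invented for the example.

```python
"""Cross-view detection and triage of hidden items (added example, not GMER's code).

A rootkit typically hides its artifacts by filtering what high-level APIs
return, while a lower-level enumeration still sees them. Comparing the two
views exposes the hidden entries; a triage step then separates entries that
match a reviewer-maintained allowlist from those that need investigation.
All data below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Item:
    kind: str   # "process", "file", "service" or "registry"
    name: str


# Constructed sample: what a user-mode API reports on a machine where a
# rootkit filters out its own artifacts.
HIGH_LEVEL_VIEW = {
    Item("process", "explorer.exe"),
    Item("process", "svchost.exe"),
    Item("service", "Spooler"),
    Item("file", r"C:\Windows\System32\ntoskrnl.exe"),
    Item("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler"),
}

# Constructed sample: the same categories enumerated at a lower level, where
# the filtering does not apply, so the hidden artifacts are visible.
LOW_LEVEL_VIEW = HIGH_LEVEL_VIEW | {
    Item("process", "svch0st.exe"),
    Item("file", r"C:\Windows\System32\drivers\xyz_hidden.sys"),
    Item("service", "xyz_hidden"),
    Item("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\xyz_hidden"),
    Item("file", r"C:\Program Files\ExampleAV\selfprotect.sys"),
}

# Constructed allowlist: entries already confirmed to belong to legitimate
# software that hides some of its own components (e.g. self-protection).
KNOWN_LEGITIMATE = {
    Item("file", r"C:\Program Files\ExampleAV\selfprotect.sys"),
}


def find_hidden(high_level, low_level):
    """Entries visible at the low level but missing from the high-level view."""
    return sorted(set(low_level) - set(high_level))


def triage(hidden, allowlist):
    """Split hidden entries into known-legitimate and needs-review buckets."""
    known = [i for i in hidden if i in allowlist]
    review = [i for i in hidden if i not in allowlist]
    return {"known_legitimate": known, "needs_review": review}


def base_name(item):
    """Last path component without extension, lower-cased, e.g. 'xyz_hidden'."""
    leaf = item.name.replace("\\", "/").rsplit("/", 1)[-1]
    return leaf.split(".", 1)[0].lower()


def related_items(item, hidden):
    """Other hidden entries sharing the same base name: a driver file plus its
    service and registry key together usually point at one installed component."""
    stem = base_name(item)
    return [i for i in hidden if i != item and base_name(i) == stem]


def build_report(high_level, low_level, allowlist):
    """Human-readable lines a reviewer would read before deciding what to remove."""
    hidden = find_hidden(high_level, low_level)
    buckets = triage(hidden, allowlist)
    lines = [f"{len(hidden)} item(s) hidden from the high-level view"]
    for item in buckets["needs_review"]:
        rel = related_items(item, buckets["needs_review"])
        suffix = f" (related hidden items: {len(rel)})" if rel else ""
        lines.append(f"REVIEW   {item.kind:<9}{item.name}{suffix}")
    for item in buckets["known_legitimate"]:
        lines.append(f"ALLOWED  {item.kind:<9}{item.name}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_report(HIGH_LEVEL_VIEW, LOW_LEVEL_VIEW, KNOWN_LEGITIMATE)))
```

The point of the `related_items` grouping is the one the article makes about reading the log: a single hidden entry is ambiguous, but a driver file, a service and a registry key that share one name are much more likely to be a single installed component, and the allowlist keeps a legitimate product's self-protection from being mistaken for the rootkit.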

GMER is not the only option. You can also look at other specialized rootkit tools like Kaspersky's TDSSKiller. For more information, check out the GMER FAQ. You can also send an email to with any questions about the software or how to use it.

Stories by Tony Bradley