How to Remove Hackers From a Computer
By John Wu
Updated September 15, 2017
Items you will need
External hard drive
Operating system installation CD/DVD
When a computer has been broken into, the hackers leave behind software called a rootkit. Hackers use a rootkit to gain administrative privileges on the computer and to add extra security holes so they can regain access if the rootkit is discovered. Rootkits are also designed to hide themselves from the computer's real administrators and to disable any anti-virus programs that might detect them. Once hackers have administrative access, it is almost impossible to remove all traces of the intrusion, because they may have added many extra security holes on top of what the rootkit itself includes.
Turn off the computer suspected of being compromised. This step prevents the hackers from using it to break into other computers on the local network.
Power up the computer. Follow the on-screen instructions during boot-up to enter BIOS setup and set the boot order so the computer boots from the CD-ROM first and from the USB drive second. Remember to save the BIOS changes after making them. If the BIOS allows booting from other external hard drive interfaces such as FireWire or SCSI, those can be used instead of a USB external drive.
Connect an external hard drive to the suspect computer.
Insert the operating system CD/DVD in the CD/DVD-ROM drive.
Reboot the computer after the BIOS change; because of the new boot order, it should boot the operating system from the CD/DVD-ROM automatically. Install the operating system onto the external hard drive.
Once the operating system is installed on the external hard drive, remove the installation CD/DVD from the CD/DVD drive and reboot. Because of the earlier BIOS boot change, the computer should now boot the operating system from the external hard drive automatically.
Install an anti-virus program that is capable of detecting rootkits, or a dedicated anti-rootkit detection program. If an anti-virus program can detect rootkits, its website will list rootkit detection as a feature. Some suitable rootkit detection programs are listed in the Resources Section below. Other anti-virus and anti-rootkit programs can be found by searching the internet.
Run the anti-virus program or rootkit detection program against the disks of the suspect system. Because the suspect operating system is not running, the rootkit cannot hide itself or disable the scanner. If a rootkit is detected, hackers are in the computer system and the operating system needs to be reinstalled from scratch. Copy any data that needs to be saved to an external hard drive.
Reinstall the operating system on the infected computer's internal hard drive by booting the operating system's installation CD/DVD again. Make sure the installation destroys all previous data on the computer, including data on any other hard drives installed internally. If there is a backup copy of the system from before the intrusion, it can be restored as an alternative to reinstalling the operating system.
Install any security updates from the operating system vendor that will prevent another intrusion. These can usually be obtained through the operating system's automatic update program or downloaded separately from the operating system vendor's website.
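The scanning step above works because the suspect disk is examined from a clean operating system while the compromised one is not running. The following helper, an added example that is not part of the article, enforces that on a Linux-based external system: it refuses to scan the suspect volume unless it is mounted read-only with noexec, nosuid and nodev, so nothing on the compromised disk can execute or be altered while it is scanned and data is copied off. The mount point /mnt/suspect and the use of clamscan as the scanner are assumptions.

```python
#!/usr/bin/env python3
"""Safety check before scanning a suspect disk from a clean external OS.

Hypothetical helper written for this article, not taken from it. It parses
/proc/mounts (Linux) and confirms the suspect volume is mounted read-only
with noexec/nosuid/nodev before handing it to the scanner.
"""
import subprocess
import sys
from pathlib import Path

# Mount options that keep the compromised disk inert while it is examined.
REQUIRED_OPTS = {"ro", "noexec", "nosuid", "nodev"}


def parse_mounts(text):
    """Return {mountpoint: set(options)} from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes spaces in paths as the octal sequence \040
        mountpoint = fields[1].replace("\\040", " ")
        mounts[mountpoint] = set(fields[3].split(","))
    return mounts


def missing_protections(mounts, mountpoint):
    """Sorted REQUIRED_OPTS the mount lacks ([] if safe); None if not mounted."""
    opts = mounts.get(mountpoint)
    if opts is None:
        return None
    return sorted(REQUIRED_OPTS - opts)


def scan_suspect(mountpoint, mounts_file="/proc/mounts",
                 scanner=("clamscan", "-r", "-i")):
    """Refuse to scan unless the suspect disk is mounted safely, then scan it."""
    mounts = parse_mounts(Path(mounts_file).read_text())
    missing = missing_protections(mounts, mountpoint)
    if missing is None:
        raise SystemExit(f"{mountpoint} is not mounted")
    if missing:
        raise SystemExit(f"{mountpoint} lacks mount options: {','.join(missing)}")
    # clamscan exit codes: 0 = clean, 1 = infected files found, 2 = error
    return subprocess.run([*scanner, mountpoint]).returncode


if __name__ == "__main__":
    sys.exit(scan_suspect(sys.argv[1] if len(sys.argv) > 1 else "/mnt/suspect"))
```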
Effort spent trying to remove the rootkit and other software left by hackers is much better spent saving any data and reinstalling the computer system from scratch. Only a complete reinstall gives you 100 percent assurance that the hackers have been removed from the computer. Relying on an anti-rootkit tool to remove the hacker has a high risk of failure.
John Wu is a writer who has covered computers, health, fitness and business since 2008 for various online publications. He is also an IT manager at a government agency. Wu holds a B.A. in legal studies from University of California, Berkeley and a B.S. in computer science from San Jose State University.