Best Free Rootkit Scanner/Remover

 
Introduction

When your computer gets a virus, that virus tries to spread, and eventually it will damage the host, making it much easier to detect. A rootkit, on the other hand, is designed to hide certain elements such as files, processes, registry entries, or network connections from the user and from other programs, making it very difficult to detect. This technology can be used for good as well as for malicious purposes, so it is important to be familiar with your computer to avoid deleting legitimate objects. Within Windows, rootkits are used to hide malware so that its execution goes unnoticed by your security applications. So imagine that a rootkit has been installed on your computer and that its purpose is to hide a virus, giving the malware time to complete its goal, steal your data, and damage your system, all while going undetected. Unfortunately, rootkits are extremely effective at this, which means that even though you may believe your PC to be totally clean, some of you could be infected right now.

Most anti-virus vendors have integrated anti-rootkit technology into their more recent products. However, this is not a foolproof solution against rootkits, because just as the AV companies improve their products' detection abilities, the malware creators find new ways to avoid detection. So as security-conscious users we must rely on third-party tools to help us, and there are several free applications which specialize in the detection and removal of rootkits. Keep in mind that none of these products will detect every single problem, so it is always a good idea to keep more than one of them to hand.

Discussion

There are a lot of anti-rootkit programs available, but unfortunately not many of them work on Windows 7 yet. A lot of this software is very advanced and requires an experienced, technically minded user who is familiar with computers and operating systems. However, there are a couple of options that do not require much technical ability and are also very effective.
 

At the top of the list is Sophos Anti-Rootkit. The program has a small but easy-to-use interface with no options other than choosing where you want to scan. As it scans, it opens up to a slightly larger interface where it lists the results of the scan and gives you information about each result as well as a recommendation for it. Additionally, a small help file is available that explains the program in a little more detail and gives directions on how to use the command-line anti-rootkit tool, which is also included. For all Windows users, Sophos offers an easy and very effective choice in rootkit removal that is suitable even for beginners.

 

I have two top choices for experienced and technical users because I find it impossible to choose one over the other. GMER and RootRepeal are very popular applications, and they are definitely my favorites, but it takes someone pretty knowledgeable about computer systems to interpret the results. You can find a lot of documentation on both programs, but if you are the type of person who likes to click the scan button and simply wait for the results, you would be better served by either Sophos or F-Secure Blacklight.
 

F-Secure Blacklight Rootkit Eliminator is another great tool for rootkit removal. Unfortunately, support for it ended a couple of years ago, or it might have been my top pick. However, you can still download it from the F-Secure web site, and it is compatible with Windows Vista and XP.

Windows Vista and XP users should download a copy of this great program because, even though it is not supported anymore, it is still one of the best rootkit removal applications available.

 

 

The next product I looked at is one that I always keep in my toolkit. Dr. Web Cure It is not a standalone anti-rootkit tool like the other tools I recommended; rather, it is a free malware scanner and removal tool that happens to be pretty effective at removing rootkits. It is always a good idea to have more than one tool capable of removal, so Dr. Web's freeware scanner is a great addition to anybody's arsenal because it removes more than just rootkits, and it does this very well.

 

Sometimes the only symptoms you will get from a rootkit are an increase in network traffic, a decrease in performance, and maybe an unknown process running. With today's high-bandwidth networks and high-performance computers it can be very hard to notice any such signs. Prevention is always the best practice, but detection is just as important, so make sure your AV has anti-rootkit capabilities and that you have a good firewall and HIPS combination. This, combined with the tools I have mentioned, is the best approach to keeping your computer free of rootkits.

 

The free version of Prevx offers the same class-leading real-time detection as the full version; unfortunately, it doesn't offer much more than this. Prevx Free is only capable of cleaning select infections, such as adware, the ZEUS banking trojan, and MBR rootkits. When dealing with rootkits, detection is definitely very important, so even if you can't clean all infections you will at least be alerted, enabling you to take further action and manually remove the rootkit or seek help in doing so. As hard as it is to detect the newer, ever-evolving rootkits and viruses, Prevx can be a very powerful and informative addition to your regular anti-virus software.

Additionally, Prevx Free can run customized scans from the context menu and also lets you schedule scans in the GUI to help ensure that nothing has gotten past your normal security software. On my 320 GB hard drive a deep scan takes about three minutes on average. The free version also offers protection of stored cookies as well as protection for all of your saved credentials. There is also a browser protection component in the free version, but it only offers custom protection on one web site of your choice. It does, however, give the full Prevx Safe Online protection, which includes anti-phishing and protection against hijacks, keyloggers, and cookie stealers for a number of popular websites such as PayPal, CleverBridge, or Amazon, and of course the one website of your choice.

While the free version of Prevx cannot clean a lot of rootkits, it can effectively warn you about new infections. Prevx is built on their anti-rootkit technology and has consistently been one of the first vendors to detect new rootkits. I believe that this application can play a very important role in keeping your computer clean of all infections; after all, you can't remove what you cannot find.

Please note:

Some of the component features in the free version of Prevx/SafeOnline are either restricted or disabled altogether. Users should read the vendor's description carefully for the version they are downloading before deciding if the program is suitable for their own needs.

 

 

 

 

 


Quick Selection Guide

Sophos Anti-Rootkit
Rating: 9 of 10 (Gizmo's Top Pick)
Pros: Easy to use and scans fast. Effective rootkit removal. Decent help file. Good recommendations about scan results.
Cons: Unlocks one more feature only if you use Sophos Anti-Virus.
Developer Home Page: http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
Download link: https://secure.sophos.com/products/free-tools/sophos-anti-rootkit/download/
File Size: 1.3 MB
Version: 1.5
License Type: Unrestricted Freeware
Installation Requirements: Windows 7/Vista/XP/2000
64 Bit version available

Root Repeal
Rating: 8 of 10
Pros: Can remove even the most advanced rootkits. Scans very fast. No installation.
Cons: Very advanced, not recommended for average users. Win 7 compatible version is not out yet.
Developer Home Page: http://rootrepeal.googlepages.com/
Download link: http://rootrepeal.googlepages.com/
File Size: 454 kb
Version: 1.3.5
License Type: Unrestricted Freeware
Installation Requirements: Windows Vista/XP/2000
Portable version available

GMER
Rating: 8 of 10
Pros: Considered class-leading technology.
Cons: Not compatible with Windows 7. No help file. Not suitable for average users.
Developer Home Page: http://www.gmer.net/
Download link: http://www.gmer.net/
File Size: 284 kb
Version: 1.0.15.15281
License Type: Unrestricted Freeware
Installation Requirements: Windows Vista/XP/2000
Portable version available

F-Secure Blacklight Rootkit Eliminator
Rating: 7 of 10
Pros: Decent help file available. Simple GUI. Easy enough for everyone. No installation.
Cons: Not compatible with Windows 7. No support.
Developer Home Page: http://www.f-secure.com/en_EMEA/products/technologies/blacklight/
Download link: http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight/
File Size: 1.08 MB
Version: 2.2.1092.0
License Type: Unrestricted Freeware
Installation Requirements: Windows Vista/XP/2000
Portable version available

Dr. Web Cure It!
Rating: 6 of 10
Pros: Can detect and remove all infections. Very easy to use. No install needed.
Cons: No updater included, so you have to download the whole program every time you need it to get the latest definitions.
Developer Home Page: http://www.drweb-online.com/en/cure_it.asp?rpid=
Download link: http://www.softpedia.com/get/Antivirus/Dr-WEB-CureIt.shtml
File Size: 24 MB
Version: 5.00.9
License Type: Unrestricted Freeware
Installation Requirements: All Windows Platforms
64 Bit version available
Portable version available

Prevx Free
Rating: 8 of 10
Pros: Real-time anti-rootkit detection. Can detect all types of infections and is very good at it. Very light on resources. Scans in 5-10 minutes. Provides some browser protection. Very easy to use and intuitive.
Cons: Free version will only clean select infections. Safe Online browser protection is only available on 1 web site of the user's choice. Some scan options disabled in the free version.
Developer Home Page: http://www.prevx.com/
Download link: http://info.prevx.com/downloadcsi.asp
File Size: 889 kb
Version: 3.0.5.50
License Type: Restricted Freeware (full commercial version available)
Installation Requirements: Windows 98, XP, VISTA, 2000, 2003, 2008 and Windows 7
64 Bit version available

Editor

If you wish to contact me to request a product to be reviewed, or wish to send feedback or suggestions on how to improve this review, please feel free to do so. Registered users can contact me here if you wish to, but everyone is welcome to post a comment.

This software category is maintained by volunteer editor DLC50.

Tags

anti-rootkit, rootkit scanner, rootkit remover, free rootkit scanner, free rootkit remover, freeware, rootkit eliminator, rootkit detection


 


Combofix is also an effective tool against malware. How much is it effective for rootkit removal?

I have seen it recommended for rootkit removal on a few quality PC-Help Websites...

There are several reasons why I didn't include Combofix. The main reason being that it has a lot of stability issues and bugs. Another reason is that it is very powerful and should mainly only be used when guided by tech support at one of these forums. Combofix is normally available on the Bleeping Computer forums all the time, but even they will not offer it for download now because of all the problems. Once it gets updated and all the bugs fixed, I might include it and write a tutorial on how to properly use it.

Ah yes, BleepingComputer had removed the download because of some bug. I remember now. That has not been solved yet? :O.. wow.. it's been a lot of time.
Anyways, yes, it's a powerful tool, and not suitable for average users. Nevertheless, I just wanted to know if it is effective in removing rootkits.
Thanks for the reply, and information :).

As a matter of fact it is very effective, or was. I haven't used it in a fairly long time. It is one of those programs that is very touchy, but when it gets working again, or if they plan to update it and fix the problems, it will definitely be included, but I will also have to include a tutorial. Also, there are a lot of copies of Combofix floating around the net right now, and I have seen on the old Combofix website and Bleeping Computer that the only safe place to download the app was at the Bleeping Computer forums. So I searched for Combofix and there were several variations of the Combofix home page; I found combofix[DOT]org, .net, plus some like combofix3.com, so be very careful and only download this at Bleeping Computer.

Yes, there are several sites offering the downloads. The sites you mentioned.. combofix[DOT]org, and .net have unsatisfactory WOT ratings. BleepingComputer mentions only two sites to download ComboFix from, one of the sites being their own.

BTW, I looked up the Twitter of BleepingComputer, and the tweet of 24th Jan says the bug had been fixed and the download was available. I also checked up the download links offered on the guide here :
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
and the download links seem to be working.

I found this post over at Wilders Security. Hope it helps...

"It's not possible to get an entire rootkit into a bios, but you could fit a jump or starter code in the bios, which means a persistence somewhere else along with the bios. That means a Hidden Partition Area on the HDD or modification of the nic firmware, which would be a PXE boot situation.

If there is this type of infection it would most likely be Bios/HPA-HDD.
1. Average wiping doesn't remove the HPA from the HDD.
2. If you fix only one, the infection can return.

To fix you must wipe the HDD with a program capable of wiping all partitions including HPA/DCO. Then while the HDD is dormant and free of any code, flash the BIOS."

I think this is one of the articles I read on the newer bios rootkits...

http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,74...

Well, even now that I have an education and am knowledgeable enough to get rid of a rootkit without help, they still make me nervous. But this type of rootkit that the article explains would be awful, but they just did a demonstration to show that it is possible, not that in fact they caught it "in the wild". In any case, the malware creators are always a step ahead, so there is no telling what else they will come up with.

Who knows what else they will come up with indeed. The only real secure computer is one that has never been connected to the internet.

What if the malware infects printers and other peripheral devices, then moves back in after a wipe and reinstall ? Heck, even changing the computer would not help, you would have to change everything, all printers and peripheral devices.

I think one solution, or at least a help, would be having two or three completely separate computers or systems in one box or tower. One computer strictly for business, another to deal with friends and family, another for general surfing and playing around. Not virtualization, because that too can be compromised, but actual separate systems. Basically, it seems you need to dedicate a computer to a specific task in order to stay on top of things.

John

The average user, including myself, would have to take PC into the shop to get something like this type of Rootkit cleaned out.

Once you detect a rootkit, do you need to wipe your hard drive with something like DBAN (I heard some kits can survive formatting) and reinstall Windows, or can you scan with a few rootkit detectors and anti-malware programs and continue using the computer?

I have even heard that some rootkits infect the bios and wiping the hard drive or even changing the hard drive will not get rid of them (good grief).

John

Yes, flashing the BIOS will get rid of the rootkit if you do it at the right time. As for wiping, I always recommend wiping to people who are going to reinstall, not because it handles rootkits better, but because it will get rid of all left-over file fragments and rid the HDD of any recoverable information.

I have read of PC geeks who have bought a new hard drive because of getting infected with a rootkit. That is the only sure way of "knowing" if the rootkit is gone... Prevention is the key, and HIPS and/or Sandboxie will help there.

But if it is one of the new versions of rootkits that infect the bios, then it will return even if you change the hard drive. I guess you could flash the bios, but who knows, I guess if you get a rootkit you need to throw the computer in the trash and start over.

John

I wouldn't trash anything, and it would have to be something worse than anything I have ever seen to get me to replace the harddrive. The truth is rootkits are a pain in the back side, and some of them do an awful lot of destruction. But others do not harm the computer much. So it all depends on what variant it is and most of all, what other malware it is hiding.

It's about prevention of rootkits... That is, or should be, the top priority, and common sense tops that list; besides that, HIPS and Sandboxie, and maybe even throw Returnil into the mix.

I am writing an article that will give you a better understanding of rootkits, I think. HIPS is without a doubt the best way to stop a rootkit; no, scratch that, running a 64-bit system with SRP and LUA is the best way to stop rootkits.

Hi DLC50,
Regarding my Dell Studio 1537 laptop, I have reinstalled on the new replacement HD a fresh clean copy of Win 7, and so far it has rebooted several times smoothly. Though I am a bit concerned that the image restore I had previously made on this same HD (using Acronis) may still have some rootkits hiding inside the HD? I have a copy of Kaspersky Internet Security Suite which I will install later. Is Kaspersky's TDSSKiller available in the Kaspersky Internet Security Suite version? Thank you for whatever help you can give here.
SonarB

TDSSKiller can be found on the Kaspersky web site but not in their suite. It is available for free.

About the problem with your Dell PC. I believe that I can help you fix it; IRQ9 is your ACPI controller. I have dealt with a similar problem before, so please contact me using this form and we will see if we can get it fixed for you. http://www.techsupportalert.com/user/13309/contact

Hi DLC50,
I have signed up and sent you my tech issue thru the contact link. Hope it is not a rootkit infection but something much easier to fix.
Thanks, SonarB

No, as far as I know TDSSKiller is not in the suite. You can get it on their web site, along with several other free virus removal tools. I am confused with the rest of your comment though; you say you reinstalled but then you say something about an image that might be infected. Please clarify.
I can tell you this: if you have other backup images other than that one, then delete it.

Hi DLC50 and forum users here,
I bought (about Oct 2009) a used but fairly new DELL Studio 1537 (T6400 Core2Duo, Vista 64-bit Home Prem) from eBay (factory warranty expired 1/20/2010). The laptop looked like it was restored to the factory install when I received it, and I did not activate the included TrendMicro, since I planned on replacing it later with Zone Alarm ISS or Kaspersky's ISS. When I started to regularly use the laptop (Jan 2010), it began having reboot problems, with Windows attempting to repair but failing. I backed up the 3 original factory partitions (1st one -86mb size, 2nd one -10.gb recovery, and 3rd one -287gb) with Acronis TI Home 2010 and used a WinPE CD (created from WinAIK with help from the Wilders Security forum) to recover the original factory install (it seemed the previous F8 at bootup time would not open the factory restore option). However, after successfully reinstalling the original factory installation (Vista 64 Home Prem) and after it rebooted up to two times (drivers loading etc.), it started giving me a blue screen error message "IRQ9L .... not equal or less ... etc". I tried restoring all 3 partitions using the Acronis backup and still it comes up with the same blue screen error. I had also replaced it with a new similar-sized (320gb) HD, restored all 3 partitions (through Acronis) and still encounter the same blue screen error. Could this be a rootkit infection? I guessed this is one frustrating reason why the previous owner wanted to sell this laptop sooner (less than 1 year owned). I pulled out each HD (the original and the 2nd new one), hooked it up as an external USB HD and ran chkdsk (using another laptop w/ Win XP) with option /r. On the first pass (on each HD), chkdsk notified me it corrected some files, and the next reruns came out OK. By the way, are rootkit infections transferable to other PCs, even while running tests on the infected HD hooked up as an external USB? I would appreciate any helpful response here. I am also interested in using Sophos and at least one other software tool (Dr. Web CureIt, Avast, ThreatFire, TDSSKiller, Combofix or UnHackMe), which please recommend. Thank you for sharing your tech notes at this forum site. God bless your work. SonarB

I am creating a new thread in the forum to help with your problem. I am sorry if you did not want to register, but the forum is more suited for this. I think you have hardware problems and I think I can help you; IRQ9L is the ACPI controller and my guess is that it's conflicting with PCI, so register (it is fast and easy) and come and post in the forum here, where I have created a thread.
http://www.techsupportalert.com/freeware-forum/general-computer-support/...
I have already created some steps for you to follow, so do this and let me know. Good luck.

I have disapproved the above-mentioned thread. Reasons being, the thread does not say anything at all about the original problem, nor does it refer to this comment here. People can't just give help if they don't know what the thread is referring to.

Second, if a user has a problem, which will be difficult to track here, they have to register on the forum. If they do not want to register, it will be quite difficult for us to provide help in an organized, and effective manner. We will not post queries on behalf of the users on the forum. They themselves have to do that, unless they have a genuine problem registering on the forum. Many of the users register on the forum, and then post their queries, and others should do the same.

The proper place to make requests for assistance of this nature is here in the forum:
http://www.techsupportalert.com/freeware-forum/general-computer-support/

Please be aware that we are having some difficulty tying down just exactly which features are included in the free version of Prevx linked to above. We are attempting to clarify this now with the vendor and will amend the article if necessary after we receive their reply.

From a posting at Wilders Security...I agree

"If all you need is on-demand, I'd personally go with Hitman Pro. Fast, multi-engined and better on-demand detection and removal of advanced stuff both MBAM and SAS misses, like the latest TDL3.3 rootkit. Obviously, keep something for on-demand".

Well, a lot of people from SurfRight have said that this is true. The first TDL3 rootkit was more advanced, or maybe successful is a better word. Anyway, I will be sure to include Hitman in the testing, and I am in the process of updating this and writing an article on rootkit detection and removal. I did not like the earlier versions of Hitman but have not tried the new one. Has it improved a lot?

Hi DLC50, from reading Wilders Security forum, yeah Hitman Pro has matured into a very reliable scanner.

Hi,

I can't find the portable version of Root Repeal.
Can somebody give me a hint?

Thx

Andi

The link above is it

Thanks a lot!

Hi DLC50, thanks for answering our questions. I am quite new to this rootkit infection, as I thought an anti-virus scanner could identify a rootkit and remove it from the system, but apparently even anti-virus can't remove it.

So I've been using the scanners listed above: Sophos Anti-Rootkit, Dr. Web, and (I was going to use F-Secure Blacklight but I read above it is out of date so I didn't bother to use it) they all came up clean. I had used GMER and it was a pain to use because every time it scans and I save the text log into Notepad my PC crashes and then restarts itself. One time I managed to save it to Notepad before it restarted my PC, and the results looked clean, I think, as it did not display hidden items, but GMER was not very user friendly in displaying the results.

So my question is: the Sophos anti-rootkit scanner does not have an update database like an antivirus, so how can it detect newer release rootkits? Also, how would you rate the Avira antivirus rootkit scanner for scanning for rootkits; is it as good as the list above?

Thanks

Well, neither GMER nor RootRepeal is very user friendly; they are advanced tools. A lot of the ARK tools do not have an update database because they do not scan using signatures. Since rootkits hide so well from the user and the OS, signatures are almost pointless within an online operating system; if you are in a recovery environment such as WinPE, signatures have a better chance. Sophos and some of the other tools scan for hidden files, processes, and registry keys, and some search the Windows API. The point is that they all work differently.

I just read this on a Wilders Security posting. I didn't know getting a rootkit infection was so easy. A little scary...

"rootkits can be introduced not only from trojans but now from rogues and fake antivirus also, and some of them are not detected by antivirus companies."

Yeah, getting a rootkit can be very dangerous, and yes it is very serious. Fortunately there are several forums that can help you out if you need it. The scary thing about a rootkit is that you probably will never even know you have one installed. They can intercept requests for a list of files or processes and only show you what they want you to see. So there will be nothing suspicious in Task Manager. They even have the ability to detect when an AV starts a scan, and they can suspend their activity and hide so the AV doesn't notice any suspicious activity in the file system and all is clean. The first rootkit infection I ever removed from a computer taught me a lesson. Sometimes the only thing you will notice is a couple of files missing in Explorer. Two things to remember: there is no such thing as a perfect rootkit, and there is definitely no such thing as a perfect anti-rootkit.
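The cross-view idea behind the scanners discussed in these two replies (a rootkit that filters the answer to "list the processes" only fools the path it hooked, so a scanner takes the same inventory through two independent paths and reports what one shows and the other does not), as an added Python example; this is not code from the review or from Sophos, GMER or any other tool it covers. The process tables are constructed, and the optional live pair on Linux assumes a readable /proc and a ps(1) binary.

```python
"""Cross-view detection of hidden objects (processes here; files or registry
keys compare the same way).  Added example, not code from any tool reviewed."""
import os
import subprocess
import sys


def hidden_from_api(api_view: dict, raw_view: dict) -> dict:
    """Entries a low-level walk found but the normal API answer omitted.

    A rootkit that hooks the API only filters that one view, so anything in
    raw_view that is missing from api_view is a candidate hidden object.
    """
    return {key: name for key, name in raw_view.items() if key not in api_view}


def consistently_hidden(snapshot_pairs: list) -> dict:
    """Report only entries hidden in every (api_view, raw_view) pair.

    The two enumerations of one pair are never taken at the same instant, so a
    process that started or exited in between shows up as a one-off
    discrepancy.  Taking several pairs a moment apart and keeping the
    intersection drops that noise, while a genuinely hidden entry survives.
    """
    result = None
    for api_view, raw_view in snapshot_pairs:
        found = hidden_from_api(api_view, raw_view)
        if result is None:
            result = found
        else:
            result = {k: v for k, v in result.items() if k in found}
    return result or {}


# Constructed sample data (not from any real system): pid 4242 is absent from
# every API answer; pid 9001 is a short-lived installer caught only once.
API_VIEWS = [
    {4: "System", 512: "explorer.exe", 777: "svchost.exe"},
    {4: "System", 512: "explorer.exe", 777: "svchost.exe", 880: "notepad.exe"},
    {4: "System", 512: "explorer.exe", 777: "svchost.exe", 880: "notepad.exe"},
]
RAW_VIEWS = [
    {4: "System", 512: "explorer.exe", 777: "svchost.exe",
     4242: "dropper.exe", 9001: "setup.tmp"},
    {4: "System", 512: "explorer.exe", 777: "svchost.exe", 880: "notepad.exe",
     4242: "dropper.exe"},
    {4: "System", 512: "explorer.exe", 777: "svchost.exe", 880: "notepad.exe",
     4242: "dropper.exe"},
]


def sample_findings() -> dict:
    """Run the comparison over the constructed snapshots."""
    return consistently_hidden(list(zip(API_VIEWS, RAW_VIEWS)))


def linux_live_pair() -> tuple:
    """Two real views on Linux: the ps(1) table and a /proc directory walk.

    Both ultimately read /proc, so this only exercises the comparison; a real
    scanner takes its second view from a path the rootkit is less likely to
    hook (kernel structures, raw disk, or an offline boot environment).
    """
    walk = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/comm") as f:
                    walk[int(entry)] = f.read().strip()
            except OSError:
                pass  # process exited between listdir() and open()
    out = subprocess.run(["ps", "-e", "-o", "pid=,comm="],
                         capture_output=True, text=True, check=True).stdout
    table = {}
    for line in out.splitlines():
        pid, _, name = line.strip().partition(" ")
        table[int(pid)] = name.strip()
    return table, walk


if __name__ == "__main__":
    print("sample:", sample_findings())  # {4242: 'dropper.exe'}
    if sys.platform.startswith("linux"):
        pairs = [linux_live_pair() for _ in range(3)]
        print("live:", consistently_hidden(pairs))
```

A non-empty live result is a lead to investigate, not a verdict: legitimate software that hides objects (the security apps mentioned further down) shows up here exactly as malware would.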

Just ran Sophos and it came up with a couple of hundred "hidden" files that (1) were not hidden, and (2) as far as I can see are legitimate files. What's the point of that? Next up - uninstall Sophos.

Well, there is a lot of software that uses rootkit techniques for various reasons, as a security app does. A lot of anti-rootkit tools will detect these as well as malicious ones. Sophos also gives recommendations on all of those files that it listed as suspicious.

DLC50 has asked me to inform visitors to his categories that he will be away for a while but will respond to any comments as soon as he is able to.

I'm a long-time Gizmo 'fan', and an old-timer with PCs, but I seem to recall the rootkit 'scare' from years back, when we used PREV? or an AVG rootkit scanner/remover {or was it from Lavasoft?}. Even back then, I scanned like hell but never found a rootkit.
So I thought, just for fun, I'd run all the recommended software listed above, as I'm long overdue to scan and remove any!, and here are my comments:
1. SOPHOS: took awhile {45 mins elapsed for 30 gb of data}. Seems thorough. It found 3 'unknown and hidden' files {4 from grandson's gaming software from 2+ years back}.
2. Root Repeal: Lots of options to run makes it confusing, but overall, it was faster than SOPHOS by 15 minutes. Found 16 ‘SSTD’ files, and an MPG video file that were ‘suspect’. Problem was that there was little documentation as to what these really are, so didn’t take any action!
3. GMER: this one took off like a bat outa' hell. I have no idea what it did, but for the first time in YEARS, literally, it hung my PC and I had to reboot. A 2nd try did the SAME THING! I was NOT impressed. I’d leave this one alone!
4. F-SECURE Blacklight: ran quickly, found nothing. And since it's no longer supported, it probably doesn't have all the guts to find any newer rootkits?
5. Dr. Web Cure It: I always shrug when I run web-based stuff, wondering what it's really doing, if anything. This was a great example. I have no idea what it did after 'registering' from the pretty green splash-screen. To me, useless.

I am currently in the process of upgrading the review, but a lot of the same programs will still be included. All of these apps look for rootkits in different ways; that is why one scans a long time and the others can scan fast. Dr. Web Cure It is not web based. I do not know if you went to the home page I provided; there is a web based scanner there, but Dr. Web Cure It is a downloaded exe application and is in no way web based. It does not even connect to the internet unless you choose to buy the commercial version. You are correct about F-Secure; it is not as good at removing newer rootkits as the others. The most effective at removing sophisticated rootkits are GMER, RootRepeal, DSE, and Kernel Detective, but these are very advanced, like you said. You can however save the report from the RootRepeal scan that you did and upload it to a forum for help; there are several such forums around the net. A lot of the anti-rootkit tools that were around a couple of years ago are not supported now, so it is more difficult to find tools that are capable of removing the latest threats and are also easy enough for everyone to use and understand. I will be publishing an article sometime soon to give tips on how to recognize when you're infected, as well as some tips on removal and prevention.

Can you provide the names of some of the forums you mentioned where we can send the reports from our scans?

Here you go. There are several such forums around the net, but these are the ones I usually direct people to. Please read the TOS and suggestions before posting, because if you do not post with all the information that they require, you will not get an answer. Also, a lot of these forums request you to submit a HijackThis log first. Always post the HJT log and the info about your OS and hardware before posting logs from the rootkit tools. After you do this they will give you a chance to post the rootkit logs. The reason for this is that these logs contain a lot of information, and if you post it first you will not get a reply. Good luck, and if none of these forums are right for you, contact me or run a search, but I will be glad to help out.

http://www.dslreports.com/forum/cleanup~filter=Rootkit
http://malwareremoval.com/forum/viewforum.php?f=11
http://www.spywareinfoforum.com/index.php?showforum=18

After formatting and installing Windows several times on a machine that previously had XP SP1, I came to the conclusion the rootkit lived in the boot sector. I have also come across rootkits that hide programming in the pagefile.sys.

HitMan Pro used to be quite good - their version 3 is cloud-based - any recommendations?
http://www.surfright.nl/en

You have to fill out a registration form for Sophos. I like F-Secure; it scanned in only 6 minutes.

See posts below re download links for Sophos, no registration required!

F-Secure is a great tool; the only problem is that since it hasn't been updated in a while it can't detect the more modern and advanced rootkits that are being developed today. For this you need Sophos or RootRepeal to better detect the newer rootkits.

Is there a difference between the home and business versions of the Sophos product?
