Best Free Rootkit Scanner and Remover
Introduction
Hello Gizmo’s readers! My co-worker John C from our east coast office came across a page on Malwarebytes' forums and thought I would share it, since we are putting together our tools for threat removal. The use of italics is my clumsy way of differentiating what I'm writing to Gizmo's readers from what I published to colleagues. Here is the page: Malware Removal Guides and Self Help Guides. If you read the first post, it refers to Chameleon. This is a tool within Malwarebytes that can find and stop running processes from malware and is very useful on fake alert threats. Chameleon is in a sub-folder within the Malwarebytes main folder.

Below are my testing results that I published to my colleagues, with some edits in order to present this to you in easier-to-understand language. We are all IT folk, so I tend to write to them differently than I would write to Gizmo's readers. Below I speak about System Check, which is a rather nasty fake alert. In my next post I am going to present some methods for removal of these threats along with reviews of rootkit scanners. It has been very busy at work and I perform testing in my spare time, of which there has been very little. But I wanted to share this with you so you can add Chameleon to your USB stick. Below, MBAM is short for Malwarebytes' Anti-Malware, and Rkill is another tool for stopping processes which I will comment on later.

The next two paragraphs are from my letter to co-workers:

I tested Chameleon on System Check, which is worse than most of the fake alerts in that it hides everything. I stepped through the instructions listed in the first post of the link provided. I clicked the first box and it opened a small DOS window and then proceeded to kill processes and then update and run MBAM. All of this worked great, and had an unexpected side effect. When it killed the process I think it also removed the ability of this ‘New and Improved’ System Check to deactivate your partitions. I rebooted and came right back into Windows, albeit with a black desktop and everything hidden, but it booted!! (But keep in mind, I ran this right after infection; your user will probably have rebooted. More on this below.) I didn’t clean it when MBAM ran this first time because John found that you can run Chameleon as a standalone from your USB stick, and I wanted to test that. Sure enough, I copied the whole Chameleon folder over and ran the file from there. Chameleon worked just as it did before, perfectly. So this will be a permanent addition to my USB stick. This will give us the ability to stop the processes fake alerts are running right from your USB and then be able to install and run MBAM without it being compromised.

Rkill works much the same way, but is a bit dicey when it runs. In order to shut down what’s running it will actually rename files. This can be bad, however, because now MBAM or whatever is being used may not find the renamed file. I would always note the path from Rkill and rename it back to the original so MBAM could find it.

I have other news I wanted to share with you about a tool I'm building that will reverse the damage done by these fake alerts like System Check I refer to above, when they hide all of your menus and folders. I had posted it here but it was too lengthy. I will post a link to it so that you can read it at your leisure. Until then, please check out Chameleon as it will be a good addition to any USB stick.
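The editor's own "reverse the damage" tool is not on this page. As an added example that is not that tool and not from Malwarebytes, the PowerShell script below undoes the "everything hidden" state the post describes. It assumes the rogue hid items only by setting the file-system Hidden attribute (the post does not say how the hiding is done, so treat that as an assumption), and it deliberately leaves alone anything that is also marked System, is a reparse point (the profile junctions) or sits under AppData, because those are hidden legitimately. Run it with -ReportOnly first; pass -Paths to cover other locations such as Program Files.

```powershell
# Added example, not the editor's tool: clear the Hidden attribute that fake-alert
# rogues such as System Check leave on profile and Start Menu items.
# Assumption: the rogue hid items only via FILE_ATTRIBUTE_HIDDEN. Files it moved,
# deleted or protected with ACL changes are not recovered by this script.
param(
    [string[]] $Paths = @(
        $env:USERPROFILE,
        "$env:ALLUSERSPROFILE\Start Menu",                    # XP layout
        "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu"   # Vista/7 layout
    ),
    [switch] $ReportOnly   # list what would change, touch nothing
)

# Items that are legitimately hidden inside a profile and must stay that way.
$SkipNames = @('AppData', 'Application Data', 'Local Settings',
               'desktop.ini', 'Thumbs.db', '$RECYCLE.BIN')
# Do not touch anything below these folders either; their hidden files are normal.
$SkipPathPattern = '\\(AppData|Application Data|Local Settings)(\\|$)'

function Restore-HiddenItems {
    param([string[]] $Roots, [switch] $DryRun)
    $cleared = 0
    $failed  = 0
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
          Where-Object {
            $a = $_.Attributes
            # OS-owned items carry Hidden+System; the rogue sets Hidden only.
            (($a -band [IO.FileAttributes]::Hidden) -ne 0) -and
            (($a -band [IO.FileAttributes]::System) -eq 0) -and
            (($a -band [IO.FileAttributes]::ReparsePoint) -eq 0) -and
            ($SkipNames -notcontains $_.Name) -and
            ($_.Name -notlike 'ntuser*') -and
            ($_.FullName -notmatch $SkipPathPattern)
          } |
          ForEach-Object {
            $item = $_
            if ($DryRun) {
                Write-Output "would unhide: $($item.FullName)"
            } else {
                try {
                    # Hidden is known to be set here, so XOR clears exactly that bit.
                    $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::Hidden
                    $cleared++
                } catch {
                    $failed++
                    Write-Warning "could not change $($item.FullName): $_"
                }
            }
          }
    }
    Write-Output "Cleared Hidden on $cleared item(s); $failed failure(s)."
}

Restore-HiddenItems -Roots $Paths -DryRun:$ReportOnly
```

Because the filter keys on "Hidden but not System", it will not strip the attribute from desktop.ini, ntuser.dat or the Vista-style junctions, which is the usual way a blanket `attrib -h /s /d` goes wrong. Items the rogue renamed or moved rather than hid still need the path notes the post recommends keeping for Rkill.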
Discussion
There are a lot of anti-rootkit programs available. Much of this software is very advanced and requires an experienced, technically minded user who is familiar with computers and operating systems. However, there are a couple of options that do not require much technical ability and are also very effective.

For the average user I cannot recommend either GMER or RootRepeal, as without comprehensive computer knowledge the results would be very hard to interpret. I even have a hard time understanding the data. In my work I usually have no time to refer to the documentation and must move quickly to restore a computer to working condition. However, if a particularly difficult infection is present these tools are invaluable because of the wealth of information. I prefer GMER as I find the initial scanning process easier to use and it had a better detection rate than RootRepeal.
Other Rootkit Scanners and Removers
F-Secure BlackLight still works well for older rootkits but gives an "Incompatible" error if run on Windows 7. BlackLight is also unable to detect most modern rootkits, and therefore I recommend one of the other tools for now.

Additionally, Prevx Free can run customized scans from the context menu and also gives you the ability to schedule scans. Another plus is that it scans quickly. The free version also offers protection of stored cookies as well as protection for all of your saved credentials. There is also a browser protection component in the free version, but it only offers custom protection on one web site of your choice. It does, however, give the full Prevx Safe Online protection, which includes anti-phishing and protection against hijacks, keyloggers and cookie stealers for a number of popular websites such as PayPal or Amazon, and of course the one website of your choice.

I have included the previous editor’s information above but would note that, given the limited functionality of Prevx Free, I mainly use it for detection. Often I need not only to detect but to remove in one scan using one tool. As I mentioned above, I will leave links to the applications mentioned here as they might work for you and be your favorites. I don’t want to discourage the use of any of them, but the ones I haven’t had much success with are in the Other Scanners section, so I cannot recommend them. If they work for you, that’s great, and I would love to hear of your successes in the comments section. Along with my goal of providing help, I also want to give you only what I have found that works. I am always open, however, to learning of new methods and tools. I love tools and am a firm believer that you cannot have too many. In the ever-changing world of threat removal we need many tools to detect and remove.
Editor
This software category is maintained by volunteer editor dslfreak. Registered members can contact the editor with any comments or questions they might have.
Tags
anti-rootkit, rootkit scanner, rootkit remover, free rootkit scanner, free rootkit remover, freeware, rootkit eliminator, rootkit detection
Comments
Dr.Web CureIt! 8 on-demand virus scanner has been released - http://www.freedrweb.com/cureit/?lng=en . A favorable review by Martin Brinkmann at Ghacks.net can be found at http://www.ghacks.net/2013/04/06/dr-web-cureit-8-on-demand-virus-scanner... .
TechRepublic have published an article many will find worthwhile, "Rootkit coders beware: Malwarebytes is in hot pursuit" (2013.03.18) -- http://www.techrepublic.com/blog/security/rootkit-coders-beware-malwareb... .
Though Malwarebytes Anti-Rootkit is still in beta, an updated version has been released -- http://www.malwarebytes.org/products/mbar/ .
Bitdefender Labs have released a free rootkit remover tool -- http://labs.bitdefender.com/projects/rootkit-remover/rootkit-remover/.
Martin Brinkmann has a brief review article at Ghacks.net -- http://www.ghacks.net/2013/02/07/bitdefender-releases-rootkit-remover-to....
Hi all! It seems that F-Secure's website doesn't provide BlackLight any more.
The provided link redirects to http://www.f-secure.com/en/web/home_global/internet-security, which is a different product and is not free. I have found a valid download link here: http://www.softpedia.com/progDownload/F-Secure-BlackLight-Rootkit-Detect... (it's a beta).
Thanks & regards!
Thank you for the link. We would not advise the use of beta software in this category though for anything other than testing on a spare machine. MC - Site Manager.
Why no mention of Vba32arkit?
This is beta software with a very sporadic development cycle and therefore not recommended. MC - Site Manager.
Can you please see if Comodo Cleaning Essentials (CCE) would be well suited for inclusion in this article? It's already featured in the article about the Best Free Trojan Scanner and Remover:
http://www.techsupportalert.com/best-free-trojan-scanner-trojan-remover.htm
but it also appears to be quite good at finding rootkits.
Thanks.
Malwarebytes have released the first beta version of their dedicated stand-alone anti-rootkit application, Malwarebytes Anti-Rootkit (MBAR) -- http://www.malwarebytes.org/products/mbar/. They have a detailed discussion at http://blog.malwarebytes.org/news/2012/11/meet-malwarebytes-anti-rootkit/ .
Ghacks.net also have a brief discussion -- http://www.ghacks.net/2012/11/11/malwarebytes-anti-rootkit-beta-is-out/?....
@Midnight Cowboy,
Thank you for planning to write for the non-techies. I've been around computers since the punch cards, and had lots of programmers around to make me a star, writing command files that made it look like I was at work every day. I can hardly sit here long enough to read through this. I have 3 PCs on my desk, all Windows based and all with problems. Rootkit on the nice, fast HP Pavilion that is stuck on XP SP2. I did a sys restore, supposed to save my data, but it didn't. Fortunately, not much, but I had my list of how to do the upgrade to SP3 (done) and got the rootkit back almost immediately. My other PC was working fine until I turned them both on plugged into my ISP's modem/whatever and it says it has 14 trojans. I'm getting to know the McAfee peeps but their stuff just says "didn't scan the rootkit". Not even polite enough to give me a name.
Do the Tech Defenders of the Users load a thumb drive with their favorite programs, learn how to use them, and shove them into infected PCs? Is there a command to keep the malware from writing to the thumb drive? I studied RootKitRevealer link, and am not sure I would understand the output even though I am familiar with file naming conventions and the basics but NOT with Win OS. I feel they distribute software for users to test and then charge $99 to gank my hard drive. aarrgh.
Is there an operating system out there I can trust? I hear Apple has less problems but is more expensive all around. Thank you for reading my rant.
Rootkits can be very hard to remove. As MC says, sometimes the only way to get rid of them is to format the hard disk.
The first thing to do when the system is majorly infected with malware is to turn off System Restore and delete the restore points, because malware often hides in System Restore and gets back when you think that you have scanned and cleaned the PC. So, System Restore should not be used when the PC is majorly infected, and should be turned off and all restore points deleted. After that, scan the PC, and that will ensure the PC is clean.
You should try the top choice here, TDSSKiller for rootkit removal. Have only read good things about it. You may need help with the results though... so, like MC says, look for help on specialized malware removal forums like BleepingComputer, or any other which you search from the internet.
You can also scan the computer with a rescue disk, like Kaspersky Rescue Disk, which is free to download and use. This ensures that the malware does not become active, as the computer boots from the rescue disk.
If you are looking for an alternate OS, as MC already said, no other better choice than Linux.
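The "turn off System Restore and delete the restore points" step in the comment above, as an added example that is not from the page or its commenters. It assumes an elevated Windows PowerShell on Vista/7 or later, where restore points are VSS shadow copies, and that Windows lives on C: (on XP the System Restore tab of System Properties does the same job). The second function is the step the comment leaves implicit: once the scanners are done, turn protection back on and take a known-good snapshot.

```powershell
# Added example: disable System Restore for a volume and purge its restore points,
# then (after cleaning) re-enable it with a fresh baseline. Not the page's own code.
# Assumes an elevated Windows PowerShell on Vista/7+ and that Windows is on C:.

function Disable-SystemRestoreAndPurge {
    param([string] $Drive = 'C:')
    $before = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue).Count

    # Stop new restore points from being written for this volume.
    Disable-ComputerRestore -Drive "$Drive\"

    # Whether disabling drops the existing points varies by Windows version, so
    # remove whatever remains explicitly. Caveat: ransomware runs this exact command,
    # so expect AV/EDR to alert on it, and rollback is gone until re-enabled.
    & vssadmin.exe delete shadows /for=$Drive /all /quiet | Out-Null

    $after = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue).Count
    New-Object PSObject -Property @{
        Drive               = $Drive
        RestorePointsBefore = $before
        RestorePointsAfter  = $after
    }
}

# Run after the clean-up: turn protection back on and record a known-good snapshot.
function Enable-SystemRestoreWithCheckpoint {
    param([string] $Drive = 'C:', [string] $Label = 'Post-cleanup baseline')
    Enable-ComputerRestore -Drive "$Drive\"
    Checkpoint-Computer -Description $Label -RestorePointType MODIFY_SETTINGS
}

Disable-SystemRestoreAndPurge -Drive 'C:'
# ... run the rootkit scanner(s) and confirm the machine is clean ...
# Enable-SystemRestoreWithCheckpoint -Drive 'C:'
```

Copy any data you may still want to roll back before running the purge; shadow copies are also what "Previous Versions" reads from, so deleting them removes those file histories too.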
I agree with all said so far, but I have one generic comment. Windows isn't vulnerable to malware because it's less secure than MacOS or Unix variants (well, it might be, but that's really hard to measure). Windows gets more malware because it has the highest market share and thus offers the biggest return on investment for malware authors.
That said, you *will* reduce your chances of becoming infected if you use a less-popular OS like Linux or MacOS. However, an equally effective approach is to use "best practices". For example, enable automatic OS updates, don't use Internet Explorer and keep certain applications up-to-date (like Adobe products, Java, etc). Keeping your OS and applications updated and using a less-targeted browser will go a long way to preventing infection.
With regards to rootkits... I agree with MC on this point. Once you have positive evidence of a rootkit infection, it can be very hard to permanently remove. In fact, some variants will even infect hardware, making it almost impossible to remove. Your best bet after detecting a rootkit is a full system reinstallation. This includes a low-level format of your HDD. This will remove all but the best rootkits (the best being those which hide in BIOS or firmware).
Hi. Rootkits can be as easy as standard malware to remove, or if they're of the deeply embedded type (worst-case scenario) can sometimes require a complete system rebuild.
At the risk of upsetting Mac users, why pay through the nose for anything? I'm sure a lot of Samsung Galaxy owners will say the same. In terms of virus exposure Linux offers the best platform. It is virtually virus free and in terms of rootkits you would have to be pretty dumb and log in with root privileges to get one. I long ago got fed up with updating and nursing a collection of malware apps trying to secure Windows and switched to Linux for 95% of my use. I now only use Windows to test Windows programs.
Of all the commercial AV software, I have found McAfee to be one of the best known but least effective. Any of the top free programs will outperform this.
http://www.virusbtn.com/vb100/rap-index.xml
This is just my opinion but I would never try to clean a rootkit infected PC. I would rather re-format and be done with it in the hope that this will be enough. If you have important data on the infected machines, this might not be an option, in which case you will need to seek expert help. Be aware though that this area is a minefield of scammers and amateurs pretending to be professionals, and you can soon end up spending out a wad of cash for little or no result. An alternative is to register with one of the free specialist malware removal forums and follow the steps suggested by them. This can be quite a time consuming process but at least it's at no cost. It will also involve the use of quite aggressive tools which can cause their own issues if used incorrectly, so it is important to follow any instructions you receive to the letter.
Lastly, but before you do anything, it is important to try to tie down the source and method of the original infection, and take the necessary steps to prevent this in the future. Otherwise, you can just end up with new or cleaned machines becoming instantly reinfected.
I would like to know if runscanner would be considered a rootkit scanner. It tends to always find something that I missed.
www.runscanner.net
It is not a rootkit scanner. It's a tool similar to HiJackThis.
The reason I asked is because it always seems to find hidden drivers that are of no use to the OS.
How do you know those drivers are not of use to the OS?
Also, finding hidden drivers does not mean that the program is a rootkit scanner.
Actually that is a good question. The reason I stated "it is of no use to the OS" is because of my knowledge of computers. Now, rootkit scanners are supposed to detect hidden drivers; if they do not, it is not a rootkit scanner. Rootkits tend to hide their drivers so they will not be detected. Just stating the facts.
To be honest, I don't have much knowledge about rootkits. Maybe RunScanner can be considered as more of a tool to help detect rootkits, rather than a rootkit scanner, because it does not scan for rootkits specifically. And neither does it claim to be a rootkit scanner itself. It's more of a hijack utility.
Security programs can hide their stuff all over the place as part of their anti-tamper strategy.
aswMBR is not GMER but is based on GMER technology. The aswMBR detects 64bit rootkits which GMER does not.
I have yet to have TDSSKiller detect anything, and I have now removed it from my tech disk.
I work on many machines a week and TDSSKiller is a frontline app for me. It has found and killed many of the most common rootkits. I always run it and mbr check to find rootkits and bootkits before I do anything else. In my office(s) we have very few 64-bit machines, however.
I will give aswmbr a try.
Thanks
I've used TDSSKiller from Kaspersky over a hundred times in the last year, and I commonly do find things with it. It is the first process out of many that I use when fixing a customer's computer.
PC Technician from Utah
Is smartpc fixer any good? I keep getting a "buffer overrun detected" error.
The host website for this software is red-rated by WOT and is listed as a scam/rogue application. Consider using WOT next time before choosing software to avoid this type of situation. It isn't infallible but is mostly reliable.
http://www.mywot.com/
See also the notes attached to the results here:
http://urlvoid.com/scan/smartfixer.software-phile.com/
http://global.sitesafety.trendmicro.com/result.php
Don't download Avast Free Rootkit from here... I was just using it and my Bitdefender blocked a Trojan.Peed.Gen virus it was carrying.
This is a false detection. Please consult the help file for your antivirus to understand why this has happened.
If you check the results below, you will see that Bitdefender is clear. Others though alert it on the basis of "reputation" (great word from Norton which covers them for everything they miss :D), others are heuristic/suspicious etc. The very nature of how this program is compiled is the cause of these detections.
https://www.virustotal.com/file/58d820a137dd500232c6a09a9267dfd36621a737...
Just to throw in my $0.02, I agree with MC about the compiler being the issue. Of late, ComboFix is flagged by Symantec as being a Gen.Trojan. This is because ComboFix is made up of about 6 different apps all compiled within it. Also the hash could be causing the detection as well. But I use ComboFix almost daily and I can assure you 100% it is not a threat. So I agree that this Bitdefender detection is a false positive.
Dudeman
Comodo Cleaning Essentials