Best Free Rootkit Scanner and Remover

 
Introduction

My co-worker John C from our east coast office came across a page on Malwarebytes' forums, and I thought I would share it since we are putting together our tools for threat removal. The use of italics is my clumsy way of differentiating what I'm writing to Gizmo's readers from what I published to colleagues. Here is the page: Malware Removal Guides and Self Help Guides.

If you read the first post, it refers to Chameleon. This is a tool within Malwarebytes that can find and stop running processes from malware, and it is very useful against fake alert threats (rogue programs that throw fake security warnings and block your real tools). Chameleon is in a subfolder within the Malwarebytes main folder.

Below are my testing results as I published them to my colleagues, with some edits in order to present them to you in easier-to-understand language. We are all IT folk, so I tend to write to them differently than I would write to Gizmo's readers. Below I speak about System Check, which is a rather nasty fake alert. In my next post I am going to present some methods for removal of these threats along with reviews of rootkit scanners. It has been very busy at work and I perform testing in my spare time, of which there has been very little. But I wanted to share this with you so you can add Chameleon to your USB stick.

Below, MBAM is short for Malwarebytes' Anti-Malware, and Rkill is another tool for stopping processes which I will comment on later. The next two paragraphs are from my letter to co-workers:

I tested Chameleon on System Check, which is worse than most of the fake alerts in that it hides everything. I stepped through the instructions listed in the first post of the link provided. I clicked the first box and it opened a small DOS window, then proceeded to kill processes and then update and run MBAM. All of this worked great, and had an unexpected side effect. When it killed the process I think it also killed the ability of this 'New and Improved' System Check to deactivate your partitions. I rebooted and came right back into Windows, albeit with a black desktop and everything hidden, but it booted!! (But keep in mind, I ran this right after infection; your user will probably have rebooted. More on this below.) I didn't clean it when MBAM ran this first time because John found that you can run Chameleon as a standalone from your USB stick, and I wanted to test that. Sure enough, I copied the whole Chameleon folder over and ran the file from there. Chameleon worked just as it did before, perfectly.

So this will be a permanent addition to my USB stick. This gives us the ability to stop the processes fake alerts are running right from the USB stick and then install and run MBAM without it being compromised. Rkill works much the same way, but is a bit dicey when it runs. In order to shut down what's running it will actually rename files. This can be bad, however, because now MBAM or whatever is being used may not find the renamed file. I would always note the path from Rkill and rename it back to the original so MBAM could find it.

I have other news I wanted to share with you about a tool I'm building that will reverse the damage done by these fake alerts like System Check I refer to above, when they hide all of your menus and folders. I had posted it here but it was too lengthy. I will post a link to it so that you can read it at your leisure. Until then, please check out Chameleon as it will be a good addition to any USB stick.
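As an added example (not the author's tool and not code from the original article), here is the core of what such a repair looks like in Python. It assumes the malware hid things the way System Check does, by setting the Hidden attribute on files and folders in the user profile, and it deliberately leaves entries that also carry the System attribute alone, because Windows uses Hidden+System for files it hides on purpose (desktop.ini, NTUSER.DAT). The sample paths and attribute values are constructed; the live scan and rewrite run only on Windows, while the planning logic is portable.

```python
"""Undo the 'hide everything' damage left behind by fake-alert malware.

Added example: not part of the original article or the author's tool.
Assumption: the malware only set FILE_ATTRIBUTE_HIDDEN on files and folders.
"""
import os
import sys
from pathlib import Path
from typing import Iterable, List, Tuple

# Attribute bits from the Win32 API (winnt.h).
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_DIRECTORY = 0x10
FILE_ATTRIBUTE_ARCHIVE = 0x20


def strip_hidden(attrs: int) -> int:
    """Return the attribute word with Hidden cleared, unless System is also set.

    Windows hides its own housekeeping files with Hidden+System; the malware
    sets Hidden alone. Skipping H+S entries (as 'attrib -h' does without '-s')
    keeps us from exposing files the OS hid on purpose.
    """
    if attrs & FILE_ATTRIBUTE_SYSTEM:
        return attrs
    return attrs & ~FILE_ATTRIBUTE_HIDDEN


def plan_changes(entries: Iterable[Tuple[str, int]]) -> List[Tuple[str, int, int]]:
    """From (path, attrs) pairs, list (path, old_attrs, new_attrs) for entries that change."""
    changes = []
    for path, attrs in entries:
        new = strip_hidden(attrs)
        if new != attrs:
            changes.append((path, attrs, new))
    return changes


def scan_tree(root: Path) -> List[Tuple[str, int]]:
    """Collect (path, attrs) for every folder and file under root (Windows only)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            try:
                attrs = os.lstat(p).st_file_attributes  # this field only exists on Windows
            except (OSError, AttributeError):
                continue
            found.append((str(p), attrs))
    return found


def apply_changes(changes: List[Tuple[str, int, int]], dry_run: bool = True) -> int:
    """Write the planned attributes back; returns how many entries were changed."""
    if sys.platform != "win32":
        raise RuntimeError("attribute rewriting needs Windows")
    import ctypes  # imported here so the planning code above stays portable
    kernel32 = ctypes.windll.kernel32
    applied = 0
    for path, old, new in changes:
        print(f"{'would set' if dry_run else 'set'} 0x{old:02x} -> 0x{new:02x}  {path}")
        if not dry_run and kernel32.SetFileAttributesW(path, new):
            applied += 1
    return applied


# Constructed sample: what a hit user profile might look like after System Check.
SAMPLE_ENTRIES = [
    (r"C:\Users\alice\Documents", FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN),               # unhide
    (r"C:\Users\alice\Documents\report.docx", FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_HIDDEN),     # unhide
    (r"C:\Users\alice\desktop.ini", FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),  # leave
    (r"C:\Users\alice\notes.txt", FILE_ATTRIBUTE_ARCHIVE),                                         # untouched
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        entries = scan_tree(Path(sys.argv[1]))      # e.g. C:\Users\alice
        apply = "--apply" in sys.argv[2:]
        apply_changes(plan_changes(entries), dry_run=not apply)
    else:
        for path, old, new in plan_changes(SAMPLE_ENTRIES):
            print(f"0x{old:02x} -> 0x{new:02x}  {path}")
```

Run it once without --apply to review the plan before touching anything. The System-attribute guard is what separates this from a blanket `attrib -h /s /d`, which would also stop with "Not resetting system file" on every H+S entry it hits.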


 
Discussion

There are a lot of anti-rootkit programs available. Much of this software is very advanced and requires an experienced, technically minded user who is familiar with computers and operating systems. However, there are a couple of options that do not require much technical ability and are also very effective.

Kaspersky TDSSKiller

The new top pick is Kaspersky TDSSKiller. It has an easy-to-use GUI, fast scan times, a great detection rate and is user friendly.

TDSSKiller managed to detect and remove all modern rootkits tested (TDSS, Zeus, TDLV4, etc.). The only downside is that TDSSKiller seems to have a narrow range of rootkits it detects, but hopefully more types will be added over time. If more strains are added this may become the definitive tool for removal of rootkits.

In my testing, whatever it is designed to scan for it finds every time and removes easily and positively. The positives far outweigh the negatives on this one. TDSSKiller also includes 64-bit functionality, which is a huge plus.

 

GMER and RootRepeal

I have two top choices for experienced and technical users: GMER and RootRepeal. These are very popular applications, but it takes someone pretty knowledgeable about computer systems to be able to interpret the results. You can find a lot of documentation on both programs, but if you are the type of person (like me) who likes to click the scan button and simply wait for the results, you would be better served with TDSSKiller.

For the average user I cannot recommend either of these, as without comprehensive computer knowledge the results would be very hard to interpret. I even have a hard time understanding the data. In my work I usually have no time to refer to the documentation and must move quickly to restore a computer to working condition. However, if a particularly difficult infection is present these tools are invaluable because of the wealth of information. I prefer GMER as I find the initial scanning process easier to use and it had a better detection rate than RootRepeal.

 

Avast Anti-Rootkit

Avast Anti-Rootkit resembles a command prompt window but is fairly easy to use. It lets you scan your computer and MBR for rootkits and even fixes any issues. Understanding the output from Avast Anti-Rootkit may be a little hard for some users, but it does the job well. I tested it against TDSS and several other modern rootkits and it found all of them. Removal, on the other hand, was not as good as with some of the other tools. But what it does have is a very useful tool that I personally would not be without: the ability to perform FixMBR right from within Windows. Normally one would have to boot to a Windows XP disc or Windows 7 recovery disc to perform this command, but Avast Anti-Rootkit has a built-in 'FixMBR' button that with one click will write a new Master Boot Record, which is often necessary in the removal of rootkits: MBR bootkits (TDL4 is the well-known example) hook the boot process from the bootstrap code in the first sector of the disk, and rewriting that code evicts them. This is very useful as you may not always have a Windows disc on hand in the field. Two cautions before clicking it: save a copy of the existing sector first so you can put it back, and remember that any third-party boot loader living in the MBR (a dual-boot GRUB, or the pre-boot authentication of a whole-disk encryption product) will be overwritten along with the infection. I keep this on my USB drive at all times.
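Since FixMBR overwrites the first sector of the disk, it is worth knowing what you are about to replace. The following is an added example in Python, not part of the original article and not code from Avast Anti-Rootkit: it parses a raw 512-byte MBR dump (taken, for instance, with `dd if=/dev/sda of=mbr.bin bs=512 count=1` from a Linux live CD), checks the boot signature and partition table, and compares the bootstrap code against the SHA-256 of a copy taken while the machine was clean. The known-good hash is an assumption you supply from your own snapshot; the sample sectors are constructed, and their bootstrap bytes are a synthetic stand-in, not a real Windows loader. It goes a little beyond the text by also flagging partition-table problems, since the table is what a rewritten MBR must preserve.

```python
"""Audit a raw 512-byte MBR sector before and after a FixMBR.

Added example, not part of the original article or of Avast Anti-Rootkit.
Assumptions: the known-good bootstrap hash comes from a dump you took while
the machine was clean, and the sample sectors below are constructed (the
bootstrap bytes are a synthetic stand-in, not a real Windows loader).
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446           # bytes 0..445: bootstrap code (what FixMBR rewrites)
PARTITION_TABLE_OFFSET = 446   # bytes 446..509: four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510..511
ENTRY_FMT = "<B3xB3xII"        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def lba_end(self) -> int:   # exclusive
        return self.lba_start + self.sector_count


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition-table slots, skipping empty ones."""
    parts = []
    for i in range(4):
        status, type_id, lba_start, count = struct.unpack_from(
            ENTRY_FMT, mbr, PARTITION_TABLE_OFFSET + 16 * i)
        if type_id == 0 and count == 0:
            continue
        parts.append(Partition(i, status == 0x80, type_id, lba_start, count))
    return parts


def boot_code_sha256(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()


def audit_mbr(mbr: bytes, disk_sectors: int, known_good_sha256: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    if len(mbr) != SECTOR_SIZE:
        return [f"expected {SECTOR_SIZE} bytes, got {len(mbr)}"]
    findings = []
    if mbr[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if known_good_sha256 and boot_code_sha256(mbr) != known_good_sha256:
        # The bootkit case: the loader in the first 446 bytes is replaced
        # while the partition table is left intact so the system still boots.
        findings.append("bootstrap code differs from the known-good copy")
    parts = parse_partitions(mbr)
    if sum(p.bootable for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    for p in parts:
        if p.lba_end > disk_sectors:
            findings.append(f"partition {p.index} extends past the end of the disk")
        for q in parts:
            if q.index > p.index and p.lba_start < q.lba_end and q.lba_start < p.lba_end:
                findings.append(f"partitions {p.index} and {q.index} overlap")
    return findings


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a sector from boot code and (bootable, type, lba_start, count) tuples (sample input only)."""
    table = b"".join(struct.pack(ENTRY_FMT, 0x80 if b else 0, t, s, c) for b, t, s, c in entries)
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE] + table.ljust(64, b"\x00") + MBR_SIGNATURE


# Constructed samples: a 20 GiB disk with one bootable NTFS (0x07) partition.
DISK_SECTORS = 20 * 1024 * 1024 * 1024 // 512
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c") + b"\x90" * 32     # synthetic stand-in
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(True, 0x07, 2048, 204800)])
CLEAN_BOOT_HASH = boot_code_sha256(CLEAN_MBR)
INFECTED_MBR = bytes.fromhex("ea007c0000") + CLEAN_MBR[5:]             # loader patched, table untouched
BAD_TABLE_MBR = build_mbr(CLEAN_BOOT_CODE, [(True, 0x07, 2048, 204800), (False, 0x07, 41900000, 204800)])


def audit_samples() -> dict:
    return {
        "clean": audit_mbr(CLEAN_MBR, DISK_SECTORS, CLEAN_BOOT_HASH),
        "infected": audit_mbr(INFECTED_MBR, DISK_SECTORS, CLEAN_BOOT_HASH),
        "bad_table": audit_mbr(BAD_TABLE_MBR, DISK_SECTORS, CLEAN_BOOT_HASH),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:   # python mbr_audit.py mbr.bin <disk-size-in-sectors> [known-good-sha256]
        with open(sys.argv[1], "rb") as f:
            sector = f.read(SECTOR_SIZE)
        print(audit_mbr(sector, int(sys.argv[2]), sys.argv[3] if len(sys.argv) > 3 else None) or ["no findings"])
    else:
        for name, result in audit_samples().items():
            print(f"{name}: {result or 'no findings'}")
```

Dump the sector once when you first touch the machine, again after FixMBR, and keep both: the hash comparison tells you whether the loader actually changed, and the saved copy is your way back if the rewrite breaks a boot loader you did not know was there.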

 

Dr.Web CureIt!

The next product that I looked at is one that I always keep in my toolkit. Dr.Web CureIt! is not a standalone anti-rootkit tool like the other tools I recommended; rather, it is a free malware scanner and removal tool that happens to be pretty effective at removing some rootkits but doesn't detect the modern threats in my testing. It is always a good idea to have more than one tool capable of removal, so Dr.Web's freeware scanner is a great addition to anybody's arsenal. What I have found useful is the sandbox environment it creates when it's run. This is good as it stops all processes that some malware may try to run. It is also able to deep scan your drive, and you can reboot back into this environment for further scanning and removal.

 
Other Rootkit Scanners and Removers

Sophos Anti-Rootkit

Sophos Anti-Rootkit has a small but easy-to-use interface with no options other than choosing where you want to scan. As it scans it opens up to a slightly larger interface where it lists the results of the scan and gives you information about each result as well as a recommendation for it. Additionally, a small help file is available that explains the program in a little more detail and gives directions on how to use the command-line anti-rootkit tool which is also included. This would be a great tool if it were kept up to date, but in my testing it failed to find or remove any of the modern threats I tested.

 

F-Secure Blacklight

F-Secure Blacklight is another great tool for rootkit removal. Unfortunately, support for it ended a couple of years ago. However, you can still download it from the F-Secure web site, and it is compatible with Windows Vista and XP.

It still works well for older rootkits but gives an "Incompatible" error if run on Windows 7. Blacklight is also unable to detect most modern rootkits and therefore I recommend one of the other tools for now.

 

Prevx Free

Prevx Free, the free version of Prevx, offers the same class-leading real-time detection as the full version, but unfortunately it doesn't offer much more than this. Prevx Free is only capable of cleaning select infections, such as adware, the Zeus banking trojan, and MBR rootkits. When dealing with rootkits detection is definitely very important, so even if you can't clean all infections you will at least be alerted, enabling you to take further action and manually remove the rootkit or seek help in doing so. As hard as it is to detect the newer, ever-evolving rootkits and viruses, Prevx can be a very powerful and informative addition to your regular anti-virus software.

Additionally, Prevx Free can run customized scans from the context menu and also gives you the ability to schedule scans. Another plus is that it scans quickly. The free version also offers protection of stored cookies as well as protection for all of your saved credentials. There is also a browser protection component in the free version, but it only offers custom protection on one web site of your choice. It does, however, give the full Prevx Safe Online protection, which includes anti-phishing and protection against hijacks, keyloggers, and cookie stealers for a number of popular websites such as PayPal or Amazon, and of course the one website of your choice.

I have included the previous editor's information above but would note that, given the limited functionality of Prevx Free, I mainly use it for detection. Often I need not only to detect but to remove in one scan using one tool.

As I mentioned above, I will leave links to the applications mentioned here as they might work for you and be your favorites. I don't want to discourage the use of any of them, but the ones I haven't had much success with are in the Other Scanners section, so I cannot recommend them. If they work for you that's great, and I would love to hear of your successes in the comments section.

Along with my goal of providing help is to give you only what I have found works. I am always open, however, to learning of new methods and tools. I love tools and am a firm believer that you cannot have too many. In the ever-changing world of threat removal we need many tools to detect and remove.

 
Quick Selection Guide

Kaspersky TDSSKiller
Rating: 5 (Gizmo's Freeware award as the best product in its class!)
Type: Runs as a stand-alone program on a user's computer
Pros: Easy to use GUI, high detection rate, removed all infected files in tests and is 64 bit compatible.
Cons: Limited scope and range of types of rootkits detected.
Version: 3.0.0.14
Size: 1870 KB
Platform: 32 bit but 64 bit compatible
License: Unrestricted freeware
OS: Windows

GMER
Rating: 4
Type: Runs as a stand-alone program on a user's computer
Pros: Considered class-leading technology.
Cons: No help file, but information online. Not suitable for average users.
Web site: http://www.gmer.net/
Version: 2.1.19163
Size: 369 KB ZIP
License: Unrestricted freeware
Portability: A portable version of this product is available from the developer.
OS: Windows 2000 to 8

Avast Anti-Rootkit
Rating: 4
Type: Runs as a stand-alone program on a user's computer
Pros: Works well. Detects most rootkits, easy to use. 'FixMBR' function within Windows is invaluable; a must have on any USB flash drive.
Cons: Results sometimes hard to interpret and removal failed on some rootkits.
Web site: http://www.avast.com/
Version: 0.9.9
Size: 1870 KB
License: Unrestricted freeware
Portability: There is no portable version of this product available.
OS: Tested on Windows 7

Dr.Web CureIt!
Rating: 3
Type: Runs as a stand-alone program on a user's computer
Pros: Sandbox environment useful for halting processes and scanning MBR.
Cons: Unable to detect some of the modern rootkits.
Version: 6.00.4
Size: 115 MB
Platform: 32 bit but 64 bit compatible
License: Unrestricted freeware
Portability: This product is portable.
OS: All Windows Platforms

 

 

Average: 4.2 (129 votes)

Comments

by AJNorth on 15. October 2013 - 17:25  (111505)

TDSSKiller has been updated to v3.0.0.14 (2013.10.15)

Malwarebytes Anti-Rootkit has been updated to v1.07.0.1007-Beta (2013.10.07).

by RockyStunner on 10. October 2013 - 11:43  (111374)

1) How can we know if some process is downloading something in the background silently ?

2) How to identify which process is downloading something in the background?

3) How to track at what locations what files are being downloaded (other than the one which we choose to download at a particular location or the ones that we can usually see in the download managers etc.)

4) We can use the software like OpenedFilesView(http://www.nirsoft.net/utils/opened_files_view.html) which can give us an insight of which files are actively locked and being changed with the size, but one needs to be an expert to track what is happening.
So is there any software which can give us a realtime view of which process is downloading what thing from which site and downloading it to what location? (I feel Firewall does not give indepth information). This can help us find the Trojan/rootkit activities or the malicious softwares updating itself in the background or adding up space on our harddisk silently in the background without our notice.

Any Expert input on this will be highly appreciated.
Thanks in Advance :)

by AJNorth on 6. April 2013 - 13:35  (106853)

Dr.Web CureIt! 8 on-demand virus scanner has been released - http://www.freedrweb.com/cureit/?lng=en . A favorable review by Martin Brinkmann at Ghacks.net can be found at http://www.ghacks.net/2013/04/06/dr-web-cureit-8-on-demand-virus-scanner... .

by AJNorth on 6. April 2013 - 13:56  (106375)

TechRepublic have published an article many will find worthwhile, "Rootkit coders beware: Malwarebytes is in hot pursuit" (2013.03.18) -- http://www.techrepublic.com/blog/security/rootkit-coders-beware-malwareb... .

Though Malwarebytes Anti-Rootkit is still in beta, an updated version has been released -- http://www.malwarebytes.org/products/mbar/ .

by AJNorth on 8. February 2013 - 22:27  (105217)

Bitdefender Labs have released a free rootkit remover tool -- http://labs.bitdefender.com/projects/rootkit-remover/rootkit-remover/.

Martin Brinkmann has a brief review article at Ghacks.net -- http://www.ghacks.net/2013/02/07/bitdefender-releases-rootkit-remover-to....

by arcedo on 13. January 2013 - 13:53  (104442)

Hi all! It seems that F-Secure's website doesn't provide BlackLight any more.

Provided link redirects to http://www.f-secure.com/en/web/home_global/internet-security that is other product and it's not free. I have found a valid download link here: http://www.softpedia.com/progDownload/F-Secure-BlackLight-Rootkit-Detect... (it's a beta).

Thanks & regards!

by MidnightCowboy on 13. January 2013 - 23:45  (104460)

Thank you for the link. We would not advise the use of beta software in this category though for anything other than testing on a spare machine. MC - Site Manager.

by Paxmilitaris on 21. February 2013 - 22:34  (105645)

Why no mention of Vba32arkit?

by MidnightCowboy on 22. February 2013 - 0:56  (105647)

This is beta software with a very sporadic development cycle and therefore not recommended. MC - Site Manager.

by Chiron on 9. January 2013 - 17:01  (104356)

Can you please see if Comodo Cleaning Essentials (CCE) would be well suited for inclusion in this article? It's already featured in the article about the Best Free Trojan Scanner and Remover:
http://www.techsupportalert.com/best-free-trojan-scanner-trojan-remover.htm
but it also appears to be quite good at finding rootkits.

Thanks.

by AJNorth on 19. March 2013 - 8:43  (102802)

Malwarebytes have released the first beta version of their dedicated stand-alone anti-rootkit application, Malwarebytes Anti-Rootkit (MBAR) -- http://www.malwarebytes.org/products/mbar/. They have a detailed discussion at http://blog.malwarebytes.org/news/2012/11/meet-malwarebytes-anti-rootkit/ .

Ghacks.net also have a brief discussion -- http://www.ghacks.net/2012/11/11/malwarebytes-anti-rootkit-beta-is-out/?....

by Sun813 (not verified) on 3. November 2012 - 22:47  (101825)

@Midnight Cowboy,
Thank you for planning to write for the non-techies. I've been around computers since the punch cards, and had lots of programmers around to make me a star, writing command files that made it look like I was at work every day. I can hardly sit here long enough to read through this. I have 3 PCs on my desk, all Windows-based and all with problems. Rootkit on the nice, fast HP Pavilion that is stuck on XP SP2. I did a sys restore supposed to save my data but it didn't. Fortunately, not much, but had my list of how to do the upgrade to SP3 (done) and got the rootkit back almost immediately. My other PC was working fine until I turned them both on plugged into my ISP's modem/whatever and it says it has 14 trojans. I'm getting to know the McAfee peeps but their stuff just says "didn't scan the rootkit". Not even polite enough to give me a name.

Do the Tech Defenders of the Users load a thumb drive with their favorite programs, learn how to use them, and shove them into infected PCs? Is there a command to keep the malware from writing to the thumb drive? I studied RootKitRevealer link, and am not sure I would understand the output even though I am familiar with file naming conventions and the basics but NOT with Win OS. I feel they distribute software for users to test and then charge $99 to gank my hard drive. aarrgh.

Is there an operating system out there I can trust? I hear Apple has less problems but is more expensive all around. Thank you for reading my rant.

by Anupam on 4. November 2012 - 7:15  (101841)

Rootkits can be very hard to remove. As MC says, sometimes the only way to get rid of them is to format the hard disk.

The first thing to do when the system is majorly infected with malware is to turn off System Restore and delete the restore points, because malware often hides in System Restore and comes back when you think that you have scanned and cleaned the PC. So, System Restore should not be used when the PC is majorly infected, and should be turned off, and all restore points deleted. After that, scan the PC, and that will ensure the PC is clean.

You should try the top choice here, TDSSKiller for rootkit removal. Have only read good things about it. You may need help with the results though... so, like MC says, look for help on specialized malware removal forums like BleepingComputer, or any other which you search from the internet.

You can also scan the computer with a rescue disk, like Kaspersky Rescue Disk, which is free to download and use. This ensures that the malware does not become active, as the computer boots from the rescue disk.

If you are looking for an alternate OS, as MC already said, no other better choice than Linux.

by shiftygypsy on 7. November 2012 - 1:46  (101967)

I agree with all said so far, but I have one generic comment. Windows isn't vulnerable to malware because it's less secure than MacOS or Unix variants (well, it might be, but that's really hard to measure). Windows gets more malware because it has the highest market share and thus offers the biggest return on investment for malware authors.

That said, you *will* reduce your chances of becoming infected if you use a less-popular OS like Linux or MacOS. However, an equally effective approach is to use "best practices". For example, enable automatic OS updates, don't use Internet Explorer and keep certain applications up-to-date (like Adobe products, Java, etc). Keeping your OS and applications updated and using a less-targeted browser will go a long way to preventing infection.

With regards to rootkits...I agree with MC on this point. Once you have positive evidence of a rootkit infection, it can be very hard to permanently remove. In fact, some variants will even infect hardware making it almost impossible to remove. Your best bet after detecting a rootkit is a full system reinstallation. This includes a low-level format of your HDD. This will remove all but the best rootkits (the best being those which hide in bios or firmware).

by MidnightCowboy on 4. November 2012 - 0:49  (101829)

Hi. Rootkits can be as easy as standard malware to remove or, if they're of the deeply embedded type (worst-case scenario), can sometimes require a complete system rebuild.

At the risk of upsetting Mac users, why pay through the nose for anything? I'm sure a lot of Samsung Galaxy owners will say the same. In terms of virus exposure Linux offers the best platform. It is virtually virus free and in terms of rootkits you would have to be pretty dumb and log in with root privileges to get one. I long ago got fed up with updating and nursing a collection of malware apps trying to secure Windows and switched to Linux for 95% of my use. I now only use Windows to test Windows programs.

Of all the commercial AV software, I have found McAfee to be one of the best known but least effective. Any of the top free programs will outperform this.

http://www.virusbtn.com/vb100/rap-index.xml

This is just my opinion but I would never try to clean a rootkit infected PC. I would rather re-format and be done with it in the hope that this will be enough. If you have important data on the infected machines, this might not be an option, in which case you will need to seek expert help. Be aware though that this area is a minefield of scammers and amateurs pretending to be professionals, and you can soon end up spending out a wad of cash for little or no result. An alternative is to register with one of the free specialist malware removal forums and follow the steps suggested by them. This can be quite a time consuming process but at least it's at no cost. It will also involve the use of quite aggressive tools which can cause their own issues if used incorrectly, so it is important to follow any instructions you receive to the letter.

Lastly, but before you do anything, it is important to try to tie down the source and method of the original infection, and take the necessary steps to prevent this in the future. Otherwise, you can just end up with new or cleaned machines becoming instantly reinfected.

by rudyg on 15. August 2012 - 6:41  (97727)

I would like to know if runscanner would be considered a rootkit scanner. It tends to always find something that I missed.

www.runscanner.net

by Anupam on 15. August 2012 - 6:46  (97728)

It is not a rootkit scanner. It's a tool similar to HiJackThis.

by rudyg on 16. August 2012 - 10:10  (97778)

The reason I asked is because it always seems to find hidden drivers that are of no use to the OS.

by Anupam on 16. August 2012 - 13:50  (97796)

How do you know those drivers are not of use to the OS?
Also, finding hidden drivers does not mean that the program is a rootkit scanner.

by rudyg on 17. August 2012 - 6:48  (97841)

Actually that is a good question, the reason I stated "it is of no use to the OS" is because of my knowledge of computers. Now rootkit scanners are supposed to detect hidden drivers if they do not it is not a rootkit scanner. Rootkits tend to hide their drivers so they will not be detected. Just stating the facts.

by Anupam on 17. August 2012 - 7:32  (97842)

To be honest, I don't have much knowledge about rootkits. Maybe RunScanner can be considered as more of a tool to help detect rootkits, rather than a rootkit scanner, because it does not scan for rootkits specifically. And neither does it claim to be a rootkit scanner itself. It's more of a hijack utility.

by MidnightCowboy on 16. August 2012 - 15:38  (97808)

Security programs can hide their stuff all over the place as part of their anti-tamper strategy.

by My Hackintosh (not verified) on 3. May 2012 - 1:24  (92935)

aswMBR is not GMER but is based on GMER technology. aswMBR detects 64-bit rootkits, which GMER does not.
I have yet to have TDSSKiller detect anything, and I have now removed it from my tech disk.

by -J (not verified) on 31. October 2012 - 17:42  (101661)

I work on many machines a week and TDSSKiller is a frontline app for me. It has found and killed many of the most common rootkits. I always run it and an MBR check to find rootkits and bootkits before I do anything else. In my office(s) we have very few 64-bit machines, however.

I will give aswmbr a try.

by The_Original_Dudeman (not verified) on 13. August 2012 - 21:23  (97670)

Thanks

by Aron (not verified) on 12. August 2012 - 22:36  (97623)

I've used TDSSKiller from Kaspersky over a hundred times in the last year, and I commonly do find things with it. It is the first process out of many that I use when fixing a customer's computer.

PC Technician from Utah

by Ernest Harris (not verified) on 2. April 2012 - 23:11  (91590)

Is smartpc fixer any good? I keep getting a "buffer overrun detected" error.

by MidnightCowboy on 3. April 2012 - 4:22  (91596)

The host website for this software is red rated by WOT and is listed as a scam/rogue application. Consider using WOT next time before choosing software to avoid this type of situation. It isn't infallible but is mostly reliable.

http://www.mywot.com/

See also the notes attached to the results here:

http://urlvoid.com/scan/smartfixer.software-phile.com/
http://global.sitesafety.trendmicro.com/result.php

by Anonymousishkabible (not verified) on 2. March 2012 - 6:28  (89794)

Don't download Avast free rootkit from here... I was just using it and my Bitdefender blocked a trojan.peed.gen virus it was carrying.

by MidnightCowboy on 2. March 2012 - 7:54  (89796)

This is a false detection. Please consult the help file for your antivirus to understand why this has happened.

If you check the results below, you will see that Bitdefender is clear. Others though alert it on the basis of "reputation" (great word from Norton which covers them for everything they miss :D), others are heuristic/suspicious etc. The very nature of how this program is compiled is the cause of these detections.

https://www.virustotal.com/file/58d820a137dd500232c6a09a9267dfd36621a737...
