Subscribe to our Best Free Rootkit Scanner/Remover
|
In a Hurry?
|
 Go straight to the Quick Selection Guide |
|
Introduction
|
|
Rootkits are a special kind of software tool used to hide trojans, viruses and other malware from your anti virus scanner and other security products. Unfortunately, they are extremely effective, which means that some of you who are reading this will be infected, even though you believe your PC to be totally clean. Thankfully, there is a new class of security product now available, called "rootkit detectors", that use specialized techniques to detect these dangerous intruders. The reality is that at the present time, full protection against rootkits may require the use of multiple products, and complete removal may require a system rebuild. For more details, see my introductory article on rootkits. |
|
Discussion
|
|
|
|
||||||||||||||||||
|
||||||||||||||||||
|
||||||||||||||||||
|
||||||||||||||||||
|
||||||||||||||||||
1.08 
Unrestricted Freeware 
Windows 2000 - XP2
|
This software category is maintained by Hirvesh Munogee. Hirvesh has has always been interested in software, especially free software and runs a blog, Codefusion Lab: Technology Re-Discovered. |
Delicious
Digg
StumbleUpon
Please rate this article
I would recommend a combination of Prevx3.0 and GMER to remove the hardest and hardest of the Rootkits. Prevx3.0 is free for detection of malware, even though its not free for full version with removal facility. Use Prevx to scan the system and find out the malwares. Then it can be removed using the GMER. This combination helped me from a worst situation recently.
Hello !
Panda Antirootkit and the old Rootkit Revealer, IceSword and DarkSpy are too bypassed by new rootkits, I'am afraid. GMer itself can't follow the evolution.
Now a day, after many tests, I prefer :
- Rootkit Unhooker (version 3.8)
http://infomars.fr/forum/index.php?showtopic=1906
- RootRepeal (version 1.2.3)
http://infomars.fr/forum/index.php?showtopic=1912
For "average users", what do you think about Avast! antirootkit tool ?
Regards.
Txon.
http://www.threatfire.com/
Do yourself a favor and check this out. It is fast, uses very little system resources and live scans everything. Only manual scan is rootkit scan. Auto and manual updates are fast. It is very new and FREE... Runs in background without changing main anti-virus.
ThreatFire is patent-pending, security software for your computer. This Help system covers both ThreatFire Free Edition and ThreatFire Pro.
If I already have antivirus software why do I need ThreatFire?
ThreatFire is dramatically different to traditional antivirus software. Normal antivirus products usually need to have first identified and seen a threat before they can provide adequate protection against it. The protection is then provided via a signature or fingerprint update, which must first be written by an antivirus researcher. This creates a large window of time where threats are undetected and can therefore infect your PC even when you have antivirus software installed.
How can ThreatFire protect me when traditional antivirus can't?
ThreatFire continually protects your PC against attacks by detecting malicious behavior, such as capturing your keystrokes or stealing your data, instead of only looking for known threats like normal antivirus software. By implementing sophisticated real-time behavioral analysis ThreatFire is able to stop never- before-seen "zero-day" threats solely by detecting their malicious activity.
Hello !
I tested ThreatFire. It's an HIPS but not really an ARK.
ThreatFire doensn't block the more astute rootkits.
Its scanner just detects a very few of them, old one's.
Regards.
Txon.
ThreatFire is reviewed here:
http://www.techsupportalert.com/best-free-hips.htm
This sounds like an ad.
Threatfire is not new, it's been around a few years, and was called Cyberhawk before that.
Now it's owned by Symantec.
I thought it was owned by PC Tools?
Symantec gobbled up all of PC Tools last year: http://www.symantec.com/about/news/release/article.jsp?prid=20080818_02
I installed Darkspy and got a STOP 24 when I ran it. When I tried to uninstall it I could not find it in either Win XP or REVO Uninstallers. I used Little Registry Cleaner and RegCure to get it out of the registry and then deleted the setup file. I have XP PRO SP3.
I don't like the red color of this type, but I do like this site. Thanks
Is it okay to run any of these products with service Pack 3?
Too bad Panda Anti Rootkit is not supported for Vista :-(.
F-Secure BlackLight 2.2.1092
http://majorgeeks.com/F-Secure_BlackLight_d5156.html
- avast! ΑntiΡootkit
see the 1st post at
http://forum.avast.com/index.php?topic=33753.0
u said antipootkit xDD
It is still in beta... and being tested.
Anupam Shriwatri, India
So what?
It has been very effective since it is based on the GMER Technology!!!
Trend Micro "RootkitBuster" is a rootkit scanner that scans
-hidden files,
-registry entries,
-processes, drivers,
and
-Master Boot Record (MBR) rootkits.
RootkitBuster can also clean
-hidden files
and
-registry entries.
http://www.trendmicro.com/download/rbuster.asp
- avast! ΑntiΡootkit
xxxxxxxxxxxxxx
- F-Secure BlackLight 2.2.1092
xxxxxxxxxxxxxxxxx
Please note that we do not permit direct links to executables.
Man, what a headache finding the download link! Here it is:
Panda AntiRootkit 1.08
http://research.pandasecurity.com/blogs/images/AntiRootkit.zip
Thanks! I couldn't find it either!
How about RootAlyzer from safer-networking.org? Any good?
What you probably are downloading is a ROOTKIT! And how on Earth would you know?
Don't download ANYTHING ever again :P
Well, these tools are fairly popular among security experts. If something suspicious was going on we would probably have known about it by now. Software recommendations on this site are given only to totaly safe and legitimate software so there's no need not to worry:)
thank's
I need a good rootkit remover and finder that works for vista I tried getting Ice sword and it failed to work any help?
It failed to work or you couldn't figure out how to use it? Besides, IceSword is recommended to experienced users only
They said it failed to work, maybe they are experienced.
The latest version of Rootkit Unhooker works on Windows Vista Ultimate, SP1. I read about it in Help file.
Anyone like Threatfire? I have it and like it it has a rootkit scanner.
I use Rootkit Unhooker. It's great tool and is considered as one of the best antirootkit.
The latest vesion can be downloaded from http://www.rootkit.com/
Most of these tools are out of date. The best rootkit/trojan remover is Unhackme. They offer a free Russian version but if you install the trial and print out some screenshots the Russian version is pretty easy to navigate, since there aren't that many options or menus. It has saved me more times than all other crapware removal tools combined. Bold statement, but see for yourself.
Panda isnt at all a very good ark! GMER & IceSword are much better...and how about RootkitUnhooker still the best ark out there!!!
GMER & IceSword better for expirienced users.
Hi,
Interesting article. Sophos Anti-Rootkit is another free rootkit removal tool which i find to be very effective and the scanning speed is also very admirable.
James
Hi,
I think, like a year ago or something, I checked this section and there were only about two 32bit programs. So I tried to search around for 64bit support, and I finished when I read somewhere that rootkits don't work on 64bit systems. Now I'm wondering if that's true.
Thanks.
I'd like to know if that is true too(Rootkits not being a problem for 64bits) - am using AVG which has a rootkit part but I'd been using Panda on my older computer. Bought a new computer which had XP 64bit put on it. I didn't realise the hassles involved.......
I've had a few systems that have been heavily infected and despite the use of many a removal tool still persist with actions like redirecting Google searches. However I have found that a small application called Combofix fixes the problem nicely. Information can be found on the following webpage;
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Note: If you find that combofix isn't running try renaming it to something like cfx.exe or sausage.exe. A lot of rootkits look for removal tools by executable name and pause them, thus preventing them from running.
When I downloaded ComboFix.exe from the link, Windows Defender claimed it contains Trojan:Win32/AgentBypass.gen!K
That is a false positive. Many programs detect NirCmd.exe, which is packaged in Combofix, as riskware.
I was reading the NYTimes and they referenced BotHunter developed by SRI which seems to be supported by the US Army. They are found at www.bothunter.net. Any information on them? I had some reservations because for all I know the army might be putting in its own spyware, but then I realized while being paranoid so could any of these products. I tried too install it anyway but the install wouldn't complete.
The Vermin8tor says: Gmer is good,but know what you're doing.Aries rootkit remover is ok, but it contains a warning: could ruin your PC. AVG anti-rootkit is ok, but doesn't detect much or all.Bit defender anti-rootkit is ok, but never detected any with this.Most others as suggested are just rootkit revealers, and don't do much at all.Threatfire's not bad, better to have the full version though.Sysinternals doesn't do nothing for me.
The free, standalone BlackLight is still available: http://www.f-secure.com/security_center/ You'll find it at the bottom of the page. Here is the direct download link: ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
Something interesting is that there doesn't seem to be a time limit on the latest versions of BlackLight. I just downloaded a fresh copy today (version 2.2.1092.0), but I've had version 2.2.1067.0 on my flashdrive since 12/1/2007, and it still works (I don't usually use it unless IceSword won't work). Can it be put back in the review?
DarkSpy is no lnger under development.
Refer to link below.
http://www.fyyre.net/~cardmagic/index_en.html
It gets the job done for now and that's the only thing that matters. By the way your link is broken. I read somewhere that Icesword and DarkSpy have been bought by Trend Micro and Gmer by Anvil Software, cant't find a reputable source though
Hi, does anyone have any positive experience from using these scanners. i.e. have any of them found rootkits on your computers and if so which ones?
Just looking for feedback as to which were the most successful
Thanks
Fergus
I have been using IceSword for somewhere in the neighborhood of 2-3 years. Throughout the time I've been using it, I've only found an actual rootkit once. All the rest of the time, all hidden items I've found have always been legitimate ones. That said, it only takes a few seconds to see if a hidden process is actually running. And if you don't recognize the file, a quick Google search should point you to enough resources for you to determine whether it is malicious.
Thank you for the information. I am new user and am in need of some elementary advice. How do I find out if a "hidden process is running"? Also, how do I do "a quick Google search to point me to the resources to determine whether it is malicious"?
Thanks,
Mike
I think you should also be concerned with false positives, if an anti-rootkit incorrectly flags a rootkit, it doesn't suit, does it ? There are legitimate rootkits, like the well know alcohol and daemon tools who cause no damage. First line of defense against rootkits is a good AV with anti-rootkit bundled.