Best Free Rootkit Scanner and Remover

 
Introduction

My co-worker John C from our east coast office came across a page on Malwarebytes' forums, and I thought I would share it since we are putting together our tools for threat removal. The use of italics is my clumsy way of differentiating what I'm writing to Gizmo's readers from what I published to colleagues. Here is the page: Malware Removal Guides and Self Help Guides.

The first post in that thread refers to Chameleon. This is a tool bundled with Malwarebytes that can find and stop the running processes of malware, and it is very useful against fake-alert (rogue antivirus) threats. Chameleon is in a subfolder of the main Malwarebytes folder.

Below are my testing results as I published them to my colleagues, with some edits to present them to you in easier-to-understand language. We are all IT folk, so I tend to write to them differently than I would write to Gizmo's readers. Below I speak about System Check, which is a rather nasty fake alert. In my next post I am going to present some methods for removal of these threats, along with reviews of rootkit scanners. It has been very busy at work and I perform testing in my spare time, of which there has been very little. But I wanted to share this with you so you can add Chameleon to your USB stick.

Below, MBAM is short for Malwarebytes' Anti-Malware, and Rkill is another process-stopping tool, which I will comment on below. The next two paragraphs are from my letter to co-workers:

I tested Chameleon on System Check, which is worse than most of the fake alerts in that it hides everything. I stepped through the instructions listed in the first post of the link provided. I clicked the first box; it opened a small DOS window, proceeded to kill processes, and then updated and ran MBAM. All of this worked great, and had an unexpected side effect: when it killed the process I think it also stopped this 'New and Improved' System Check from deactivating your partitions. I rebooted and came right back into Windows, albeit with a black desktop and everything hidden, but it booted!! (But keep in mind, I ran this right after infection; your user will probably have rebooted. More on this below.) I didn't clean it when MBAM ran this first time because John found that you can run Chameleon as a standalone from your USB stick, and I wanted to test that. Sure enough, I copied the whole Chameleon folder over and ran the file from there. Chameleon worked just as it did before, perfectly.

So this will be a permanent addition to my USB stick. It gives us the ability to stop the processes fake alerts are running right from the USB stick, and then install and run MBAM without it being compromised. Rkill works much the same way, but is a bit dicey when it runs: in order to shut down what's running it will actually rename files. This can be bad, because MBAM or whatever else is being used may then not find the renamed file. I would always note the path from Rkill and rename the file back to its original name so MBAM could find it.

I have other news I wanted to share with you about a tool I'm building that will reverse the damage done by fake alerts like the System Check I refer to above, when they hide all of your menus and folders. I had posted it here but it was too lengthy. I will post a link to it so that you can read it at your leisure. Until then, please check out Chameleon, as it will be a good addition to any USB stick.


 

 
Discussion

There are a lot of anti-rootkit programs available. Much of this software is very advanced and requires an experienced, technically minded user who is familiar with computers and operating systems. However, there are a couple of options that do not require much technical ability and are also very effective.

Kaspersky TDSSKiller

The new top pick is Kaspersky TDSSKiller. It has an easy-to-use GUI, fast scan times, a great detection rate, and is user friendly.

TDSSKiller managed to detect and remove all of the modern rootkits I tested (TDSS, Zeus, TDL4, etc.). The only downside is that TDSSKiller seems to have a narrow range of rootkit families it detects, but hopefully more types will be added over time. If more strains are added this may become the definitive tool for removal of rootkits.

In my testing, what it is designed to scan for it finds every time and removes easily and positively. The positives far outweigh the negatives on this one. TDSSKiller also includes 64-bit functionality, which is a huge plus.

 

GMER and RootRepeal

I have two top choices for experienced and technical users: GMER and RootRepeal. These are very popular applications, but it takes someone pretty knowledgeable about computer systems to interpret the results. You can find a lot of documentation on both programs, but if you are the type of person (like me) who likes to click the scan button and simply wait for the results, you would be better served with TDSSKiller.

For the average user I cannot recommend either of these, as without comprehensive computer knowledge the results would be very hard to interpret. I even have a hard time understanding the data. In my work I usually have no time to refer to the documentation and must move quickly to restore a computer to working condition. However, if a particularly difficult infection is present these tools are invaluable because of the wealth of information they provide. I prefer GMER, as I find the initial scanning process easier to use and it had a better detection rate than RootRepeal.

 

Avast Anti-Rootkit

Avast Anti-Rootkit resembles a command prompt window but is fairly easy to use. It lets you scan your computer and MBR for rootkits and even fixes any issues. Understanding the output from Avast Anti-Rootkit may be a little hard for some users, but it does the job well. I tested it against TDSS and several other modern rootkits and it found all of them. Removal, on the other hand, was not as good as with some of the other tools. But what it does have is a very useful function that I personally would not be without: the ability to perform FixMBR right from within Windows. Normally one would have to boot to a Windows XP disc (fixmbr in the Recovery Console) or a Windows 7 recovery disc (bootrec /fixmbr) to run this command, but Avast Anti-Rootkit has a built-in 'FixMBR' button that with one click writes a new Master Boot Record, which is often necessary in the removal of MBR rootkits. This is very useful, as you may not always have a Windows disc on hand in the field. I keep this on my USB drive at all times.

Two caveats apply to a FixMBR whichever tool performs it. It rewrites only the boot code in the first 440 bytes of sector 0; the disk signature and the partition table that follow it are left alone, which is why your partitions survive the operation. And it removes only the hook the rootkit planted in the boot sequence, not the rootkit's driver or whatever it stores elsewhere on the disk, so a full scan still has to follow. Save a copy of the original sector before rewriting it, so the change can be reversed if the machine turns out to use a non-standard boot manager.
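To make the FixMBR point concrete, here is an added example (not code from the original page, and not Avast's or any other tool's implementation) that parses a 512-byte MBR image, compares its boot code against a known-good reference, and then performs the same kind of repair a FixMBR does: replace bytes 0 to 439 and keep the disk signature and partition table untouched. The layout constants follow the standard MBR format; the reference boot code and the clean and "infected" sample images are constructed for the demonstration and are not a real Windows MBR.

```python
"""Inspect a 512-byte MBR image and rewrite only its boot-code area.

Added example. The layout constants follow the classic MBR format; the
reference boot code and the two sample MBR images below are CONSTRUCTED for
this demonstration and are not a real Windows MBR.
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_LEN = 440       # bytes 0..439: boot code, the part a FixMBR rewrites
DISK_SIG_OFF = 440        # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIG_OFF = 510        # 0x55 0xAA marks a valid boot sector
PART_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> list[Partition]:
    """Return the non-empty entries of the partition table."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code only, for comparison against a known-good image."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, reference_boot_code: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    findings = []
    if mbr[BOOT_SIG_OFF:] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if mbr[:BOOT_CODE_LEN] != reference_boot_code[:BOOT_CODE_LEN]:
        findings.append("boot code differs from reference")
    for i in range(4):
        status = mbr[PART_TABLE_OFF + 16 * i]
        if status not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{status:02x}")
    if sum(p.bootable for p in parse_partitions(mbr)) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def rewrite_boot_code(mbr: bytes, reference_boot_code: bytes) -> bytes:
    """What a FixMBR does: replace bytes 0..439, keep disk signature and partition table."""
    return reference_boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00") + mbr[BOOT_CODE_LEN:]


def _build_mbr(boot_code: bytes, disk_sig: bytes, partitions: list[Partition]) -> bytes:
    """Assemble a constructed MBR image from its parts."""
    table = b"".join(
        struct.pack(PART_ENTRY, 0x80 if p.bootable else 0x00, b"\xfe\xff\xff",
                    p.type_id, b"\xfe\xff\xff", p.lba_start, p.sectors)
        for p in partitions
    ).ljust(64, b"\x00")
    return (boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
            + disk_sig + b"\x00\x00" + table + b"\x55\xaa")


# Constructed data: a stand-in boot-code prologue, not the real Windows code.
REFERENCE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
# Constructed "infection": the first bytes replaced by a far jump to attacker code.
HOOKED_BOOT_CODE = b"\xea\x00\x7c\x00\x00" + REFERENCE_BOOT_CODE[5:]
SAMPLE_PARTS = [Partition(True, 0x07, 2048, 204800)]   # one NTFS partition, constructed
CLEAN_MBR = _build_mbr(REFERENCE_BOOT_CODE, b"\x12\x34\x56\x78", SAMPLE_PARTS)
INFECTED_MBR = _build_mbr(HOOKED_BOOT_CODE, b"\x12\x34\x56\x78", SAMPLE_PARTS)


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, boot_code_hash(image)[:16], check_mbr(image, REFERENCE_BOOT_CODE))
    repaired = rewrite_boot_code(INFECTED_MBR, REFERENCE_BOOT_CODE)
    print("repaired", check_mbr(repaired, REFERENCE_BOOT_CODE), parse_partitions(repaired))
```

On a real machine the 512-byte image would come from a sector dump of the physical disk taken before and after the tool runs; the boot-code hash is what you keep in your notes, since the partition table and disk signature are expected to be identical before and after a FixMBR.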

 

Dr.Web CureIt!

The next product I looked at is one that I always keep in my toolkit. Dr.Web CureIt! is not a standalone anti-rootkit tool like the other tools I recommended; rather, it is a free malware scanner and removal tool that happens to be pretty effective at removing some rootkits, but it did not detect the modern threats in my testing. It is always a good idea to have more than one tool capable of removal, so Dr.Web's freeware scanner is a great addition to anybody's arsenal. What I have found useful is the sandbox environment it creates when it runs. This is good, as it stops all the processes that some malware may try to run. It is also able to deep-scan your drive, and you can reboot back into this environment for further scanning and removal.

 
Other Rootkit Scanners and Removers

Sophos Anti-Rootkit

Sophos Anti-Rootkit has a small but easy-to-use interface, with no options other than choosing where you want to scan. As it scans it opens up a slightly larger interface where it lists the results of the scan and gives you information about each result, as well as a recommendation for it. Additionally, a small help file is available that explains the program in a little more detail and gives directions on how to use the command-line anti-rootkit tool that is also included. This would be a great tool if it were kept up to date, but in my testing it failed to find or remove any of the modern threats I tested.

 

F-Secure Blacklight

F-Secure Blacklight is another great tool for rootkit removal. Unfortunately, support for it ended a couple of years ago. However, you can still download it from the F-Secure web site, and it is compatible with Windows Vista and XP.

It still works well for older rootkits, but gives an "Incompatible" error if run on Windows 7. Blacklight is also unable to detect most modern rootkits, and therefore I recommend one of the other tools for now.

 

Prevx Free

Prevx Free, the free version of Prevx, offers the same class-leading real-time detection as the full version, but unfortunately it doesn't offer much more than this. Prevx Free is only capable of cleaning select infections, such as adware, the Zeus banking trojan, and MBR rootkits. When dealing with rootkits, detection is definitely very important, so even if you can't clean all infections you might at least be alerted, enabling you to take further action and manually remove the rootkit or seek help in doing so. As hard as it is to detect the newer, ever-evolving rootkits and viruses, Prevx can be a very powerful and informative addition to your regular anti-virus software.

Additionally, Prevx Free can run customized scans from the context menu and also gives you the ability to schedule scans. Another plus is that it scans quickly. The free version also offers protection of stored cookies as well as protection for all of your saved credentials. There is also a browser protection component in the free version, but it offers custom protection on only one web site of your choice. It does, however, give the full Prevx Safe Online protection, which includes anti-phishing and protection against hijacks, keyloggers, and cookie stealers for a number of popular websites such as PayPal or Amazon, and of course the one website of your choice.

I have included the previous editor's information above, but would note that given the limited functionality of Prevx Free, I mainly use it for detection. Often I need not only to detect but to remove, in one scan, using one tool.

As I mentioned above, I will leave links to the applications mentioned here, as they might work for you and be your favourites. I don't want to discourage the use of any of them, but the ones I haven't had much success with are in the Other Scanners section, so I cannot recommend them. If they work for you, that's great, and I would love to hear of your successes in the comments section.

My goal is not only to provide help but to give you only what I have found that works. I am always open, however, to learning of new methods and tools. I love tools and am a firm believer that you cannot have too many. In the ever-changing world of threat removal we need many tools to detect and remove.

 
 
Quick Selection Guide

Kaspersky TDSSKiller
Our rating: 5/5. Gizmo's Freeware award as the best product in its class!
Runs as a stand-alone program on a user's computer
Pros: Easy-to-use GUI, high detection rate, removed all infected files in tests and is 64-bit compatible.
Cons: Limited scope and range of types of rootkits detected.
Version: 3.0.0.14
Size: 1870 KB
Platform: 32-bit but 64-bit compatible
License: Unrestricted freeware
OS: Windows

GMER
Our rating: 4/5
Runs as a stand-alone program on a user's computer
Pros: Considered class-leading technology.
Cons: No help file, but information online. Not suitable for average users.
Website: http://www.gmer.net/
Version: 2.1.19163
Size: 369 KB ZIP
License: Unrestricted freeware
A portable version of this product is available from the developer.
OS: Windows 2000 to 8

Avast Anti-Rootkit
Our rating: 4/5
Runs as a stand-alone program on a user's computer
Pros: Works well. Detects most rootkits, easy to use. 'FixMBR' function within Windows is invaluable; a must-have on any USB flash drive.
Cons: Results sometimes hard to interpret, and removal failed on some rootkits.
Website: http://www.avast.com/
Version: 0.9.9
Size: 1870 KB
License: Unrestricted freeware
There is no portable version of this product available.
OS: Tested on Windows 7

Dr.Web CureIt!
Our rating: 3/5
Runs as a stand-alone program on a user's computer
Pros: Sandbox environment useful for halting processes and scanning the MBR.
Cons: Unable to detect some of the modern rootkits.
Version: 6.00.4
Size: 115 MB
Platform: 32-bit but 64-bit compatible
License: Unrestricted freeware
This product is portable.
OS: All Windows platforms

 

Comments

by The_Original_Dudeman (not verified) on 3. March 2012 - 16:44  (89863)

Just to throw in my $0.02, I agree with MC about the compiler being the issue. As of late ComboFix is flagged by Symantec as being a Gen.Trojan. This is because ComboFix is made up of about 6 different apps all compiled within it. Also the hash could be causing the detection as well. But I use ComboFix almost daily and I can assure you 100% it is not a threat. So I agree that this BitDefender detection is a false positive.

Dudeman

by squibbon on 21. February 2012 - 3:29  (89156)

Comodo Cleaning Essentials

by The_Original_Dudeman (not verified) on 26. February 2012 - 23:04  (89548)

Awesome! Thanks for the heads up about Comodo.

I would like to say also to all readers out there that this kind of information and interaction contribute greatly to the success of this article and the information about removal I hope to provide.

While I have experience with this material, there are many of you out there who have technical skill and experience as well and I welcome you all, and urge you to contribute with your comments and insights.

Together, we can get this information out there and hopefully help folks fight the numerous threats that exists and the new ones written every day.

Thanks again, squibbon!

Dudeman

by Anonymous1234 (not verified) on 20. February 2012 - 14:44  (89103)

I believe the Avast rootkit scanner is an OEM and watered-down version of GMER. Also, as far as Prevx goes, I would not put a lot of faith in it. At one time it was one of the best, but Webroot is gradually phasing it out. Hitman Pro has Prevx as one of its scanners but is removing Prevx because the detection rate has dropped to around 3% since the servers used are no longer getting updated. Those are not the same servers as are used for the consumer products, but it gives an indication that the Prevx line and its freeware version are on the way out the door.

by The_Original_Dudeman (not verified) on 20. February 2012 - 18:00  (89129)

Thanks! It's great to see so many knowledgeable folks commenting.

Yes, Avast is either made by GMER or uses its engine. I have yet to confirm which is correct.

I have used Prevx in the past but not so much anymore because as you mention the detection rate is rather low now. This is why it has been moved to the Other Scanners section and no longer appears in the quick selection guide.

I have done some initial testing with Hitman and will include the results in an upcoming post.

As I mentioned, the older, unsupported and no longer updated apps will remain as links in case folks would still like to try them, but many of them will be moved to the Other section in this article. I hope to present new tools and the apps that are still supported, but feature the ones that actually work.

Dudeman

by samit (not verified) on 1. September 2012 - 13:27  (98617)

The aswMBR rootkit removal tool is based on GMER technology. The developer of GMER now works for Avast, and aswMBR is also developed by him.

by cinnamon toast crunch (not verified) on 19. February 2012 - 7:08  (89043)

Obviously people need to learn about Emsisoft Anti-Malware. My top arsenal against rootkits and other forms of malware and viruses, including zero-day attacks, is as follows:

process explorer
emsisoft anti-malware
the new and improved ad-aware
root repeal
gmer
no auto-runs

Never trust just an automatic scanner. Use all manual search criteria in your defense. Learn it, live it.
Treat everything as the enemy!! And don't trust nobody but your own mother, and then cut the deck!!! Good luck.

by SamG (not verified) on 9. March 2012 - 14:57  (90138)

Some people can't trust their mother. Not one bit. Checked reviews on Emsisoft and am not impressed: PCMag, CNET. May try it to see for myself. Also it was confusing as to which download was free. AND IT'S A LARGE DOWNLOAD. For trial software? Fairly certain this computer is malware free, as I test it at least once a month, mainly because I run as admin to avoid installing other users. And back up the system once a month to give updates time to work their magic.

by The_Original_Dudeman (not verified) on 19. February 2012 - 16:36  (89053)

Hello, and thanks for the heads up about Emsisoft. I will test it and review it here. Glad you mention Process Explorer; no toolbox is complete without it. In an upcoming post I plan to review and list what I use and keep on my USB stick, the must-have tools for anyone trying to remove threats.

Manual searches are fine for those of us with technical knowledge, and what I hope to present in my articles are methods and tools for average users as well as for the experienced technical folks.

Dudeman

by killed_by_TDSS (not verified) on 21. January 2012 - 21:55  (87558)

I've run Kaspersky TDSSKiller on a notebook. It found and removed one file. Now my network does not work!! Ethernet does not connect. Wireless connects sometimes for a second and then drops the connection.

I have not written down the file name Kaspersky deleted :-( !!
I expected that, like any decent program, it saves a log.
But Kaspersky saved no log!! of what it did!!!

ARGH!!!!!!!!!!!!!!!!!!
Beware

by AMDFAN (not verified) on 3. February 2012 - 21:09  (88251)

If it says it's a Windows file of any kind or a legit driver program, you don't remove that, or if it had the brand of the computer in its explanation, such as Dell, Toshiba or Hewlett Packard. Sometimes even .exe files run what is called rootkit technology, which is legit but can be confusing. You must have run the extra 2 choices it gives you, which can potentially be more dangerous if you don't know what's going on; probably removing your TCP drivers. Sorry dude, that's one thing you need to watch out for whenever using such devices. Next time don't use the extra 2 options it gives you; that can, and obviously has, proven dangerous for you. I ran it as well and got 4 Windows uploads and 2 InCD files, and I know not to touch Windows, but I wasn't sure what to do about the InCD devices since it's a program that has been on this computer as long as I remember, so I left it alone. If it was something I knew I added I might have tried removing it though, because it wouldn't have caused any real damage except maybe having to reinstall the program. Sorry dude, hopefully you got it fixed, and next time just let it run its regular priority process, to be safe.

by FrankT (not verified) on 20. February 2012 - 16:29  (89119)

InCD is the system driver used to enable formatting a CD-RW so you can treat it as a hard drive, being able to read and write to it many times. Old tech; stay away from it, as it never really worked properly. If you do not use CD-RW or DVD-RW disks then you can delete it.

by MidnightCowboy on 22. January 2012 - 5:00  (87581)

As indicated in the review text, these tools require an experienced knowledge of Windows to avoid deleting legitimate files. The same applies to so called registry cleaners and tweak tools.

by Slimc0der on 20. April 2013 - 2:20  (107211)

Registry cleaners... Ha, never used them, I know better. I have been editing my registry files by hand since their beginning. Messed up my fair share I'd have to say... but I have learned all kinds of things from and about them.
Learning... what an adventure!
Lesson 1. Export that registry entry before editing it... hehehe.

Great site here.

by Rocky (not verified) on 11. January 2012 - 14:55  (87012)

Hello Guys,
Happy New Year to all!
Can someone tell me:

1. Which is the best real-time rootkit prevention/detection software?
2. Is Online Armor Free / Comodo Firewall Free / Outpost Firewall Free / Ad-Aware Free able to detect/prevent and stop a rootkit from having an impact?

Thanks in Advance!!
Rocky.

by Arjan Groenewoud (not verified) on 6. January 2012 - 8:59  (86671)

I had a very nasty backdoor TDSS rootkit which turned off Kaspersky TDSSKiller... Dr.Web was the only one which found it. Before I tried Dr.Web, TDSSKiller didn't do anything; after it was killed by Dr.Web it worked fine, but found nothing, duh! Before Dr.Web I tried Spyware Terminator, Spybot Search and Destroy, Ad-Aware, Microsoft Security Essentials and Avast, but IE automatically started up randomly, and TDSSKiller didn't do anything (no reaction after double click), but after the scan with Avast it came up with a screen about whether to trust this program etc., and then nothing. But after Dr.Web it worked; it could scan... with no results...
It's a pity, but I don't know the exact name of it. And the above I found out afterwards. Dr.Web doesn't make a log anywhere?
Hope this helps..

by SamG (not verified) on 9. March 2012 - 15:11  (90139)

Downloading the Dr.Web Live CD now. There's also an option in the program to install to a dedicated USB drive, said Softpedia. A few people call me to fix their infected computers and this will be another addition to the toolbox, thank you.

by Chuckmerja (not verified) on 5. January 2012 - 16:21  (86619)

Very useful article. I had TDL4@MBR on my main home computer. AVG Free and Malwarebytes did not find it. GMER found it, but when trying to remove it I got a BSOD. Kaspersky TDSSKiller got it and now I have my computer back!

But what do I now do with the half dozen thumbdrives that have "setup50045.fon, setup50045.lnk, autorun.inf, myporno.avi.lnk, pornmovs.lnk" on them? How do I clean them up???

by Anupam on 6. January 2012 - 9:09  (86672)

You can use virtualization software. Plug in the pen drives while the virtualization software is running, and then either format the pen drives or try to remove the malware from them. If the data on those drives is not important, then a format would be the best thing to do.

One such virtualization software you can use is Toolwiz Time Freeze : http://www.toolwiz.com/products/toolwiz-time-freeze

Make sure to remove the pen drive while the software is still running, too; otherwise, if you reboot with the pen drive still plugged in, the changes will be rolled back and the computer might get infected.

by Rocky (not verified) on 26. December 2011 - 10:32  (86011)

Hello Guys,

Does anyone have any idea whether running Avira 12 Free AV + Online Armor Free causes any issues?
I have recently seen very high CPU usage by hardware interrupts on my system; it also does not accept the shutdown command. Any suggestions, please?

by MidnightCowboy on 26. December 2011 - 10:40  (86012)

This could be due to many things but we are unable to provide individual support here in the comments. Please post your issue including full system details in our forum.

by neuerung on 18. December 2011 - 22:23  (85252)

Avast! has been telling me there is a rootkit infection on my PC, something called Rootkit-gen. Then it asks me to press 1 to delete it, and so on. But when I press 1 (or 3, to put it in the vault), nothing really happens. I get a message to the effect that the operation is incompatible with this sort of file. TDSSKiller, on the other hand, says that there is no infection. What to think? I will appreciate any help.

by MidnightCowboy on 19. December 2011 - 3:31  (85263)

Unfortunately we cannot provide individual support here in the comments. The best place to post this is either in the Avast! forum or another that can analyze a HijackThis log for you.

by humpty (not verified) on 6. December 2011 - 23:10  (84535)

so Panda Antirootkit is no good anymore?

by geeksquad (not verified) on 24. November 2011 - 10:02  (83832)

Hey Kyle,
I've tried so many antiviruses, it's so annoying. Over the past year I would say: Microsoft Security Essentials - garbage, BitDefender - garbage, brain fart sorry, there's more, just can't think right now. Avast worked great for me, but when I went online to look, a lot of the ratings from the labs said it wasn't too good? :( That's why I got rid of it. I am using Comodo right now but I got a nasty nasty nasty rootkit that I think infected Comodo, because it freezes and won't let me delete it. 2 questions: first, which antivirus do you prefer with anti-malware, and second, did my Comodo get infected, because it showed on the search that the rootkit went into a lot of my Comodo files and now it won't let me delete it? Oh yeah, sorry, one more question: what anti-malware should I use, or does it matter? Because if you run both does it mess up your functions? Thanks for your time.

by AMDFAN (not verified) on 3. February 2012 - 16:08  (88221)

Screw Comodo, dude. I used its firewall for about 2 years and was constantly having to re-download it because updates kept causing operation problems and it wouldn't block right. Won't pass the ping tests either with XP. I tried some of their other freeware and none of it worked right, and some of it just caused problems with my computer, causing lock-ups; downloads wouldn't download right. I just gave up on them altogether, and it's too bad too, because when I first got Comodo I loved it and told everyone I knew they should try it over [commercial AVs]. I just use Private Firewall now; been doing great since I started it 6 months ago and haven't had a single issue. Blocks people trying to get remote access quite well, because nothing has been out of place. I combine it with [commercial av], and on Win7 with Avast, because for some reason [commercial av] won't allow the computer to shut down properly. Nice thing is, unlike Comodo, they know when to just shut up and do their jobs.

by SamG (not verified) on 9. March 2012 - 15:17  (90141)

Just downloaded Comodo and after reading this probably will try it but not install it. Used Panda for 3 years and it too was annoying. AVG: OK. Avira: OK. Avast is what I've stayed with. Dislike anything Norton.

by Chiron on 17. December 2011 - 3:14  (85164)

Hi, if you believe that you were infected while using Comodo Internet Security then please report this on the Comodo forums:
http://forums.comodo.com/news-announcements-feedback-cis-b129.0/

This is something that the developers really need to know. That said, I've never heard of anyone who did get infected while using CIS, unless they disabled something at one point. So if this is a genuine bypass then it's very important.

Thank you.

by Kyle Davidson on 27. November 2011 - 6:42  (83976)

You can't take those tests verbatim, as they can be wrong or exaggerated depending on how they tested the product. I can say that in my experience I have never seen Avast! Home miss any "in the wild" malware.

To answer your questions:

1) I would scan your system with the TDSS rootkit scanner (or another one listed here) and make sure you are infected. Feel free to contact me via the link at the bottom of the post and send me the report if you want.

2) I recommend Avast Home or take a look at this page http://www.techsupportalert.com/best-free-anti-virus-software.htm for some other good ones.

by LilJon (not verified) on 31. October 2011 - 12:32  (82464)

If you run TDSSKiller and enable signature verification, it will usually pick up 1 or more unsigned files. To be more confident these are just false positives, submit them to any of the following online multi-virus scanners to check (listed in no particular order):
http://www.virustotal.com
http://virusscan.jotti.org/en
http://virscan.org
http://vscan.novirusthanks.org

Cheers!
LJ
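As an added example for the triage step LilJon describes (this is not code from the original page, from TDSSKiller, or from any of the scanners listed), the script below reads the PE headers of an executable to tell whether it carries an Authenticode signature blob at all (data directory entry 4, the certificate table) and produces the SHA-256 you would look up on or submit to a multi-scanner. The sample executables are minimal PE images constructed inside the script; they are not real programs. A present blob only means the file claims to be signed; validating the chain and the file hash still needs a Windows-side check such as Sysinternals sigcheck or PowerShell's Get-AuthenticodeSignature.

```python
"""Triage the 'unsigned file' hits a rootkit scanner reports.

Added example. It parses the PE headers for the Authenticode certificate
table (IMAGE_DIRECTORY_ENTRY_SECURITY, index 4) and hashes the file for
multi-scanner lookup. The sample PE images built by _build_pe are
CONSTRUCTED for this demonstration and are not real executables.
"""
from __future__ import annotations

import hashlib
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY


def security_directory(data: bytes) -> tuple[int, int]:
    """Return (file offset, size) of the certificate table, or (0, 0) if none is declared."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        count_off, dirs_off = 92, 96              # NumberOfRvaAndSizes, first data directory
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (num_dirs,) = struct.unpack_from("<I", data, opt + count_off)
    if num_dirs <= SECURITY_DIR_INDEX:
        return 0, 0
    # Unlike the other directories, this entry holds a raw file offset, not an RVA.
    return struct.unpack_from("<II", data, opt + dirs_off + 8 * SECURITY_DIR_INDEX)


def has_authenticode_blob(data: bytes) -> bool:
    """True if a certificate table is declared and actually lies inside the file."""
    offset, size = security_directory(data)
    return size > 0 and offset + size <= len(data)


def triage(data: bytes) -> dict:
    """What to record for each file a scanner flags as unsigned before submitting it."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "has_signature_blob": has_authenticode_blob(data),
    }


def _build_pe(pe32plus: bool, cert_size: int, declare_size: int | None = None) -> bytes:
    """Constructed minimal PE image with an optional (dummy) certificate table appended."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    count_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, count_off, 16)                  # 16 data directories
    headers = bytes(dos) + b"PE\0\0" + coff
    cert_offset = len(headers) + opt_size + 40                  # after one zeroed section header
    if cert_size:
        struct.pack_into("<II", opt, dirs_off + 8 * SECURITY_DIR_INDEX,
                         cert_offset, declare_size if declare_size is not None else cert_size)
    # WIN_CERTIFICATE header (dwLength, wRevision 0x200, wCertificateType 2 = PKCS#7) + dummy body
    cert = struct.pack("<IHH", cert_size, 0x0200, 0x0002).ljust(cert_size, b"\x00") if cert_size else b""
    return headers + bytes(opt) + bytes(40) + cert


UNSIGNED_PE32 = _build_pe(pe32plus=False, cert_size=0)
SIGNED_PE32 = _build_pe(pe32plus=False, cert_size=64)
SIGNED_PE32PLUS = _build_pe(pe32plus=True, cert_size=64)
# Declares a certificate table that runs past end-of-file (truncated or tampered file).
TRUNCATED_PE32 = _build_pe(pe32plus=False, cert_size=64, declare_size=4096)

if __name__ == "__main__":
    for name, image in (("unsigned", UNSIGNED_PE32), ("signed", SIGNED_PE32),
                        ("signed64", SIGNED_PE32PLUS), ("truncated", TRUNCATED_PE32)):
        print(name, triage(image))
```

Run it over the paths the scanner reported (read each file in binary mode and pass the bytes to triage) and keep the hash with the path in your notes; the hash lets you look a file up on the multi-scanners above without uploading a possibly sensitive binary, and the "declared but truncated" case is worth a second look on its own, since a legitimate signed file does not normally arrive with its certificate table cut off.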
