Best Free Rootkit Scanner and Remover

 
Introduction

My co-worker John C from our east coast office came across a page on Malwarebytes' forums and thought I would share since we are putting together our tools for threat removal. The use of italics is my clumsy way of differentiating what I'm writing to Gizmo's readers and what I published to colleagues. Here is the page Malware Removal Guides and Self Help Guides.

If you read the first post it refers to Chameleon. This is a tool within Malwarebytes that can find and stop running processes form malware and is very useful on fake alert threats. Chameleon is in a sub folder within the Malwarebytes' main folder.

Below are my testing results that I published to my colleagues with some edits in order to present this to you in an easier to understand language. We are all IT folk so I tend to write to them differently than I would write to Gizmo's readers. Below I speak about System Check which is a rather nasty fake alert. In my next upcoming post I am going to present some methods for removal of these threats along with reviews of Rootkit Scanners. It has been very busy at work and I perform testing in my spare time, of which there has been very little. But I wanted to share this with you so you can add Chameleon to your USB stick.

Below, MBAM is short for Malwarebytes' Anti-Malware. And Rkill is another tool for stopping processes which I will comment on later. The next two paragraphs are from my letter to co-workers:

I tested Chameleon on System Check which is worse than most of the fake alerts in that it hides, everything. I stepped through the instructions listed in the first post of the link provided. I clicked the first box and it opened a small DOS window and then proceeds to kill processes and then update and run MBAM. All of this worked great, and had an unexpected side effect. When it killed the process I think it also killed the ability of this ‘New and Improved’ System Check from deactivating your partitions. I rebooted and came right back into Windows albeit with a black desktop and everything hidden, but it booted!! (But keep in mind, I ran this right after infection, your user will have rebooted probably. More on this below.) I didn’t clean it when MBAM ran this first time because John found that you can run Chameleon as a standalone from your USB stick, and I wanted to test. Sure enough, I copied the whole Chameleon folder over and ran the file from there. Chameleon worked just as it did before, perfect.

So this will be a permanent addition to my USB stick. This will give us the ability to stop the processes fake alerts are running right from your USB and then be able to install and run MBAM without it being compromised. Rkill works much the same way, but is a bit dicey when it runs. In order to shutdown what’s running it will actually rename files. This can be bad however because now MBAM or whatever is being used may not find the renamed file. I would always note the path from Rkill and rename it back to original so MBAM could find it.

I have other news I wanted to share with you about a tool I'm building that will reverse the damage done by the these fake alerts like System Check I refer to above, when they hide all of your menus and folders. I had posted it here but it was too lengthy. I will post a link to it so that you can read it at your leisure. Until than please check out Chameleon as it will be a good addition to any USB stick.

  Read this article in Spanish (Español)

 
In a Hurry?

Go to details...  Go straight to the Quick Selection Guide

 
Discussion

There are a lot of anti-rootkit programs available, a lot of this software is very advanced and requires an experienced and technical minded user who is familiar with computers and operating systems. However, there are a couple of options that do not require much technical ability and are also very effective.

Kaspersky TDSSKillerThe new Top pick is Kaspersky TDSSKiller. It has an easy to use GUI, fast scan times, great detection rate and is user friendly.

TDSS Killer managed to detect and remove all modern rootkits tested (TDSS, Zeus, TDLV4, etc). The only down side is TDSS Killer seems to have a narrow range of the rootkits it detects but hopefully more types will be added over time. If more strains are added this may become the definitive tool for removal of rootkits.

In my testing what it’s designed to scan for it finds every time and removes it easily and positively. The positives far outweigh the negatives on this one. TDSS Killer also includes 64 bit functionality which is a huge plus.

 

GMERRootRepealI have two top choices for all the experienced and technical users GMER and RootRepeal. These are very popular applications, but it takes someone pretty knowledgeable about computer systems to be able to interpret the results. You can find a lot of documentation on both programs but if you are the type of person (like me) who likes to click the scan button and simply wait for the results, you would be better served with TDSS Killer.

For the average user I cannot recommend either of these as without comprehensive computer knowledge the results would be very hard to interpret. I even have a hard time understanding the data. In my work I usually have no time to refer to the documentation and must move quickly to restore a computer to working condition. However, if a particularly difficult infection is present these tools are invaluable because of the wealth of information. I prefer GMER as I find the initial scanning process easier to use and it had a better detection rate han RootRepeal.

 

Avast Anti-Rootkit Avast Anti-Rootkit resembles a command prompt window but is fairly easy to use. It lets you scan your computer and MBR for rootkits and even fixes any issues. Understanding the output from Avast Anti-rootkit may be a little hard for some users but it does the job well. I tested it against TDSS and several other modern rootkits and it found all of them. Removal on the other hand was not as good as some of the other tools. But what it does have is a very useful tool that I personally would not be without; the ability to perform FixMBR right from within Windows. Normally one would have to boot to a Windows XP disc or Windows 7 recovery disc to perform this command but Avast Anti-Rootkit has a built in ‘FixMBR’ button that with one click will write a new Master Boot Record which is often necessary in the removal of rootkits. This is very useful as you may not always have a Windows disc on hand in the field. I keep this on my USB drive at all times.

 

Dr.Web CureIt!The next product that I looked at is one that I always keep in my toolkit. Dr.Web CureIt! is not a standalone anti-rootkit tool like the other tools I recommended, rather it is a free malware scanner and removal tool that happens to be pretty effective at removing some rootkits but doesn’t detect the modern threats in my testing. It is always a good idea to have more than one tool capable of removal, so Dr. Web's freeware scanner is a great addition to anybody's arsenal. What I have found useful is the sandbox environment it creates when it’s run. This is good as it stops all processes  that some malware may try to run. It is also able to deep scan your drive and you can reboot back into this environment for further scanning and removal.

 
Other Rootkit Scanners and Removers

Sophos Anti-Rootkit Sophos Anti-Rootkit has a small but easy to use interface with no options other than choosing where you want to scan. As it scans it opens up to a slightly larger interface where it lists the results of the scan and gives you information about each result as well as a recommendation for them. Additionally, a small help file is available that explains the program in a little more detail and gives directions on how to use the command line anti-rootkit tool which is also included. This would be a great tool if it was kept up-to-date but in my testing it failed to find or remove any of the modern threats I tested.

 

F-Secure BlacklightF-Secure Blacklight is another great tool for rootkit removal. Unfortunately, support for it ended a couple of years ago. However, you can still download it on the F-Secure web site and it is compatible with Windows Vista and XP.

Still works well for older rootkits but gives "Incompatible" error if ran on Windows 7. Blacklight is also unable to detect most modern rootkits and therefore, I recommend one of the other tools for now.

 

Prevx FreePrevx Free, the free version of Prevx, offers the same class leading real time detection of the full version but unfortunately it doesn't offer much more than this. Prevx Free is only capable of cleaning select infections, such as Adware, the ZEUS banking trojan, and MBR rootkits. When dealing with rootkits detection is definitely very important, so even if you can't clean all infections you might at least be alerted, enabling you to take further action and manually remove the rootkit or seek help in doing so. As hard as it is to detect the newer, ever evolving rootkits and viruses, Prevx can be a very powerful and informative addition to your regular anti-virus software.

Additionally, Prevx Free can run customized scans from the context menu and also gives you the ability to schedule scans. Another plus is that it scans quickly. The free version also offers protection of stored cookies as well as protection for all of your saved credentials. There is also a browser protection component in the free version but it only offers custom protection on only one web site of your choice. It does however, give the full Prevx Safe Online protection, which includes anti-phishing, protection against hijacks, keyloggers, and cookie stealers for a number of popular websites such as PayPal, or Amazon and of course the one website of your choice.

I have included the previous editor’s information above but would note that given the limited functionality of Prevx Free, I mainly use it for detection. Often I need to not only detect but to remove in one scan using one tool.

As I mentioned above I will leave links to the applications mentioned here as they might work for you and be your favorites. I don’t want to discourage the use of any of them but the ones I haven’t had much success with are in the Other Scanners section; so I cannot recommend them. If they work for you that’s great and I would love to hear of your successes in the comments section.

Along with my goal to provide help is also to give you only what I have found that works. I am always open however to learning of new methods and tools. I love tools and am a firm believer that you cannot have too many. In the ever changing world of threat removal we need many tools to detect and remove.

 
Related Products and Links

You might want to check out these articles too:

 
Quick Selection Guide

Kaspersky TDSSKiller
5
 
Gizmo's Freeware award as the best product in its class!

Runs as a stand-alone program on a user's computer
Easy to use GUI, high detection rate, removed all infected files in tests and is 64 bit compatible.
Limited scope and range of types of rootkits detected.
3.0.0.14
1870 KB
32 bit but 64 bit compatible
Unrestricted freeware
Windows
GMER
4
 
Runs as a stand-alone program on a user's computer
Considered class-leading technology.
No help file, but information online. Not suitable for average users.
http://www.gmer.net/
http://www.gmer.net/
2.1.19163
369 KB ZIP
Unrestricted freeware
A portable version of this product is available from the developer.
Windows 2000 to 8
Avast Anti-Rootkit
4
 
Runs as a stand-alone program on a user's computer
Works well. Detects most rootkits, easy to use. ‘FixMBR’ function within Windows is invaluable; a must have on any USB flash drive.
Results sometimes hard to interpret and removal failed on some rootkits.
http://www.avast.com/
0.9.9
1870 KB
Unrestricted freeware
There is no portable version of this product available.
Tested on Windows 7
Dr.Web CureIt!
3
 
Runs as a stand-alone program on a user's computer
Sandbox environment useful for halting processes and scanning MBR.
Unable to detect some of the modern rootkits.
6.00.4
115 MB
32 bit but 64 bit compatible
Unrestricted freeware
This product is portable.
All Windows Platforms

 
Editor

This software category is in need of an editor. If you would like to give something back to the freeware community by taking it over, check out this page for more details. You can then contact us from that page or by clicking here

anti-rootkit, rootkit scanner, rootkit remover, free rootkit scanner, free rootkit remover, freeware, rootkit eliminator, rootkit detection

Back to the top of the article.

 

Share this
4.217055
Average: 4.2 (129 votes)
Your rating: None

Comments

by Kyle Davidson on 1. November 2011 - 7:55  (82520)

Hi,

I just noticed this too. My scan showed 20 Unsigned files. Basically anything the isn't signed will show up using this scan so I recommend only using it in an emergency (if you know you are infected and it doesn't see anything). Use this option with caution, especially if you are going to remove detected files. There are plenty of ways to verify malware (including the links above and other free AV's).

Thanks for the comment!

by AMDFAN (not verified) on 3. February 2012 - 20:31  (88246)

Agreedd, I had to take a second look myself then found it was just an old program that this computer has had forever (inCd) and the others where just MS updates using rootkit tech. No big deal, I just let it go.

by mook (not verified) on 21. October 2011 - 23:56  (81889)

Thanks for the review. Recently I foolishly allowed a program to install thinking it was a Firefox Nightly upgrade, of course this was around a week after my AV had expired. To make a weeks worth of story short, everything I tried including Sophos, PCTools, Reg Mech, and various Microsoft tools did not find what I suspected to be a rootkit.

One pass with TDSS killed the b*st*rd fast. Running Win7 SP1 64bit. I never do this type of stupid behavior, but I was not paying attention and as a result my index finger caused me grief.After the TDSS, I renewed my AV, had harsh words with my index finger and verified that the brain and index finger were communicating again :)

Thanks!!!

[Moderators edit] - commercial program details removed.

by Kyle Davidson on 1. November 2011 - 7:51  (82519)

Hi there,

I'm sorry to hear you were infected, but I am glad to hear TDSS Killer worked for you!

Thanks for the comment!

by steves123 (not verified) on 14. October 2011 - 20:41  (81413)

hi, ive just started to download Dr web cure it, after reading your review i thought i'd give it a whirl as ive tried most other security software, i know im probably being picky, but from following your link to the download, you have to fill out personal details just to get the download started ie name email age,etc i think you should make people aware of this as i dont like giving info to sites i dont know, also you stated the file size is 49.2 mb, but the size is 75.4, a slight difference i think you'd agree, dont mean to moan keep up the good work it really is appreciated.thank you

by Kyle Davidson on 1. November 2011 - 7:47  (82518)

Thanks for the feed back!

I will adjust the review to reflect these changes/errors. I agree you shouldn't need to give personal info for the download.

I appreciate the feedback!

by PeterW (not verified) on 12. October 2011 - 3:41  (81266)

I ran TDSS Killer and it came back with one hit: Servic:sptd. I looked it up on Bleepingcomputer.com and it came back as a necessary Windows file that's used for Daemon Tools CD emulation. So, while I'm glad that nothing else was found, I don't know if it then missed something out there. After all, the worst rootkit killer out there would come up with nothing, right? I'm going to hope that no news (or a false positive - you can and should look up what is found anyway before you trash it) is good news, and will keep it around for awhile.

I tried Sophos and found it difficult to work with and lacking a good gui. My humble opinion.

For what it's worth, I run Win7 on a 64-bit
Windows firewall
Microsoft Security Essentials
Malwarebytes (paid subscription)
RUbotted

Thanks for the great article and for your work on our behalf.

Peter

by Kyle Davidson on 1. November 2011 - 7:44  (82517)

Hi there! Sorry for the late reply.

I notice the same thing when running TDSS Killer. I will send an e-mail to them about the false positive.

I think what is happening here is Daemon Tools CD Driver acts in a way that TDSS detects it as a rootkit.

I have tested Daemon tools with several other AV's and all seems fine.

Thanks for the comment!

by AMDFAN (not verified) on 3. February 2012 - 16:20  (88224)

I just used Avast rootkit on XP and it found nothing BUT i looked and noticed that it was tested on WIN7. In your opinion was I in the wrong to try it and should I try another or is this going to be ok?

by Susan C. (not verified) on 28. September 2011 - 2:52  (80473)

Thanks Kyle the Kaspersky tool worked like a charm - hooray I have my computer back!

by Kyle Davidson on 30. September 2011 - 22:14  (80661)

Glad it worked!

by Celsus (not verified) on 22. September 2011 - 18:03  (80127)

How About Universal Virus sniffer (it makes one image of system from the system and makes second image from another system or CD and then comparatives both images to detect autorun of rootkit)
How about AVZ?

by DM (not verified) on 13. September 2011 - 13:06  (79522)

TDSS Killer got 4 negative hits using Virus Total and one negative hit using Jotti.
Can anybody comment?

by Kyle Davidson on 15. September 2011 - 18:02  (79682)

Hi,

Virus Total is not a great source as it uses out-of-date virus definitions. TDSS killer is legit (it is created by Kaspersky one of the biggest AV Companies out there).

This is just a FP.

by Humperdinctum (not verified) on 10. September 2011 - 9:00  (79356)

Just to endorse some earlier comments here re Avast AV Free. I'm a long-time Avast user, having tried everything else (including Microsoft Security Essentials) but have never found a better or more complete suite than Avast.

Last week, a non-techie friend of mine said his laptop was playing up: every email he printed out contained both the text and the source code. His Internet Explorer also seemed "iffy". I worked through the usual options before wondering -- belatedly! -- if his laptop was being screwed up by malware.

He had McAfee installed (ye Gods, why??) so as he'd only a month's subscription left, I dumped it and installed Avast Free instead. I then asked Avast to run a full scan at boot-up, i.e., before Windows was launched.

Avast was, well. . . Brilliant. It rapidly identified Zwangi in umpteeen different variations. It tracked and traced every affected file and process. It offered a host of different options for dealing with it via a GUI which even my friend could understand.

And after 90 minutes' work, during which we went step-by-step through identification and removal, the laptop was 100% clean. And Firefox has now replaced his IE as browser of choice.

I agree with the reviewer here: that more than one rootkit detector is always advisable. But this post is to flag up that Avast, with its plethora of 'live shields' and scanners and daily updates, is actually outstanding at detecting and killing rootkits, too: just hit the 'schedule' button to scan on boot-up, and away it goes.

Oh: and don't wait until you *think* you might have an infection: I run Avast on start-up at least once a month. That something as this continue to be free for home use is pretty astonishing.

by Kyle Davidson on 10. September 2011 - 23:26  (79394)

Thanks for the reply! I agree with you. Avast is awesome! I run it with PrevX and have MBAM do hourly scans. Those 3 programs catch everything I have encountered.

by Rocky (not verified) on 8. September 2011 - 12:47  (79218)

Hello Guys,
Anyone heard about PrevX issues working with Avira antivirus Free + Online armor Premium?, it slows down the computer to considerable amount which is as good as a Frozen Computer?
I certain disagree with people who said PrevX is extremely low on resources, if we try to run any process first time, the prevX takes a long time scan all the components getting loaded.

by Kyle Davidson on 10. September 2011 - 23:27  (79395)

I have yet to confirm this with PrevX. However I can not reproduce the issue. Are there any other programs running on this computer?

by Rocky (not verified) on 16. September 2011 - 13:55  (79721)

Hello Kyle,
Thank you very much for the response, there are no other Security softwares other than Avira Free+OA premium and PrevX safeonline.
I lately tested PrevX safeonline with Ashampoo Antimalware and still the same problem.
I will be trying it with Avast Free this weekend, lets see how things goes.
BTW, if you find any known issues with PrevX, please do reply.

Thanks!

by Kyle Davidson on 8. September 2011 - 18:23  (79238)

Hi,

I have read on Wildersscurity forums that their is a conflict. You may want to try WebRoot Secure Anywhere Beta (which is going to be the new prevx). I have been running it with OA and no problems so far. I will add a warning for other users and attempt to confirm this with PrevX support. What system are you running?

by TechLady (not verified) on 6. September 2011 - 23:26  (79100)

Prevx Free is not FREE it is really just a 90 trial. Please note this in the summery.

by Kyle Davidson on 6. September 2011 - 23:36  (79101)

There are two version of PrevX:

1) Is the free 90 day trial available on their site.

2) Is the full version of Safe Online which is free via https://www.facebook.com/safeonline

I added that link and details into the review when I did my update. I have been using the free version for almost a year now. The only thing you don't get is Real Time protection and removal. BUT you can set Safe online to scan once an hour when you connect to an HTTPS/SSL web site. (this is what I do).

Sorry I didn't make it clear enough I will try to fix this.

by Sperrin (not verified) on 6. September 2011 - 23:08  (79099)

I'm pleased to see a mention of ThreatFire, because no review that I've read has mentioned that it includes a dedicated rootkit scanner.

Why is this? If it's good, why is it unknown? If it's bad, why doesn't some competent reviewer tell us so?

by BillBrad (not verified) on 6. September 2011 - 16:36  (79084)

Thanks for your hard work!

When I read the description "64 bit version available" for the Tdss Killer, it meant to me that your download url links to a 32 bit version, but the author also has another version available on the website for 64 bit users.

So I went to the website looking for the 64 bit version, but there is none! Actually your download link works on both 32 bit and 64 bit systems. The author puts it this way: "The utility supports 32-bit and 64-bit operation systems."

My comment is this:
The Gizmo format in a case like this can be misleading. It would be more accurate to have two different 64 bit descriptions: "64 bit version available" or "includes 64 bit functionality."

by Kyle Davidson on 6. September 2011 - 19:17  (79091)

Thank you for your feedback. I will add a note next to the download for others to see.

Thank you,

Kyle Davidson

by Burl (not verified) on 6. September 2011 - 14:55  (79081)

Tried Avast antirootkit twice last night. Both times it stalled on 87% completed. This was the full scan. Did I just become impatient or has anyone else experienced this?

by honest..john (not verified) on 7. September 2011 - 3:58  (79112)

It does slow when it hits a large file, also, if it hits a virus it will stall out until it gets a response from you.

by Kyle Davidson on 6. September 2011 - 19:19  (79092)

Strange. May I ask what OS you are running? (Windows 7, XP, etc.)? It works fine for me on windows 7 and XP. This could also be because of the number of files it is trying to scan. Can you try TDSS Killer and tell me how long it takes to scan?

Thank you,

Kyle Davidson

by Burl (not verified) on 7. September 2011 - 16:21  (79148)

Yes-Vista Home Premium.Intel Pentium T3400. 2GB,160GB HDD. TDSS Killer just took 21 seconds. Would already having Avast! antivirus installed make a difference?

by Kyle Davidson on 8. September 2011 - 18:20  (79237)

Hi,

Avast Anti-rootkit is part of Avast! home. I would use one of the other tools in this case because if avast! Anti rootkit is able to detect it the main program will detect it too. The slow down is probably due to scanning large files. TDSS killer only scans known locations of rootkits such as TDLV4 and others. This way it doesn't have to scan as many files.

Gizmos Needs You

Gizmo's Freeware is Recruiting

 We are looking for people with skills or interest in the following areas:
 -  Mobile Platform App Reviews for Android and iOS
 -  Windows, Mac and Linux software reviews       Interested? Click here