Best Free Rootkit Scanner and Remover
Introduction
Hello Gizmo’s readers! My co-worker John C from our east coast office came across a page on Malwarebytes' forums and thought I would share it, since we are putting together our tools for threat removal. The use of italics is my clumsy way of differentiating what I'm writing to Gizmo's readers from what I published to colleagues. Here is the page: Malware Removal Guides and Self Help Guides. The first post refers to Chameleon. This is a tool within Malwarebytes that can find and stop running processes from malware and is very useful on fake alert threats. Chameleon is in a sub folder within the Malwarebytes main folder. Below are my testing results that I published to my colleagues, with some edits in order to present this to you in easier to understand language. We are all IT folk, so I tend to write to them differently than I would write to Gizmo's readers. Below I speak about System Check, which is a rather nasty fake alert. In my next post I am going to present some methods for removal of these threats along with reviews of rootkit scanners. It has been very busy at work and I perform testing in my spare time, of which there has been very little. But I wanted to share this with you so you can add Chameleon to your USB stick. Below, MBAM is short for Malwarebytes' Anti-Malware. Rkill is another tool for stopping processes, which I will comment on later. The next two paragraphs are from my letter to co-workers:

I tested Chameleon on System Check, which is worse than most of the fake alerts in that it hides everything. I stepped through the instructions listed in the first post of the link provided. I clicked the first box and it opened a small DOS window, then proceeded to kill processes and then update and run MBAM. All of this worked great, and had an unexpected side effect. When it killed the process I think it also killed the ability of this ‘New and Improved’ System Check to deactivate your partitions.
I rebooted and came right back into Windows, albeit with a black desktop and everything hidden, but it booted!! (But keep in mind, I ran this right after infection; your user will probably have rebooted. More on this below.) I didn’t clean it when MBAM ran this first time because John found that you can run Chameleon as a standalone from your USB stick, and I wanted to test that. Sure enough, I copied the whole Chameleon folder over and ran the file from there. Chameleon worked just as it did before, perfectly. So this will be a permanent addition to my USB stick. This gives us the ability to stop the processes fake alerts are running right from your USB and then be able to install and run MBAM without it being compromised. Rkill works much the same way, but is a bit dicey when it runs. In order to shut down what’s running it will actually rename files. This can be bad, however, because now MBAM or whatever is being used may not find the renamed file. I would always note the path from Rkill and rename it back to the original so MBAM could find it. I have other news I wanted to share with you about a tool I'm building that will reverse the damage done by these fake alerts like System Check I refer to above, when they hide all of your menus and folders. I had posted it here but it was too lengthy. I will post a link to it so that you can read it at your leisure. Until then please check out Chameleon as it will be a good addition to any USB stick.
Discussion
There are a lot of anti-rootkit programs available. Much of this software is very advanced and requires an experienced, technically minded user who is familiar with computers and operating systems. However, there are a couple of options that do not require much technical ability and are also very effective.
For the average user I cannot recommend either of these, as without comprehensive computer knowledge the results would be very hard to interpret. I even have a hard time understanding the data. In my work I usually have no time to refer to the documentation and must move quickly to restore a computer to working condition. However, if a particularly difficult infection is present these tools are invaluable because of the wealth of information. I prefer GMER as I find the initial scanning process easier to use and it had a better detection rate than RootRepeal.
Other Rootkit Scanners and Removers
Still works well for older rootkits but gives an "Incompatible" error if run on Windows 7. Blacklight is also unable to detect most modern rootkits and therefore I recommend one of the other tools for now.
Additionally, Prevx Free can run customized scans from the context menu and also gives you the ability to schedule scans. Another plus is that it scans quickly. The free version also offers protection of stored cookies as well as protection for all of your saved credentials. There is also a browser protection component in the free version, but it only offers custom protection on one web site of your choice. It does, however, give the full Prevx Safe Online protection, which includes anti-phishing and protection against hijacks, keyloggers, and cookie stealers for a number of popular websites such as PayPal or Amazon, and of course the one website of your choice. I have included the previous editor’s information above but would note that given the limited functionality of Prevx Free, I mainly use it for detection. Often I need to not only detect but also remove in one scan using one tool. As I mentioned above, I will leave links to the applications mentioned here as they might work for you and be your favorites. I don’t want to discourage the use of any of them, but the ones I haven’t had much success with are in the Other Scanners section, so I cannot recommend them. If they work for you, that’s great and I would love to hear of your successes in the comments section. Along with my goal to provide help is also to give you only what I have found that works. I am always open, however, to learning of new methods and tools. I love tools and am a firm believer that you cannot have too many. In the ever changing world of threat removal we need many tools to detect and remove.
Editor
This software category is maintained by volunteer editor dslfreak. Registered members can contact the editor with any comments or questions they might have.
Tags
anti-rootkit, rootkit scanner, rootkit remover, free rootkit scanner, free rootkit remover, freeware, rootkit eliminator, rootkit detection
Comments
Some of these rootkits are quite nasty. I am glad to hear that TDSS Killer got rid of it. I recommend you install or reinstall an Anti-virus and run a Full Scan with setting set to their highest. Some rootkits can still persist and this is really the only way to be sure it's gone. (besides reformatting).
Superantispyware has a load of rootkit scans that come in on every upgrade and scans all 3 sections of filing, registry and memory at the same time, cutting back on the time it takes now with their new scanner. You really should bring that up in one of your posts some time. I've been using it for years and it's done real well, and combined with Malwarebytes it's a pretty vicious combination. [commercial av] works great with Privatefirewall with all settings fully up, but with WIN7 Avast is the best because [commercial av] doesn't allow 7 to shut down; it just gets stuck on logging out. Thanks for this post as well. I tried avast rootkit just now as I mentioned before; I still want that advice cause I'm hoping it just isn't telling me anything cause of the windows I'm running. I like avast and always have, so let me know.
avast free for home use has a boot scan that scans before windows loads; works for me and my friends.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
BOOT-TIME SCAN
The boot-time scan is one of the main weapons of avast! It runs before Windows is loaded, and before potential malware has a chance to activate, thereby enabling an infected system to be cleaned before any damage is done. Moreover, the avast! boot-time scan uses direct hard drive access which bypasses the OS file system drivers and is thus able to handle even the most stubborn rootkits.
Thanks for the feedback! I have been using Avast! Home for years and love it. That Boot-time scan has saved me in the past. Avast! actually bought Gmer and has it built in as anti-rootkit technology, so at least we know it's something good in there :)
Thanks,
Kyle Davidson
Very questionable article. Why is Sophos Anti-Rootkit recommended as the best program? All it did was come up with a list of 96 files it claims are "unknown hidden files". A quick check on a few files showed they aren't hidden. Elsewhere it is reported that this program is fairly useless.
e.g.
http://windowssecrets.com/forums/showthread.php/135536-What-Sophos-Anti-Rootkit-Is-%28And-IS-Not%29
Updated the page now.
I apologize for the delay. I am currently testing the software mentioned in the comments and retesting the ones mentioned in the article. I agree with you on Sophos not being an efficient solution and the update will reflect this. I will be putting each through a test like so:
Test 1: Clean install
1) How fast does it scan?
2) Any bugs?
Test 2: Infected VM TDSS
1) Does it find the rootkit?
2) Does it remove the rootkit?
Test 3: Infected VM Zeus
1) Does it find the rootkit?
2) Does it remove the rootkit?
Test 4: MBR infection
1) Does it find the rootkit?
2) Does it remove the rootkit?
I will post again soon.
A new editor has taken over recently. Please give him time to test the programs, and update the article. Have patience please.
In addition to GMER and RootRepeal you are missing another topnotch expert tool - vba32 anti-rootkit. http://www.anti-virus.by/en/vba32arkit.shtml
Here's a comparison test that confirms the top 3 choices http://www.anti-malware-test.com/?q=node/184.
IMO the ONLY automated rootkit remover that's worth a damn is TDSSKiller from Kaspersky.
http://support.kaspersky.com/faq/?qid=208283363
It's limited to the TDSS rootkit variants only, but they are VERY common and VERY hard to kill. This is usually the first thing I run when I'm dealing with an infected PC.
I also scan for Bootkits using MBRcheck http://majorgeeks.com/MBRCheck_d7076.html or mbr.exe (from Gmer). http://www2.gmer.net/mbr/mbr.exe
If your master boot record is infected then it needs to be dealt with before doing anything else. The slow but reliable way is using the repair option from the windows installer CD (aka recovery console) http://helpdeskgeek.com/how-to/fix-mbr-xp-vista/
A faster way is to use the MBRfix command line app
http://www.sysint.no/products/Download/tabid/536/ItemID/2/language/en-US/Default.aspx
http://www.sysint.no/nedlasting/mbrfix.htm
Dr.Web can find some rootkits but it's REALLY slow.
Hitman Pro http://www.surfright.nl/en
is also decent but there is no 30 day free trial anymore so the best it can do is alert you to some rootkits without cleaning them.
A squared http://www.emsisoft.com/en/software/antimalware/ is another option for automated rootkit detection, but again it is slow and its detection rates are poor compared to using a manual tool like GMER.
Sophos is a joke
F-secure is useless IMO
Prevx scanning engine is part of hitman pro so its redundant
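The bootkit check above relies on tools like MBRcheck, which read the first sector of the disk and compare its boot code against known-good bootloaders. The following is an added example, not code from MBRcheck, mbr.exe or this site: it parses a constructed 512-byte MBR image, checks the 0x55AA signature, hashes the boot code against a known-good set and sanity-checks the partition table. The known-good hash set here is seeded from the constructed clean image; a real tool carries a database of real bootloader hashes.

```python
import hashlib
import struct

BOOT_CODE_LEN = 440   # executable boot code precedes the disk signature at offset 440
MBR_SIZE = 512
PART_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR image for testing (not read from any real disk)."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        struct.pack_into(PART_FMT, mbr, 446 + 16 * i, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)

def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into signature, boot-code hash and partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(PART_FMT, mbr, 446 + 16 * i)
        if ptype != 0:  # type 0 means an empty slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": mbr[510:512] == b"\x55\xAA",
            "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def check_mbr(mbr: bytes, known_good: set) -> list:
    """Return findings worth a closer look; an empty list means nothing suspicious."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] not in known_good:
        findings.append("boot code hash not in known-good set: " + info["boot_code_sha256"][:16])
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    for p in info["partitions"]:
        if p["lba_start"] == 0:  # a data partition can never start on the MBR sector itself
            findings.append(f"partition {p['index']} starts at LBA 0 (overlaps the MBR)")
    return findings

# Constructed samples: a clean image and one whose first instruction was patched
# with a short jump (the typical way a bootkit redirects control to its own code).
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 24, [(0x80, 0x07, 2048, 204800)])
KNOWN_GOOD = {parse_mbr(CLEAN_MBR)["boot_code_sha256"]}  # seeded from the clean sample
_tampered = bytearray(CLEAN_MBR)
_tampered[0:3] = b"\xEB\x20\x90"
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    # On a live system the input would be the first 512 bytes of the physical drive
    # (e.g. a disk image opened in binary mode); here the constructed samples are used.
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, KNOWN_GOOD) or "no findings")
```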
Thank you for the links. I will test all of these and make some updates. TDSSKiller is my favorite so far.
F-secure is incompatible with windows 7 (or at least I get an incompatible message every time I run it).
Sophos I have yet to try but it seems out of date.
I use Prevx daily with SOL. I like it because it protects against key loggers and my MBR. Prevx SOL has a pretty good scan time too, but I wouldn't recommend it for a rootkit scanner.
Thanks. Quite a helpful comment with links.
I would like to use GMER to check my pc for a rootkit infection...However I do not feel as if I would be able to correctly interpret the results. Any ideas on where/how I could obtain an accurate interpretation?
You may want to check out Avast! anti-root kit tool http://public.avast.com/~gmerek/aswMBR.htm it is based on gmer (avast now own GMER) and may be easier to use. I will add a review of it tomorrow.
Would this be the same as is already in Avast! AV? If so would not the AV be adequate for detecting rootkits?
Yes, it is built into avast! AV. However, this is a good option if you do not want avast! or simply want a dedicated rootkit scanner to use. I use it alongside avast. I like the fact I can run a dedicated scan and see the results. I also mentioned it because this page is for rootkit scanners and not full AVs. I hope I cleared that up, and thanks for the reply :)
Submit your scan results to either Bleeping Computer....
http://www.bleepingcomputer.com/
or Geeks to Go....
http://www.geekstogo.com/forum/
One of the volunteers on either of these forums will help you.
Is Prevx free meant to be used with an existing antivirus such as Avast!? I am also using WinPatrol, SAS, Malwarebytes and an antilogger, the name of which I will not mention, but it is not SpyShelter. I am not sure if all these would be compatible. Thank you.
I think you should add kaspersky tdsskiller to the list coz the alureon rootkit is the most prevalent rootkit right now and tdsskiller is the best one to do the job now.
Hi there I am the new editor of this page, and I will keep that in mind. I am going to fix up the page, get used to the editing and do some testing first but I will be sure to include TDSS Killer in the next update to the page in the next few weeks.
I have gone through a few articles here. Congrats for the well made reviews and good layout of your site. I would like to see answers for my questions.
1. Do antivirus or antimalware programs have protection for rootkits, Trojans, etc.?
2. What are the possible ways of rootkits coming to a PC?
3. Apart from reducing the bandwidth, do they affect the performance of the machine?
I have a few remarks for the other topics also.
1. Free Antivirus programs - Avira antivirus is excellent in detection and better than Avast in detection rate. But avast updates faster, much faster than Avira. Avira's demand scanner is choppy compared to Avast.
2. Free antimalware - SAS definitely has the crown. Update is fast. Scanning is slow compared to MBAM. Updating MBAM is a headache. You have to update all the definitions from time to time. It is always a 7MB file.
ThreatFire has a good GUI. But what it does is unknown or unnoticed. It is a drawback, as a user always wants to know how his product performs and wants to compare it with other tools available. During scans, it detected a few rootkits left untouched by SAS and MBAM.
3. Free firewalls - Comodo is the winner as a firewall, but CIS is crap. I do not prefer PC Tools Firewall as it is not more effective than windows firewall. A few pop-ups and a digital signature library is exceptional.
All the above are my own experience and nothing against any of the software vendors, their products or the users of those products. Even I am not a fan of windows.
Thanks to Chris for the outstanding articles.
Thanks for sharing, Phoenix-abhi.
Avira does to some extent search for rootkits and other non-virus malware.
Ways to infect a computer? I have installed PeerBlock - highly recommended! - to block incoming requests to my computer while browsing. It is shocking how many spy instances there are out there, trying to make their way into our computers.
Gone are the days when only those who visited dubious sites were infected. Spyware crawls in via all the third parties connected to the *normal* seemingly unsuspicious pages we're visiting.
I also recommend WOT, a browser addon that will warn against bad sites. Of course, only against known bad sites. No protection against all the many spy vendors that connect to your computer via a "good site". WOT can be installed for FF, Chrome and its derivatives, Opera, even IE.
Detailed responses are not possible here in the comments. Also, this article currently has no editor. Please register and post your questions in our forum.
Hi,
I'm familiar with the first four ones and have noticed that, except for Gmer, the others don't update often - Sophos is about a year old and Root Repeal & F-Secure Blacklight Rootkit Eliminator are about two years old.
This may be a silly question, but I'm wondering, are they considered to still be very effective because rootkits' updates are slow as well?
Thanks in advance.
P.S. I don't count Dr. Web Cure It (which I use from time to time), because, as you already said, it's not a standalone anti-rootkit tool.
GMER now works on Win-7
Thanks for pointing out. It's now updated.
Chris,
My computer shuts down before I can download any Rootkit remover. How else can I obtain a product for this infected computer?
Best Buy charges $200 to bring my tower.
Any ideas.
Thanks!
IMO if this truly is a rootkit infection, depending on the type it's often better to reformat rather than trying to remove it.
Please follow this guide as a first step:
http://www.techsupportalert.com/content/spyware-removal-guide.htm
If this is not successful, please register and post in our forum as we are unable to provide dedicated support here in the comments.
http://www.techsupportalert.com/freeware-forum/general-computer-support/
I couldn't read all the comments, so except for those the following applies. BTW I am an old tech support guy getting back up to speed to reenter the arena. There seems to be a dearth - that means nothing - about the best procedure to work on customer PCs for root kit cleanup. I'm thinking I need advice-tips on
* Using a USB link cable or wifi/bluetooth
AFA safety - probably not a starter because the subject computer is going to be defective, and beyond that because the subject computer is going to be running at all.
* Using a second computer (the tech's) to service just the drive attached by USB port. This I think would be the usual approach - I think the safety profile is good as long as nothing is run from the culprit drive, and I assume these packages will work against it even better, no? Should IMO.
* Safe Mode - I have no idea why the Sophos and RootRepeal sites don't even mention it. Will they run? Maybe won't work any better in the case of a root kit - but it cuts the noise level to minimum (maybe to 20%.)
I think that's it. Thanks - you got a lot of comments here.
Regards,
J-C
I just downloaded the Sophos Anti-Rootkit tool and MS Security Essential identified it as a Trojan? Anyone else experience this? I'm guessing it's a false positive but I'm a little reluctant to install it. Thanks
Defining competitive products as malware is an old and well-known strategy.