Best Free Rootkit Scanner and Remover

Introduction

My co-worker John C from our east coast office came across a page on Malwarebytes' forums and thought I would share it, since we are putting together our tools for threat removal. The use of italics is my clumsy way of differentiating what I'm writing to Gizmo's readers from what I published to colleagues. Here is the page: Malware Removal Guides and Self Help Guides.

If you read the first post, it refers to Chameleon. This is a tool within Malwarebytes that can find and stop running processes from malware and is very useful on fake alert threats. Chameleon is in a subfolder within the Malwarebytes main folder.

Below are my testing results that I published to my colleagues, with some edits in order to present this to you in easier to understand language. We are all IT folk, so I tend to write to them differently than I would write to Gizmo's readers. Below I speak about System Check, which is a rather nasty fake alert. In my next post I am going to present some methods for removal of these threats along with reviews of rootkit scanners. It has been very busy at work and I perform testing in my spare time, of which there has been very little. But I wanted to share this with you so you can add Chameleon to your USB stick.

Below, MBAM is short for Malwarebytes' Anti-Malware. And Rkill is another tool for stopping processes which I will comment on later. The next two paragraphs are from my letter to co-workers:

I tested Chameleon on System Check, which is worse than most of the fake alerts in that it hides everything. I stepped through the instructions listed in the first post of the link provided. I clicked the first box and it opened a small DOS window, then proceeded to kill processes and then update and run MBAM. All of this worked great, and had an unexpected side effect. When it killed the process I think it also stopped this ‘New and Improved’ System Check from deactivating your partitions. I rebooted and came right back into Windows, albeit with a black desktop and everything hidden, but it booted!! (But keep in mind, I ran this right after infection; your user will probably have rebooted. More on this below.) I didn’t clean it when MBAM ran this first time because John found that you can run Chameleon as a standalone from your USB stick, and I wanted to test that. Sure enough, I copied the whole Chameleon folder over and ran the file from there. Chameleon worked just as it did before, perfect.

So this will be a permanent addition to my USB stick. This gives us the ability to stop the processes fake alerts are running right from the USB stick and then install and run MBAM without it being compromised. Rkill works much the same way, but is a bit dicey when it runs. In order to shut down what’s running it will actually rename files. This can be bad, however, because now MBAM or whatever is being used may not find the renamed file. I would always note the path from Rkill and rename it back to the original so MBAM could find it.

I have other news I wanted to share with you about a tool I'm building that will reverse the damage done by these fake alerts like System Check that I refer to above, when they hide all of your menus and folders. I had posted it here but it was too lengthy. I will post a link to it so that you can read it at your leisure. Until then, please check out Chameleon as it will be a good addition to any USB stick.


Discussion

There are a lot of anti-rootkit programs available. Much of this software is very advanced and requires an experienced, technically minded user who is familiar with computers and operating systems. However, there are a couple of options that do not require much technical ability and are also very effective.

Kaspersky TDSSKiller

The new Top Pick is Kaspersky TDSSKiller. It has an easy-to-use GUI, fast scan times, a great detection rate, and is user friendly.

TDSSKiller managed to detect and remove all modern rootkits tested (TDSS, Zeus, TDL4, etc.). The only downside is that TDSSKiller seems to detect only a narrow range of rootkits, but hopefully more types will be added over time. If more strains are added, this may become the definitive tool for removal of rootkits.

In my testing, what it’s designed to scan for it finds every time and removes easily and positively. The positives far outweigh the negatives on this one. TDSSKiller also includes 64-bit functionality, which is a huge plus.

GMER and RootRepeal

For experienced and technical users I have two top choices: GMER and RootRepeal. These are very popular applications, but it takes someone pretty knowledgeable about computer systems to be able to interpret the results. You can find a lot of documentation on both programs, but if you are the type of person (like me) who likes to click the scan button and simply wait for the results, you would be better served with TDSSKiller.

For the average user I cannot recommend either of these, as without comprehensive computer knowledge the results would be very hard to interpret. I even have a hard time understanding the data. In my work I usually have no time to refer to the documentation and must move quickly to restore a computer to working condition. However, if a particularly difficult infection is present, these tools are invaluable because of the wealth of information. I prefer GMER as I find the initial scanning process easier to use and it had a better detection rate than RootRepeal.

Avast Anti-Rootkit

Avast Anti-Rootkit resembles a command prompt window but is fairly easy to use. It lets you scan your computer and MBR for rootkits and even fixes any issues. Understanding the output from Avast Anti-Rootkit may be a little hard for some users, but it does the job well. I tested it against TDSS and several other modern rootkits and it found all of them. Removal, on the other hand, was not as good as some of the other tools. But what it does have is a very useful tool that I personally would not be without: the ability to perform FixMBR right from within Windows. Normally one would have to boot to a Windows XP disc or Windows 7 recovery disc to perform this command, but Avast Anti-Rootkit has a built-in ‘FixMBR’ button that with one click will write a new Master Boot Record, which is often necessary in the removal of rootkits. This is very useful as you may not always have a Windows disc on hand in the field. I keep this on my USB drive at all times.
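An MBR bootkit lives in the 440 bytes of bootstrap code that FixMBR overwrites, so a defender can spot one the way MBRcheck does: read the first sector, parse it, and compare the code against hashes recorded from clean machines. The following Python is an added example written for this page, not code from any of the tools reviewed; the MBR bytes, the partition entry and the baseline hash are all constructed for the demonstration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # 0xAA55 stored little-endian at offset 510


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, disk signature,
    the four 16-byte partition entries and the boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # status | CHS start (3) | type | CHS end (3) | LBA start | sector count
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            "<B3sB3sII", sector, 446 + 16 * i)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "bootstrap": sector[:440],
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
        "boot_signature": sector[510:512],
    }


def check_mbr(sector: bytes, known_good_bootstrap_hashes: set) -> list:
    """Return findings that suggest the MBR was overwritten; [] means clean.
    The baseline is a set of SHA-256 hex digests of bootstrap code recorded
    from machines known to be clean (the same idea MBRcheck uses)."""
    findings = []
    mbr = parse_mbr(sector)
    if mbr["boot_signature"] != BOOT_SIGNATURE:
        findings.append("boot signature is not 55 AA: MBR corrupt or overwritten")
    code_hash = sha256_hex(mbr["bootstrap"])
    if code_hash not in known_good_bootstrap_hashes:
        findings.append("bootstrap code hash %s... not in baseline" % code_hash[:16])
    active = [p for p in mbr["partitions"] if p["status"] == 0x80]
    if len(active) > 1:
        findings.append("more than one partition is flagged active")
    for idx, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d: invalid status byte 0x%02x" % (idx, p["status"]))
    return findings


def build_mbr(bootstrap: bytes, partitions: list, disk_signature: int = 0x1234ABCD,
              boot_signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a synthetic MBR for testing. Constructed data, not a real disk image."""
    code = bootstrap.ljust(440, b"\x00")
    table = b""
    for status, ptype, lba_start, count in (partitions + [(0, 0, 0, 0)] * 4)[:4]:
        table += struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3,
                             lba_start, count)
    sector = code + struct.pack("<I", disk_signature) + b"\x00\x00" + table + boot_signature
    assert len(sector) == SECTOR_SIZE
    return sector


# Constructed sample data: a stand-in bootstrap stub and one active NTFS-type partition.
CLEAN_BOOTSTRAP = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"   # xor ax,ax / mov ss,ax / mov sp,7C00h
CLEAN_PARTITIONS = [(0x80, 0x07, 2048, 1_000_000)]  # active, type 0x07, starts at LBA 2048
CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, CLEAN_PARTITIONS)
BASELINE = {sha256_hex(CLEAN_MBR[:440])}            # hash recorded from the "clean" image

# Constructed tampered variants: bootstrap code replaced, and boot signature wiped.
TAMPERED_MBR = build_mbr(b"\x90\x90" + CLEAN_BOOTSTRAP, CLEAN_PARTITIONS)
NO_SIG_MBR = build_mbr(CLEAN_BOOTSTRAP, CLEAN_PARTITIONS, boot_signature=b"\x00\x00")

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("no-sig", NO_SIG_MBR)):
        print(name, check_mbr(image, BASELINE) or ["no findings"])
```

On a live system the 512 bytes would come from reading sector 0 of the physical disk, and the baseline would be built from hashes of the MBR code shipped by the Windows versions in your environment.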

Dr.Web CureIt!

The next product that I looked at is one that I always keep in my toolkit. Dr.Web CureIt! is not a standalone anti-rootkit tool like the other tools I recommended; rather it is a free malware scanner and removal tool that happens to be pretty effective at removing some rootkits but doesn’t detect the modern threats in my testing. It is always a good idea to have more than one tool capable of removal, so Dr.Web's freeware scanner is a great addition to anybody's arsenal. What I have found useful is the sandbox environment it creates when it’s run. This is good as it stops all processes that some malware may try to run. It is also able to deep scan your drive, and you can reboot back into this environment for further scanning and removal.

Other Rootkit Scanners and Removers

Sophos Anti-Rootkit

Sophos Anti-Rootkit has a small but easy-to-use interface with no options other than choosing where you want to scan. As it scans, it opens up to a slightly larger interface where it lists the results of the scan and gives you information about each result as well as a recommendation for each. Additionally, a small help file is available that explains the program in a little more detail and gives directions on how to use the command-line anti-rootkit tool, which is also included. This would be a great tool if it were kept up to date, but in my testing it failed to find or remove any of the modern threats I tested.

F-Secure Blacklight

F-Secure Blacklight is another great tool for rootkit removal. Unfortunately, support for it ended a couple of years ago. However, you can still download it from the F-Secure web site and it is compatible with Windows Vista and XP.

It still works well for older rootkits but gives an "Incompatible" error if run on Windows 7. Blacklight is also unable to detect most modern rootkits and therefore I recommend one of the other tools for now.

Prevx Free

Prevx Free, the free version of Prevx, offers the same class-leading real-time detection as the full version, but unfortunately it doesn't offer much more than this. Prevx Free is only capable of cleaning select infections, such as adware, the ZEUS banking trojan, and MBR rootkits. When dealing with rootkits, detection is definitely very important, so even if you can't clean all infections you might at least be alerted, enabling you to take further action and manually remove the rootkit or seek help in doing so. As hard as it is to detect the newer, ever evolving rootkits and viruses, Prevx can be a very powerful and informative addition to your regular anti-virus software.

Additionally, Prevx Free can run customized scans from the context menu and also gives you the ability to schedule scans. Another plus is that it scans quickly. The free version also offers protection of stored cookies as well as protection for all of your saved credentials. There is also a browser protection component in the free version, but it only offers custom protection on one web site of your choice. It does, however, give the full Prevx Safe Online protection, which includes anti-phishing and protection against hijacks, keyloggers, and cookie stealers for a number of popular websites such as PayPal or Amazon, and of course the one website of your choice.

I have included the previous editor’s information above but would note that given the limited functionality of Prevx Free, I mainly use it for detection. Often I need to not only detect but to remove in one scan using one tool.

As I mentioned above, I will leave links to the applications mentioned here as they might work for you and be your favorites. I don’t want to discourage the use of any of them, but the ones I haven’t had much success with are in the Other Scanners section, so I cannot recommend them. If they work for you, that’s great, and I would love to hear of your successes in the comments section.

Along with my goal of providing help, I also want to give you only what I have found that works. I am always open, however, to learning of new methods and tools. I love tools and am a firm believer that you cannot have too many. In the ever changing world of threat removal we need many tools to detect and remove.


Quick Selection Guide

Kaspersky TDSSKiller
Rating: 5
Gizmo's Freeware award as the best product in its class!
Runs as a stand-alone program on a user's computer
Pros: Easy-to-use GUI, high detection rate, removed all infected files in tests and is 64-bit compatible.
Cons: Limited scope and range of types of rootkits detected.
Version: 3.0.0.14
Size: 1870 KB
Architecture: 32-bit but 64-bit compatible
License: Unrestricted freeware
OS: Windows

GMER
Rating: 4
Runs as a stand-alone program on a user's computer
Pros: Considered class-leading technology.
Cons: No help file, but information online. Not suitable for average users.
Website: http://www.gmer.net/
Version: 2.1.19163
Size: 369 KB ZIP
License: Unrestricted freeware
Portability: A portable version of this product is available from the developer.
OS: Windows 2000 to 8

Avast Anti-Rootkit
Rating: 4
Runs as a stand-alone program on a user's computer
Pros: Works well. Detects most rootkits, easy to use. ‘FixMBR’ function within Windows is invaluable; a must have on any USB flash drive.
Cons: Results sometimes hard to interpret and removal failed on some rootkits.
Website: http://www.avast.com/
Version: 0.9.9
Size: 1870 KB
License: Unrestricted freeware
Portability: There is no portable version of this product available.
OS: Tested on Windows 7

Dr.Web CureIt!
Rating: 3
Runs as a stand-alone program on a user's computer
Pros: Sandbox environment useful for halting processes and scanning MBR.
Cons: Unable to detect some of the modern rootkits.
Version: 6.00.4
Size: 115 MB
Architecture: 32-bit but 64-bit compatible
License: Unrestricted freeware
Portability: This product is portable.
OS: All Windows platforms

Editor

This software category is in need of an editor. If you would like to give something back to the freeware community by taking it over, check out this page for more details. You can then contact us from that page or by clicking here




Comments

by Russells5 (not verified) on 6. September 2011 - 12:53  (79074)

Timely article/update as I have just been infected with a rootkit through kids use of Facebook which turned off and terminated various antivirus/rootkit programs.

TDSSKiller was the only one that got rid of it - although (as I discovered on various other advice sites) since the rootkit was aware of TDSSKiller you have to rename it to something completely different before running - both filename and extension.

by AMDFAN (not verified) on 3. February 2012 - 16:34  (88225)

If you're using Firefox, download this into your browser:

https://addons.mozilla.org/en-US/firefox/addon/facebook-phishing-protector/

From that link is a tracker script blocker. I use it and have had a lot less problems since, but be warned FB tried to inject a lot of them in there, so it gets annoying as you switch page to page and it tells you it blocked one right after another. But FB is awful about that and since Timeline is in it's only gotten worse. I hope they fix it, though I doubt they will, since I really like Timeline but you know how that goes. Hope this helps. FB is terrible about that.

by Kyle Davidson on 6. September 2011 - 19:23  (79095)

Some of these rootkits are quite nasty. I am glad to hear that TDSS Killer got rid of it. I recommend you install or reinstall an Anti-virus and run a Full Scan with setting set to their highest. Some rootkits can still persist and this is really the only way to be sure it's gone. (besides reformatting).

by AMDFAN (not verified) on 3. February 2012 - 16:44  (88227)

SUPERAntiSpyware has a load of rootkit scans that come in on every upgrade and scans all 3 sections (filing, registry and memory) at the same time, cutting back on the time it takes now with their new scanner. You really should bring that up in one of your posts some time. I've been using it for years and it's done real well, and combined with Malwarebytes it's a pretty vicious combination. [commercial av] works great with Privatefirewall with all settings fully up, but with WIN7 Avast is the best because [commercial av] doesn't allow 7 to shut down; it just gets stuck on logging out. Thanks for this post as well. I tried Avast rootkit just now as I mentioned before; I still want that advice because I'm hoping it just isn't telling me anything because of the Windows I'm running. I like Avast and always have, so let me know.

by honest..john (not verified) on 6. September 2011 - 9:44  (79070)

Avast Free for home use has a boot scan that scans before Windows loads; works for me and my friends..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
BOOT-TIME SCAN
The boot-time scan is one of the main weapons of avast! It runs before Windows is loaded, and before potential malware has a chance to activate, thereby enabling an infected system to be cleaned before any damage is done. Moreover, the avast! boot-time scan uses direct hard drive access which bypasses the OS file system drivers and is thus able to handle even the most stubborn rootkits.

by Kyle Davidson on 6. September 2011 - 19:24  (79096)

Thanks for the feedback! I have been using Avast! Home for years and love it. That boot-time scan has saved me in the past. Avast! actually bought GMER and has it built in as anti-rootkit technology, so at least we know it's something good in there :)

Thanks,

Kyle Davidson

by Dontz (not verified) on 30. July 2011 - 21:16  (76564)

Very questionable article. Why is Sophos Anti-Rootkit recommended as the best program? All it did was come up with a list of 96 files it claims are "unknown hidden files". A quick check on a few files showed they aren't hidden. Elsewhere it is reported that this program is fairly useless.
e.g.
http://windowssecrets.com/forums/showthread.php/135536-What-Sophos-Anti-Rootkit-Is-%28And-IS-Not%29

by Kyle Davidson on 5. September 2011 - 21:26  (79040)

Updated the page now.

by Kyle Davidson on 31. July 2011 - 21:32  (76635)

I apologize for the delay. I am currently testing the software mentioned in the comments and retesting the ones mentioned in the article. I agree with you on Sophos not being an efficient solution and the update will reflect this. I will be putting each through a test like so:

Test 1: Clean install
1) How fast does it scan?
2) Any bugs?

Test 2: Infected VM TDSS
1) Does it find the rootkit?
2) Does it remove the rootkit?

Test 3: Infected VM Zeus
1) Does it find the rootkit?
2) Does it remove the rootkit?

Test 4: MBR infection
1) Does it find the rootkit?
2) Does it remove the rootkit?

I will post again soon.

by Anupam on 30. July 2011 - 21:18  (76565)

A new editor has taken over recently. Please give him time to test the programs, and update the article. Have patience please.

by -J (not verified) on 30. July 2011 - 19:08  (76555)

In addition to GMER and RootRepeal you are missing another topnotch expert tool - vba32 anti-rootkit. http://www.anti-virus.by/en/vba32arkit.shtml

Here's a comparison test that confirms the top 3 choices http://www.anti-malware-test.com/?q=node/184.

IMO the ONLY automated rootkit remover that's worth a damn is TDSSKiller from Kaspersky.

http://support.kaspersky.com/faq/?qid=208283363

It's limited to the TDSS rootkit variants only, but they are VERY common and VERY hard to kill. This is usually the first thing I run when I'm dealing with an infected PC.

I also scan for Bootkits using MBRcheck http://majorgeeks.com/MBRCheck_d7076.html or mbr.exe (from Gmer). http://www2.gmer.net/mbr/mbr.exe

If your master boot record is infected then it needs to be dealt with before doing anything else. The slow but reliable way is using the repair option from the Windows installer CD (aka recovery console) http://helpdeskgeek.com/how-to/fix-mbr-xp-vista/

A faster way is to use the MBRfix command line app
http://www.sysint.no/products/Download/tabid/536/ItemID/2/language/en-US/Default.aspx
http://www.sysint.no/nedlasting/mbrfix.htm

Dr.Web can find some rootkits but it's REALLY slow.

Hitman Pro http://www.surfright.nl/en
is also decent but there is no 30 day free trial anymore so the best it can do is alert you to some rootkits without cleaning them.

A-squared http://www.emsisoft.com/en/software/antimalware/ is another option for automated rootkit detection, but again it is slow and its detection rates are poor compared to using a manual tool like GMER.

Sophos is a joke
F-Secure is useless IMO
Prevx's scanning engine is part of Hitman Pro so it's redundant

by Kyle Davidson on 30. July 2011 - 20:03  (76561)

Thank you for the links. I will test all of these and make some updates. TDSSKiller is my favorite so far.

F-Secure is incompatible with Windows 7 (or at least I get an incompatible message every time I run it).

Sophos I have yet to try but it seems out of date.

I use Prevx daily with SOL. I like it because it protects against key loggers and my MBR. Prevx SOL has a pretty good scan time too, but I wouldn't recommend it for a rootkit scanner.

by Anupam on 30. July 2011 - 19:24  (76556)

Thanks. Quite a helpful comment with links.

by Becker (not verified) on 11. July 2011 - 21:59  (75250)

I would like to use GMER to check my pc for a rootkit infection...However I do not feel as if I would be able to correctly interpret the results. Any ideas on where/how I could obtain an accurate interpretation?

by Kyle Davidson on 26. July 2011 - 1:31  (76235)

You may want to check out the Avast! anti-rootkit tool http://public.avast.com/~gmerek/aswMBR.htm - it is based on GMER (Avast now owns GMER) and may be easier to use. I will add a review of it tomorrow.

by Tipper (not verified) on 26. July 2011 - 3:34  (76238)

Would this be the same as is already in Avast! AV? If so would not the AV be adequate for detecting rootkits?

by Kyle Davidson on 26. July 2011 - 3:45  (76239)

Yes, it is built into avast! AV. However, this is a good option if you do not want avast! or simply want a dedicated rootkit scanner to use. I use it alongside avast. I like the fact I can run a dedicated scan and see the results. I also mentioned it because this page is for rootkit scanners and not full AVs. I hope I cleared that up, and thanks for the reply :)

by GeofferyPancake (not verified) on 12. July 2011 - 4:09  (75278)

Submit your scan results to either Bleeping Computer....

http://www.bleepingcomputer.com/

or Geeks to Go....

http://www.geekstogo.com/forum/

One of the volunteers on either of these forums will help you.

by Theodore (not verified) on 7. July 2011 - 21:43  (74980)

Is Prevx Free meant to be used with an existing antivirus such as Avast!? I am also using WinPatrol, SAS, Malwarebytes and an anti-logger, the name of which I will not mention, but it is not SpyShelter. I am not sure if all these would be compatible. Thank you.

by Av_Crazy on 5. June 2011 - 22:17  (73318)

I think you should add Kaspersky TDSSKiller to the list, because the Alureon rootkit is the most prevalent rootkit right now and TDSSKiller is the best one to do the job now.

by Kyle Davidson on 22. July 2011 - 1:36  (76002)

Hi there I am the new editor of this page, and I will keep that in mind. I am going to fix up the page, get used to the editing and do some testing first but I will be sure to include TDSS Killer in the next update to the page in the next few weeks.

by phoenix-abhi (not verified) on 3. May 2011 - 6:30  (71324)

I have gone through a few articles here. Congrats for the well made reviews and good layout of your site. I would like to see answers to my questions.
1. Do antivirus or anti-malware programs have protection for rootkits, Trojans etc.?
2. What are the possible ways of rootkits coming to a PC?
3. Apart from reducing the bandwidth, do they affect the performance of the machine?

I have a few remarks for the other topics also.

1. Free antivirus programs - Avira antivirus is excellent in detection and better than Avast in detection rate. But Avast updates faster, much faster than Avira. Avira's on-demand scanner is choppy compared to Avast.
2. Free antimalware - SAS definitely has the crown. Update is fast. Scanning is slow compared to MBAM. Updating MBAM is a headache. You have to update all the definitions from time to time. It is always a 7MB file.
ThreatFire has a good GUI. But what it does is unknown or unnoticed. It is a drawback, as a user always wants to know how his product performs and wants to compare it with other tools available. During scans, it detected a few rootkits left untouched by SAS and MBAM.
3. Free firewalls - Comodo is the winner as a firewall, but CIS is crap. I do not prefer PC Tools Firewall as it is not more effective than Windows Firewall. A few pop-ups and a digital signature library is exceptional.
All the above are my own experience and nothing against any of the software vendors, their products or the users of those products. Even I am not a fan of Windows.
Thanks to Chris for the outstanding articles.

by KARaa (not verified) on 5. July 2011 - 11:14  (74781)

Thanks for sharing, Phoenix-abhi.

Avira does to some extent search for rootkits and other non-virus malware.

Ways to infect a computer? I have installed PeerBlock - highly recommended! - to block incoming requests to my computer while browsing. It is shocking how many spy instances there are out there, trying to make their way into our computers.
Gone are the days when only those who visited dubious sites were infected. Spyware crawls in via all the third parties connected to the *normal* seemingly unsuspicious pages we're visiting.

I also recommend WOT, a browser addon that will warn against bad sites. Of course, only against known bad sites. No protection against all the many spy vendors that connect to your computer via a "good site". WOT can be installed for FF, Chrome and its derivatives, Opera, even IE.

by MidnightCowboy on 3. May 2011 - 6:38  (71325)

Detailed responses are not possible here in the comments. Also, this article currently has no editor. Please register and post your questions in our forum.

by 26Dolphins on 30. April 2011 - 16:22  (71174)

Hi,
I'm familiar with the first four ones and have noticed that, except for Gmer, the others don't update often - Sophos is about a year old and Root Repeal & F-Secure Blacklight Rootkit Eliminator are about two years old.
This may be a silly question, but I'm wondering, are they considered to still be very effective because rootkits' updates are slow as well?

Thanks in advance.

P.S. I don't count Dr. Web Cure It (which I use from time to time), because, as you already said, it's not a standalone anti-rootkit tool.

by Manjusri (not verified) on 30. April 2011 - 3:13  (71149)

GMER now works on Win-7

by Jojo Yee on 30. April 2011 - 5:08  (71150)

Thanks for pointing out. It's now updated.

by Dave Polikoff (not verified) on 29. March 2011 - 21:38  (68802)

Chris,

My computer shuts down before I can download any rootkit remover. How else can I obtain a product for this infected computer?

Best Buy charges $200 to bring my tower.

Any ideas?

Thanks!

by MidnightCowboy on 30. March 2011 - 6:46  (68813)

IMO if this truly is a rootkit infection, depending on the type it's often better to reformat rather than trying to remove it.

Please follow this guide as a first step:

http://www.techsupportalert.com/content/spyware-removal-guide.htm

If this is not successful, please register and post in our forum as we are unable to provide dedicated support here in the comments.

http://www.techsupportalert.com/freeware-forum/general-computer-support/

by John-Christopher (not verified) on 28. February 2011 - 22:33  (67206)

I couldn't read all the comments, so except for those the following applies. BTW I am an old tech support guy getting back up to speed to reenter the arena. There seems to be a dearth - that means nothing - about the best procedure to work on customer PCs for rootkit cleanup. I'm thinking I need advice/tips on

* Using a USB link cable or wifi/bluetooth
AFA safety - probably not a starter because the subject computer is going to be defective, and beyond that because the subject computer is going to be running at all.

* Using a second computer (the tech's) to service just the drive attached by USB port. This I think would be the usual approach - I think the safety profile is good as long as nothing is run from the culprit drive, and I assume these packages will work against it even better, no? Should IMO.

* Safe Mode - I have no idea why the Sophos and RootRepeal sites don't even mention it. Will they run? Maybe won't work any better in the case of a root kit - but it cuts the noise level to minimum (maybe to 20%.)

I think that's it. Thanks - you got a lot of comments here.

Regards,
J-C
