Best Free Rootkit Scanner and Remover
Introduction
Hello Gizmo’s readers! My co-worker John C from our east coast office came across a page on Malwarebytes' forums and thought I would share it, since we are putting together our tools for threat removal. The use of italics is my clumsy way of differentiating what I'm writing to Gizmo's readers from what I published to colleagues. Here is the page: Malware Removal Guides and Self Help Guides. If you read the first post, it refers to Chameleon. This is a tool within Malwarebytes that can find and stop running processes from malware and is very useful on fake alert threats. Chameleon is in a sub folder within the Malwarebytes' main folder. Below are my testing results that I published to my colleagues, with some edits in order to present this to you in easier to understand language. We are all IT folk, so I tend to write to them differently than I would write to Gizmo's readers. Below I speak about System Check, which is a rather nasty fake alert. In my next post I am going to present some methods for removal of these threats along with reviews of Rootkit Scanners. It has been very busy at work and I perform testing in my spare time, of which there has been very little. But I wanted to share this with you so you can add Chameleon to your USB stick. Below, MBAM is short for Malwarebytes' Anti-Malware. And Rkill is another tool for stopping processes which I will comment on later. The next two paragraphs are from my letter to co-workers:

I tested Chameleon on System Check, which is worse than most of the fake alerts in that it hides everything. I stepped through the instructions listed in the first post of the link provided. I clicked the first box and it opened a small DOS window and then proceeded to kill processes and then update and run MBAM. All of this worked great, and had an unexpected side effect. When it killed the process I think it also killed the ability of this ‘New and Improved’ System Check to deactivate your partitions.
I rebooted and came right back into Windows, albeit with a black desktop and everything hidden, but it booted!! (But keep in mind, I ran this right after infection; your user will probably have rebooted. More on this below.) I didn’t clean it when MBAM ran this first time because John found that you can run Chameleon as a standalone from your USB stick, and I wanted to test that. Sure enough, I copied the whole Chameleon folder over and ran the file from there. Chameleon worked just as it did before, perfect. So this will be a permanent addition to my USB stick. This will give us the ability to stop the processes fake alerts are running right from your USB and then be able to install and run MBAM without it being compromised. Rkill works much the same way, but is a bit dicey when it runs. In order to shut down what’s running it will actually rename files. This can be bad, however, because now MBAM or whatever is being used may not find the renamed file. I would always note the path from Rkill and rename it back to the original so MBAM could find it. I have other news I wanted to share with you about a tool I'm building that will reverse the damage done by these fake alerts, like the System Check I refer to above, when they hide all of your menus and folders. I had posted it here but it was too lengthy. I will post a link to it so that you can read it at your leisure. Until then, please check out Chameleon as it will be a good addition to any USB stick.
Discussion
There are a lot of anti-rootkit programs available; much of this software is very advanced and requires an experienced, technically minded user who is familiar with computers and operating systems. However, there are a couple of options that do not require much technical ability and are also very effective.
For the average user I cannot recommend either of these, as without comprehensive computer knowledge the results would be very hard to interpret. I even have a hard time understanding the data. In my work I usually have no time to refer to the documentation and must move quickly to restore a computer to working condition. However, if a particularly difficult infection is present these tools are invaluable because of the wealth of information. I prefer GMER as I find the initial scanning process easier to use and it had a better detection rate than RootRepeal.
Other Rootkit Scanners and Removers
Still works well for older rootkits but gives an "Incompatible" error if run on Windows 7. Blacklight is also unable to detect most modern rootkits and therefore I recommend one of the other tools for now.
Additionally, Prevx Free can run customized scans from the context menu and also gives you the ability to schedule scans. Another plus is that it scans quickly. The free version also offers protection of stored cookies as well as protection for all of your saved credentials. There is also a browser protection component in the free version, but it only offers custom protection on one website of your choice. It does, however, give the full Prevx Safe Online protection, which includes anti-phishing, protection against hijacks, keyloggers, and cookie stealers for a number of popular websites such as PayPal or Amazon, and of course the one website of your choice. I have included the previous editor’s information above but would note that, given the limited functionality of Prevx Free, I mainly use it for detection. Often I need to not only detect but to remove in one scan using one tool. As I mentioned above, I will leave links to the applications mentioned here as they might work for you and be your favorites. I don’t want to discourage the use of any of them, but the ones I haven’t had much success with are in the Other Scanners section, so I cannot recommend them. If they work for you that’s great and I would love to hear of your successes in the comments section. Along with my goal to provide help, I also want to give you only what I have found that works. I am always open, however, to learning of new methods and tools. I love tools and am a firm believer that you cannot have too many. In the ever changing world of threat removal we need many tools to detect and remove.
Editor
This software category is maintained by volunteer editor dslfreak. Registered members can contact the editor with any comments or questions they might have by clicking here.
Comments
Is Avast's integration with GMER just as good as GMER by itself?
To dl50,
Thanks for such a good website!
I was just wondering why you didn't include Hijack This.
HiJackThis is not a scanner, or a remover. It simply shows the registry and files settings on the computer. It does not show whether they are good or bad. It just shows them. Therefore, it has not been included here.
Can anyone explain why when I try to update Prevx Safeonline it states it is already up to date when I have version 3.0.5 179? Does this apply only to the definitions? How do I obtain the newest version 3.0.5 182? Thanks
You can download the program from its site. The links are given in the article itself.
In the end, we decided to award eight of the ten licenses donated by Immunet for our "how to stay safe online" competition winners here:
http://www.techsupportalert.com/freeware-forum/security/4430-win-license...
The remaining two plus three more will be given away to the first five members to send me what I think are the funniest one sentence reasons why they should get one! Humorous personal abuse is acceptable so long as it's only directed at me :D
Entries by PM only please. Keep them clean as we need to publish the results!
What about Panda Antirootkit. Is it any good?
Panda Anti Rootkit was one of the top and one of my favorites for a long time. If it had been kept updated I would probably have it near the top now but as it is, without updates it is not a good choice.
According to this, no, but please appreciate that this is just one opinion.
http://www.anti-malware-test.com/
As I understand it though, the more simple and popular scanners are much easier for malware developers to write workarounds for which may explain why they are not so effective.
Thanks for the feedback. It's interesting to read how this 'Anti-malware-test' site rates Avira 9. (It's a fail!)
Win a License for Immunet Protect Plus!
Followers of Immunet Protect cloud based antivirus will be aware that the 2.0 version has just been released.
www.immunet.com/free/index.html
I have to say that I’ve been quite impressed with how Alfred Huger and the rest of his team have conducted this exercise. Their dedication and commitment to customer generated improvements is a sure fire lesson some other vendors would do well to copy. The net result is an effective antimalware solution which will continue to improve as development moves forward. A bonus is that the program will run alongside many of the traditional solutions. The official and unofficially supported programs are listed here:
http://support.immunet.com/tiki-read_article.php?articleId=4
In recognition of the feedback received from TSA members, Immunet have graciously made available 10 free licenses for the “Plus” version of Immunet Protect. In order to give everyone a fair shot at these we’ve decided to run a competition. All you need do to enter is to write a short piece about the steps you take to stay safe online, including the *programs you use and why you think these are the best solutions.
*Any entries containing references to commercial products will be disqualified.
Entries should be submitted to myself by using the “Contact Info” button which is accessible by clicking my user name (MidnightCowboy) in the forum.
If you are not already registered for the site please use the "register" button at the top of the forum page.
The ten winners will each receive a free license for the “Plus” version of Immunet Protect and their entries will be published in a special “Security” section forum thread.
Closing date for receipt of entries is Monday 28th June, 2010.
The judges' decision will be final and no correspondence will be entered into concerning entries.
What about Rootkit Revealer? How does it compare?
Rootkit Revealer was a great and useful piece of software when it was first developed, but it is mostly useless with a lot of today's threats. Malware creators have progressed at a very alarming rate as far as the complexity of these infections, and now I see a lot of new antirootkit tools coming out that are being updated every week and sometimes more often just to keep up. So no, I am afraid that Rootkit Revealer needs to be retired.
By the way everyone, I have been super busy lately with all of this stupid search engine malware being caught up by FF and Chrome and I haven't had time to update this review. I am sorry but it will be a little while, but I have compiled a list of some newer ARKs and some old ones and those on the review already, and I am going to test them before I update the review. I have a collection of wicked rootkits that I have acquired and it should be interesting. Thanks
Regards,
DLC50
http://www.techsupportalert.com/freeware-forum/security/3895-infected-xp...
further info
http://www.theregister.co.uk/2010/04/16/ms_kernel_patch_bypasses_pwned_pcs/
Is the Prevx in HitManPro the same as the standalone Prevx? Or at least is the scanning ability as advanced/efficient? I am wondering if I need both programs...
Probably not. Personally, I wouldn't go with either!
Why not?
I don't favour cloud at the moment. Zero-day baddies would be just as detectable by a decent firewall with a strong HIPS compared to that of a cloud that also uses heuristics!
Yes, Prevx is in Hitman Pro, but I agree with the comment above. Maybe I am old fashioned and I do love Prevx, but I just cannot trust cloud technology yet. The way I use Prevx is to carry it around on a UFD, and when a client calls it is the first thing I scan with, because even if it cannot do the cleaning it scans fast and gives me a great idea of what I am dealing with and what my next step is. It is indispensable to me in this role, but I doubt I will ever spend a dime on it.
Considering that I am using Vista firewall which has no HIPS...In THIS case would Prevx whether standalone or in Hitman Pro be beneficial? I am somewhat of a newbie and still learning my way!
Well, I would say that yes, I am sure it would be useful to you even if you only used it once a month, but I would not rely on it and it alone. Prevx is great and they are quickly changing the 'HIPS' category to a truly automated response HIPS that does not rely on the user for much at all. So yes, it would help you out. I only use Avast Free with just the file system shield installed and set to scan only on execution, but I also use MBAM to scan on demand every couple of weeks, and I cannot even remember the last time I got an infection. My view of security is, the simpler the better.
I disagree with you about Avast. Recently I had Avast for several months and it was updated frequently and all. But one day without my knowledge I got infected with Relevant Knowledge Spyware-Adware which managed to disable it and killed my Windows. I had to boot from XP after resetting my PC. So Avast is ZERO!
I have regretted not to have installed Avira instead as on my other computer it had been able to fight every attack successfully.
Regards,
AntiSpywaregirl!
I don't think much of Sophos Anti-Rootkit. I was doing a Root kit scan of my hard drive.
I am a programmer. It kept saying that executables that I had programmed were unknown hidden files.
For one, I can see them in the directory. So how is that hidden?
Two, they are files I programmed myself.
I am also disappointed in Avira. It is also trying to claim that an executable of mine is TR/Downloader.Gen. Too many false positives!
Avira is slipping down the slope and facing a swift fall to the bottom if they do not shape up. I love Avira and I hear they are having tough times financially, as everyone else is, so you might expect to see them a little weaker than usual right now. I expect them to be back on top pretty soon though.
Now I have heard people say that Sophos will detect unindexed files as hidden, but this sounds ridiculous to me and I haven't tried to check it out. Sophos is my top pick for several reasons. It is regularly updated, almost anyone can interpret the results, and it is decent for what it does. Stand-alone Anti Rootkits are almost history, so one that is regularly updated is important. Now Sophos is touchy about anything unknown to it, just like your files, but I fail to see anything wrong with that. Most security programs are built to flag other programs and scripts that they do not recognize. You know what the files are, so there is no problem. Anyway, scan with Prevx if you think you are infected and find out.
IMO, detecting your DIY progs as a possible 'enemy' is a good thing! For obvious reasons.
Please excuse my ignorance, but is Prevx Free only for Rootkit detection? I noticed you added this product only in the Rootkit Section of this website.
I am not sure I understand your question exactly but I will give it a shot. Prevx Free will detect viruses, spyware, adware, rootkits, worms and pretty much all other malware there is. However, the free version only has limited removal capabilities. It is only able to remove MBR Rootkits, Zeus Trojans, and adware. I have added it to this review because it happens to be one of the best at detecting rootkits.
Got it, and thanks DLC50...You answered perfectly.
I've been using Gmer for a long time. While doing a scan today, I was also running ccleaner (maybe this was a mistake!). Suddenly, my system crashed and a purple screen came up:(....I seriously thought there was a rootkit.
Anyways, I rebooted, went to safe mode, and restored last known settings that worked. Thankfully everything was alright again.
Then I did another scan...nothing turned up!
I use Windows XP SP3
Yes, you should definitely shut down all other running programs, AVs, firewalls, and anything that is running before you run a scan with any Anti-Rootkit tool. It is very rare that CCleaner is incompatible with anything yet. Also, GMER is not always going to alert you and say "You Have a Rootkit"; you have to be able to interpret the results, so if you cannot then you might download something like Prevx to let you know if you are infected.