Best Free Rootkit Scanner and Remover

 
Introduction

My co-worker John C from our east coast office came across a page on Malwarebytes' forums and thought I would share since we are putting together our tools for threat removal. The use of italics is my clumsy way of differentiating what I'm writing to Gizmo's readers and what I published to colleagues. Here is the page Malware Removal Guides and Self Help Guides.

If you read the first post it refers to Chameleon. This is a tool within Malwarebytes that can find and stop running processes from malware and is very useful on fake alert threats. Chameleon is in a subfolder within the Malwarebytes main folder.

Below are my testing results that I published to my colleagues, with some edits in order to present this to you in easier to understand language. We are all IT folk so I tend to write to them differently than I would write to Gizmo's readers. Below I speak about System Check, which is a rather nasty fake alert. In my next post I am going to present some methods for removal of these threats along with reviews of rootkit scanners. It has been very busy at work and I perform testing in my spare time, of which there has been very little. But I wanted to share this with you so you can add Chameleon to your USB stick.

Below, MBAM is short for Malwarebytes' Anti-Malware. And Rkill is another tool for stopping processes which I will comment on later. The next two paragraphs are from my letter to co-workers:

I tested Chameleon on System Check, which is worse than most of the fake alerts in that it hides everything. I stepped through the instructions listed in the first post of the link provided. I clicked the first box and it opened a small DOS window and then proceeded to kill processes and then update and run MBAM. All of this worked great, and had an unexpected side effect. When it killed the process I think it also killed the ability of this ‘New and Improved’ System Check to deactivate your partitions. I rebooted and came right back into Windows, albeit with a black desktop and everything hidden, but it booted!! (But keep in mind, I ran this right after infection; your user will probably have rebooted. More on this below.) I didn’t clean it when MBAM ran this first time because John found that you can run Chameleon as a standalone from your USB stick, and I wanted to test. Sure enough, I copied the whole Chameleon folder over and ran the file from there. Chameleon worked just as it did before, perfect.

So this will be a permanent addition to my USB stick. This will give us the ability to stop the processes fake alerts are running right from your USB and then be able to install and run MBAM without it being compromised. Rkill works much the same way, but is a bit dicey when it runs. In order to shut down what’s running it will actually rename files. This can be bad, however, because now MBAM or whatever is being used may not find the renamed file. I would always note the path from Rkill and rename it back to the original so MBAM could find it.

I have other news I wanted to share with you about a tool I'm building that will reverse the damage done by these fake alerts like System Check I refer to above, when they hide all of your menus and folders. I had posted it here but it was too lengthy. I will post a link to it so that you can read it at your leisure. Until then please check out Chameleon as it will be a good addition to any USB stick.

Discussion

There are a lot of anti-rootkit programs available. Much of this software is very advanced and requires an experienced, technically minded user who is familiar with computers and operating systems. However, there are a couple of options that do not require much technical ability and are also very effective.

The new top pick is Kaspersky TDSSKiller. It has an easy to use GUI, fast scan times, a great detection rate and is user friendly.

TDSS Killer managed to detect and remove all modern rootkits tested (TDSS, Zeus, TDLV4, etc). The only downside is that TDSS Killer seems to have a narrow range of rootkits it detects, but hopefully more types will be added over time. If more strains are added this may become the definitive tool for removal of rootkits.

In my testing, whatever it is designed to scan for it finds every time and removes easily and positively. The positives far outweigh the negatives on this one. TDSS Killer also includes 64 bit functionality, which is a huge plus.

 

I have two top choices for experienced and technical users: GMER and RootRepeal. These are very popular applications, but it takes someone pretty knowledgeable about computer systems to be able to interpret the results. You can find a lot of documentation on both programs, but if you are the type of person (like me) who likes to click the scan button and simply wait for the results, you would be better served with TDSS Killer.

For the average user I cannot recommend either of these, as without comprehensive computer knowledge the results would be very hard to interpret. I even have a hard time understanding the data. In my work I usually have no time to refer to the documentation and must move quickly to restore a computer to working condition. However, if a particularly difficult infection is present these tools are invaluable because of the wealth of information. I prefer GMER as I find the initial scanning process easier to use and it had a better detection rate than RootRepeal.

 

Avast Anti-Rootkit resembles a command prompt window but is fairly easy to use. It lets you scan your computer and MBR for rootkits and even fixes any issues. Understanding the output from Avast Anti-Rootkit may be a little hard for some users but it does the job well. I tested it against TDSS and several other modern rootkits and it found all of them. Removal on the other hand was not as good as some of the other tools. But what it does have is a very useful tool that I personally would not be without: the ability to perform FixMBR right from within Windows. Normally one would have to boot to a Windows XP disc or Windows 7 recovery disc to perform this command, but Avast Anti-Rootkit has a built in ‘FixMBR’ button that with one click will write a new Master Boot Record, which is often necessary in the removal of rootkits. This is very useful as you may not always have a Windows disc on hand in the field. I keep this on my USB drive at all times.
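What a FixMBR-style rewrite actually touches is the first 512-byte sector of the disk: 446 bytes of boot code, a four-entry partition table and the 0x55AA signature at the end. As an added example (not code from this article, from Avast's tool or from any other product reviewed here), the Python below parses that sector using the standard MBR layout and lists the findings a responder would want to check before and after rewriting it. The sample sectors it inspects are constructed inside the script, not read from a real disk.

```python
import struct
from itertools import combinations

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the boot loader code
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow
PART_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510        # final two bytes must be 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partitions(sector: bytes) -> list:
    """Decode the four primary partition entries of an MBR sector."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        entry = sector[off:off + PART_ENTRY_SIZE]
        # status (1), CHS start (3, ignored), type (1), CHS end (3, ignored),
        # LBA of first sector (4, little-endian), sector count (4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(sector: bytes) -> list:
    """Return a list of findings; an empty list means the MBR looks sane."""
    findings = []
    if len(sector) != MBR_SIZE:
        return ["unexpected sector length %d (expected %d)" % (len(sector), MBR_SIZE)]
    if sector[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if not any(sector[:BOOT_CODE_SIZE]):
        findings.append("boot code area is all zeros")
    parts = [p for p in parse_partitions(sector) if p["type"] != 0]
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02x"
                            % (p["index"], p["status"]))
        if p["sectors"] == 0:
            findings.append("partition %d has type 0x%02x but zero length"
                            % (p["index"], p["type"]))
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append("%d active partitions (expected exactly 1)" % len(active))
    for a, b in combinations(parts, 2):
        a_end = a["lba_start"] + a["sectors"]
        b_end = b["lba_start"] + b["sectors"]
        if a["lba_start"] < b_end and b["lba_start"] < a_end:
            findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return findings


def build_sample_mbr(valid_signature: bool = True,
                     second_partition_overlap: bool = False) -> bytes:
    """Construct a sample MBR sector for the demonstration (not from a real disk)."""
    boot_code = b"\xeb\x3c\x90" + b"\x90" * (BOOT_CODE_SIZE - 3)  # jump + NOP filler

    def entry(status, ptype, lba_start, sectors):
        return struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)

    table = entry(0x80, 0x07, 2048, 204800)            # bootable NTFS, 100 MiB
    if second_partition_overlap:
        table += entry(0x00, 0x07, 100000, 204800)     # starts inside partition 0
    else:
        table += entry(0x00, 0x07, 206848, 409600)     # immediately follows it
    table += entry(0, 0, 0, 0) * 2                     # two unused entries
    signature = BOOT_SIGNATURE if valid_signature else b"\x00\x00"
    sector = boot_code + table + signature
    assert len(sector) == MBR_SIZE
    return sector


if __name__ == "__main__":
    for label, sector in (("clean", build_sample_mbr()),
                          ("no signature", build_sample_mbr(valid_signature=False)),
                          ("overlap", build_sample_mbr(second_partition_overlap=True))):
        print(label + ":", check_mbr(sector) or "OK")
```

To inspect a real disk, read its first 512 bytes from the raw device (for example `\\.\PhysicalDrive0` on Windows, which needs administrator rights) and pass them to check_mbr. A finding is a reason to look closer rather than proof of infection: a third-party boot manager also leaves non-standard boot code behind, which is why comparing the sector against a known-good copy taken from the same machine is the more reliable check.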

 

The next product that I looked at is one that I always keep in my toolkit. Dr.Web CureIt! is not a standalone anti-rootkit tool like the other tools I recommended; rather it is a free malware scanner and removal tool that happens to be pretty effective at removing some rootkits but doesn’t detect the modern threats in my testing. It is always a good idea to have more than one tool capable of removal, so Dr.Web's freeware scanner is a great addition to anybody's arsenal. What I have found useful is the sandbox environment it creates when it’s run. This is good as it stops all processes that some malware may try to run. It is also able to deep scan your drive and you can reboot back into this environment for further scanning and removal.

 
Other Rootkit Scanners and Removers

Sophos Anti-Rootkit has a small but easy to use interface with no options other than choosing where you want to scan. As it scans it opens up to a slightly larger interface where it lists the results of the scan and gives you information about each result as well as a recommendation for them. Additionally, a small help file is available that explains the program in a little more detail and gives directions on how to use the command line anti-rootkit tool which is also included. This would be a great tool if it was kept up-to-date, but in my testing it failed to find or remove any of the modern threats I tested.

 

F-Secure Blacklight is another great tool for rootkit removal. Unfortunately, support for it ended a couple of years ago. However, you can still download it on the F-Secure web site and it is compatible with Windows Vista and XP.

It still works well for older rootkits but gives an "Incompatible" error if run on Windows 7. Blacklight is also unable to detect most modern rootkits and therefore I recommend one of the other tools for now.

 

Prevx Free, the free version of Prevx, offers the same class-leading real time detection as the full version but unfortunately it doesn't offer much more than this. Prevx Free is only capable of cleaning select infections, such as adware, the ZEUS banking trojan, and MBR rootkits. When dealing with rootkits detection is definitely very important, so even if you can't clean all infections you might at least be alerted, enabling you to take further action and manually remove the rootkit or seek help in doing so. As hard as it is to detect the newer, ever evolving rootkits and viruses, Prevx can be a very powerful and informative addition to your regular anti-virus software.

Additionally, Prevx Free can run customized scans from the context menu and also gives you the ability to schedule scans. Another plus is that it scans quickly. The free version also offers protection of stored cookies as well as protection for all of your saved credentials. There is also a browser protection component in the free version, but it only offers custom protection on one web site of your choice. It does, however, give the full Prevx Safe Online protection, which includes anti-phishing and protection against hijacks, keyloggers, and cookie stealers for a number of popular websites such as PayPal or Amazon, and of course the one website of your choice.

I have included the previous editor’s information above but would note that given the limited functionality of Prevx Free, I mainly use it for detection. Often I need to not only detect but to remove in one scan using one tool.

As I mentioned above I will leave links to the applications mentioned here as they might work for you and be your favorites. I don’t want to discourage the use of any of them but the ones I haven’t had much success with are in the Other Scanners section; so I cannot recommend them. If they work for you that’s great and I would love to hear of your successes in the comments section.

Along with my goal to provide help, I also want to give you only what I have found that works. I am always open, however, to learning of new methods and tools. I love tools and am a firm believer that you cannot have too many. In the ever changing world of threat removal we need many tools to detect and remove.

Quick Selection Guide

Kaspersky TDSSKiller
Our rating: 5 (Gizmo's Freeware award as the best product in its class!)
Type: Runs as a stand-alone program on a user's computer
Pros: Easy to use GUI, high detection rate, removed all infected files in tests and is 64 bit compatible.
Cons: Limited scope and range of types of rootkits detected.
Version: 3.0.0.14
Size: 1870 KB
64 bit compatibility: 32 bit but 64 bit compatible
License: Unrestricted freeware
OS: Windows

GMER
Our rating: 4
Type: Runs as a stand-alone program on a user's computer
Pros: Considered class-leading technology.
Cons: No help file, but information online. Not suitable for average users.
Developer home page: http://www.gmer.net/
Download link: http://www.gmer.net/
Version: 2.1.19163
Size: 369 KB ZIP
License: Unrestricted freeware
Portability: A portable version of this product is available from the developer.
OS: Windows 2000 to 8

Avast Anti-Rootkit
Our rating: 4
Type: Runs as a stand-alone program on a user's computer
Pros: Works well. Detects most rootkits, easy to use. ‘FixMBR’ function within Windows is invaluable; a must have on any USB flash drive.
Cons: Results sometimes hard to interpret and removal failed on some rootkits.
Developer home page: http://www.avast.com/
Version: 0.9.9
Size: 1870 KB
License: Unrestricted freeware
Portability: There is no portable version of this product available.
OS: Tested on Windows 7

Dr.Web CureIt!
Our rating: 3
Type: Runs as a stand-alone program on a user's computer
Pros: Sandbox environment useful for halting processes and scanning MBR.
Cons: Unable to detect some of the modern rootkits.
Version: 6.00.4
Size: 115 MB
64 bit compatibility: 32 bit but 64 bit compatible
License: Unrestricted freeware
Portability: This product is portable.
OS: All Windows Platforms

Comments

by Anonymous on 20. February 2010 - 14:12  (44038)

I've been using Gmer for a long time. While doing a scan today, I was also running ccleaner (maybe this was a mistake!). Suddenly, my system crashed and a purple screen came up:(....I seriously thought there was a rootkit.

Anyways, I rebooted, went to safe mode, and restored last known settings that worked. Thankfully everything was alright again.

Then I did another scan...nothing turned up!

I use Windows XP SP3

by Anonymous on 20. February 2010 - 16:15  (44047)

Yes, you should definitely shut down all other running programs, AVs, firewalls, and anything that is running before you run a scan with any anti-rootkit tool. It is very rare that CCleaner is incompatible with anything yet. Also, GMER is not always going to alert you and say "You Have a Rootkit"; you have to be able to interpret the results, so if you cannot then you might download something like Prevx to let you know if you are infected.

by Anupam on 8. February 2010 - 11:35  (43108)

Combofix is also an effective tool against malware. How much is it effective for rootkit removal?

by Anonymous on 11. February 2010 - 23:43  (43411)
by DLC50 on 12. February 2010 - 3:19  (43420)

Yes, I can definitely agree that his words are true. If you didn't read my post below then check it out. I had a bad experience with Combofix yesterday, so the whole program is just not of the same quality as it once used to be. Maybe the devs will update it soon but I wouldn't get my hopes up because even in the past updates have been few and far between.

by Anonymous on 13. February 2010 - 0:43  (43470)

Ditto, DLC50... It's too bad, because a user used to be able to count on Combofix as a fairly successful last resort...

by Anonymous on 8. February 2010 - 21:15  (43127)

I have seen it recommended for rootkit removal on a few quality PC-Help Websites...

by DLC50 on 9. February 2010 - 1:13  (43134)

There are several reasons why I didn't include combofix. The main reason being that it has a lot of stability issues and bugs. Another reason is that it is very powerful and should mainly only be used when guided by tech support at one of these forums. Combofix is normally available on Bleeping Computer forums all the time but even they will not offer it for download now because of all the problems. Once it gets updated and all the bugs fixed, I might include it and write a tutorial on how to properly use it.

by Anonymous on 14. May 2010 - 20:20  (49802)

I've had problems on my PC for some time now: Anti-virus 2010 programme, Panda and Prevx closing down. Tech guys at Panda have been remoted onto the PC a number of times. Nothing was wrong/found. Yesterday the same thing happened, so I decided not to fix it this time and turned it back on. Contacted the tech guys, who remoted onto the PC. They used Combofix and found a deeply hidden rootkit, which must have been there all the time. Asked to reboot, Combofix updated as it rescanned. I have had other people use GMER and it hasn't found anything; in fact it did more harm to the PC than good. Prevx used it before I got in contact with Panda and the PC just froze. I thought the tech guy at Prevx was doing something. And being new to all this, I sat and waited for 3 hours, then decided to reboot the PC. I contacted Prevx again to see what had happened and was informed GMER had booted him off. I was reading an old PC Plus mag today; it was talking about Sophos Anti-rootkit, so I tried it this evening 3 times. The 1st time it told me there were 8 hidden files at the end of the scan. I closed it down and rescanned with it; this time it said 2 hidden files. The 3rd time it was 1 hidden file. How can this be, because they weren't removed? I only use the Windows XP firewall and have been told by all the security vendors I've spoken to that this is enough. Even the guys who built the computer say this; they are also security guys. I see there is some comment about firewall and HIPS. What is this? I look forward to your training manual on Combofix on how to use it. I haven't got a clue what the Panda guy did. However, I suppose from my experience and what I've witnessed Combofix is pretty decent; it found the rootkit. Panda's own award winning anti-rootkit didn't stop it or find it. It is very good for spyware. I suppose I should have registered. Dave

by Anupam on 9. February 2010 - 4:19  (43138)

Ah yes, BleepingComputer had removed the download because of some bug. I remember now. That has not been solved yet? :O.. wow.. it's been a lot of time.
Anyways, yes, it's a powerful tool, and not suitable for average users. Nevertheless, I just wanted to know if it is effective in removing rootkits.
Thanks for the reply, and information :).

by DLC50 on 9. February 2010 - 6:24  (43143)

As a matter of fact it is very effective, or was. I haven't used it in a fairly long time. It is one of those programs that is very touchy, but when it gets working again, or if they plan to update it and fix the problems, it will definitely be included, but I will also have to include a tutorial. Also, there are a lot of copies of Combofix floating around the net right now and I have seen on the old Combofix website and Bleeping Computer that the only safe place to download the app was at the Bleeping Computer forums. So I searched for Combofix and there were several variations of the Combofix home page; I found combofix[DOT]org, .net, plus some like combofix3.com, so be very careful and only download this at Bleeping Computer.

by Anupam on 9. February 2010 - 6:38  (43144)

Yes, there are several sites offering the downloads. The sites you mentioned.. combofix[DOT]org, and .net have unsatisfactory WOT ratings. BleepingComputer mentions only two sites to download ComboFix from, one of the sites being their own.

BTW, I looked up the Twitter of BleepingComputer, and the tweet of 24th Jan says the bug had been fixed and the download was available. I also checked up the download links offered on the guide here :
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
and the download links seem to be working.

by DLC50 on 9. February 2010 - 17:50  (43177)

Thanks Anupam, I will check it out and see how stable it is. The last two or three times I have tried to use it something has gone wrong, so hopefully that is what they got fixed with the update in January. I will post back here and let you know how it goes.

by Anupam on 9. February 2010 - 17:56  (43180)

Thanks for the reply :).

by DLC50 on 10. February 2010 - 0:36  (43220)

Hey Anupam, I just got through trying Combofix again and honestly I cannot believe that they have it available for download. Setup went ok, other than a small disagreement with OA, but about 2 minutes into a scan I got a "Critical Kernel Event Error" BSOD. I then got 3 more blue screens when trying to boot up the next three times. So I got it booted into my Win7RescuePE and ran the System File Checker and was surprised to see that it found and repaired 4 damaged system files, and it also discovered 3 system files had been deleted. After I replaced the files from a backup copy I booted into Windows just fine, leading me to believe Combofix is to blame.

When testing an app that is in beta or that I do not trust I always setup DebugView to capture Win32 and log kernel and verbose kernel output, and I am going through the logs right now to make sure it wasn't a conflict with OA or another program. I am running a new Beta of Online Armor but it is stable. Anyway I will check the logs and the kernel crash dump to see if it might have been a conflict somewhere. So my advice is this, if you find it absolutely necessary to use Combofix, then create a full system backup as well as your data and personal stuff, and make a full backup of the registry.

by Anupam on 10. February 2010 - 5:42  (43236)

Thanks for the feedback on this DLC, and sorry that you had to go through a BSOD. Well, it was you, who recovered the system. Other users, including myself, would not have :D.
ComboFix is indeed a very powerful tool, and should not be used by just everyone. Conflict might be a cause, because ComboFix gives the warning at the start itself, to shut down any antivirus or other security software, that may be active.
I was asking about ComboFix, because my cousin's PC has got a rootkit from a pen drive. Avast detected it, but cannot find or remove it, in the scans. So, I might have to try some of the antirootkits mentioned here, and if not, I will use ComboFix as the last resort.

by Anonymous on 7. February 2010 - 4:03  (43021)

I found this post over at Wilders Security. Hope it helps...

"It's not possible to get an entire rootkit into a bios, but you could fit a jump or starter code in the bios, which means a persistence somewhere else along with the bios. That means a Hidden Partition Area on the HDD or modification of the nic firmware, which would be a PXE boot situation.

If there is this type of infection it would most likely be Bios/HPA-HDD.
1. Average wiping doesn't remove the HPA from the HDD.
2. If you fix only one, the infection can return.

To fix you must wipe the HDD with a program capable of wiping all partitions including HPA/DCO. Then while the HDD is dorment and free of any code, flash the bios."
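The HPA point in the quoted post above can be checked rather than guessed: an ATA drive reports both its current (visible) maximum sector count and its native maximum, and a gap between the two is a host protected area. As an added example, not part of the comment or of any tool reviewed on this page, the Python below parses the `max sectors = current/native` summary line that `hdparm -N` prints on Linux (line format assumed from typical output; the sample lines are constructed, not captured from real hardware) and reports how much of the disk is hidden. A DCO is a separate mechanism and is not covered by this check.

```python
import re

# Matches the summary line printed by `hdparm -N /dev/sdX`. The format
# is assumed from typical hdparm output; no real drive is queried here.
HDPARM_N_RE = re.compile(
    r"max sectors\s*=\s*(\d+)/(\d+)(?:,\s*HPA is (enabled|disabled))?")
SECTOR_BYTES = 512


def parse_hdparm_n(output: str) -> dict:
    """Parse hdparm -N output into visible/native sector counts and an HPA flag."""
    m = HDPARM_N_RE.search(output)
    if not m:
        raise ValueError("no 'max sectors' line found in hdparm output")
    visible = int(m.group(1))
    native = int(m.group(2))
    hidden = max(native - visible, 0)
    if m.group(3) is not None:
        enabled = m.group(3) == "enabled"       # trust hdparm's own verdict
    else:
        enabled = hidden > 0                    # older output: infer from the gap
    return {
        "visible_sectors": visible,
        "native_sectors": native,
        "hidden_sectors": hidden,
        "hidden_mib": hidden * SECTOR_BYTES / (1024 * 1024),
        "hpa_enabled": enabled,
    }


def hpa_finding(output: str) -> str:
    """Return a one-line verdict a responder can paste into case notes."""
    info = parse_hdparm_n(output)
    if not info["hpa_enabled"]:
        return "no HPA: drive exposes all %d native sectors" % info["native_sectors"]
    return "HPA present: %d sectors (%.1f MiB) hidden beyond LBA %d" % (
        info["hidden_sectors"], info["hidden_mib"], info["visible_sectors"])


# Constructed samples in the shape of `hdparm -N` output (not real drives).
SAMPLE_HPA = """/dev/sdb:
 max sectors   = 488397168/976773168, HPA is enabled
"""
SAMPLE_CLEAN = """/dev/sda:
 max sectors   = 976773168/976773168, HPA is disabled
"""

if __name__ == "__main__":
    for sample in (SAMPLE_HPA, SAMPLE_CLEAN):
        print(hpa_finding(sample))
```

On a live system you would run `hdparm -N` against the bare device, not a partition, and feed the output to hpa_finding; a hidden region is worth noting in the case record, but some OEM recovery setups legitimately use an HPA, so the finding needs context before it is treated as a persistence mechanism.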

by Anonymous on 7. February 2010 - 4:33  (43025)

I think this is one of the articles I read on the newer bios rootkits...

http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,74...

by DLC50 on 8. February 2010 - 3:35  (43088)

Well, even now that I have an education and am knowledgeable enough to get rid of a rootkit without help, they still make me nervous. But this type of rootkit that the article explains would be awful, but they just did a demonstration to show that it is possible, not that in fact they caught it "in the wild". In any case, the malware creators are always a step ahead so there is no telling what else they will come up with.

by Anonymous on 8. February 2010 - 20:08  (43125)

Who knows what else they will come up with indeed. The only real secure computer is one that has never been connected to the internet.

What if the malware infects printers and other peripheral devices, then moves back in after a wipe and reinstall ? Heck, even changing the computer would not help, you would have to change everything, all printers and peripheral devices.

I think one solution, or at least a help, would be having two or three completely separate computers or systems in one box or tower. One computer strictly for business, another to deal with friends and family, another for general surfing and playing around. Not virtualization, because that too can be compromised, but actual separate systems. Basically, it seems you need to dedicate a computer for a specific task in order to stay on top of things.

John

by Anonymous on 7. February 2010 - 5:28  (43030)

The average user, including myself, would have to take PC into the shop to get something like this type of Rootkit cleaned out.

by Anonymous on 6. February 2010 - 18:05  (42988)

Once you detect a rootkit, do you need to wipe your hard drive with something like dban (I heard some kits can survive formatting) and reinstall windows, or can you scan with a few rootkit detectors and anti-malware programs and continue using the computer ?

I have even heard that some rootkits infect the bios and wiping the hard drive or even changing the hard drive will not get rid of them (good grief).

John

by DLC50 on 7. February 2010 - 4:14  (43024)

Yes, flashing the BIOS will get rid of the rootkit if you do it at the right time. As for wiping, I always recommend wiping to people who are going to reinstall, not because it handles rootkits better, but because it will get rid of all left over file fragments and rid the HDD of any recoverable information.

by Anonymous on 6. February 2010 - 20:13  (43002)

I have read of PC geeks who have bought a new hard drive because of getting infected with a rootkit. That is the only sure way of "knowing" if the rootkit is gone... Prevention is the key and HIPS and/or Sandboxie will help there.

by Anonymous on 7. February 2010 - 0:06  (43011)

But if it is one of the new versions of rootkits that infect the bios, then it will return even if you change the hard drive. I guess you could flash the bios, but who knows, I guess if you get a rootkit you need to throw the computer in the trash and start over.

John

by DLC50 on 7. February 2010 - 4:10  (43023)

I wouldn't trash anything, and it would have to be something worse than anything I have ever seen to get me to replace the hard drive. The truth is rootkits are a pain in the back side, and some of them do an awful lot of destruction. But others do not harm the computer much. So it all depends on what variant it is and, most of all, what other malware it is hiding.

by Anonymous on 7. February 2010 - 3:44  (43020)

It's about prevention of rootkits... That is, or should be, the top priority, and common sense tops that list; besides that, HIPS and Sandboxie, and maybe even throw Returnil into the mix.

by DLC50 on 7. February 2010 - 4:06  (43022)

I am writing an article that will give you a better understanding of rootkits I think. HIPS is without a doubt the best way to stop a rootkit, no scratch that running a 64 bit system with SRP and LUA is the best way to stop rootkits.

by Anonymous on 5. February 2010 - 10:56  (42863)

Hi DLC50,
Regarding my Dell Studio 1537 laptop, I have reinstalled on the new replacement HD a fresh clean copy of Win 7 and so far it has rebooted several times smoothly. Though I am a bit concerned that the image restore I had previously made on this same HD (using Acronis) may still have some rootkits hiding inside the HD? I have a copy of Kaspersky Internet Security Suite which I will install later. Is Kaspersky's TDSSKiller available in the Kaspersky Internet Security Suite version? Thank you for whatever help you can give here.
SonarB

by DLC50 on 5. February 2010 - 19:36  (42898)

TDSS killer can be found on the Kaspersky web site but not in their suite. It is available for free.

About the problem with your Dell PC. I believe that I can help you fix it, IRQ9 is your ACPI controller. I have dealt with a similar problem before so please contact me using this form and we will see if we can get it fixed for you. http://www.techsupportalert.com/user/13309/contact