Best Free Rootkit Scanner and Remover

 
Introduction

My co-worker John C from our east coast office came across a page on Malwarebytes' forums and thought I would share since we are putting together our tools for threat removal. The use of italics is my clumsy way of differentiating what I'm writing to Gizmo's readers and what I published to colleagues. Here is the page Malware Removal Guides and Self Help Guides.

If you read the first post it refers to Chameleon. This is a tool within Malwarebytes that can find and stop running processes form malware and is very useful on fake alert threats. Chameleon is in a sub folder within the Malwarebytes' main folder.

Below are my testing results that I published to my colleagues with some edits in order to present this to you in an easier to understand language. We are all IT folk so I tend to write to them differently than I would write to Gizmo's readers. Below I speak about System Check which is a rather nasty fake alert. In my next upcoming post I am going to present some methods for removal of these threats along with reviews of Rootkit Scanners. It has been very busy at work and I perform testing in my spare time, of which there has been very little. But I wanted to share this with you so you can add Chameleon to your USB stick.

Below, MBAM is short for Malwarebytes' Anti-Malware. And Rkill is another tool for stopping processes which I will comment on later. The next two paragraphs are from my letter to co-workers:

I tested Chameleon on System Check which is worse than most of the fake alerts in that it hides, everything. I stepped through the instructions listed in the first post of the link provided. I clicked the first box and it opened a small DOS window and then proceeds to kill processes and then update and run MBAM. All of this worked great, and had an unexpected side effect. When it killed the process I think it also killed the ability of this ‘New and Improved’ System Check from deactivating your partitions. I rebooted and came right back into Windows albeit with a black desktop and everything hidden, but it booted!! (But keep in mind, I ran this right after infection, your user will have rebooted probably. More on this below.) I didn’t clean it when MBAM ran this first time because John found that you can run Chameleon as a standalone from your USB stick, and I wanted to test. Sure enough, I copied the whole Chameleon folder over and ran the file from there. Chameleon worked just as it did before, perfect.

So this will be a permanent addition to my USB stick. This will give us the ability to stop the processes fake alerts are running right from your USB and then be able to install and run MBAM without it being compromised. Rkill works much the same way, but is a bit dicey when it runs. In order to shutdown what’s running it will actually rename files. This can be bad however because now MBAM or whatever is being used may not find the renamed file. I would always note the path from Rkill and rename it back to original so MBAM could find it.

I have other news I wanted to share with you about a tool I'm building that will reverse the damage done by the these fake alerts like System Check I refer to above, when they hide all of your menus and folders. I had posted it here but it was too lengthy. I will post a link to it so that you can read it at your leisure. Until than please check out Chameleon as it will be a good addition to any USB stick.

  Read this article in Spanish (Español)

 
In a Hurry?

Go to details...  Go straight to the Quick Selection Guide

 
Discussion

There are a lot of anti-rootkit programs available, a lot of this software is very advanced and requires an experienced and technical minded user who is familiar with computers and operating systems. However, there are a couple of options that do not require much technical ability and are also very effective.

Kaspersky TDSSKillerThe new Top pick is Kaspersky TDSSKiller. It has an easy to use GUI, fast scan times, great detection rate and is user friendly.

TDSS Killer managed to detect and remove all modern rootkits tested (TDSS, Zeus, TDLV4, etc). The only down side is TDSS Killer seems to have a narrow range of the rootkits it detects but hopefully more types will be added over time. If more strains are added this may become the definitive tool for removal of rootkits.

In my testing what it’s designed to scan for it finds every time and removes it easily and positively. The positives far outweigh the negatives on this one. TDSS Killer also includes 64 bit functionality which is a huge plus.

 

GMERRootRepealI have two top choices for all the experienced and technical users GMER and RootRepeal. These are very popular applications, but it takes someone pretty knowledgeable about computer systems to be able to interpret the results. You can find a lot of documentation on both programs but if you are the type of person (like me) who likes to click the scan button and simply wait for the results, you would be better served with TDSS Killer.

For the average user I cannot recommend either of these as without comprehensive computer knowledge the results would be very hard to interpret. I even have a hard time understanding the data. In my work I usually have no time to refer to the documentation and must move quickly to restore a computer to working condition. However, if a particularly difficult infection is present these tools are invaluable because of the wealth of information. I prefer GMER as I find the initial scanning process easier to use and it had a better detection rate han RootRepeal.

 

Avast Anti-Rootkit Avast Anti-Rootkit resembles a command prompt window but is fairly easy to use. It lets you scan your computer and MBR for rootkits and even fixes any issues. Understanding the output from Avast Anti-rootkit may be a little hard for some users but it does the job well. I tested it against TDSS and several other modern rootkits and it found all of them. Removal on the other hand was not as good as some of the other tools. But what it does have is a very useful tool that I personally would not be without; the ability to perform FixMBR right from within Windows. Normally one would have to boot to a Windows XP disc or Windows 7 recovery disc to perform this command but Avast Anti-Rootkit has a built in ‘FixMBR’ button that with one click will write a new Master Boot Record which is often necessary in the removal of rootkits. This is very useful as you may not always have a Windows disc on hand in the field. I keep this on my USB drive at all times.

 

Dr.Web CureIt!The next product that I looked at is one that I always keep in my toolkit. Dr.Web CureIt! is not a standalone anti-rootkit tool like the other tools I recommended, rather it is a free malware scanner and removal tool that happens to be pretty effective at removing some rootkits but doesn’t detect the modern threats in my testing. It is always a good idea to have more than one tool capable of removal, so Dr. Web's freeware scanner is a great addition to anybody's arsenal. What I have found useful is the sandbox environment it creates when it’s run. This is good as it stops all processes  that some malware may try to run. It is also able to deep scan your drive and you can reboot back into this environment for further scanning and removal.

 
Other Rootkit Scanners and Removers

Sophos Anti-Rootkit Sophos Anti-Rootkit has a small but easy to use interface with no options other than choosing where you want to scan. As it scans it opens up to a slightly larger interface where it lists the results of the scan and gives you information about each result as well as a recommendation for them. Additionally, a small help file is available that explains the program in a little more detail and gives directions on how to use the command line anti-rootkit tool which is also included. This would be a great tool if it was kept up-to-date but in my testing it failed to find or remove any of the modern threats I tested.

 

F-Secure BlacklightF-Secure Blacklight is another great tool for rootkit removal. Unfortunately, support for it ended a couple of years ago. However, you can still download it on the F-Secure web site and it is compatible with Windows Vista and XP.

Still works well for older rootkits but gives "Incompatible" error if ran on Windows 7. Blacklight is also unable to detect most modern rootkits and therefore, I recommend one of the other tools for now.

 

Prevx FreePrevx Free, the free version of Prevx, offers the same class leading real time detection of the full version but unfortunately it doesn't offer much more than this. Prevx Free is only capable of cleaning select infections, such as Adware, the ZEUS banking trojan, and MBR rootkits. When dealing with rootkits detection is definitely very important, so even if you can't clean all infections you might at least be alerted, enabling you to take further action and manually remove the rootkit or seek help in doing so. As hard as it is to detect the newer, ever evolving rootkits and viruses, Prevx can be a very powerful and informative addition to your regular anti-virus software.

Additionally, Prevx Free can run customized scans from the context menu and also gives you the ability to schedule scans. Another plus is that it scans quickly. The free version also offers protection of stored cookies as well as protection for all of your saved credentials. There is also a browser protection component in the free version but it only offers custom protection on only one web site of your choice. It does however, give the full Prevx Safe Online protection, which includes anti-phishing, protection against hijacks, keyloggers, and cookie stealers for a number of popular websites such as PayPal, or Amazon and of course the one website of your choice.

I have included the previous editor’s information above but would note that given the limited functionality of Prevx Free, I mainly use it for detection. Often I need to not only detect but to remove in one scan using one tool.

As I mentioned above I will leave links to the applications mentioned here as they might work for you and be your favorites. I don’t want to discourage the use of any of them but the ones I haven’t had much success with are in the Other Scanners section; so I cannot recommend them. If they work for you that’s great and I would love to hear of your successes in the comments section.

Along with my goal to provide help is also to give you only what I have found that works. I am always open however to learning of new methods and tools. I love tools and am a firm believer that you cannot have too many. In the ever changing world of threat removal we need many tools to detect and remove.

 
Related Products and Links

You might want to check out these articles too:

 
Quick Selection Guide

Kaspersky TDSSKiller
5
 
Gizmo's Freeware award as the best product in its class!

Runs as a stand-alone program on a user's computer
Easy to use GUI, high detection rate, removed all infected files in tests and is 64 bit compatible.
Limited scope and range of types of rootkits detected.
3.0.0.14
1870 KB
32 bit but 64 bit compatible
Unrestricted freeware
Windows
GMER
4
 
Runs as a stand-alone program on a user's computer
Considered class-leading technology.
No help file, but information online. Not suitable for average users.
http://www.gmer.net/
http://www.gmer.net/
2.1.19163
369 KB ZIP
Unrestricted freeware
A portable version of this product is available from the developer.
Windows 2000 to 8
Avast Anti-Rootkit
4
 
Runs as a stand-alone program on a user's computer
Works well. Detects most rootkits, easy to use. ‘FixMBR’ function within Windows is invaluable; a must have on any USB flash drive.
Results sometimes hard to interpret and removal failed on some rootkits.
http://www.avast.com/
0.9.9
1870 KB
Unrestricted freeware
There is no portable version of this product available.
Tested on Windows 7
Dr.Web CureIt!
3
 
Runs as a stand-alone program on a user's computer
Sandbox environment useful for halting processes and scanning MBR.
Unable to detect some of the modern rootkits.
6.00.4
115 MB
32 bit but 64 bit compatible
Unrestricted freeware
This product is portable.
All Windows Platforms

 
Editor

This software category is in need of an editor. If you would like to give something back to the freeware community by taking it over, check out this page for more details. You can then contact us from that page or by clicking here

anti-rootkit, rootkit scanner, rootkit remover, free rootkit scanner, free rootkit remover, freeware, rootkit eliminator, rootkit detection

Back to the top of the article.

 

Share this
4.198415
Average: 4.2 (126 votes)
Your rating: None

Comments

by SonarB on 6. February 2010 - 5:56  (42928)

Hi DLC50,
I have signed up and sent you my tech issue thru the contact link. Hope it is not a rootkit infection but something much easier to fix.
Thanks, SonarB

by DLC50 on 5. February 2010 - 16:08  (42890)

No as far as I know TDSSkiller is not in the suite. You can get it on their web site, along with several other free virus removal tools. I am confused with the rest of your comment though, you say you reinstalled but then you say something about an immage that might be infected. Pleas clarify.
I can tell you this, if you have other backup images other than that one, then delete it.

by Anonymous on 5. February 2010 - 10:46  (42862)

Hi DLC50 and forum users here,
I bought (about Oct 2009) a used but fairly new DELL Studio 1537 (T6400 core2duo Vista 64-bit home prem) from ebay (factory warranty expired 1/20/2010). The laptop looked like it was restored to factor install when I received it and I did not activate the included TrendMicro, since I planned on replacing later with Zone Alarm ISS or Kaspersky's ISS. When I started to regularly use the laptop (Jan 2010), it began having reboot problems with windows attempting to repair but failed. I backed up the 3 original factory partitions (1st one -86mb size, 2nd one -10.gb recovery, and 3rd one -287gb) with Acronis TI Home 2010 and used WinPE cd (created from WinAIK with help from Wilders Security forum) to recover original factory install (it seemed previous f8 at bootup time will not open the factory restore option). However, after successfully reinstalling the original factory installation (Vista 64 Home Prem) and after it rebooted up to two times (drivers loading etc.), it started giving me a blue screen error message "IRQ9L .... not equal or less ... etc". I tried restoring all 3 partitions using the Acronis backup and still it comes up to the same blue screen error. I had also replaced with a new similar sized (320gb) HD, restored all 3 partitions (thru Acronis) and still encounter the same blue screen error. Could this be a rootkit infection? I guessed this is one frustrating reason why the previous owner wanted to sell this laptop sooner (less than 1 year owned). I pulled out each HD (the original and the 2nd new one), hooked up as an external USB HD and ran chkdsk (using another laptop w/ win XP) with option /r. On the first pass (on each HD), chkdsk notified it corrected some files and next reruns came out OK. By the way, are rootkits infection transferrable to other PCs, even while running tests on the infected HD hooked up as an external USB? I would appreciate any helpful response here. I am also interested in using sophos and at least another software tool (Dr. WebCureIt, Avast, Threatfire, TDSSkiller, Combofix or Unhackme) - which please recommend. Thank you for sharing your tech notes at this forum site. God bless your work. SonarB

by DLC50 on 5. February 2010 - 16:59  (42896)

I am creating a new thread in the forum to help with your problem, I am sorry if you did not want to register but the forum is more suited for this. I think you have hardware problems and I think I can help you, IRQ9L is ACPI controller and my guess is thats conflicting with PCI so register( it is fast and easy) and come and post in the forum here I have created a thread.
http://www.techsupportalert.com/freeware-forum/general-computer-support/...
I have already created some steps for you to follow, so do this and let me know, Good Luck.

by Anupam on 5. February 2010 - 17:30  (42897)

I have disapproved the above mentioned thread. Reasons being, the thread does not say anything at all about the original problem, nor does it refers to this comment here. People can't just give help, if they don't know what is the thread referring to.

Second, if a user has a problem, which will be difficult to track here, they have to register on the forum. If they do not want to register, it will be quite difficult for us to provide help in an organized, and effective manner. We will not post queries on behalf of the users on the forum. They themselves have to do that, unless they have a genuine problem registering on the forum. Many of the users register on the forum, and then post their queries, and others should do the same.

by MidnightCowboy on 5. February 2010 - 13:55  (42885)

The proper place to make requests for assistance of this nature is here in the forum:
http://www.techsupportalert.com/freeware-forum/general-computer-support/

by MidnightCowboy on 4. February 2010 - 16:10  (42799)

Please be aware that we are having some difficulty tying down just exactly which features are included in the free version of Prevx linked to above. We are attempting to clarify this now with the vendor and will amend the article if necessary after we receive their reply.

by Anonymous on 3. February 2010 - 19:35  (42715)

From a posting at Wilders Security...I agree

"If all you need is on-demand, I'd personally go with Hitman Pro. Fast, multi-engined and better on-demand detection and removal of advanced stuff both MBAM and SAS misses, like the latest TDL3.3 rootkit. Obviously, keep something for on-demand".

by DLC50 on 4. February 2010 - 1:19  (42732)

Well a lot of people from Surfright have said that this is true. The first TDL3 rootkit was more advanced, or maybe successful is a better word. Any way I will be sure to include Hitman in the testing and I am in the process of updating this and writing an article on rootkit detection and removal. I did not like the earlier versions of Hitman but have not tried the new one. Has it improved a lot?

by Anonymous on 4. February 2010 - 4:23  (42745)

Hi DLC50, from reading Wilders Security forum, yeah Hitman Pro has matured into a very reliable scanner.

by Anonymous on 3. February 2010 - 11:52  (42697)

Hi,

I cant find the portable version of Root Repeal.
Can somebody give me a hint

Thx

Andi

by MidnightCowboy on 3. February 2010 - 15:11  (42706)

The link above is it

by Anonymous on 4. February 2010 - 13:40  (42771)

Thanks alot !

by Anonymous on 2. February 2010 - 14:42  (42612)

Hi DLC50, thanks for answering our questions, I am quite new to this rootkit infection as I though anti virus scanner can identify a rootkit and remove it from the system, but apparently even anti virus can't remove it.

So I've been using the scanners listed above sophos anti rootkit, Dr web, and (was going to use F secure blacklight but I read above is out of date so I didn't bother to use it) and they all came up clean. I had use gmer and it was a pain to use cos every time it scan and I save the text log onto notepad my PC crashes and then it restart itself every time. I one time manage to save it to notepad once before it restart my PC and the results looked clean I think as it did not display hidden items, but gmer was not very user friendly in displaying the results.

So my question is sophos anti rootkit scanner does not have an update database like an antivirus, so how can it detect newer release rootkits. Also how would you rate Avira antivirus rootkit scanner to scan for rootkits, is it as good as the list above.

Thanks

by DLC50 on 2. February 2010 - 16:21  (42618)

Well neither GMER nor RootRepeal are very user friendly, they are advanced tools. A lot of the ARK tools do not have an update database because they do not scan using signatures. Since rootkits hide so well from user and OS signatures are almost pointless within a On-Line Operating System, if you are in a recovery environment such as Win PE, signatures have a better chance. Sophos and some of the other tools scan for hidden files, processes, registry keys, and some search the Windows API. The point is that they all work differently.

by Anonymous on 1. February 2010 - 3:52  (42517)

I just read this on a Wilders Security posting. I didn't know getting a rootkit infection was so easy. A little scary...

"rootkits can be introduce not only from trojans but now from rouges and fake antivirus also and some of them are not detected by antivirus companies."

by DLC50 on 1. February 2010 - 15:44  (42553)

Yeah getting a rootkit can be very dangerous, and yes it is very serious. Fortunately there are several forums that can help you out if you need it. The scary thing about a rootkit is that you probably will never even know you have one installed. They can intercept request for a list of file or processes and only show you what it wants you to see. So there will be nothing suspicious in task manager. They even have the ability to detect when an AV starts a scan, and they can suspend their activity and hide so the AV doesn't notice any suspicious activity in the file system and all is clean. The first rootkit infection I ever removed from a computer taught me a lesson. Sometimes the only thing you will notice is a couple of files missing in explorer. Two things to remember, there is no such thing as a perfect rootkit, and there is definitely no such thing as a perfect anti rootkit.

by Anonymous on 29. January 2010 - 0:43  (42299)

Just ran Sophos and it came up with a couple of hundred "hidden" files that (1) were not hidden, and (2) as far as I can see are legitimate files. What's the point of that? Next up - uninstall Sophos.

by DLC50 on 29. January 2010 - 3:33  (42307)

Well there is a lot of software that use rootkit techniques for various reasons, such as a security app does. A lot of anti rootkit tools will detect these as well malicious ones. Sophos also gives recommendations on all of those files that it listed as suspicious.

by MidnightCowboy on 28. January 2010 - 20:13  (42286)

DLC50 has asked me to inform visitors to his categories that he will be away for a while but will respond to any comments as soon as he is able to.

by Anonymous on 28. January 2010 - 18:31  (42283)

I'm a long-time Gizmo 'fan', and an old-timer with PC's, but I seem to recall the rootkit 'scare' from years back, when we used PREV? or an AVG rootkit scanner/remover {or was it from Lavasoft?}. Even back then, I scanned like hell but never found a rootkit.
So I thought, just for fun, I'd run all the recommended software listed above, as I'm long overdue to scan and remove any!, and here's my comments:
1. SOPHOS: took awhile {45 mins elapsed for 30 gb of data}. Seems thorough. It found 3 'unknown and hidden' files {4 from grandson's gaming software from 2+ years back}.
2. Root Repeal: Lots of options to run makes it confusing, but overall, it was faster than SOPHOS by 15 minutes. Found 16 ‘SSTD’ files, and an MPG video file that were ‘suspect’. Problem was that there was little documentation as to what these really are, so didn’t take any action!
3. GMER: this one took off like a bat outa' hell. I have no idea what it did, but for the first time in YEARS, literally, it hung my PC and I had to reboot. A 2nd try did the SAME THING! I was NOT impressed. I’d leave this one alone!
4. F-SECURE Blacklight: ran quickly, found nothing. And since it's no longer supported, it probably doesn't have all the guts to find any newer rootkits?
5. Dr. Web Cure It: I always shrug when I run web-based stuff, wondering what it's really doing, if anything. This was a great example. I have no idea what it did after 'registering' from the pretty green splash-screen. To me, useless.

by DLC50 on 29. January 2010 - 3:24  (42305)

I am currently in the process of upgrading the review, but a lot of the same programs will still be included. All of these apps look for rootkits in different ways, that is why one scans a long time and the others can scan fast. Dr. Web Cure It is not web based, I do not know if you went to the hame page I provided their is a web based scanner but Dr Web Cure It is a downloaded exe application and is no way web based, it does not even connect to the internet unless you choose to buy the commercial version. You are correct about F-Secure, it is not too good at removing newer rootkits as others. The most effective at removing sophisticated rootkits are GMER and RootRepeal,DSE, Kernel Detective, but these are very advanced like you said. You can however save the report from the rootrepeal scan that you did and upload it to a forum for help, there are several such forums areound the net. A lot of the anti rootkit tools that were around a couple of years ago are not supported now so it is more difficult to find tools that are capable of removing the latest threats, and are also easy enough for everyone to use and understand. I will be publishing an article sometime soon to give tips on how to recognize when your infected as well as some tips on removal and prevention.

by Anonymous on 29. January 2010 - 3:39  (42308)

Can you provide the names of some of the forums you mentioned where we can send the reports from our scans?

by DLC50 on 29. January 2010 - 18:27  (42371)

Here you go. Their are several such forums around the net but these are the ones I usually direct people to. Please read the TOS and suggestions before posting because if you do not post with all the information that they require, you will not get an answer. Also, a lot of these forums request you to submit a Hijack This Log first. Always post the HJT log and the info about your OS and hardware before posting logs from the rootkit tools. After you do this they will give you a chance to post the rootkit logs. The reason for this is that these logs contain a lot of information and if you post it first you will not get a reply. Good Luck and if none of these forums are right for you, contact me or run a search, but I will be glad to help out.

http://www.dslreports.com/forum/cleanup~filter=Rootkit
http://malwareremoval.com/forum/viewforum.php?f=11
http://www.spywareinfoforum.com/index.php?showforum=18

by Anonymous on 28. January 2010 - 16:42  (42279)

After formating and installing Windows several times in a machine that previously had XP SP1, I came to the conclusion the rootkit lived in the boot sector. I have also come across rootkits that hide programing in the pagefile.sys.

by Anonymous on 28. January 2010 - 16:35  (42278)

HitMan Pro used to be quite good - their version 3 is cloud-based - any recommendations?
http://www.surfright.nl/en

by Anonymous on 22. January 2010 - 20:49  (41764)

You have to fill out a registration form for Sophos. I like F-Secure; it scanned in only 6 minutes.

by Anonymous on 29. January 2010 - 19:48  (42378)

see posts below re download links for sophos, no reg required!

by DLC50 on 22. January 2010 - 21:37  (41767)

F-Secure is a great tool, the only problem is that sense it hasn't been updated in a while it can't detect more modern and advanced rootkits that are being developed today. For this you need Sophos, or RootRepeal to better detect the newer rootkits.

by Anonymous on 28. January 2010 - 14:32  (42267)

Is there a difference between the home and business versions of the Sophos product?

Gizmos Needs You

Gizmo's Freeware is Recruiting

 We are looking for people with skills or interest in the following areas:
 -  Mobile Platform App Reviews for Android and iOS
 -  Windows, Mac and Linux software reviews       Interested? Click here