Best Free Rootkit Scanner and Remover

 
Introduction

My co-worker John C from our east coast office came across a page on Malwarebytes' forums and thought I would share since we are putting together our tools for threat removal. The use of italics is my clumsy way of differentiating what I'm writing to Gizmo's readers and what I published to colleagues. Here is the page Malware Removal Guides and Self Help Guides.

If you read the first post it refers to Chameleon. This is a tool within Malwarebytes that can find and stop running processes form malware and is very useful on fake alert threats. Chameleon is in a sub folder within the Malwarebytes' main folder.

Below are my testing results that I published to my colleagues with some edits in order to present this to you in an easier to understand language. We are all IT folk so I tend to write to them differently than I would write to Gizmo's readers. Below I speak about System Check which is a rather nasty fake alert. In my next upcoming post I am going to present some methods for removal of these threats along with reviews of Rootkit Scanners. It has been very busy at work and I perform testing in my spare time, of which there has been very little. But I wanted to share this with you so you can add Chameleon to your USB stick.

Below, MBAM is short for Malwarebytes' Anti-Malware. And Rkill is another tool for stopping processes which I will comment on later. The next two paragraphs are from my letter to co-workers:

I tested Chameleon on System Check which is worse than most of the fake alerts in that it hides, everything. I stepped through the instructions listed in the first post of the link provided. I clicked the first box and it opened a small DOS window and then proceeds to kill processes and then update and run MBAM. All of this worked great, and had an unexpected side effect. When it killed the process I think it also killed the ability of this ‘New and Improved’ System Check from deactivating your partitions. I rebooted and came right back into Windows albeit with a black desktop and everything hidden, but it booted!! (But keep in mind, I ran this right after infection, your user will have rebooted probably. More on this below.) I didn’t clean it when MBAM ran this first time because John found that you can run Chameleon as a standalone from your USB stick, and I wanted to test. Sure enough, I copied the whole Chameleon folder over and ran the file from there. Chameleon worked just as it did before, perfect.

So this will be a permanent addition to my USB stick. This will give us the ability to stop the processes fake alerts are running right from your USB and then be able to install and run MBAM without it being compromised. Rkill works much the same way, but is a bit dicey when it runs. In order to shutdown what’s running it will actually rename files. This can be bad however because now MBAM or whatever is being used may not find the renamed file. I would always note the path from Rkill and rename it back to original so MBAM could find it.

I have other news I wanted to share with you about a tool I'm building that will reverse the damage done by the these fake alerts like System Check I refer to above, when they hide all of your menus and folders. I had posted it here but it was too lengthy. I will post a link to it so that you can read it at your leisure. Until than please check out Chameleon as it will be a good addition to any USB stick.

  Read this article in Spanish (Español)

 
In a Hurry?

Go to details...  Go straight to the Quick Selection Guide

 
Discussion

There are a lot of anti-rootkit programs available, a lot of this software is very advanced and requires an experienced and technical minded user who is familiar with computers and operating systems. However, there are a couple of options that do not require much technical ability and are also very effective.

Kaspersky TDSSKillerThe new Top pick is Kaspersky TDSSKiller. It has an easy to use GUI, fast scan times, great detection rate and is user friendly.

TDSS Killer managed to detect and remove all modern rootkits tested (TDSS, Zeus, TDLV4, etc). The only down side is TDSS Killer seems to have a narrow range of the rootkits it detects but hopefully more types will be added over time. If more strains are added this may become the definitive tool for removal of rootkits.

In my testing what it’s designed to scan for it finds every time and removes it easily and positively. The positives far outweigh the negatives on this one. TDSS Killer also includes 64 bit functionality which is a huge plus.

 

GMERRootRepealI have two top choices for all the experienced and technical users GMER and RootRepeal. These are very popular applications, but it takes someone pretty knowledgeable about computer systems to be able to interpret the results. You can find a lot of documentation on both programs but if you are the type of person (like me) who likes to click the scan button and simply wait for the results, you would be better served with TDSS Killer.

For the average user I cannot recommend either of these as without comprehensive computer knowledge the results would be very hard to interpret. I even have a hard time understanding the data. In my work I usually have no time to refer to the documentation and must move quickly to restore a computer to working condition. However, if a particularly difficult infection is present these tools are invaluable because of the wealth of information. I prefer GMER as I find the initial scanning process easier to use and it had a better detection rate han RootRepeal.

 

Avast Anti-Rootkit Avast Anti-Rootkit resembles a command prompt window but is fairly easy to use. It lets you scan your computer and MBR for rootkits and even fixes any issues. Understanding the output from Avast Anti-rootkit may be a little hard for some users but it does the job well. I tested it against TDSS and several other modern rootkits and it found all of them. Removal on the other hand was not as good as some of the other tools. But what it does have is a very useful tool that I personally would not be without; the ability to perform FixMBR right from within Windows. Normally one would have to boot to a Windows XP disc or Windows 7 recovery disc to perform this command but Avast Anti-Rootkit has a built in ‘FixMBR’ button that with one click will write a new Master Boot Record which is often necessary in the removal of rootkits. This is very useful as you may not always have a Windows disc on hand in the field. I keep this on my USB drive at all times.

 

Dr.Web CureIt!The next product that I looked at is one that I always keep in my toolkit. Dr.Web CureIt! is not a standalone anti-rootkit tool like the other tools I recommended, rather it is a free malware scanner and removal tool that happens to be pretty effective at removing some rootkits but doesn’t detect the modern threats in my testing. It is always a good idea to have more than one tool capable of removal, so Dr. Web's freeware scanner is a great addition to anybody's arsenal. What I have found useful is the sandbox environment it creates when it’s run. This is good as it stops all processes  that some malware may try to run. It is also able to deep scan your drive and you can reboot back into this environment for further scanning and removal.

 
Other Rootkit Scanners and Removers

Sophos Anti-Rootkit Sophos Anti-Rootkit has a small but easy to use interface with no options other than choosing where you want to scan. As it scans it opens up to a slightly larger interface where it lists the results of the scan and gives you information about each result as well as a recommendation for them. Additionally, a small help file is available that explains the program in a little more detail and gives directions on how to use the command line anti-rootkit tool which is also included. This would be a great tool if it was kept up-to-date but in my testing it failed to find or remove any of the modern threats I tested.

 

F-Secure BlacklightF-Secure Blacklight is another great tool for rootkit removal. Unfortunately, support for it ended a couple of years ago. However, you can still download it on the F-Secure web site and it is compatible with Windows Vista and XP.

Still works well for older rootkits but gives "Incompatible" error if ran on Windows 7. Blacklight is also unable to detect most modern rootkits and therefore, I recommend one of the other tools for now.

 

Prevx FreePrevx Free, the free version of Prevx, offers the same class leading real time detection of the full version but unfortunately it doesn't offer much more than this. Prevx Free is only capable of cleaning select infections, such as Adware, the ZEUS banking trojan, and MBR rootkits. When dealing with rootkits detection is definitely very important, so even if you can't clean all infections you might at least be alerted, enabling you to take further action and manually remove the rootkit or seek help in doing so. As hard as it is to detect the newer, ever evolving rootkits and viruses, Prevx can be a very powerful and informative addition to your regular anti-virus software.

Additionally, Prevx Free can run customized scans from the context menu and also gives you the ability to schedule scans. Another plus is that it scans quickly. The free version also offers protection of stored cookies as well as protection for all of your saved credentials. There is also a browser protection component in the free version but it only offers custom protection on only one web site of your choice. It does however, give the full Prevx Safe Online protection, which includes anti-phishing, protection against hijacks, keyloggers, and cookie stealers for a number of popular websites such as PayPal, or Amazon and of course the one website of your choice.

I have included the previous editor’s information above but would note that given the limited functionality of Prevx Free, I mainly use it for detection. Often I need to not only detect but to remove in one scan using one tool.

As I mentioned above I will leave links to the applications mentioned here as they might work for you and be your favorites. I don’t want to discourage the use of any of them but the ones I haven’t had much success with are in the Other Scanners section; so I cannot recommend them. If they work for you that’s great and I would love to hear of your successes in the comments section.

Along with my goal to provide help is also to give you only what I have found that works. I am always open however to learning of new methods and tools. I love tools and am a firm believer that you cannot have too many. In the ever changing world of threat removal we need many tools to detect and remove.

 
Related Products and Links

You might want to check out these articles too:

 
Quick Selection Guide

Kaspersky TDSSKiller
5
 
Gizmo's Freeware award as the best product in its class!

Runs as a stand-alone program on a user's computer
Easy to use GUI, high detection rate, removed all infected files in tests and is 64 bit compatible.
Limited scope and range of types of rootkits detected.
3.0.0.14
1870 KB
32 bit but 64 bit compatible
Unrestricted freeware
Windows
GMER
4
 
Runs as a stand-alone program on a user's computer
Considered class-leading technology.
No help file, but information online. Not suitable for average users.
http://www.gmer.net/
http://www.gmer.net/
2.1.19163
369 KB ZIP
Unrestricted freeware
A portable version of this product is available from the developer.
Windows 2000 to 8
Avast Anti-Rootkit
4
 
Runs as a stand-alone program on a user's computer
Works well. Detects most rootkits, easy to use. ‘FixMBR’ function within Windows is invaluable; a must have on any USB flash drive.
Results sometimes hard to interpret and removal failed on some rootkits.
http://www.avast.com/
0.9.9
1870 KB
Unrestricted freeware
There is no portable version of this product available.
Tested on Windows 7
Dr.Web CureIt!
3
 
Runs as a stand-alone program on a user's computer
Sandbox environment useful for halting processes and scanning MBR.
Unable to detect some of the modern rootkits.
6.00.4
115 MB
32 bit but 64 bit compatible
Unrestricted freeware
This product is portable.
All Windows Platforms

 
Editor

This software category is in need of an editor. If you would like to give something back to the freeware community by taking it over, check out this page for more details. You can then contact us from that page or by clicking here

anti-rootkit, rootkit scanner, rootkit remover, free rootkit scanner, free rootkit remover, freeware, rootkit eliminator, rootkit detection

Back to the top of the article.

 

Share this
4.204725
Average: 4.2 (127 votes)
Your rating: None

Comments

by Anonymous on 17. January 2010 - 10:47  (41290)

I would like to ask the editor why is rootkit unhooker removed? Does that mean it is not effective?

Reagards
max

by DLC50 on 17. January 2010 - 15:17  (41307)

No not at all. RkU (Rootkit Unhooker) is a great program, but it has just been bought by Microsoft I heard, and there is only one place I have found to download it from and you have to be a registered member to get permission to download it. It just seemed better that we remove it for the time being. I assure you it is one of the very best in this category

by Anonymous on 19. January 2010 - 20:12  (41561)

You can download it from here - no registration needed: http[COLON]/www[DOT]rootkit[DOT]com/blog.php?newsid=993.

Moderators comment:
This link is borderline according to our WOT site ratings policy.
It is however acceptable in it's current state. Visitors should double check this for themselves before downloading in case this rating changes.

by Anthony on 31. January 2010 - 14:10  (42470)

FWIW , I have just (31/01/2010) checked this link/site with LinkExtend toolbar in Firefox 3.6. ; it has 7 site advisors , including WOT , and it shows one green , two orange (incl. WOT) and two red (incl. Norton) and is calling High Risk .

Anthony

by DLC50 on 31. January 2010 - 17:00  (42475)

Yes this is the reason that I took it out of the review. This is a legitimate and good website, but they provide some nasty stuff to members for educational purposes. However, Microsoft has bought RkU so I am hoping that soon their will be a link available to download from Microsoft.

by DLC50 on 19. January 2010 - 22:36  (41568)

Yes. It also says that you have to be registered to access the downloads vault, but I suppose that must be for different items.

by Anonymous on 18. January 2010 - 5:46  (41382)

Thanks for the reply.

Regards
max

by Anonymous on 9. January 2010 - 6:09  (40677)

Is it necessary to use the standalone antirootkit program from Avast since this tech is said to be in the regular antivirus program? Are both based on GMER technology and equally effective as the other?

by DLC50 on 13. January 2010 - 3:34  (40927)

Yes both are based on the GMER anti rootkit but hardly any program will detect every rootkit so it is useful have a couple of these tools available just in case your AV misses one.

by Anonymous on 13. January 2010 - 4:16  (40930)

But isn't it the same program, just "separated?"

by DLC50 on 13. January 2010 - 19:18  (40974)

Yes they are the same. Avast uses GMER technology to detect rootkits. The only difference in the two would be how they display results. GMER displays all hidden objects and gives a warning if it has found rootkit activity, but leaves it up too you to decide if it is a malicious rootkit or not. Avast scans all these hidden objects and decides what is malicious or not for you.

by Anonymous on 8. January 2010 - 2:32  (40539)

It seems that Panda Anti-Rootkit doesn't work on Vista, along with Threatfire, Panda Cloud AV, AVG, AdAware, and a whole bunch of other free programs. Thank you, Microsoft!

by Anonymous on 6. January 2010 - 18:33  (40413)

Threatfire scans for both trojans and rootkits. Is it better at finding trojans than rootkits?

by MidnightCowboy on 6. January 2010 - 18:56  (40418)

There actually could be little difference between the two, or a lot depending on the nature of the malware. Sometimes for instance rootkits are used as a means of concealing trojan activity. In truth, the dividing lines between all types of malware are not so easy to define as they were a few years ago.

Threatfire remains an excellent choice for non signature based detections. In fact it uses behavioral technology to analyze the actions of software on your computer and then advises you if it believes any of these to be typical of malware activity. Unless your knowledge of Windows is high you would need to leave the program at its default install settings and not attempt to increase it's sensitivity level or add custom rules. Even so, you still run the risk that a legitimate program component or Windows system file may be flagged as dangerous (false positive) so you should also be prepared to do some external research to confirm any findings before deleting the results.

by Anonymous on 22. December 2009 - 19:10  (39172)

Just a heads up. Lately I've had several rootkit infections to deal with. I found panda-anti-rootkit to be completely useless. Gmer and the others are incomprehensible to me and I'm an IT Pro. Do these apps do anything besides list streams of data? Also What good is rootkit detection without REMOVAL!!!

What DID work was kaspersky's TDSSkiller tool. TDSS is apparently a very common and VERY problematic rootkit that is a BITCH to remove. Dr. web Cure IT and malwarebytes identified the infection but failed to remove it. TDSSkiller killed the rootkit in about 1 sec - literally 1 sec.

-J

by Anonymous on 8. January 2010 - 0:56  (40531)

The best for Rootkits or other nasties is Disk Image Backups! Cannot be beat...

by Anonymous on 26. December 2009 - 1:05  (39476)

You might try using Avira free, Avira Recuse System--Linux based, and A-squared free. These are the first options I would use for rootkits. I have also read of some pc-geeks simply wiping-reformatting and reinstalling windows and a few toss out the HD and buy a new one...

by Anonymous on 28. November 2009 - 19:30  (37479)

Can you please update this article to include programs that will work with Vista and 7 for people who aren't computer experts? Can you also address how the rootkit scanner now built into Avast does? Thanks.

by Anonymous on 17. November 2009 - 2:12  (36743)

I have limited exposure to rootkits (as far as I know). I have been fighting an issue with my cousin's computer for a couple of years each time I go visit him in another state. I never stay long enough to backup, format, and reinstall, so I just scan with various anti spyware programs and hope I find something. This last trip I gave up on AVG free and installed the new Microsoft Security Essentials. Not a minute later, a trojan named LinkOptimizer showed up. MSE couldn't remove it, but it gave me a filename and a location. I couldn't find it in Windows Explorer so I figured it was a rootkit.
I booted into my Puppy Linux CD and mounted the hard drive and removed the file. The file date was May of 2007!
I ran F-Prot from the CD. I don't know how good the program is, but it didn't find anything. My cousin has had no problems since. I also removed the 3 references to the file com4.vpq in the registry.

by Anonymous on 19. November 2009 - 2:39  (36879)

In my experience, rootkit or not, ComboFix alone, will knock out most stubborn malware, that most other scanners either do not detect or cannot get rid of. ComboFix is a last resort, but it works.

by Anonymous on 8. November 2009 - 9:47  (36217)

I'm with you Man, #24 So What, it's like "What did Chicken Little Have For Dinner".

by Anonymous on 4. November 2009 - 22:11  (35844)

This is a promising article on rootkits. http://www.sciencedaily.com/releases/2009/11/091103102246.htm

by Anonymous on 27. September 2009 - 19:12  (33424)

Some Rootkits hide so well, that nothing you use will get rid of it. Sometimes re-installing Windows will not even get rid of it. The best thing to do is to make regular image backups, and if you get infected, wipe and restore the last uninfected image. A better option than cleanly wiping and re-installing.

by Danaj on 20. August 2009 - 2:12  (31200)

I have to add my recommendation for Sophos Anti Rootkit. It found and removed hidden objects that Panda didn't even find. I'm not saying that it is a silver bullet, and it can't remove everything it finds, but it did find things that Panda didn't.
BUT there is still an infection that even this couldn't deal with on one of our pc's at work.

I have tried UnHackme, and it DID get rid of the root kit, but the system was so borked by that time that we had to do a reinstall of windows.

So try Sophos anyway, who knows, it may work for you.

by ianjrichards (not verified) on 10. August 2009 - 2:27  (26718)

I received this note via the site contact form:

Hello,

Sophos has recently released an updated version of their free anti-rootkit tool.

Along with increased detection Sophos has added support for the following operating systems;

Windows Vista
Windows Server 2008
Windows 7
Windows 64-bit platforms

I believe Sophos Anti-Rootkit is the first tool to support Windows 7 and 64-bit versions of Windows.

James Coulter

by Anonymous on 14. August 2009 - 17:22  (27097)

Sophos site requires registration to download, but it can also be downloaded from majorgeeks without registration. Unzip and run the exe.

http://majorgeeks.com/Sophos_Anti-Rootkit_d5238.html

by Anonymous on 23. August 2009 - 2:15  (31354)

Another quarrel, MajorGeeks states this works only with NT/2K/XP/2003.

by Anonymous on 23. August 2009 - 13:08  (31374)

It can also be downloaded from softpedia.com
http://www.softpedia.com/get/Antivirus/Sophos-Anti-Rootkit.shtml

by MidnightCowboy on 23. August 2009 - 10:45  (31369)

Why would you not check out the vendor's own site for system compatibility information?

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

* Windows 2000
* Windows XP
* Windows Vista
* Windows 7
* Windows Server 2003
* Windows Server 2008
* 64-bit platforms

Sophos Anti-Rootkit requires a minimum of 128 Mb RAM.

by Anonymous on 4. June 2009 - 15:18  (23053)

I would recommend a combination of Prevx3.0 and GMER to remove the hardest and hardest of the Rootkits. Prevx3.0 is free for detection of malware, even though its not free for full version with removal facility. Use Prevx to scan the system and find out the malwares. Then it can be removed using the GMER. This combination helped me from a worst situation recently.

Gizmos Needs You

Gizmo's Freeware is Recruiting

 We are looking for people with skills or interest in the following areas:
 -  Mobile Platform App Reviews for Android and iOS
 -  Windows, Mac and Linux software reviews       Interested? Click here