Review: Six Rootkit Detectors Protect Your System


ronjor
January 16th, 2007, 06:55 PM
-{ Quote: "While many security suites have a basic level of detection, these standalone tools will do a search-and-destroy on the rootkits that may be hiding in your system." }-Review (http://www.informationweek.com/story/showArticle.jhtml?articleID=196901062)

fcukdat
January 16th, 2007, 07:39 PM
Final conclusions

-{ Quote: "Ironically enough, it was one of the independent tools — Rootkit Unhooker — that turned out to be the best. I'm not sure that means the big vendors will see them as competition, though, since the indie-written tools clearly are meant for self-appointed pros. " }-

About time this info got more coverage :thumb:
I've used most of the more *popular* ARKs and then found RKU from RC2 onwards.
Absolutely no competition for overall functionality and coverage of most known malware RKs.

GMER ranks #2 IMO, located in effectiveness midway between RKU and the rest ;)

Meriadoc
January 16th, 2007, 08:29 PM
I agree with what was said about RkU.
-{ Quote: "most comprehensive and powerful" }-
stable, nice ARK, good work guys

Franklin
January 16th, 2007, 11:29 PM
Thanks for the link ronjor.:)

Nice article.

como212
January 17th, 2007, 03:57 AM
Thanks for the info :thumb:

controler
January 17th, 2007, 10:47 AM
One thing not mentioned in the article about independent creators is the fact that they came from places like rootkit.com and actually know how to create as well as find rootkits. That is all they did for years. At least people have become aware that sigs are no longer the ticket and even HIPS doesn't always help.
I didn't see much mention of Rustock C here other than EP_X0FF confirming it is in the wild now.


controler

Paul Wilders
January 17th, 2007, 10:59 AM
-{ Quote: "...I didn't see much mention of Rustock C here other than EP_X0FF confirming it is in the wild now." }-

It may be. Then again: eating is the proof of the pudding - looking forward to a (zipped and password protected) copy...;)

regards,

paul

tlu
January 17th, 2007, 01:42 PM
Recently the highly respected German computer magazine c't published a test of various anti-rootkit tools, too.

The following tools were included:
AVG Antirootkit v. 1.0.0.13 beta
Avira Rootkit Detection 2.0 beta
Bitdefender Rootkit Uncover 1.0 beta 2
Darkspy 1.0.5 Test
F-Secure Blacklight 2.2.1050 beta
Gmer 1.0.12.12011
Helios 1.1a
IceSword 1.20
Rootkit Revealer 1.7.1
Rootkit Unhooker 3.0.86.338 RC3
SEEM 4.0
Sophos Antirootkit 1.2
UnHackMe 3.1

c't recommends AVG Antirootkit and F-Secure Blacklight as the best one-click solutions for users not intimately familiar with OS internals. For advanced users and forensics c't recommends GMER and Rootkit Unhooker. The latter removes all hooks of a rootkit, so a subsequent scan by an anti-virus scanner might detect that rootkit.

Note, however, that each of these recommended tools found the hidden files of the demo rootkit Winrootkit but not the rootkit itself. That one (but not the associated autostart entry) was only recognized by IceSword and SEEM.

c't recommends using a clean boot CD with an up-to-date anti-virus scanner for a thorough scan of your PC, since a well-programmed rootkit might give all tested tools the slip on a running system.

fcukdat
January 17th, 2007, 02:02 PM
-{ Quote: "It may be. Then again: eating is the proof of the pudding - looking forward to a (zipped and password protected) copy...;)

regards,

paul" }-

http://forum.sysinternals.com/forum_posts.asp?TID=9385&PN=2&TPN=1

The 9th or 10th post is the author of A/B making the statement that C is undetectable; whether it is in the wild has not been confirmed ;)

Nothing is completely undetectable, it just depends on the tool/method of looking ;D

If I bag it, you will get your copy :)

EP_X0FF
January 17th, 2007, 02:26 PM
-{ Quote: "Note, however, that each of these recommended tools found the hidden files of the demo rootkit Winrootkit but not the rootkit itself. That one (but not the associated autostart entry) was only recognized by IceSword and SEEM." }-

Because it doesn't hide itself. It hides only files.

Ice_Czar
January 18th, 2007, 08:41 AM
It's kind of scary to look at that list (article) and realize I use half of those programs.

Longboard
January 18th, 2007, 09:29 AM
Kudos to EP_X0FF and MP_ART et al, world champions. :thumb:
Don't let it go to your head EP_X0FF ;)
How are the hit counts going?? :D

-{ Quote: "The coherency of the help file leaves something to be desired," }-
LOL, just write them in bad French instead.

No Gmer?? :(

Write the word G_m_e_R or post a link and get DDoSed out of existence >:(

SystemJunkie
January 18th, 2007, 10:02 AM
-{ Quote: "Recently the highly respected German computer magazine c't published a test of various anti-rootkit tools, too." }-

Yes I saw that too.

-{ Quote: "Because it doesn't hide itself. It hides only files." }-

Good to know.

EP_X0FF
January 18th, 2007, 11:02 AM
Thank you Longboard and others. I think the Gmer site will soon return to life. Oops, I wrote "Gmer", I must write gm3r, lol. Bad joke, I know.

Rasheed187
January 18th, 2007, 05:08 PM
Well, as soon as you think your machine is infected with a rootkit, I would advise reformatting. And I have to admit that I'm a bit wary of using anti-rootkit tools that are not coming from the big companies. ::)

Pedro
January 18th, 2007, 05:45 PM
Perspectives. There are big companies and big companies. Others would see it the other way around.
Would you try Sony's anti-rootkit if it hit the market?:o

Ice_Czar
January 18th, 2007, 06:24 PM
-{ Quote: "Well, as soon as you think your machine is infected with a rootkit, I would advise reformatting. And I have to admit that I'm a bit wary of using anti-rootkit tools that are not coming from the big companies. ::)" }-

I was a little wary when I first used IceSword (in its Chinese version, before there was an English one), but after researching the matter I decided to trust better heads than mine when I was incapable of determining the facts for myself.

I relied on my understanding of human nature for the decision.
Why would someone code an app superior to the current benchmark of the time?
(Holy Father was on a roll at the time and had beaten Mark's latest RootkitRevealer.)
I felt pride in creation and ego were a stronger motivation within this little-known field (coincidentally littered with some of the best security programmers) than the off chance it was a subversion attempt motivated by greed. Where was the return on investment? Especially considering it was likely being reverse engineered from almost the day it was released.

EP_X0FF
January 18th, 2007, 11:31 PM
-{ Quote: "Well, as soon as you think your machine is infected with a rootkit, I would advise reformatting. And I have to admit that I'm a bit wary of using anti-rootkit tools that are not coming from the big companies. ::)" }-

Rootkit scanners that come from big AV companies can't deal with rootkits. AV rkdetectors: unprofessional work. I do not believe them and I will never say anything good about them.

Pedro
January 19th, 2007, 11:26 AM
I have GMER logging turned on in settings, and I was just about to turn it off; I ran GMER and it displayed a warning when starting:

-{ Quote: "Warning!!!

GMER has found system modification, which might have been caused by ROOTKIT activity.

Do you want to fully scan your computer?" }-

It's SandboxIE, which I just installed :) (f. great program if you ask me)

I think I'll let GMER log some more. It seems to do the job.
Does RkU have that feature? Or something similar?

EP_X0FF
January 19th, 2007, 11:37 AM
We can detect malware-like "parasites" inside our program during its startup. FYI, this warning message appears only because GMER does a fast scan of the SSDT/processes and drivers.
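
The startup check EP_X0FF describes (a fast pass over the SSDT, processes and drivers) comes down to asking who owns the address each service table entry points to: an entry that resolves into ntoskrnl is untouched, one that resolves into another loaded driver is a hook by that driver, and one that resolves into no listed module at all is the classic sign of a driver hiding itself. The following Python is an added example, not code from this thread, from GMER or from RkU. The module names, load addresses and service indices are constructed for illustration; SbieDrv.sys stands in for a third-party driver such as Sandboxie's, which Pedro's post says triggered the warning, and none of the addresses are real.

```python
"""Cross-view audit of an SSDT snapshot (added example, constructed data).

Each service index in the table should point into the kernel image.  Anything
that points elsewhere is a hook: benign if it lands in a known driver, highly
suspicious if it lands in memory no listed module owns.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Module:
    """A loaded kernel module and the address range its image occupies."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        # end of image is exclusive
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Finding:
    index: int            # SSDT service index
    name: str             # service name if the index is known
    target: int           # address the table entry points to
    owner: Optional[str]  # module owning that address, None if unmapped
    verdict: str          # "clean", "hooked" or "hooked:unmapped"


# Constructed module list: load addresses and sizes are invented.
# SbieDrv.sys is assumed here as a stand-in for a third-party driver.
MODULES: List[Module] = [
    Module("ntoskrnl.exe", 0x804D7000, 0x001F8000),
    Module("SbieDrv.sys",  0xF7A3C000, 0x00018000),
]

# Constructed SSDT snapshot; XP SP2 32-bit service indices are assumed.
SSDT: Dict[int, int] = {
    0x25: 0x805B3A10,  # NtCreateFile             -> inside ntoskrnl
    0x7A: 0xF7A41220,  # NtOpenProcess            -> inside SbieDrv.sys
    0xAD: 0xF9C00120,  # NtQuerySystemInformation -> owned by no listed module
}

SERVICE_NAMES: Dict[int, str] = {
    0x25: "NtCreateFile",
    0x7A: "NtOpenProcess",
    0xAD: "NtQuerySystemInformation",
}


def owner_of(addr: int, modules: List[Module]) -> Optional[str]:
    """Return the name of the module whose image contains addr, or None."""
    for mod in modules:
        if mod.contains(addr):
            return mod.name
    return None


def audit_ssdt(ssdt: Dict[int, int], modules: List[Module],
               kernel: str = "ntoskrnl.exe") -> List[Finding]:
    """Classify every table entry by the module that owns its target."""
    findings: List[Finding] = []
    for index in sorted(ssdt):
        target = ssdt[index]
        owner = owner_of(target, modules)
        if owner == kernel:
            verdict = "clean"
        elif owner is None:
            # Pointer into memory no listed driver owns: either an unlisted
            # (hidden) driver or a pool allocation, both rootkit hallmarks.
            verdict = "hooked:unmapped"
        else:
            verdict = "hooked"
        name = SERVICE_NAMES.get(index, f"service_{index:#x}")
        findings.append(Finding(index, name, target, owner, verdict))
    return findings


def hooked_services(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.verdict != "clean"]


def needs_full_scan(findings: List[Finding]) -> bool:
    """The 'system modification found' condition: any non-kernel entry."""
    return bool(hooked_services(findings))


if __name__ == "__main__":
    results = audit_ssdt(SSDT, MODULES)
    for f in results:
        print(f"{f.index:#04x} {f.name:<26} {f.target:#010x} "
              f"{(f.owner or '<unmapped>'):<14} {f.verdict}")
    print("prompt for full scan:", needs_full_scan(results))
```

Two points fall out of running it. A hook into a named driver is a modification, not a diagnosis, which is why a tool can only ask whether to scan further rather than declare an infection: Sandboxie and HIPS products legitimately redirect services. The entry that resolves to no module is the one worth the full scan, because a rootkit that has unlinked its driver from the loaded-module list shows up exactly that way. The check also says nothing about a rootkit that leaves the table alone and patches the service routines inline or alters kernel structures directly, which is the gap c't's boot-CD advice is meant to cover.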

Pedro
January 19th, 2007, 12:05 PM
What do you mean by parasites inside your program? I'm sorry if it turns out to be a basic question, but now I'm curious. :)

And congrats on the review. It seems that you're ahead of the competition. :thumb:

EP_X0FF
January 19th, 2007, 11:43 PM
Thanks. More information about "parasites" and other issues can be found here http://forum.sysinternals.com/forum_posts.asp?TID=9535&PN=1

SystemJunkie
January 20th, 2007, 09:16 AM
-{ Quote: " AV rkdetectors - unprofessional work. " }-

In most cases that is probably reality.

Pedro
January 20th, 2007, 01:53 PM
-{ Quote: "Thanks. More information about "parasites" and other issues can be found here http://forum.sysinternals.com/forum_posts.asp?TID=9535&PN=1" }-

Thank you, your link explains it well :thumb: Or is it that you explained it very well on the Sysinternals forum :)

EASTER.2010
February 4th, 2007, 01:56 PM
-{ Quote: "Rootkit scanners that come from big AV companies can't deal with rootkits. AV rkdetectors: unprofessional work. I do not believe them and I will never say anything good about them." }-

I experience the exact same results.

AV companies specialize in one field and one field only: viruses. They have slowly evolved enough over time to also include some malware detections through heuristics. But as far as rootkits go, they are way out of their league in that field AFAIK.

The problem with AVs is that they try to manufacture and monopolize the whole order of possibilities; they now even offer their own version of firewalls in some of their suites.

Rootkit detectors are better left to those who know how best to code programs that can reveal their presence/traces.

That's my take on it.

Pedro
February 4th, 2007, 02:48 PM
Not everyone can use Gmer or RKU; I only try them out of curiosity, because unless it's obvious, there could be a rootkit in the scan results and I wouldn't know.
An AV company can't issue an AR, or AR capabilities in the AV, without making it rather straightforward to use. One button, scan, results, clean. Sure, FPs can still arise, but no ntoskrnl.exe 0001Cwhatever. I can't read that, it's voodoo for me ;)

Rasheed187
March 18th, 2007, 10:21 AM
Btw, what do you all think about SEEM, is it one of the better tools or what? ::)

http://www.antirootkit.com/software/seem.htm

EASTER.2010
March 18th, 2007, 03:08 PM
-{ Quote: "Btw, what do you all think about SEEM, is it one of the better tools or what? ::)

http://www.antirootkit.com/software/seem.htm" }-

I like what it reviews along with the GUI and all but wish they would upgrade it again soon. It has pulled a stubborn driver out for me once where some other tools failed but it's still fairly new to me and mostly untested otherwise.