Which Rootkit Removal Tool do you use?
geohac
November 21st, 2009, 11:22 PM
Hi all, I'm new to the forums. I'm glad to be here and I look forward to learning a lot. I'll start my first post with a poll.
I use GMER and F-Secure Blacklight.
Which anti-rootkit(s) do you use?
subhrobhandari
November 22nd, 2009, 04:17 AM
I will vote for other, since I don't use any specific one. See my sig. :P
Meriadoc
November 22nd, 2009, 04:59 AM
Windows up-to-date ark list (http://www.ntinternals.org/anti_rootkits.php) with alive, dead and download.
progress
November 22nd, 2009, 09:58 AM
TrendMicro RootkitBuster :P
-{ Quote: "Windows up-to-date ark list (http://www.ntinternals.org/anti_rootkits.php) with alive, dead and download." }-
Thank you for this interesting list, unfortunately many of them are incompatible with Win 7 :-\
noone_particular
November 22nd, 2009, 10:52 AM
On units that I'm servicing, I use RKU, gmer, and others. On my own, none. Rootkit removers aren't necessary when a default-deny security policy won't allow them to install in the first place.
the Tester
November 22nd, 2009, 12:37 PM
Radix.
http://www.usec.at/rootkit.html
geohac
November 22nd, 2009, 12:45 PM
Radix is outdated.
Meriadoc
November 22nd, 2009, 07:58 PM
WinDbg
geohac
November 22nd, 2009, 09:36 PM
Meriadoc, why use a debugging tool when you can use an actual antirootkit that finds rootkits themselves?
Meriadoc
November 22nd, 2009, 09:51 PM
Of course it is one of the best tools for this.
By using, and knowing how to use, WinDbg you may not limit yourself to the power of an ark, while applying the same sort of approaches as anti-rootkit tools use.
[expanded post]
geohac
November 22nd, 2009, 09:53 PM
-{ Quote: "On units that I'm servicing, I use RKU, gmer, and others. On my own, none. Rootkit removers aren't necessary when a default-deny security policy won't allow them install in the first place." }-
I forgot about RKU. Is it still being developed? Where can I download the latest version?
Meriadoc
November 22nd, 2009, 10:36 PM
expanded last post
In fact it was updated yesterday. Here : RkU3.8.382.584 (http://www.rootkit.com/blog.php?newsid=981)
runs on 7 ance
Osaban
November 22nd, 2009, 10:49 PM
-{ Quote: "On units that I'm servicing, I use RKU, gmer, and others. On my own, none. Rootkit removers aren't necessary when a default-deny security policy won't allow them install in the first place." }-
Likewise for me(although I'm not good enough to service computers!). I used F-Secure Blacklight in the past and Avira lately but I doubt I will ever find anything as nothing will execute without my approval and in a virtual environment.
Meriadoc
November 22nd, 2009, 10:58 PM
Here's a nice tool, Kernel Detective by GamingMaster, supports 7.
geohac
November 22nd, 2009, 11:51 PM
-{ Quote: "Of course it is one of the best tools for this.
By using, knowing how to use WinDbg you may not limit yourself to the power of an ark while applying the same sort of approaches as antirootkit tools use.
[expanded post]" }-
True, but that is only of any use to people with a higher than intermediate knowledge of Kernel debugging. This will rule out about 95% of the people here.
Also, reformats are caused by these things more than anything else!
-{ Quote: "expanded last post
In fact it was updated yesterday. Here : RkU3.8.382.584 (http://www.rootkit.com/blog.php?newsid=981) " }-
Thanks for the link, but that version is unstable. -{ Quote: "This release could be buggy and can fly to Blue screens country" }- What is the most stable version?
Triple Helix
November 23rd, 2009, 12:04 AM
I use Prevx 3 and it does a good damn job! :thumb:
TH
Meriadoc
November 23rd, 2009, 12:21 AM
But arks need knowledge; the useful tools that generate the same information as WinDbg are also advanced tools.
Actually some of the learning curve of WinDbg isn't so steep.
For example, using a good anti-rootkit tool such as RkU, RootRepeal or Kernel Detective we can look up hooked entries in the SSDT (System Service Table) and the IDT (interrupt dispatch table) - some tools highlight these in red.
In WinDbg we can also do this by dumping said table using the command "!idt -a".
You could look for patched functions with - "!chkimg -d nt".
What you need to do is interpret the output, for example...
List processes in WinDbg with "!process 0 0" - then compare with the list in a process explorer, say Sysinternals' tool, Task Manager or Process Hacker. A discrepancy would point to a rootkit.
Arks simplify some of this by showing you what is hidden; some of the information needs the user to investigate further.
I've never had to reformat due to using WinDbg.
Meriadoc
November 23rd, 2009, 12:38 AM
-{ Quote: "
Thanks for the link, but that version is unstable. What is the most stable version?" }-
Stable here so far.
Previous RkU release blog entry RkU3.8.380.580 (http://www.rootkit.com/blog.php?newsid=965&user=DiabloNova) Or Windows 2000 fix RkU3.8.380.581
the Tester
November 23rd, 2009, 10:29 AM
-{ Quote: "Radix is outdated." }-
How is that?
blacknight
November 23rd, 2009, 11:41 AM
GMER and Rootkit Repeal.
geohac
November 23rd, 2009, 08:09 PM
tester, I say that simply because it isn't the latest anti-rootkit out there. It hasn't been updated since Jan 2008. Also, it's only compatible with Windows 2000 and Windows XP.
the Tester
November 23rd, 2009, 10:09 PM
-{ Quote: "tester, I say that simply because it isn't the latest anti-rootkit out there. It hasn't been updated since Jan 2008. Also, it's only compatible with Windows 2000 and Windows XP." }-
I see.
I thought it was updated about 3 months ago.
Can't find confirmation, so I may be wrong about that.
JRViejo
November 23rd, 2009, 10:34 PM
-{ Quote: "I thought it was updated about 3 months ago.
Can't find confirmation, so I may be wrong about that." }-
the Tester, is this usec.at Radix 1.0.0.9 released (http://forum.usec.at/comments.php?DiscussionID=8&page=1#Item_0) forum post of August 20th, 2009, what you were thinking about?
Re: Radix Anti-Rootkit (http://www.usec.at/rootkit.html)
the Tester
November 24th, 2009, 04:29 PM
-{ Quote: "the Tester, is this usec.at Radix 1.0.0.9 released (http://forum.usec.at/comments.php?DiscussionID=8&page=1#Item_0) forum post of August 20th, 2009, what you were thinking about?
Re: Radix Anti-Rootkit (http://www.usec.at/rootkit.html)" }-
Yes it is JRViejo.
So Radix was updated this past August.
Thanks for finding and linking that.:thumb:
geohac
November 24th, 2009, 06:09 PM
My mistake. :-[ Thanks for the information jrviejo.
JRViejo
November 24th, 2009, 06:35 PM
the Tester & geohac, you're both welcome! Take care.
JR
Meriadoc
November 25th, 2009, 06:03 AM
LiveCD
Enumerate Windows files then delete from outside Windows.
Also the MS Strider (http://research.microsoft.com/en-us/um/redmond/projects/strider/rootkit/) page describes :
-{ Quote: "# Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
# Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
# Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside). " }-
UBCD4Win>Rootkitty is a tool that apparently automates this process.
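Both the WinDbg post above ("!process 0 0", then compare with Task Manager or Process Hacker) and the Strider procedure just quoted are the same idea: cross-view detection, where a trusted enumeration is diffed against what the possibly hooked OS reports. The script below is an added example, not a tool from this thread or from Microsoft Research. It parses constructed samples shaped like real "!process 0 0" output and "tasklist /fo csv" output, and compares two "dir /s /b" listings the way the Strider page describes; every PID, address and file name in the samples is invented, and the "hiddendrv.sys" name is a placeholder.

```python
"""Cross-view diff: compare a trusted listing (WinDbg over the kernel, or a
clean boot from a LiveCD) with what the running OS reports.  Anything present
in the trusted view but missing from the in-OS view is a hiding candidate.
Added example, not a tool from this thread; every sample below is constructed.
"""
import csv
import io
import re

# First line of each entry printed by WinDbg's "!process 0 0"; Cid is the
# PID in hex.  SessionId prints as "none" for the System process.
_PROCESS_RE = re.compile(
    r"^PROCESS\s+[0-9A-Fa-f]+\s+SessionId:\s*\S+\s+Cid:\s*([0-9A-Fa-f]+)")
_IMAGE_RE = re.compile(r"^\s*Image:\s*(.+?)\s*$")


def parse_windbg_process_list(text):
    """Return {pid: image} from '!process 0 0' output."""
    procs, pid = {}, None
    for line in text.splitlines():
        m = _PROCESS_RE.match(line)
        if m:
            pid = int(m.group(1), 16)
            continue
        m = _IMAGE_RE.match(line)
        if m and pid is not None:
            procs[pid] = m.group(1)
            pid = None
    return procs


def parse_tasklist_csv(text):
    """Return {pid: image} from 'tasklist /fo csv' output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def hidden_processes(kernel_view, user_view):
    """PIDs the kernel walks but the user-mode enumeration never returned."""
    return {pid: img for pid, img in kernel_view.items() if pid not in user_view}


def hidden_files(outside_listing, inside_listing):
    """Strider-style check: 'dir /s /b' captured from a clean boot (outside)
    versus from inside the suspect OS.  NTFS is case-insensitive, so compare
    lower-cased paths.  Returns paths visible only from outside."""
    outside = {p.strip().lower() for p in outside_listing.splitlines() if p.strip()}
    inside = {p.strip().lower() for p in inside_listing.splitlines() if p.strip()}
    return sorted(outside - inside)


# --- constructed samples (shapes follow the real tools, values are invented) ---
WINDBG_SAMPLE = """\
PROCESS 8a1b2c30  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00039000  ObjectTable: e1000c58  HandleCount: 280.
    Image: System

PROCESS 8a0f1d40  SessionId: 0  Cid: 0218    Peb: 7ffd6000  ParentCid: 0004
    DirBase: 0a1c0020  ObjectTable: e15a3c60  HandleCount:  21.
    Image: smss.exe

PROCESS 89f3a020  SessionId: 0  Cid: 0a3c    Peb: 7ffdf000  ParentCid: 0218
    DirBase: 0b2e0040  ObjectTable: e1702a80  HandleCount:  35.
    Image: svch0st.exe
"""

TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","236 K"
"smss.exe","536","Services","0","388 K"
"""

OUTSIDE_DIR = "\n".join([
    r"C:\WINDOWS\system32\drivers\atapi.sys",
    r"C:\WINDOWS\system32\drivers\ndis.sys",
    r"C:\WINDOWS\system32\drivers\hiddendrv.sys",  # invented name
])
INSIDE_DIR = "\n".join([
    r"C:\WINDOWS\system32\drivers\atapi.sys",
    r"C:\WINDOWS\system32\drivers\ndis.sys",
])

if __name__ == "__main__":
    print("hidden processes:", hidden_processes(
        parse_windbg_process_list(WINDBG_SAMPLE), parse_tasklist_csv(TASKLIST_SAMPLE)))
    print("hidden files:", hidden_files(OUTSIDE_DIR, INSIDE_DIR))
```

A discrepancy is a lead, not a verdict: a process that exited between the two captures, or a file written between the two "dir" runs, shows up the same way, so take both captures as close together as possible and check each hit by hand before deleting anything.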
Meriadoc
November 25th, 2009, 08:51 AM
gmer has a userland detector, catchme (http://www2.gmer.net/catchme.htm) which can collect, delete and kill malicious files.
BreakPE (http://seconfig.sytes.net/breakpe/) is a nice little tool.
-{ Quote: "BreakPE takes different approach to stealth malware removal. This program makes malware unexecutable by overwriting disk sectors where it is stored. In more technical terms BreakPE damages PE header of specified file by overwriting it directly on the volume." }-
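To make concrete what "damages the PE header" means, here is an added example (not BreakPE's code, and not from this thread) that checks the two signatures the Windows loader requires, "MZ" at offset 0 and "PE\0\0" at the offset stored in e_lfanew, and then zeroes them. It works on an in-memory byte string; BreakPE itself writes the sectors directly on the volume so that a file-system filter driver cannot intercept the write, which this example does not attempt. The PE image used is constructed, not a real binary.

```python
"""Minimal PE header check and the "break" BreakPE describes: corrupt the
DOS and PE signatures so the loader refuses the file.  Added example; it
operates on a byte buffer, while BreakPE writes raw volume sectors.  The
PE image built below is constructed, not a real executable."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"
E_LFANEW_OFF = 0x3C  # IMAGE_DOS_HEADER.e_lfanew, offset of the PE signature


def is_valid_pe(image):
    """True if image starts with 'MZ' and e_lfanew points at 'PE\\0\\0'."""
    if len(image) < E_LFANEW_OFF + 4 or image[:2] != MZ:
        return False
    (e_lfanew,) = struct.unpack_from("<I", image, E_LFANEW_OFF)
    return e_lfanew + 4 <= len(image) and image[e_lfanew:e_lfanew + 4] == PE_SIG


def break_pe_header(image):
    """Return a copy with the MZ and PE signatures zeroed.  Everything after
    the PE signature is untouched, so the sample can still be collected for
    analysis, but CreateProcess/LoadLibrary will reject it."""
    buf = bytearray(image)
    if len(buf) >= 2:
        buf[0:2] = b"\0\0"
    if len(buf) >= E_LFANEW_OFF + 4:
        (e_lfanew,) = struct.unpack_from("<I", buf, E_LFANEW_OFF)
        if e_lfanew + 4 <= len(buf):
            buf[e_lfanew:e_lfanew + 4] = b"\0\0\0\0"
    return bytes(buf)


def build_fake_pe(e_lfanew=0x80, machine=0x14C):
    """Constructed stand-in for a PE file: DOS header with e_lfanew set,
    PE signature, a minimal COFF file header (IMAGE_FILE_MACHINE_I386,
    1 section), then padding.  Not loadable, just enough for the checks."""
    dos = bytearray(e_lfanew)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, E_LFANEW_OFF, e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x102)
    return bytes(dos) + PE_SIG + coff + b"\0" * 64


if __name__ == "__main__":
    img = build_fake_pe()
    print("valid before:", is_valid_pe(img))
    print("valid after break:", is_valid_pe(break_pe_header(img)))
```

Note the limitation the quoted description implies: if the rootkit still has a hook on file or disk I/O, an ordinary write like this one may be filtered or reverted, which is exactly why BreakPE goes to the volume directly and why any such change should be verified from outside the running OS.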
Keyboard_Commando
November 25th, 2009, 09:38 AM
ESET SysInspector.
32 & 64 bit.
Having used many of those mentioned ... I'd say SysInspector is the most user friendly of the lot. Google is your best friend with these!
Has a feature that can "exclude private, personal information from being saved in logs", though I am not entirely sure what and how it hides the info ... I am guessing file user names, etc. Quite handy if you're sending a system log to be analyzed by a stranger.
http://www.eset.com/download/sysinspector.php
ASpace
November 25th, 2009, 10:39 AM
GMER, RootRepeal and Microsoft's RootkitRevealer.
On Windows 7 - GMER sometimes gives me a BSOD, RootRepeal can't start at all and RootkitRevealer has problems displaying the messages.
On Vista and XP - no problems.
I am most pleased by GMER.
progress
November 25th, 2009, 11:57 AM
-{ Quote: "
On Windows 7 - GMER sometimes gives me a BSOD." }-
I noticed this behaviour too :(
Meriadoc
November 25th, 2009, 03:37 PM
RootkitRevealer is not meant to be run on an OS above XP and 2003 (or on 64-bit); it will not produce a coherent result on Vista, 7 and 2008, and is also considered outdated.
7 has not been out long and some tools need to be worked on because of the differing structure of the OS. Also remember the ark will have to be run elevated - right-click, Run as administrator.
Some problems with RootRepeal may be due to individual system incompatibility. If anyone has a problem, try moving the slider in Options and uncheck 'Use lowest level for MBR check.'
ASpace
November 25th, 2009, 03:57 PM
-{ Quote: "I noticed this behaviour too :(" }-
It was "big fun" for me the first time it happened, because generally if this happens it might be a sign of a rootkit. I didn't have time to see the name of the guilty file (the first blue screen I got). Later I noticed it, checked it and assured myself the system was clean :)
Meriadoc
December 1st, 2009, 05:18 AM
-{ Quote: "Thanks for the link, but that version is unstable. What is the most stable version?" }-
RkU was updated again version 3.8 LE build 383/585 Service Release 1 (http://rootkit.com/blog.php?user=DiabloNova)
Meriadoc
December 2nd, 2009, 11:20 AM
New XueTr v3.0, works on 2000 to 2008 including 7 and comes with extra help in dealing with malware, check out settings...
Meriadoc
December 2nd, 2009, 11:28 AM
NT Internals (http://www.ntinternals.org/anti_rootkits.php) is putting a list together with the tools that deal with TDSS/TDL.
TDL author/s have included some lines from Fight Club and Simpsons Movie into their rootkit;D see also here(tdl3_analysis_paper_ed.rar) (http://www.rootkit.com/newsread.php?newsid=979) They seem to be really busy with numerous builds...TDL4 soon?
Meriadoc
December 2nd, 2009, 02:15 PM
Hidden Process Detection Test (http://www.ntinternals.org/process_detection_test.php) - by NT Internals.
Sysinternals (http://forum.sysinternals.com/forum_posts.asp?TID=20007&PID=112506#112506)
-{ Quote: "I've also created short video sample showing final results of process detection by the most advanced software." }-
Meriadoc
December 4th, 2009, 05:59 AM
RkU was updated again to 3.8 LE build 383/586 Service Release 1 (http://rootkit.com/blog.php?user=DiabloNova)
icr
December 9th, 2009, 12:44 AM
My vote for sophos AR never used frequently though.
progress
January 7th, 2010, 02:50 PM
-{ Quote: "My vote for sophos AR" }-
It seems to be compatible with Win 7 but I got several 'FP' ... ::)
Meriadoc
January 20th, 2010, 06:47 PM
Only just noticed the update.
Rootkit Unhooker LE 3.8.386.588 SR1 (http://www.rootkit.com/blog.php?newsid=993)
I like the ease of this tool, its management, the way it operates and its appearance. Strong, and it has always been stable for me.
Saint Satin Stain
February 6th, 2010, 12:07 AM
GMER and Sophos but also IceSword, Rootkit Unhooker, RootkitRevealer, RootRepeal, and SpyDLLRemover. They never find anything. My realtime apps are
Online Armor
Prevx
Sandboxie.
ameyap
February 19th, 2010, 07:36 PM
Luckily for me, since I started using Vista I never had to use a rootkit for removing anything.
3GUSER
February 20th, 2010, 12:39 AM
ComboFix and GMer
geohac
February 22nd, 2010, 08:12 PM
-{ Quote: "Luckily for me, since I started using Vista I never had to use a rootkit for removing anything." }-
64bit?
SirPeterPan
February 24th, 2010, 06:21 AM
I don't use any of these tools. My current AV, Microsoft Security Essentials, already includes anti-rootkit features.
leofelix
February 26th, 2010, 07:34 AM
I generally do not use rootkit scanners for myself, since on different computers I use ESET NOD32, GData antivirus or Avira as antivirus and Malwarebytes' Anti-Malware, Moosoft The Cleaner and A-Squared as antimalware, which have rootkit removal ability.
Windows is always up to date, and so are Sun Java JRE, Adobe Reader and Flash Player and my main browser.
I practice safe surfing and I always download and install software only from trusted sources.
However, if I have to clean infected systems I generally trust GMER, MBAM and Trend Micro RootkitBuster (well, it depends on what kind of rootkit I have to clean: the most difficult to remove are MBR rootkits in my opinion).
Has anyone ever heard of Tizer™ Rootkit Razor (http://www.tizersecure.com/free-razor-tools.php)?
It is free; only free registration is needed.
I'd like to know your opinion if possible.
Thank you
Meriadoc
February 26th, 2010, 08:22 AM
Razor is mentioned in this thread (http://www.wilderssecurity.com/showthread.php?p=1627033#post1627033) and, although it cannot see some of the modern rootkits, they are working on it.
-{ Quote: "...the most difficult to remove are MBR rootkits in my opinion" }-
Hmmm, an MBR rootkit imo is one of the 'easiest' to remove.
-{ Quote: "...trust GMER, MBAM and Trend Micro RootkitBuster" }-
MBAM has some v.good people that keep on top of the latest infections. RootkitBuster is worked on by the old DarkSpy anti-rootkit author.
It's been said before, but there isn't a best ark, only up-to-date ones, and I can mention a few:
Rootkit Unhooker
Kernel Detective
Root Repeal
List of arks (http://www.ntinternals.org/anti_rootkits.php).
I really must stay away from my machine on holiday;D
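The reason an MBR rootkit can be the 'easiest' case, as the post above argues, is that it lives in the 446 bytes of boot code in sector 0 and leaves the partition table and the 0x55AA signature intact; restoring known-good boot code over those 446 bytes undoes it without touching any partition, which is what the Recovery Console's fixmbr does. A high-level format rewrites the file system inside a partition and never touches sector 0, which is why formatting alone does not remove it, while zero-filling the whole disk does. The script below is an added example, not from this thread or any tool in it: it parses a 512-byte MBR, hashes the boot code against a baseline (assumed to be captured from a clean install of the same OS) and rebuilds the sector keeping the partition table. The sectors are constructed; reading a real sector 0 on Windows means opening \\.\PhysicalDrive0 elevated, and a rootkit that hooks disk I/O can hand back a clean copy to in-OS readers, so a trusted read comes from a LiveCD.

```python
"""Parse a 512-byte MBR, hash its boot code against a baseline, and rebuild
the sector with known-good boot code while keeping the partition table.
Added example; the sectors below are constructed, and the baseline hash is
whatever a clean install of the same OS writes, not a value from the thread."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446          # bytes 0..445: bootstrap code (what an MBR rootkit replaces)
PART_TABLE_OFF = 446        # four 16-byte partition entries follow
ENTRY_LEN = 16
SIGNATURE = b"\x55\xAA"     # bytes 510..511

# status, CHS start (3), type, CHS end (3), LBA start, sector count
_ENTRY_FMT = "<B3sB3sII"


def parse_mbr(sector):
    """Return the boot-code hash and the non-empty partition entries."""
    if len(sector) != SECTOR or sector[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR (size or 0x55AA signature)")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * ENTRY_LEN
        boot, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack_from(_ENTRY_FMT, sector, off)
        if ptype != 0:
            parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
            "partitions": parts}


def bootcode_modified(sector, baseline_sha256):
    """True if the boot code differs from the known-good baseline."""
    return parse_mbr(sector)["bootcode_sha256"] != baseline_sha256


def restore_bootcode(sector, clean_bootcode):
    """Replace only bytes 0..445; partition table and signature are kept."""
    if len(clean_bootcode) != BOOTCODE_LEN:
        raise ValueError("clean boot code must be 446 bytes")
    parse_mbr(sector)  # refuse to 'repair' something that is not an MBR
    return clean_bootcode + sector[BOOTCODE_LEN:]


def build_sample_mbr(bootcode_fill):
    """Constructed MBR: filler boot code, one bootable type-0x07 (NTFS)
    partition starting at LBA 63, three empty entries, signature."""
    code = bytes([bootcode_fill]) * BOOTCODE_LEN
    entry = struct.pack(_ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 63, 2097152)
    return code + entry + b"\0" * (ENTRY_LEN * 3) + SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr(0x90)      # stands in for the clean-install MBR
    infected = build_sample_mbr(0xE9)   # same partition table, different boot code
    baseline = parse_mbr(clean)["bootcode_sha256"]
    print("modified:", bootcode_modified(infected, baseline))
    print("restored == clean:", restore_bootcode(infected, clean[:BOOTCODE_LEN]) == clean)
```

What this does not cover is the rootkit's body, which the MBR loader fetches from sectors outside any partition; once the boot code is restored that body is never executed, but it should still be wiped or imaged for analysis, and the partition entries printed by parse_mbr should be checked against what Disk Management shows so that a tampered table is not blindly preserved.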
Meriadoc
February 26th, 2010, 08:33 AM
-{ Quote: "I don't use any of these tools. My current AV, Microsoft Security Essentials, already includes anti-rootkit features." }-
Think about the TDL rootkit as an example; of course I'm talking about an active rootkit, AVs are not removing it - although it's gotta get on in the first place. These anti-rootkit features aren't anti-rootkit.
leofelix
February 26th, 2010, 08:36 AM
Thank you Meriadoc...
MBR rootkit the easiest to remove? :-)
I'm pretty sure your help would be greatly appreciated in several Italian security forums I know, since it seems that you cannot get rid of an MBR rootkit simply by formatting your HD (both high-level and low-level format), and there are some (Italian) users who are going crazy :D
Someone solved it with the zero-filling technique, as far as I know.
Generally I first try with the Stealth MBR rootkit/Mebroot/Sinowal detector by GMER and other similar tools.
Well, I'm neither a security expert nor a hardware technician; I'm only interested in security stuff, so I cannot tell more.
Thank you again, I'm going to have a look at the thread you linked.
Cheers
[EDIT to add]
I have just read your reply
-{ Quote: "
example of hot samples that razor didn't detect.
TDSS
TDL
Rustock
4DW4R3" }-
OMG, once again thank you (for the link provided too)
Mr.PC
June 20th, 2010, 04:41 AM
Sophos and GMER.
J_L
June 20th, 2010, 02:53 PM
Sophos Anti-Rootkit, only one that works in Windows 7 64-bit.
Tarnak
June 20th, 2010, 10:44 PM
I started with F-Secure Blacklight, then Sysinternals RootkitRevealer, IceSword, GMER and lastly RootRepeal. Also, some others I have since forgotten. ::)
CloneRanger
June 23rd, 2010, 02:58 AM
@J_L
-{ Quote: "Sophos Anti-Rootkit, only one that works in Windows 7 64-bit." }-
You should check this out :thumb:
SanityCheck
-{ Quote: "Supported Operating Systems
SanityCheck runs on the following operating systems:
# Windows 7
# Windows 7 x64 editions
# Windows 2008 Server
# Windows 2008 Server x64 editions
# Windows Vista
# Windows Vista x64 editions
# Windows XP (Service Pack 2 or greater)
# Windows XP x64 edition (all service packs)
# Windows Server 2003 (all service packs)
# Windows Server 2003 x64 editions (all service packs)
# Windows Server 2000 (with Update Rollup 1 and Service Pack 4)" }-
http://www.resplendence.com/sanity_os.htm
Anybody else interested in W7 ARK's, check these out
AntiRootkits - ARK's for W7 http://www.wilderssecurity.com/showthread.php?t=273050
J_L
June 23rd, 2010, 01:41 PM
-{ Quote: "@J_L
You should check this out :thumb:
SanityCheck
http://www.resplendence.com/sanity_os.htm
Anybody else interested in W7 ARK's, check these out
AntiRootkits - ARK's for W7 http://www.wilderssecurity.com/showthread.php?t=273050" }-
Very interesting, thanks. Seems to work fine, except with a little lag scrolling on the drivers section.
Noob
June 24th, 2010, 11:53 PM
I use lots of tools, just to make sure, anyways they are very light ;D
LambRador
June 26th, 2010, 08:00 AM
UnHackMe and Sophos.
progress
June 26th, 2010, 09:09 AM
GMER seems to work with Win 7 as well but RootRepeal doesn't :'(
Meriadoc
June 26th, 2010, 09:40 AM
The link in my first post of this thread or the similar list at kernelmodedotinfo is the most up to date list of antirootkit tools I know.
kernelmodedotinfo is also the home of rootrepeal with other ark authors as mods and members.