Wilders Security Forums  

  #51  
Old February 18th, 2007, 04:27 AM
CReal's Avatar
CReal CReal is offline
Infrequent Poster
 
Join Date: Feb 2007
Posts: 42
Default Re: What program do you all consider to be the best anti-rootkit?

Quote:
Originally Posted by EP_X0FF
They are sleeping very well with real rootkits, friend


I don't doubt it. But I think rootkit detection isn't yet a "must", so companies haven't been investing too much time in them. If rootkits start becoming a common threat, AV companies will have to respond. And they will either end up with something like RKU or something simpler. The average user can't possibly understand what IceSword or RKU is showing him. So either the AV companies will come up with something simple, or it will be doom for many, many people, who will be happily running rootkits on their PCs all the time.
  #52  
Old February 18th, 2007, 11:56 AM
Zorra's Avatar
Zorra Zorra is offline
Infrequent Poster
 
Join Date: Feb 2005
Posts: 19
Default Re: What program do you all consider to be the best anti-rootkit?

Blacklight is the best AV company rootkit scanner IMHO - and it can remove safely, but then it has been available for a long time. F-Secure was ahead of all the others, and they saw the need.

The thing is with Vista, many of the current ARKs are unnecessary and incompatible. I don't believe there is a Vista rootkit yet... Once people migrate to Vista (very gradually), then what will we use? You know sooner or later a Vista rootkit will appear.
__________________
Zorra
  #53  
Old February 18th, 2007, 12:24 PM
EASTER.2010
 
Posts: n/a
Default Re: What program do you all consider to be the best anti-rootkit?

Well, from what I've seen posted so far, I suppose I can chalk gmer up as not capable of functioning properly on Service Pack 1, because most of you with SP 2 report gmer runs fine.

@gmer

It would, I think, be common practice before any of your releases to add a resource to your program? Such as a real icon.

I see some will have to wait until another day/release when gmer is compiled with another language or otherwise offered in different builds, because it clearly does not offer any detections for me if it cannot respond as expected.
  #54  
Old February 18th, 2007, 01:00 PM
gmer gmer is offline
Developer
 
Join Date: May 2006
Posts: 86
Default Re: What program do you all consider to be the best anti-rootkit?

@EASTER
Thanks. I will try to find what the problem is. Sorry that it takes so much time. (BTW: It also works on XP SP1)

Quote:
Originally Posted by Antarctica
Nice review. Guess who is the winner?

http://www.informationweek.com/news/...leID=196901062
Really good article. Nice to see so many independent ARKs.


Quote:
Originally Posted by Zorra
The independent developer ARKs definitely surpass the AV vendor ARKs by a long shot.
Yes Zorra, but only big companies have enough power to protect the people.
And now they have a lot of proof of concept and real samples and I believe that they will improve their products.

Look what happened last year:

2005:
F-Secure Blacklight

2006:
Kaspersky 6.0
NOD 2.7
McAfee Rootkit Detective
Sophos AntiRootkit
TrendMicro RootkitBuster
BitDefender Rootkit Uncover
Panda AntiRootkit
Avira AntiRootkit

It will be only harder to hide in the future.

BTW. In old DOS times we had the "stealth" technique and now the same is called by a new name.


Quote:
Originally Posted by Huwge
So, is there a definitive answer to the original post

I would follow Mark Russinovich's thought - run as many ARKs as you can.

and I would add:

Do not trust only one!

Regards
-Gmer
  #55  
Old February 18th, 2007, 06:05 PM
Zorra's Avatar
Zorra Zorra is offline
Infrequent Poster
 
Join Date: Feb 2005
Posts: 19
Default Re: What program do you all consider to be the best anti-rootkit?

Quote:
Originally Posted by Gmer
I would follow Mark Russinovich's thought - run as many ARKs as you can.

and I would add:

Do not trust only one!
Precisely my philosophy!
__________________
Zorra
  #56  
Old February 18th, 2007, 06:19 PM
trjam's Avatar
trjam trjam is offline
Incredibly Massive Poster
 
Join Date: Aug 2006
Location: North Carolina
Posts: 8,615
Default Re: What program do you all consider to be the best anti-rootkit?

What program do you all consider to be the best anti-rootkit?

none, yet.
__________________
Eset Antivirus
  #57  
Old February 18th, 2007, 06:21 PM
trjam's Avatar
trjam trjam is offline
Incredibly Massive Poster
 
Join Date: Aug 2006
Location: North Carolina
Posts: 8,615
Default Re: What program do you all consider to be the best anti-rootkit?

but Avira has one close to being ready, and it is very good. But that shouldn't surprise anyone considering how good their AV is.
__________________
Eset Antivirus
  #58  
Old February 18th, 2007, 06:21 PM
EASTER.2010
 
Posts: n/a
Default Re: What program do you all consider to be the best anti-rootkit?

Quote:
Originally Posted by Gmer
I would follow Mark Russinovich's thought - run as many ARKs as you can.

and I would add:

Do not trust only one!

Well, if you have only "1" that you have proven that you can trust, which does an incredible lot to uncover hiddens, in-line hooks, drivers, processes and what have ya, what other choice is there?

Find a rootkit maker out there someplace and then combine it with the latest RAT maker/tools and put something together that "melts" its loader AFTER it's unloaded the payload and then go off in search of those "hidden" files/drivers/processes that you personally named ON YOUR OWN TEST SYSTEM (of course), with all the ARKs you can pull off the net, I think the number of ACCURATE finds you'll come up with them are VERY LIMITED at best indeed, at least for now, and drastically reduces your choices to only a couple? few? one?

This is why I have made a quality choice with RKUnhooker. To date, it is as reliable as I've been able to acquire of any ARK and is Extremely Stable! which for any system, especially if RootKitted, legit or not, is very important.
  #59  
Old February 18th, 2007, 07:36 PM
EP_X0FF's Avatar
EP_X0FF EP_X0FF is offline
Frequent Poster
 
Join Date: Nov 2006
Posts: 233
Default Re: What program do you all consider to be the best anti-rootkit?

What about AV antirootkits, I see only BlackLight, all others (including Avira, what a joke, not ARK) will die, as it happened with BitDefender Rootkit Uncover.

Instead of following doubtful suggestions I can say that there is only one strong method of detection - bootable CD (for NTFS) or diskette (for FAT32).
__________________
Ring0 - the source of inspiration
  #60  
Old February 19th, 2007, 07:10 PM
Zorra's Avatar
Zorra Zorra is offline
Infrequent Poster
 
Join Date: Feb 2005
Posts: 19
Default Re: What program do you all consider to be the best anti-rootkit?

I tried RKUnhooker and am very impressed with its functions and features:
Clean GUI, SFX, inline hook detection (great), tie-in to Windows properties dialog, file wipe, etc, etc.

However, I had a problem doing the hidden/blocked files scan which I assume is similar to Rootkit Revealer's high to low-level disk comparison. Anyway, the scan went along fine. When it was finished, I could not create the report because I got the following error - and RKU closed as soon as I clicked OK. Maybe you are familiar with this occurrence and have an easy solution or workaround:

http://i4.photobucket.com/albums/y12...miss-error.jpg
__________________
Zorra
  #61  
Old February 22nd, 2007, 03:59 AM
gmer gmer is offline
Developer
 
Join Date: May 2006
Posts: 86
Default Re: What program do you all consider to be the best anti-rootkit?

Quote:
Originally Posted by EASTER.2010
Well, from what I've seen posted so far, I suppose I can chalk gmer up as not capable of functioning properly on Service Pack 1, because most of you with SP 2 report gmer runs fine.

@EASTER
I'm still looking for the reason ...

http://www.google.com/search?hl=en&q...ootkit+scan%22
  #62  
Old February 22nd, 2007, 04:59 AM
EP_X0FF's Avatar
EP_X0FF EP_X0FF is offline
Frequent Poster
 
Join Date: Nov 2006
Posts: 233
Default Re: What program do you all consider to be the best anti-rootkit?

Quote:
Originally Posted by Zorra
I tried RKUnhooker and am very impressed with its functions and features:
Clean GUI, SFX, inline hook detection (great), tie-in to Windows properties dialog, file wipe, etc, etc.

However, I had a problem doing the hidden/blocked files scan which I assume is similar to Rootkit Revealer's high to low-level disk comparison. Anyway, the scan went along fine. When it was finished, I could not create the report because I got the following error - and RKU closed as soon as I clicked OK. Maybe you are familiar with this occurrence and have an easy solution or workaround:

http://i4.photobucket.com/albums/y12...miss-error.jpg

Put WINSTA.DLL in the main program folder, then reboot your system. It is a known bug, but it is unknown why this happens.
__________________
Ring0 - the source of inspiration
  #63  
Old February 22nd, 2007, 12:08 PM
Zorra's Avatar
Zorra Zorra is offline
Infrequent Poster
 
Join Date: Feb 2005
Posts: 19
Default Re: What program do you all consider to be the best anti-rootkit?

Quote:
Put WINSTA.DLL in the main program folder, then reboot your system.
Thanks - I'll try that.
__________________
Zorra
  #64  
Old February 22nd, 2007, 06:24 PM
Zorra's Avatar
Zorra Zorra is offline
Infrequent Poster
 
Join Date: Feb 2005
Posts: 19
Default Re: What program do you all consider to be the best anti-rootkit?

I copied winsta.dll to C:\RkUnhooker, rebooted and rescanned for hidden items. This time the GUI closed automatically at the end of the scan. I didn't get the error window but all I saw was the desktop.

Are any other fixes known for this? The scan proceeds fine - the problem occurs right when the scan is complete.
__________________
Zorra
  #65  
Old February 22nd, 2007, 07:02 PM
JerryM JerryM is online now
Massive Poster
 
Join Date: Aug 2003
Posts: 3,971
Default Re: What program do you all consider to be the best anti-rootkit?

Quote:
Originally Posted by controler
For power users, you do not need an AV, FW or AT.
Power users nowadays use a restore program and do it daily.
This however might not be usable for business but it is sure usable for home users today.

Most power users will have some sort of backup program, such as ATI, Ghost, etc. But the real hard cores will reformat from scratch every week.
They will have all the necessary files needed so it is not a long process.


controler

Hi Controler,
How long does it take you to restore and be ready to operate each day?
Thanks,
Jerry
__________________
Laptop W 7 64 bit - Avast Pro 8, W 7 Firewall, Win Patrol Pro, and MBAM Pro in real time.
Desktop W7 64 bit -KIS 2013, Win Patrol Pro, and MBAM Pro in real time.
  #66  
Old February 22nd, 2007, 11:31 PM
EASTER.2010
 
Posts: n/a
Default Re: What program do you all consider to be the best anti-rootkit?

Quote:
Originally Posted by gmer
@EASTER
I'm still looking for the reason ...

http://www.google.com/search?hl=en&q...ootkit+scan%22

Well then, looks like I will have to wait yet again for some next or alternate release, and then if or when you can get around to this again, by all means drop a hint right here in this thread/topic that it's available when ready.

I normally would dismiss entirely any program that exhibits such chaotic behavior, but I have read enough posts where others say it performs fine for their PC systems. Well, good for them, I say, but something just is not functioning right from my vantage point with this app.
  #67  
Old February 23rd, 2007, 07:21 AM
Pedro's Avatar
Pedro Pedro is offline
Massive Poster
 
Join Date: Nov 2006
Posts: 3,492
Default Re: What program do you all consider to be the best anti-rootkit?

Gmer is pointing out that it runs on XP fine. If SSM conflicts with RKU, why not with Gmer, on your machine at least, somehow... If not SSM, maybe other, or something specific in your system. Without further information, he can't do much.
  #68  
Old February 23rd, 2007, 10:47 PM
EASTER.2010
 
Posts: n/a
Default Re: What program do you all consider to be the best anti-rootkit?

I already offered security programs running when clicking gmer.exe and so there's nothing more to offer; no info, data, or otherwise. System Info listed also.


I point out specifically that "ALL" other ARKs start up and run fine, stable without flickering, jumping, or slow to no responding tabs. Those are issues I see each and every release. WHY? Who Knows?

but Riddle Me This Batman.

Think fast: There's an electric train traveling south. The wind is from the north-west. In which direction would the smoke from the train be blowing?
  #69  
Old February 24th, 2007, 04:47 AM
gmer gmer is offline
Developer
 
Join Date: May 2006
Posts: 86
Default Re: What program do you all consider to be the best anti-rootkit?

Quote:
Originally Posted by EASTER.2010
I already offered security programs running when clicking gmer.exe and so there's nothing more to offer; no info, data, or otherwise. System Info listed also.

@EASTER

There is also another way you can go. It can be a little difficult for you but it's possible.

1) try to turn off your security programs one after another (the best option is the Start key related to the service|driver)

Code:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\driver|service]
"Start"=dword:00000003

2) reboot
3) start GMER.
4) goto (1)

After that we should see where the conflict is.

Thanks.

BTW.
To turn off Kaspersky you have to restore SSDT first.

Last edited by gmer : February 24th, 2007 at 05:42 AM.
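
Added example (not part of the thread, and not GMER's own code): a sketch of the one-at-a-time loop from post #69 that reads a text export of the Services key, picks the drivers that load on their own, and writes a `Start`=3 fragment plus a rollback fragment holding each original value. The sample export and its key names (`ExampleFilterA`, `ExampleFilterB`, `ExampleSvc`) are constructed for illustration.

```python
import re

# Constructed sample in the text format written by `reg export`; key names are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleFilterA]
"Type"=dword:00000001
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleFilterA\Parameters]
"Start"=dword:00000009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleFilterB]
"Type"=dword:00000001
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Type"=dword:00000010
"Start"=dword:00000004
'''

SERVICES = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'
KEY_RE = re.compile(r'^\[(' + re.escape(SERVICES) + r'\\([^\\\]]+))\]$')
DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')

def parse_services(text):
    """Map service name -> {'key': full key path, 'Type': int, 'Start': int, ...}."""
    services, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = services.setdefault(key.group(2), {"key": key.group(1)})
        elif line.startswith("["):
            current = None          # subkey or unrelated key: ignore its values
        elif current is not None and DWORD_RE.match(line):
            name, value = DWORD_RE.match(line).groups()
            current[name] = int(value, 16)
    return services

def candidates(services):
    """Kernel (Type 1) or file-system (Type 2) drivers with Start 0/1/2 (boot/system/auto)."""
    return sorted(n for n, v in services.items()
                  if v.get("Type") in (1, 2) and v.get("Start") in (0, 1, 2))

def reg_fragment(services, name, start):
    return '[{}]\n"Start"=dword:{:08x}\n'.format(services[name]["key"], start)

def plan(services):
    """One (name, change-to-demand fragment, rollback fragment) per candidate."""
    return [(n, reg_fragment(services, n, 3),
             reg_fragment(services, n, services[n]["Start"]))
            for n in candidates(services)]

if __name__ == "__main__":
    for name, change, rollback in plan(parse_services(SAMPLE_EXPORT)):
        print("== {} ==\napply:\n{}rollback:\n{}".format(name, change, rollback))
```

A driver with Start 0 may be required to boot, so keep the rollback fragment reachable from outside the running system before changing one.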
  #70  
Old February 24th, 2007, 05:31 AM
EP_X0FF's Avatar
EP_X0FF EP_X0FF is offline
Frequent Poster
 
Join Date: Nov 2006
Posts: 233
Default Re: What program do you all consider to be the best anti-rootkit?

@Someone

SSM does not conflict with RKU since RC3.

In the case of buggy GMER, flickering can be related to Shadow SDT Hooks that are installed by SSM and Kaspersky AV.
__________________
Ring0 - the source of inspiration
  #71  
Old February 24th, 2007, 05:35 AM
EP_X0FF's Avatar
EP_X0FF EP_X0FF is offline
Frequent Poster
 
Join Date: Nov 2006
Posts: 233
Default Re: What program do you all consider to be the best anti-rootkit?

Quote:
Originally Posted by Zorra
I copied winsta.dll to C:\RkUnhooker, rebooted and rescanned for hidden items. This time the GUI closed automatically at the end of the scan. I didn't get the error window but all I saw was the desktop.

Are any other fixes known for this? The scan proceeds fine - the problem occurs right when the scan is complete.

Please tell: do you mean Hidden Files Scan? Does the scan perform well individually on each page? RKU version?

Thanks
__________________
Ring0 - the source of inspiration
  #72  
Old February 24th, 2007, 06:42 AM
EASTER.2010
 
Posts: n/a
Default Re: What program do you all consider to be the best anti-rootkit?

Quote:
In the case of buggy GMER, flickering can be related to Shadow SDT Hooks that are installed by SSM and Kaspersky AV.

Thank You! EP_X0FF

Since RKUnhooker has never exhibited such behavior then that must surely be responsible for the conflict.

@gmer

Can you adjust code to gmer to facilitate cooperation with SDT (hookers) drivers of some other security programs? Gmer is the only program that suffers this static and it should be a simple matter to fix compatibility to, say, a klif.sys and safemon.sys.
  #73  
Old February 24th, 2007, 07:27 AM
gmer gmer is offline
Developer
 
Join Date: May 2006
Posts: 86
Default Re: What program do you all consider to be the best anti-rootkit?

Quote:
Originally Posted by EASTER.2010
Can you adjust code to gmer to facilitate cooperation with SDT (hookers) drivers of some other security programs? Gmer is the only program that suffers this static and it should be a simple matter to fix compatibility to, say, a klif.sys and safemon.sys.

Please try to follow my first suggestion and I will prepare a box similar to yours.

Quote:
Originally Posted by EASTER.2010
procguard.sys=ProcGuard
safemon.sys=SSM
guard.sys=AVG 7.5
klif.sys=KIS6

BTW: This is really "huge" protection against malware. You do not have to worry about rootkits.

Last edited by gmer : February 24th, 2007 at 09:33 AM.
  #74  
Old February 24th, 2007, 02:25 PM
Bubba's Avatar
Bubba Bubba is offline
Global Moderator
 
Join Date: Apr 2002
Posts: 11,279
Default Re: What program do you all consider to be the best anti-rootkit?

To all,

Let's keep our posts directed toward anti-rootkit programs and not individuals. As such certain posts were removed.

Bubba
  #75  
Old February 24th, 2007, 02:35 PM
ASpace
 
Posts: n/a
Default Re: What program do you all consider to be the best anti-rootkit?

Quote:
Originally Posted by WilliamP
What program do you all consider to be the best anti-rootkit? I have gmer on my computer but I have read good things about IceSword. I feel that it may be easier to get support for gmer.

I prefer and recommend Microsoft Rootkit Revealer when it comes to easiness.
Then comes GMER.
I mean separate anti-rootkit tools
 

All times are GMT -4.