Which Rootkit Removal Tool do you use?

Hi all, I'm new to the forums. I'm glad to be here and I look forward to learning a lot. I'll start my first post with a poll.

I use GMER and F-Secure Blacklight.

Which anti-rootkit(s) do you use?

[subhrobhandari]

I will vote for other, since I dont use any specific. See my sig.

[Meriadoc]

Windows up-to-date ark list with alive, dead and download.

TrendMicro RootkitBuster

Quote:

Originally Posted by Meriadoc

Windows up-to-date ark list with alive, dead and download.

Thank you for this interesting list, unfortunately many of them are incompatible with Win 7

[noone_particular]

On units that I'm servicing, I use RKU, gmer, and others. On my own, none. Rootkit removers aren't necessary when a default-deny security policy won't allow them install in the first place.

[the Tester]

Radix.

http://www.usec.at/rootkit.html

Radix is outdated.

[Meriadoc]

WinDbg

Meriadoc, why use a debugging tool when you can use an actual antirootkit that finds rootkits themselves?

[Meriadoc]

Of course it is one of the best tools for this.

By using, knowing how to use WinDbg you may not limit yourself to the power of an ark while applying the same sort of approaches as antirootkit tools use.

[expanded post]

Quote:

Originally Posted by noone_particular

On units that I'm servicing, I use RKU, gmer, and others. On my own, none. Rootkit removers aren't necessary when a default-deny security policy won't allow them install in the first place.

I forgot about RKU. Is it still being developed? Where can I download the latest version?

[Meriadoc]

expanded last post

In fact it was updated yesterday. Here : RkU3.8.382.584

runs on 7 ance

[Osaban]

Quote:

Originally Posted by noone_particular

On units that I'm servicing, I use RKU, gmer, and others. On my own, none. Rootkit removers aren't necessary when a default-deny security policy won't allow them install in the first place.

Likewise for me(although I'm not good enough to service computers!). I used F-Secure Blacklight in the past and Avira lately but I doubt I will ever find anything as nothing will execute without my approval and in a virtual environment.

[Meriadoc]

Here's a nice tool, Kernel Detective by GamingMaster, supports 7.

Quote:

Originally Posted by Meriadoc

Of course it is one of the best tools for this.

By using, knowing how to use WinDbg you may not limit yourself to the power of an ark while applying the same sort of approaches as antirootkit tools use.

[expanded post]

True, but that is only of any use to people with a higher than intermediate knowledge of Kernel debugging. This will rule out about 95% of the people here.

Also, reformats are caused by these things than anything else!

Quote:

Originally Posted by Meriadoc

expanded last post

In fact it was updated yesterday. Here : RkU3.8.382.584

Thanks for the link, but that version is unstable.

Quote:

This release could be buggy and can fly to Blue screens country

What is the most stable version?

[Triple Helix]

I use Prevx 3 and does a good dam job!

TH

[Meriadoc]

But arks need knowledge, the useful tools that generate the same information as WinDbg, are also advanced tools.

Actually some of the learning curve of WinDbg isn't so steep.

For example, using a good antirootkit tool such as Rku, RootRepeal or Kernel Detective we can look up hooked entries in the SSDT, System Service Table and IDT, interrupt dispatch table - some tools highlight these in red.

In WinDbg we can also do this by dumping said table using the command "!idt -a".

You could look for patched functions with - "!chkimg -d nt".

What you need to do is interpret the output, for example...

List processes in WinDbg "!process 0 0" - then compare with the list in a process explorer say Sysinternal's tool, Task Manager or Process Hacker. A discrepancy would point to a rootkit.

Ark's simplify some of this by showing you what is hidden, some of the information needs the user to investigate further.



I've never had to reformat due to using WinDbg.

[Meriadoc]

Quote:

Originally Posted by geohac

Thanks for the link, but that version is unstable. What is the most stable version?

Stable here so far.

Previous RkU release blog entry RkU3.8.380.580 Or Windows 2000 fix RkU3.8.380.581

[the Tester]

Quote:

Originally Posted by geohac

Radix is outdated.

How is that?

[blacknight]

GMER and Rootkit Repeal.

tester, I say that simply becuase it isn't the latest antirootkit out there. It hasn't been updated since Jan 2008. Also, it's only compatible with Windows 2000 and Windows XP.

[the Tester]

Quote:

Originally Posted by geohac

tester, I say that simply becuase it isn't the latest antirootkit out there. It hasn't been updated since Jan 2008. Also, it's only compatible with Windows 2000 and Windows XP.

I see.
I thought it was updated about 3 months ago.
Can't find confirmation, so I may be wrong about that.

[JRViejo]

Quote:

Originally Posted by the Tester

I thought it was updated about 3 months ago.
Can't find confirmation, so I may be wrong about that.

the Tester, is this usec.at Radix 1.0.0.9 released forum post of August 20th, 2009, what you were thinking about?

Re: Radix Anti-Rootkit

[the Tester]

Quote:

Originally Posted by JRViejo

the Tester, is this usec.at Radix 1.0.0.9 released forum post of August 20th, 2009, what you were thinking about?

Re: Radix Anti-Rootkit

Yes it is JRViejo.
So Radix was updated this past August.
Thanks for finding and linking that.

My mistake. Thanks for the information jrviejo.