Which Rootkit Removal Tool do you use?

[JRViejo]

the Tester & geohac, you're both welcome! Take care.

JR

[Meriadoc]

LiveCD

Enumerate Windows files then delete from outside Windows.


Also the MS Strider page describes :

Quote:

# Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
# Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
# Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside).

UBCD4Win>Rootkitty is a tool that apparently automates this process.

[Meriadoc]

gmer has a userland detector, catchme which can collect, delete and kill malicious files.

BreakPE is a nice little tool.

Quote:

BreakPE takes different approach to stealth malware removal. This program makes malware unexecutable by overwriting disk sectors where it is stored. In more technical terms BreakPE damages PE header of specified file by overwriting it directly on the volume.

[Keyboard_Commando]

ESET SysInspector.

32 & 64 bit.

Having used many of those mentioned ... I'd say SysInspector is the most user friendly of the lot. Google is your best friend with these!

Has a feature that can "exclude private, personal information from being saved in logs", though I am not entirely sure what and how it hides the info ... I am guessing file user names, etc. Quite handy if you're sending a system log to be analyzed by a stranger.

http://www.eset.com/download/sysinspector.php

GMer , RootRepeal and Microsoft's Rootkit Revealer.

On Windows 7 - GMers sometimes gives me BSOD , RootRepeal can't start at all and RootkitReleveal has problems displaying the messages.

On Vista and XP - no problems .

I am most pleased by GMer.

Quote:

Originally Posted by ASpace

On Windows 7 - GMers sometimes gives me BSOD.

I noticed this behaviour too

[Meriadoc]

RootkitRevealer is not meant to be run on an OS above xp and 2003 (or on 64bit) it will not produce a coherent result - vista, 7 and 2008, and is also considered outdated.

7 has not been out long and some tools need to be worked on because of the differing structure of the OS. Also remember the ark will have to be run elevated - r/click run as administrator.

Some problems with RootRepeal maybe due to individual system incompatibility. If anyone has a problem try moving the slider in Options and uncheck 'Use lowest level for MBR check.'

Quote:

Originally Posted by ance

I noticed this behaviour too

It was a "big fun" for me the first time it happened because generally if this happens , it might be a sign of a rootkit . I didn't have time to see the name of the guilty file (the first blue screen I got) . Later I noticed it , checked it and ensured myself the system was clean

[Meriadoc]

Quote:

Originally Posted by geohac

Thanks for the link, but that version is unstable. What is the most stable version?

RkU was updated again version 3.8 LE build 383/585 Service Release 1

[Meriadoc]

New XueTr v3.0, works on 2000 to 2008 including 7 and comes with extra help in dealing with malware, check out settings...

[Meriadoc]

NT Internals is putting a list together with the tools that deal with TDSS/TDL.

TDL author/s have included some lines from Fight Club and Simpsons Movie into their rootkit see also here(tdl3_analysis_paper_ed.rar) They seem to be really busy with numerous builds...TDL4 soon?

[Meriadoc]

Hidden Process Detection Test - by NT Internals.

Sysinternals

Quote:

I've also created short video sample showing final results of process detection by the most advanced software.

[Meriadoc]

RkU was updated again to 3.8 LE build 383/586 Service Release 1

[icr]

My vote for sophos AR never used frequently though.

Quote:

Originally Posted by icr

My vote for sophos AR

It seems to be compatible with Win 7 but I got several 'FP' ...

[Meriadoc]

Only just noticed the update.

Rootkit Unhooker LE 3.8.386.588 SR1

I like the ease of this tool, the management the way it operates and appearance. Strong and always been stable for me.

[Saint Satin Stain]

GMER and Sophos but also IceSword, Rootkit Unhooker, RootkitRevealer, RootRepeal, and SpyDLLRemover. They never find anything. My realtime apps are
Online Armor
Prevx
Sandboxie.

[ameyap]

luckily for me since i started using vista i never had to use a rootkit for removing anything

[3GUSER]

ComboFix and GMer

Quote:

Originally Posted by ameyap

luckily for me since i started using vista i never had to use a rootkit for removing anything

64bit?

I don't use any of these tools. My current AV, Microsoft Security Essentials, already includes anti-rootkit features.

[leofelix]

I generally do not use rootkit scanners for myself since I use on different computers ESET NOd32, GData antivirus or Avira as antivirus and a MalwareBytes' AntiMalware, Moosoft The Cleaner and A-Squared as antimalware which have rootkit removal ability.
Windows is always up to date and so Sun Java JRE, Adobe Reader and Flash Player and my main browser.
I practice a safe surfing and I always download and install software only from trusted sources.

However if I have to clean infected systems I generally trust Gmer, MBAM and Trend Micro RootkitBuster (Well, it depends on what kind of Rootkit I have to clean: the most difficult to remove are MBR rookit in my opinion)

Do anyone ever heard of Tizer™ Rootkit Razor?
It is free, only free registration is needed.

I'd like to know your opinion if possible,

Thank you

[Meriadoc]

Razor is mentioned in this thread and although it cannot see some of the modern rootkits they are working on it.

Quote:

...the most difficult to remove are MBR rookit in my opinion

Hmmm MBR rootkit imo is one of the 'easiest' to remove.

Quote:

...trust Gmer, MBAM and Trend Micro RootkitBuster

MBAM has some v.good people that keep on top of the latest infections. RootkitBuster is worked on by old Darkspy antirootkit author.
Its been said before but there isn't a best ark only up to date ones, and I can mention a few :

Rootkit Unhooker
Kernel Detective
Root Repeal

List of arks.

I really must stay away from my machine on holiday

[Meriadoc]

Quote:

Originally Posted by guest

I don't use any of these tools. My current AV, Microsoft Security Essentials, already includes anti-rootkit features.

Think about TDL rootkit as an example, of course talking about an active rootkit, avs are not removing it - although its gotta get on in the first place. These anti-rootkit features aren't antirootkit.

[leofelix]

Thank you Meriadoc...

MBR Rootkit the easiest to remove?:-)
I'm pretty sure your help would greatly appreciated in several italian security forums I know, since it seems that you cannot get rid of a MBR rootkit simply formatting your HD (both high level and low level format) and there are some (Italian) users who are driving crazy
Someone solved with zero-filling techique as far as I know.

Generally I first try with Stealth MBR rootkit/Mebroot/Sinowal detector by Gmer and other similar tools.
Well I'm not a security expert nor an hardware technician, I'm only interested in security stuffs, so I cannot tell more

thank you again I'm going to have a look at the thread you linked

Cheers

[EDIT to add]

I have just read your reply

Quote:

Originally Posted by Meriadoc

example of hot samples that razor didn't detect.

TDSS
TDL
Rustock
4DW4R3

OMG, once again thank you (for the link provided too)