ANTI-ROOTKITS: Good, Safe and Easy Antirootkit Softwares and their Functions

Discussion in 'other anti-malware software' started by PROROOTECT, Aug 18, 2009.

Thread Status:
Not open for further replies.
  1. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Some Anti-rootkit detectors which I have; all these tools come from independent developers, and all are updated. All verified by me: Safe, Easy, Best of all!
    All FREE, with the best of all detection capabilities, the latest versions (with tabs) here (permanent links, always with the latest version):

    * GMER (by Mr Gmerek). Today: version v1.0.15.15077: http://www.gmer.net/#files

    From the start you see only two tabs: Rootkit/Malware, and >>>. Very easy.

    Click on >>> tab, you have also:

    Processes
    Modules
    Services
    Files
    Registry
    Rootkit/Malware (this same tab)
    Autostart
    CMD

    * kX-Ray (v1.0.0.96 XP) by Brock: http://bugczech.fu8.com/

    Options; View; Additional (Compare 2 Files);

    Kernel Modules
    Active Processes
    Registry Start-Up
    BHOs
    Process Creations
    Process Terminate
    SSDT
    Data Streams
    Message Hooks
    SPI
    IDT
    Host File
    AppInit_DLLs
    Shadow SDT
    Ring3 API Hooks
    Kernel Export Hooks
    SysEnter Hooks
    File System
    Logging

    * RootRepeal by AD (v1.3.5): http://rootrepeal.googlepages.com/

    File; Settings; Tools;

    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT
    Report
    About

    * Suspicious Process Behavior Analysis Tool (spbat.exe ; also by Brock): http://bugczech.fu8.com/

    * USEC Radix (v1.0.0.8): http://www.usec.at/rootkit.html

    1-click check
    Modules
    SDT
    IDT
    GDT
    IRP
    SYSENTER
    IAT
    Filesystem
    MBR
    Processes
    Registry
    Tools
    About

    * SysProt AntiRootkit (v1.0.1.0) by swatkat: http://sites.google.com/site/sysprotantirootkit/ See also the 'Swatkat's rants' blog: http://swatrant.blogspot.com/

    SysProt
    Process
    Kernel Modules
    SSDT
    Kernel Hooks
    IRP Hooks
    Ports
    File System
    Log

    * Thank you all very much, antirootkit developers!


    """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
    """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

    * I also use ESET SysInspector - it's not an antirootkit, but a VERY useful tool which also finds rootkits easily: http://www.eset.com/download/sysinspector.php

    File; Tree; List; Help;

    Running Processes
    Network Connections
    Important Registry Entries
    Services
    Drivers
    Critical Files
    System Information
    File Details
    About


    ...And your tips, please?..


    PROROOTECT:thumb:
     
  2. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    ... and this thing for you, my task manager:

    Process Hacker v1.3.9.0 (by wj32): http://processhacker.sourceforge.net/ and Features Page: http://processhacker.sourceforge.net/features.php

    - Process Hacker detects processes hidden by simple rootkits such as Hacker Defender and FU; it finds hidden processes and terminates them.

    Hacker; View; Tools; Users; Window; Help;
    Refresh; Options; Shutdown; Find Handles or DLLs; System Information - very cute!..:)

    Processes
    Services
    Network

    When I surf the Internet, I have Process Hacker open for anything concerning me, now!

    P.:thumb:
     
  3. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Hi PROROOTECT,

    How about sophos anti-rootkit?
     
  4. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hello,

    Sophos Anti-Rootkit: I consider it a toy for children, a toy NOT too safe ... I tried it in 2008 for a few days. It is easy, but it has several false positives; see this thread on our forum: https://www.wilderssecurity.com/showthread.php?t=248299

    We are real men - we support not the big companies that have large financial resources, but the real men: the independent developers.
    And their professional software: beautiful, safe and easy, with many useful functions to develop our best knowledge.

    Please donate for these independent developers ...


    PROROOTECT:thumb:
     
  5. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Yes, I forgot MBR Rootkit Detector mbr.exe, by Mr Gmerek, also here: http://www2.gmer.net/mbr/ Very easy.

    Yes, this seems very fair - to rather help the independent developers, who do not have the same financial resources as the big antivirus companies. Isn't it?
    And they are often better able to take decisions on the fly, for example to release a new version of their software more often if the need arises. Isn't it, Mr G. and others?;) The freedom to make decisions.

    Then drop our heads before them (is it my Oxford English here?:cautious: ), and help them as we can.

    Isn't it?

    PROROOTECT:thumb:
     
  6. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    New USEC Radix Anti-Rootkit in the wild! Version 1.0.0.9. Link in my Signature, please. Added support for Vista; many bugfixes, many feats. Major version, VERY quickly.
    Thanks, leecher.

    My MBR seems to be OK.


    P.
     
  7. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi there,

    Thanx for all the updates etc.

    So your MBR is ok, good thing it doesn't mean Mother Board Rooted lol
     
  8. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hi Stevie,

    My MBR seems to be OK.

    It is leecher who suggested this to me ...

    It is very nice: I made a sacred gift with his Radix! The NEW version works very quickly - perhaps too quickly.

    But if I make a Selftest (Performing check: 'Selftest': Doing a short selftest ...) - all are patched! - but 'No suspicious items were found', says Radix.

    ... and SDT/Check Shadow. I have 666 and 0. Do not forget. 'Nothing hooked, nothing patched'. (?).

    ... and click Settings/Enable skin. Aaaaa ... a very successful design!

    Do not forget ur Radix! Link in my Signature, please.

    Good Night for all,


    P.
     
  9. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    "Radix Anti-Rootkit SDTHLPR.sys IOCTL Handling Privilege Escalation"

    "A vulnerability has been reported in Radix Anti-Rootkit, which can be exploited by malicious, local users to gain escalated privileges."

    "The vulnerability is reported in versions prior to 1.0.0.9"

    See - http://secunia.com/advisories/36367/
     
  10. garrettwilkin

    garrettwilkin Registered Member

    Joined:
    Aug 22, 2009
    Posts:
    3
    I'm going to try Process Hacker listed above. I have a hidden process that was found by GMER but I don't know what to do with it. Delete the files myself?
     
  11. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    659
    Location:
    Europe

    Are you sure that Radix is now working on Vista ?? o_O This will be a good news !! ;)
     
  12. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    A new Radix PROROOTECT?

    Nice. Thanks for the reminder.;)
     
  13. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    YES Tester, YES Ashanta, and all other wilderssecurity members: this Radix from usec.at is really Unique Security Software, Austrian Security Software.

    I have also Nemesis Anti-Spyware, and System Shield above all.

    Thank you very very much, Ludwig Ertl, leecher!

    If you want to donate and keep this software alive ...

    """"""""""""""""" WAIT, don't close yet.

    Kareldjag says:

    'The easiest way to mitigate risks of rootkit infection is to run under a limited account.

    Under an administrator account, locking the service database can be helpful to block any newly created service from running, but does NOT prevent the service from being created.
    More reliable and effective is the integration of a HIPS in the line of defense: most of them restrict administrator rights and privileges.'

    System Shield usec.at restricts:
    Registry access, Autorun, Services, BHO Keys, IE Settings, Hosts file access ... and creates a White List for programs that you have approved.
    Its warning window asks: 'Confirm Change?'
    Link in my Signature, please.

    P.




    Post seems to be OK.
     
  14. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    To remember:

    LUA (Limited User Account) with interchangeable relations between you and computer security agents or events provides a HIPS (like for example System Shield usec.at ). Aaaa ... seems to be OK.

    """"""""""""""""""""""""

    Easy Antirootkit Tips (found on Technibble.com):

    * 'If I find anything suspicious in C:\Windows (and sub-dirs), I rename the file extension et voila! rootkit disabled.'

    * 'I found a workaround I re-named GMER: explorer.exe, and it worked lol, I was able to remove the rootkit.'


    P.
     
  15. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    * ... or open Notepad and create a batch file that renames your favorite security application you want to run.

    * or suspend/KILL! the wrong process in Process Hacker, Process Explorer.

    et voila et voila!


    P.


    Good, Process Hacker.
     
  16. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Download the best TEST for your ANTIROOTKITS: HideProc!

    It's the simplest solution, very easy and safe.

    HideProc v1.0 from iterati solutions: http://www.iterati.org/Developers/HideProc/Default.aspx

    Approximately 178 KB in My Documents (= portable ...):

    You have:
    * Eula.txt
    * HideProc.exe
    * HideProc.dll
    * HideProcDrv.sys

    I hid my preferred StartupMonitor.exe ... it is safe for some minutes, OK? (or some hours ...).


    Some results of my little test:

    I see two rising stars on the horizon (among my antirootkits: ALL my anti-rootkits easily find my hidden process!):

    * SpyDllRemover - look here on wilderssecurity: https://www.wilderssecurity.com/showthread.php?t=241775
    - and result: in Red:
    Name: unknown
    Threat Info: Hidden Rootkit Process.
    File Path: C:\Windows\my hidden process here ...
    You have the possibility to click on 'Kill Process' button! Very good. Perfect.

    * SPBAT.exe (by Brock):
    Discerned Object tab: Hidden Process.
    You have right click / Terminate Process. Perfect.

    And then ...

    * ESET SysInspector / Running Processes / ROOTKIT (Red- brown): my hidden process. Status: 9, Risky (Red- brown) ... and Search Online possibility: perfect solution for me.

    * SREng start - and you have a Red Warning! window: SREng found 1 hidden process. I see Hidden Process: my little hidden process ...

    * Process Hacker / Tools / Hidden Processes / Scan: 1 Hidden; highlighted in Red. You have 'Terminate' button. Goood.
    But in Process list: NOT present our hidden process.

    * Process Explorer: NOT present our hidden process ...

    * Starter: ... nothing unusual ...

    *...Yes yes, new GMER = new window:

    'WARNING! GMER has found system modification, which might have been caused by ROOTKIT activity.':argh: Very explanatory, excellent.
    ...and my hidden process is on Red after start of GMER. With right click: KILL Process possibility. Perfect.


    Get HideProc.

    .. and at your tests!..

    P.
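    The HideProc test above is a cross-view check: every tool that "found" the hidden process compared a low-level enumeration (driver, brute-force PID scan) against the normal process-list API and flagged the PID that only the low-level view returned. The script below is an added example, not code from this thread or from any of the tools named in it; it does the same comparison portably. View A is the /proc directory listing (Linux is assumed), view B is a brute-force probe of every PID with signal 0, and the pure comparison and confirmation logic is separated out so it can be exercised on constructed views. The limit Meriadoc raises later in the thread applies here too: a kernel-mode rootkit can lie to both views, so offline comparison remains the stronger check.

```python
"""Cross-view hidden-process check (added example; assumes a Linux /proc)."""
import os
import sys


def parse_proc_listing(entries):
    """Turn a /proc-style directory listing into a set of PIDs.

    Non-numeric entries (self, net, sys, ...) are ignored.
    """
    return {int(name) for name in entries if name.isdigit()}


def listing_view():
    """View A: PIDs the process-list interface reports (Linux /proc, assumed)."""
    return parse_proc_listing(os.listdir("/proc"))


def probe_view(max_pid):
    """View B: brute-force probe of PIDs 1..max_pid with signal 0.

    os.kill(pid, 0) delivers nothing; it raises ProcessLookupError when no
    such process exists and PermissionError when it exists but belongs to
    another user (still alive, so it is kept).
    """
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def cross_view_diff(api_view, probe_pids):
    """Compare two enumerations of the same process table.

    'hidden'  = seen by the probe but not reported by the API,
    'phantom' = reported by the API but not reachable by the probe.
    """
    return {
        "hidden": probe_pids - api_view,
        "phantom": api_view - probe_pids,
    }


def stable_hidden(api_view_fn, probe_fn, rounds=3):
    """Repeat the diff and keep only PIDs that are hidden in every round.

    A process that starts or exits between the two enumerations shows up as
    a one-off discrepancy; a process concealed from the API stays hidden
    across rounds. Only persistently hidden PIDs are reported.
    """
    candidates = None
    for _ in range(rounds):
        hidden = cross_view_diff(api_view_fn(), probe_fn())["hidden"]
        candidates = hidden if candidates is None else candidates & hidden
        if not candidates:
            break
    return candidates or set()


def read_max_pid(default=32768):
    """Upper bound for the probe, from /proc/sys/kernel/pid_max when available."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


if __name__ == "__main__":
    if not os.path.isdir("/proc"):
        sys.exit("this example assumes a Linux-style /proc filesystem")
    limit = read_max_pid()
    found = stable_hidden(listing_view, lambda: probe_view(limit))
    if found:
        print("cross-view discrepancy, PIDs absent from the process list:", sorted(found))
    else:
        print("no hidden processes among %d probed PIDs" % limit)
```

    Probing every PID up to pid_max is slow on hosts with a large pid_max, which is exactly why the Windows tools above do the scan from a driver instead; the value of the script is the confirmation step, which discards the transient mismatches that a single snapshot would otherwise report as "hidden".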
     
  17. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    * VBA32 AntiRootkit v3.12.3.3 (07/16/2009): http://virusinfo.info/showpost.php?p=464700&postcount=65

    Known and UNKNOWN rootkits INFORMATION tool, very interesting (on green: well-known by VBA32, on black: not known by VBA32 AR).
    With help in English.

    File, Edit, Tools, ArKit Driver

    Tools:

    Autorun
    Drivers and Services (from Registry)
    Kernel modules
    Process List
    Kernel-Mode Hooks
    Kernel-Mode Notificators
    Driver IO Handler's Hooks


    """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

    BreakPE v1.0 from our 'Seconfig XP' site: http://seconfig.sytes.net/breakpe/ Only 28 KB, portable. Safe, for WindowsXP, 2003 ...

    Stealth malware removal utility. Make UNEXECUTABLE (on your choice) protected PE files, ROOTKITS!
    You may select to break any malware file on your PC.

    aaaaa, any malware!



    P.
     
  18. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    * Welcome to Sergey Ulasen (VBA32 AntiRootkit), his thread on wilderssecurity forums here: https://www.wilderssecurity.com/showthread.php?t=253338

    * NEW version of ur GMER Today: v1.0.15.15086

    * NEW version of SPBAT v2 - modified September 6th, 2009; 473 KB (1.5 KB more than the previous version); Suspicious Process Behavior Analysis Tool!

    This is a simple yet effective PoC (Proof of Concept) designed as a usermode (Ring3) process inspection tool.

    No code injection or hacking is used in this software. It does not use a traditional kernel driver, but it is POWERFUL. Word of Brock.


    Links - in my Signature, please.


    P.
     
  19. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    How I can see the sign of presence of a kernel-mode ROOTKIT in the Windows Task Manager


    Look in your Task Manager ( like also Process Hacker, Process Explorer):
    NO rootkit in the kernel if the nonpaged Kernel Memory level is at its usual low after a reboot of your PC.
    For example, in my case: I have nonpaged Usage of approximately 8.2 MB after a restart of the PC.

    The sign of presence of a kernel rootkit - if I had over 1 to 2 MB more Non-Paged Usage after reboot.
    For me: 8.2 MB = NO rootkit; 9 - 10 MB = rootkit!


    What do you think of this tip; have you other tip like this?..


    P.
     
  20. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    GMER Today: v1.0.15.15087.


    P.
     
  21. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hello :)
    Not really with a kernel mode rootkit from within a live system. Why?..Because a kernel mode rootkit worth its salt can control system behaviour, intercepting native API and manipulating the structures in kernel mode and returning false information universally.

    Tip

    WinDbg
    Offline scanning
    Offline ( - online comparison)
     
    Last edited: Sep 16, 2009
  22. Anything on whether it reintegrates the HIPS functionality?
     
  23. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Gullible Jones, I LIVE IN HOPE, like you ...:shifty:

    P.
     
  24. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hi Meriadoc, thank you; I know that rootkits can falsify information, but I do not think that with nonpaged also. And nonpaged in Safe Mode too, you think?..

    I'm in wrath against rootkits, worst dirty malwares.
    I once lived this horrible memory of this rootkit ... and his gift ... I noticed at once: Action taken: the file was MOVED! Rootkit activity in the wild!
    And I clicked on one URL - and that was the beginning of the attack! Many fake error pages (40 - thanks AntiVir) - and in my PC the EXPLOSIONS as the firing of a gun! I pulled the power cable from the wall outlet.:gack:

    Yours terrified PROROOTECT:gack:
     
  25. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    New powerful - and light on resources - REAL-TIME defense against rootkits and other malware: it is called PE GUARD, by Opaida; you have the direct link in my Signature, please.


    PROROOTECT
     