free anti-rootkit suggestions - split from thread: Re: Panda Anti-Rootkit

Hi

Can you recommend a free anti-rootkit with better detection that is easy to use (scan and remove, not analysis)?

When I run it on my computer it detects nothing, so I'm guessing the FP rate isn't too high.

Thanks

 

Re: Panda Anti-Rootkit

I suppose the av company arks fall into scan and remove, not analysis, but seriously I find it hard to recommend any of them at the moment. Here is a list in no particular order :

AVG Anti-Rootkit free - AVG. perhaps try this one
Blacklight/fsbl.exe - F Secure.
Rootkit_Detective - McAfee.
Rootkit Buster - Trend.
Avira Rootkit Detection - Avira.
Avast aswar.exe - Avast.
Sophos.
Rootkit Uncover - Bit Defender.
RootAlyzer - Safer Networking maker of antispyware Spybot.
of course Panda pavark.

but I would recommend the arks : RkU, rktrap, RootRepeal, IceSword, gmer plus a few more...

here is something really easy and reliable for rootkit files.

 

Re: Panda Anti-Rootkit

Hi

Thanks for the list.

I know Rku, Gmer, Icesword, Darkspy, etc are really good, but I have no idea what is malware and what isn't, so it is useless to me.

I downloaded RootKitty from http://ezpcfix.net/dload/RootKitty.exe. Is this the right link? Because my AntiVir free said it was TR/Dropper.Gen.

Thanks

 

Re: Panda Anti-Rootkit

How about getting to know the programs treating it as a learning curve you'll probably learn quite alot - I've already given you the link to using IceSword.

I quickly opened an antivirus virtual machine and your right avira flags it. Probably f/p - that is the correct link. I recently built an up to date UBCD4Win CD and included Rootkitty.

edit: Ikarus, Webwasher, GData and Avast flag it also.

 

Re: Panda Anti-Rootkit

I ran RootkitRevealer on a clean WinXPproSP2 (nothing else), which has never been online, not even for activation (done by phone) and it found 3 rootkits :

HKLM\SECURITY\Policy\Secrets\SAC* 0 bytes Keyname contains embedded nulls
HKLM\SECURITY\Policy\Secrets\SAI* 0 bytes Keyname contains embedded nulls
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 80 bytes Data mismatch between Windows API and raw hive data

Talking about false positives. Pffft.

Than I ran it on my off-line image, which I use to create my off-line snapshot.
No security softwares, no internet software installed because it has no internet connection.
It found 4 rootkits :

HKLM\SECURITY\Policy\Secrets\SAC* 0 bytes Keyname contains embedded nulls
HKLM\SECURITY\Policy\Secrets\SAI* 0 bytes Keyname contains embedded nulls
HKLM\SOFTWARE\Microsoft\Windows\CurrentVerion\Installer\UserData\S-1-5-18\Products\
7775F2120911FED4E8D4B6F213B3547E\Usage\PerfectDisk
4 bytes Data mismatch between Windows API and raw hive data
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 0 bytes Access denied

Where is the 3th rootkit of my first scan ? Suddenly another Windows ?
The last one sptd\Cfg is related to Alcohol120 (ISO burner) confirmed in this thread :
https://www.wilderssecurity.com/showthread.php?t=145763

If I would spend more time on this, only God knows what I would discover more.

 

Re: Panda Anti-Rootkit

This one is new and was mentioned before by Meriadoc.
It is a newer tool that is very useful. You can run a report scan if you would like some one to help you out or use the kill process feature to terminate threats.

http://rootrepeal.googlepages.com/home

 

Re: Panda Anti-Rootkit

I ran it, a long report, that didn't make me any wiser.

 

Re: Panda Anti-Rootkit

I ran Rootkit Detective of McAfee. Didn't make me any wiser. You have to be a detective yourself to read that report.

 

Re: Panda Anti-Rootkit

Well it didn't really, did it Erik? It could very well save a lot of time...

 

Re: Panda Anti-Rootkit

Remember the organized internet mafia (e.g. ruDJ and his "spider murphy gang") scans against all known arks,
so for targeted attacks antirootkit tools are not reliable. The same is valid for AVs and wellknown Firewalls in worst case they only enforce pseudo-security feeling.
Related to Panda, look at my test results... it is far below average.

 

Re: Panda Anti-Rootkit

It's logical that RR didn't detect any rootkits on a fresh installed WinXPproSP2. I don't need to be an expert to know this.
To average users, rootkit scanners like that, are useless, they are only good for knowledgeable users (the minority).
I need a rootkit scanner that detects real rootkits and that's what every average user wants.
As always the security industry doesn't know what average users need.

 

Re: Panda Anti-Rootkit

SJ, Scandle in the restricted area, I told you...you have to keep taking the pills

Agree.

 

Re: Panda Anti-Rootkit

First of all I have to drink the coffee with Mrkvonic .

 

The paper Anti-Stealth Fighters: Testing for Rootkit Detection and Removal has tests using 30 rootkit samples and also 30 samples of malware hidden by rootkits. Products tested include 14 anti-rootkit programs, as well as some other security programs.

 

Hi

Well in that test F-Secure Anti-Virus 2008, Norton Antivirus 2008 and Panda Security Antivirus 2008 seemed very good in Vista.