Which Rootkit Removal Tool do you use?

Discussion in 'polls' started by Brian_12, Nov 21, 2009.

Which Rootkit Removal Tool do you use?

  1. Panda Anti-Rootkit: 7 vote(s), 8.3%
  2. TrendMicro RootkitBuster: 6 vote(s), 7.1%
  3. GMER: 31 vote(s), 36.9%
  4. F-Secure Blacklight: 7 vote(s), 8.3%
  5. Sophos Anti-Rootkit: 12 vote(s), 14.3%
  6. McAfee Rootkit Detective: 4 vote(s), 4.8%
  7. SysProt AntiRootkit: 1 vote(s), 1.2%
  8. UnHackMe: 3 vote(s), 3.6%
  9. RootRepeal: 10 vote(s), 11.9%
  10. Other: 38 vote(s), 45.2%

Multiple votes are allowed.
  1. Brian_12

    Brian_12 Guest

    Hi all, I'm new to the forums. I'm glad to be here and I look forward to learning a lot. I'll start my first post with a poll.

    I use GMER and F-Secure Blacklight.

    Which anti-rootkit(s) do you use?
     
  2. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
    I will vote for other, since I don't use any specific one. See my sig. :p
     
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
  4. progress

    progress Guest

    TrendMicro RootkitBuster :p

    Thank you for this interesting list, unfortunately many of them are incompatible with Win 7 :doubt:
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    On units that I'm servicing, I use RKU, gmer, and others. On my own, none. Rootkit removers aren't necessary when a default-deny security policy won't allow them to install in the first place.
     
  6. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills, WI.
  7. Brian_12

    Brian_12 Guest

    Radix is outdated.
     
  8. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    WinDbg
     
  9. Brian_12

    Brian_12 Guest

    Meriadoc, why use a debugging tool when you can use an actual antirootkit that finds rootkits themselves?
     
  10. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Of course it is one of the best tools for this.

    By using WinDbg, and knowing how to use it, you may not limit yourself to the power of an ARK, while applying the same sort of approaches as anti-rootkit tools use.

    [expanded post]
     
    Last edited: Nov 22, 2009
  11. Brian_12

    Brian_12 Guest

    I forgot about RKU. Is it still being developed? Where can I download the latest version?
     
  12. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    expanded last post

    In fact it was updated yesterday. Here : RkU3.8.382.584

    runs on 7 ance
     
    Last edited: Nov 22, 2009
  13. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Likewise for me (although I'm not good enough to service computers!). I used F-Secure Blacklight in the past and Avira lately, but I doubt I will ever find anything, as nothing will execute without my approval and in a virtual environment.
     
  14. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Here's a nice tool, Kernel Detective by GamingMaster, supports 7.
     
  15. Brian_12

    Brian_12 Guest

    True, but that is only of any use to people with a higher-than-intermediate knowledge of kernel debugging. This will rule out about 95% of the people here.

    Also, more reformats are caused by these things than by anything else!


    Thanks for the link, but that version is unstable.
    What is the most stable version?
     
  16. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
    I use Prevx 3 and it does a good damn job! :thumb:

    TH
     
  17. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    But ARKs need knowledge; the useful tools that generate the same information as WinDbg are also advanced tools.

    Actually, some of the learning curve of WinDbg isn't so steep.

    For example, using a good antirootkit tool such as RkU, RootRepeal or Kernel Detective, we can look up hooked entries in the SSDT (System Service Table) and IDT (interrupt dispatch table); some tools highlight these in red.

    In WinDbg we can also do this by dumping said table using the command "!idt -a".

    You could look for patched functions with "!chkimg -d nt".

    What you need to do is interpret the output, for example...

    List processes in WinDbg with "!process 0 0", then compare with the list in a process explorer, say Sysinternals' tool, Task Manager or Process Hacker. A discrepancy would point to a rootkit.

    ARKs simplify some of this by showing you what is hidden; some of the information needs the user to investigate further.

    I've never had to reformat due to using WinDbg.
     
    Last edited: Nov 23, 2009
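The cross-view check Meriadoc describes above, comparing the kernel's process list from "!process 0 0" against what a user-mode process viewer shows, as an added example that is not from the thread, from WinDbg or from any of the tools named in it: a Python script that parses constructed sample output of both views and reports the processes visible only on the kernel side, which is the discrepancy that would point to something hiding itself. Both the debugger dump and the tasklist-style CSV below are made-up sample data; the one detail worth noticing is that the Cid field in "!process" output is hexadecimal, so it has to be converted before it can be matched against decimal PIDs.

```python
"""Cross-view process comparison: kernel-side '!process 0 0' output versus a
user-mode process list.  Added example; not code from the thread or WinDbg.
All input below is constructed sample data, not captured from a real system."""
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape '!process 0 0' prints: one header line per
# process followed by indented detail lines, one of which names the image.
KD_PROCESS_DUMP = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS 89c5f830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00185000  ObjectTable: e1000cd0  HandleCount: 541.
    Image: System

PROCESS 89a1e020  SessionId: none  Cid: 0178    Peb: 7ffdf000  ParentCid: 0004
    DirBase: 0b3c0020  ObjectTable: e1a3b5c8  HandleCount:  21.
    Image: smss.exe

PROCESS 8995bda0  SessionId: 0  Cid: 01c0    Peb: 7ffd8000  ParentCid: 0178
    DirBase: 0b3c0040  ObjectTable: e1b0f2a0  HandleCount: 412.
    Image: csrss.exe

PROCESS 8989f2d8  SessionId: 0  Cid: 0354    Peb: 7ffde000  ParentCid: 01c0
    DirBase: 0b3c0100  ObjectTable: e1c4d318  HandleCount:  73.
    Image: unknown.exe
"""

# Constructed sample in the shape 'tasklist /FO CSV' prints (PIDs are decimal).
# Note that Cid 0354 (decimal 852) has no counterpart here.
USER_MODE_LIST = """\
"Image Name","PID"
"System","4"
"smss.exe","376"
"csrss.exe","448"
"""

KD_HEADER_RE = re.compile(
    r"^PROCESS\s+[0-9a-fA-F]+\s+SessionId:\s*\S+\s+Cid:\s*([0-9a-fA-F]+)"
)
KD_IMAGE_RE = re.compile(r"^\s+Image:\s*(\S+)")


def parse_kd_processes(dump: str) -> Dict[int, str]:
    """Map PID -> image name from '!process 0 0' style text.

    The Cid field is hexadecimal: 'Cid: 0178' is PID 376, not 178."""
    procs: Dict[int, str] = {}
    pid = None
    for line in dump.splitlines():
        m = KD_HEADER_RE.match(line)
        if m:
            pid = int(m.group(1), 16)
            continue
        m = KD_IMAGE_RE.match(line)
        if m and pid is not None:
            procs[pid] = m.group(1)
            pid = None
    return procs


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Map PID -> image name from 'tasklist /FO CSV' style text."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def compare_views(kernel: Dict[int, str],
                  user: Dict[int, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Cross-view diff of the two process lists.

    hidden_from_user_mode: kernel knows the PID, user-mode viewer does not
                           (the rootkit indicator the thread talks about).
    only_in_user_mode:     seen by the viewer but not the debugger; usually a
                           process that exited between the two snapshots.
    name_mismatch:         same PID, different image name in the two views."""
    hidden = sorted((p, n) for p, n in kernel.items() if p not in user)
    vanished = sorted((p, n) for p, n in user.items() if p not in kernel)
    renamed = sorted((p, f"{kernel[p]} != {user[p]}")
                     for p in kernel.keys() & user.keys()
                     if kernel[p].lower() != user[p].lower())
    return {"hidden_from_user_mode": hidden,
            "only_in_user_mode": vanished,
            "name_mismatch": renamed}


def report() -> Dict[str, List[Tuple[int, str]]]:
    """Run the comparison over the constructed sample data."""
    return compare_views(parse_kd_processes(KD_PROCESS_DUMP),
                         parse_tasklist_csv(USER_MODE_LIST))


if __name__ == "__main__":
    for category, entries in report().items():
        print(f"{category}: {entries or 'none'}")
```

Processes that start or exit between the two snapshots show up as benign differences, so the two lists should be taken as close together in time as possible and any entry in the "hidden" set re-checked before drawing a conclusion from it.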
  18. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Stable here so far.

    Previous RkU release blog entry RkU3.8.380.580 Or Windows 2000 fix RkU3.8.380.581
     
    Last edited: Nov 23, 2009
  19. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills, WI.
    How is that?
     
  20. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    GMER and Rootkit Repeal.
     
  21. Brian_12

    Brian_12 Guest

    tester, I say that simply because it isn't the latest antirootkit out there. It hasn't been updated since Jan 2008. Also, it's only compatible with Windows 2000 and Windows XP.
     
  22. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills, WI.

    I see.
    I thought it was updated about 3 months ago.
    Can't find confirmation, so I may be wrong about that.
     
  23. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,980
    Location:
    U.S.A.
    the Tester, is this usec.at forum post, "Radix 1.0.0.9 released" of August 20th, 2009, what you were thinking about?

    Re: Radix Anti-Rootkit
     
  24. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills, WI.

    Yes it is JRViejo.
    So Radix was updated this past August.
    Thanks for finding and linking that. :thumb:
     
  25. Brian_12

    Brian_12 Guest

    My mistake. :oops: Thanks for the information jrviejo.
     