Rootkits are becoming more prevalent and more difficult to find. Technicians need to be aware of the best software tools that will detect and remove this elusive software. Here is a list of rootkit removal tools that will work on the major operating systems.
RootkitRevealer is part of the Sysinternals suite and is a free, portable rootkit scanner. This tool was featured as a Repair Tool of the Week.
Download
Sophos sells a suite of security software, but, most notably for this list, it also offers a free rootkit detection and removal tool, available here:
Download
GMER is a powerful rootkit scanner and usually my first “go-to” tool when I suspect activity above and beyond typical malware. It is quite small and portable.
Download
TDSSKiller is a great free tool from Kaspersky. It is portable and easy to use, with a simple GUI. This tool recently helped me find a rootkit that was causing multiple browser hijacks. I could not find the rootkit with any malware scanner, HijackThis, Process Explorer, or a couple of other rootkit scanners. I ran this tool and it found it almost instantly (this particular rootkit was part of the Rootkit.Win32.TDSS family). TDSSKiller searches for the Win32.TDSS family of rootkits as well as bootkits (MBR rootkits/malware) and other suspicious services.
Download
Microsoft System Sweeper is a fairly new application (still in beta!) that you boot from a CD or flash drive. It is meant for situations where you cannot boot into a PC at all because of malicious software, which is also the situation where scanning from outside the running OS gives a rootkit the least room to hide. The program detects and removes rootkits and other malware.
Check it out here: Download
(NOTE: The following is an excerpt from the Microsoft website regarding licensing for the System Sweeper tool. Please read the full license agreement at the bottom of that page or contact Microsoft for more information.
“INSTALLATION AND USE RIGHTS.
a. Home Use. If you are a home user, then you may install and use any number of copies of the software on your personal devices for use by people who reside in your household to test how it runs with your programs. As a home user, you may not use the software in any commercial, non-profit, or revenue generating business activities.
b. Small Business. If you operate a small business, then you may install and use the software on up to ten (10) devices in your business to test how it runs with your programs.
c. Restrictions.
d. Separation of Components. The components of the software are licensed as a single unit. You may not separate the components and install them on different devices.
e. Included Microsoft Programs. The software may contain other Microsoft programs. The license terms with those programs apply to your use of them.”)
This is the rootkit scanner bundled with AVG Anti-Virus. Until AVG 2010 was released it was only available in the paid version; it now ships with the free anti-virus download as well. In my experience it works pretty well and has detected some rootkits that otherwise went unnoticed. Most well-known anti-virus suites do include a rootkit scanner.
Download
Prevx offers a suite of paid security tools; however, a free trial version that includes a rootkit scanner is available.
Download
RootRepeal is a rootkit detector that seems to be in perpetual beta, so use it at your own risk and take precautions (back up the machine first). It has an advanced rootkit detector for Windows XP and Vista. It was also featured in a Repair Tool of the Week article.
Download
Let’s not forget our Unix-based systems! Pickings are fairly slim for rootkit scanners on these operating systems, but there are two that I know of that work well. As the popularity of these systems continues to grow I expect more security concerns, and hence more tools.
A rootkit detector that checks system binaries for modifications. Like any scanner of this kind, it relies on the binaries and kernel it runs under; if those are already trojaned, run it from known-good media rather than from the suspect system.
Download
This is a free tool that searches for backdoors and exploits by comparing MD5 hashes of system files against a baseline and by looking for suspicious file activity. A hash check is only as good as its baseline: take the baseline from a clean install (or the distribution's package database), not from a machine you already suspect.
Download
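The two Unix tools above both boil down to the same technique: fingerprint the system binaries while the machine is known good, then compare later. As an added example, not code from the article or from either tool, here is that baseline-and-verify check in POSIX shell. It assumes GNU coreutils (`sha256sum`, `find`, `sort`, `mktemp`) and uses SHA-256 rather than MD5 because MD5 collisions are cheap to produce; the scratch tree it builds stands in for /bin and the three "binaries" are constructed text files, since only their hashes matter here.

```shell
#!/bin/sh
# Added example (not from the original article or the listed tools):
# baseline-and-verify integrity check of the kind a Unix rootkit scanner
# performs when it "searches system binaries for modifications".
# Assumes GNU coreutils: sha256sum, find, sort, mktemp.

hash_tree() {
    # Print "<sha256>  <path>" for every regular file under $1, sorted so
    # two runs over the same tree produce identical output. Paths are
    # relative to $1 (./name), so the baseline is tree-independent.
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done )
}

make_baseline() {
    # $1 = directory to fingerprint, $2 = baseline file to write.
    # Real use: take this from a clean install and keep it off-host or on
    # read-only media; a rootkit that can edit the baseline defeats the check.
    hash_tree "$1" > "$2"
}

verify_baseline() {
    # $1 = directory, $2 = baseline file.
    # Prints one MODIFIED/MISSING/NEW <path> line per discrepancy.
    # Returns 0 when the tree matches the baseline exactly, 1 otherwise.
    cur=$(mktemp)
    hash_tree "$1" > "$cur"
    findings=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline
                            { cur[$2]  = $1 }         # second file: current
        END {
            for (f in base) {
                if (!(f in cur))            print "MISSING " f
                else if (cur[f] != base[f]) print "MODIFIED " f
            }
            for (f in cur) if (!(f in base)) print "NEW " f
        }' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

demo() {
    # Constructed scratch tree standing in for /bin (hypothetical data).
    work=$(mktemp -d)
    mkdir "$work/bin"
    printf 'original ls\n'      > "$work/bin/ls"
    printf 'original ps\n'      > "$work/bin/ps"
    printf 'original netstat\n' > "$work/bin/netstat"
    make_baseline "$work/bin" "$work/baseline.sha256"

    # Simulate a user-land rootkit: trojaned ps (to hide its processes),
    # a dropped hidden file, and netstat deleted outright.
    printf 'trojaned ps\n' > "$work/bin/ps"
    printf 'dropper\n'     > "$work/bin/.hidden"
    rm -f "$work/bin/netstat"

    verify_baseline "$work/bin" "$work/baseline.sha256"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo
```

Run against a real tree, `make_baseline /bin /media/ro/bin.sha256` on the clean machine and `verify_baseline /bin /media/ro/bin.sha256` later, ideally from a live CD so the running kernel is not the one under suspicion. The check catches replaced, removed and dropped files; it says nothing about a kernel-level rootkit that leaves the files on disk alone and lies to the syscalls instead, which is why the bootable scanners earlier on this page still have a place.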
Lookout is a security application for Android, Windows Phone 7 and BlackBerry mobile devices. It isn’t strictly a rootkit tool, but I wanted to include a security tool for the ever-growing mobile platforms. The more a platform grows in popularity, the more it will be attacked.
Download
Not so much a “detection” tool as a repair tool, but I’d like to add Partition Wizard Business/Home Edition. It has a “Rebuild MBR” function that will obliterate any rootkit hiding out in the MBR. You can get it and use it in any fashion: installed on the machine, running their LiveCD, or from the program menu in Hiren’s BootCD’s Mini XP.
TDSSKiller has saved my butt a few times. Do we consider ComboFix in this category or not?
Don’t forget about F-Secure
LiamTek
there is also System Virginity Verifier via http://invisiblethings.org/code.html
and UnHackMe via http://greatis.com/unhackme/
When it comes to virus removal, ComboFix and SUPERAntiSpyware Portable are my favorites.
I agree, TDSSKiller and ComboFix are my favorites for rootkit detection and removal.
I also find aswMBR from Avast very useful; it covers not just MBR infections but rootkits too.
You guys need to check out a tool called OTL by one of the guys at the GeeksToGo forum.
OTL
It finds all HJT entries and waaaaaaayyy much more; it will correct incorrect/corrupt file extension associations caused by viruses. But be forewarned, read the manual at:
OTL Manual
because although it finds all the same HJT entries, it is way different from HJT, and the developer is always updating it, something I don’t think HJT has been in a while! I hope everyone finds this helpful!
Enjoy!
Dr.Web CureIt! is a malware scanner and not specifically a rootkit tool, and frankly it is not a particularly good malware scanner. However, it does have an uncanny ability to find rootkits when all else has failed. Well worth having handy; it has got me out of trouble on a few occasions.
Vba32 ARK is another top option for rootkit detection and removal.
http://www.anti-virus.by/en/vba32arkit.shtml
Here’s a comparison site worth checking out
http://www.anti-malware-test.com/?q=node/184
GMER and RootRepeal round out the top 3.
TDSSKiller is the only automated RK scanner that’s worth a damn IMO, although I haven’t tried the new MS Sweeper. I’ve never had any luck with the Sophos, AVG, Panda or Prevx RK scanners. The new RKs are just too slick.
The other thing worth mentioning is bootkits. Lately, if I have a severely infected machine and it’s not a multi-boot, I will fixmbr as a matter of course.
I have also used UnHackMe. Seemed pretty good on detection.
UnHackMe all the way.
Using RKill to first stop malware in its tracks, then Malwarebytes/SUPERAntiSpyware/Spybot S&D, and if still needed ComboFix. That has removed practically every rootkit situation I’ve come across. I am willing to test the new MS tool ’cause you never know, and it’s best to be up on something before coming down on it!!!
I recently used TDSSKiller to find a rootkit that Trend Micro, Malwarebytes and ComboFix had all missed. TDSSKiller only took ~3 minutes to run as well. Great article, thanks for the info!
Actually I found Norton’s FixTDSS to be more thorough than TDSSKiller. Had an infection that I couldn’t get rid of; TDSSKiller found nothing, but FixTDSS did. And not meaning to hawk Norton, but I’ve also been using Power Eraser with some success as well.