Last week I published a few articles that mentioned rootkits, which are built to stay completely hidden unless you use a special tool that detects them. Most of the time a rootkit is used to keep malware that already has administrator-level access on the computer hidden from the user and from security software. A normal task manager such as AnVir, Process Explorer or any similar program will not see the rootkit's process, and the rootkit can also hide its own folder and files from Windows Explorer even when "Show hidden files" and "Show protected operating system files" are enabled.
Many advanced remote administration tool (RAT) trojans have the option to build a server file with rootkit capability, but fortunately it is seldom used, because the feature is very sensitive: if the programmer is not very good, the rootkit can make Windows unstable, and the attacker will probably lose control of the infected machine when the user decides to reformat the hard drive and reinstall Windows. I have been wanting to put together a list of working antirootkits that can detect and easily clean any rootkit found on the computer.
As a test, I installed a keylogger that uses rootkit techniques to hide itself and then ran each antirootkit to check whether it could detect and remove the hidden keylogger. I will not reveal which keylogger I used, because the results would surely help its programmer improve its evasion of antirootkit detection.
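The trick that all of the tools below rely on is cross-view detection: take the same inventory (processes, files, registry keys) through two or more independent paths and treat anything that shows up in one path but not the other as hidden. As an added example that is not part of the original post, here is that idea applied to processes from user mode in PowerShell. The CrossView.Native class, the function names and the PID range are my own choices; run it from an elevated prompt (on PowerShell 2.0 replace Get-CimInstance with Get-WmiObject).

```powershell
# Added example (not from the original post): a user-mode cross-view check for
# hidden processes, the same idea tools such as RootkitRevealer and GMER apply
# to processes, files and registry keys. Run from an elevated PowerShell prompt.
# The CrossView.Native class, the function names and the PID range are my own.

Add-Type -Namespace CrossView -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
"@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # Vista and later; use 0x400 (PROCESS_QUERY_INFORMATION) on XP
$ERROR_ACCESS_DENIED = 5                      # the PID exists but we are not allowed to open it

function Get-ApiProcessView {
    # View 1: the Win32 enumeration that Task Manager style tools rely on.
    $view = @{}
    Get-Process | ForEach-Object { $view[[int]$_.Id] = $_.ProcessName }
    return $view
}

function Get-WmiProcessView {
    # View 2: WMI/CIM, served by a different process (the WMI provider host).
    $view = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object { $view[[int]$_.ProcessId] = $_.Name }
    return $view
}

function Get-HandleProcessView {
    # View 3: brute-force OpenProcess on every possible PID. This resolves the
    # PID through the kernel's CID table instead of walking the process list,
    # so a process hidden by hooking NtQuerySystemInformation, or unlinked from
    # ActiveProcessLinks, is still found here.
    $view = @{}
    for ($candidate = 4; $candidate -lt 65536; $candidate += 4) {   # NT PIDs are multiples of 4
        $h = [CrossView.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$candidate)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($h -ne [IntPtr]::Zero) {
            $view[$candidate] = 'opened'
            [void][CrossView.Native]::CloseHandle($h)
        } elseif ($err -eq $ERROR_ACCESS_DENIED) {
            $view[$candidate] = 'access denied'
        }
    }
    return $view
}

function Compare-ProcessViews {
    param($ApiView, $WmiView, $HandleView)
    # Anything the kernel knows about that either enumeration does not list.
    $findings = @()
    foreach ($id in $HandleView.Keys) {
        $inApi = $ApiView.ContainsKey($id)
        $inWmi = $WmiView.ContainsKey($id)
        if (-not ($inApi -and $inWmi)) {
            $findings += [pscustomobject]@{
                PID        = $id
                InApiView  = $inApi
                InWmiView  = $inWmi
                HandleView = $HandleView[$id]
            }
        }
    }
    return $findings
}

# Take the three snapshots back to back to keep the race window small ...
$api     = Get-ApiProcessView
$wmi     = Get-WmiProcessView
$handles = Get-HandleProcessView
$suspects = Compare-ProcessViews -ApiView $api -WmiView $wmi -HandleView $handles

# ... then re-open every flagged PID, so a process that merely exited between
# snapshots drops out and only PIDs that are still alive but unlisted remain.
$confirmed = foreach ($s in $suspects) {
    $h = [CrossView.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$s.PID)
    if ($h -ne [IntPtr]::Zero) {
        [void][CrossView.Native]::CloseHandle($h)
        $s
    } elseif ([System.Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq $ERROR_ACCESS_DENIED) {
        $s
    }
}

if ($confirmed) { $confirmed | Format-Table -AutoSize } else { Write-Host 'No hidden processes found by cross-view.' }
```

A rootkit that also hooks NtOpenProcess, or filters handle creation with a kernel callback, defeats this check; that is exactly why the tools reviewed below install a driver and read kernel structures directly, so treat the script as a sanity check rather than a replacement for them. The same comparison applies to files (a Win32 directory listing against the raw NTFS structures) and to registry keys, which is how RootkitRevealer works.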
1. McAfee Rootkit Detective 1.1
- Last Updated: October 2007
- Support Windows 7: No
- Detection: Yes (XP)
- Removal: Yes (XP) by renaming the files
2. Trend Micro RootkitBuster 2.8
- Last Updated: November 2009
- Support Windows 7: Yes
- Detection: Yes
- Removal: Failed on both XP and 7 (The selected hidden object(s) can't be deleted)
3. Sophos Anti-Rootkit 1.5
- Last Updated: July 2009
- Support Windows 7: Yes
- Detection: Yes
- Removal: Successful
4. F-Secure BlackLight 2.2
- Last Updated: September 2008
- Support Windows 7: No
- Detection: Yes (XP)
- Removal: Successful (XP) by renaming the files
5. Avira AntiRootkit Tool 1.1
- Last Updated: November 2009
- Support Windows 7: Yes
- Detection: Yes
- Removal: Yes (XP), No (7)
- Needs at least one Avira product installed to run the AntiRootkit Tool
6. RootkitRevealer 1.7
- Last Updated: November 2006
- Support Windows 7: No
- Detection: No
- Removal: No
7. Tizer Rootkit Razor 2.0
- Last Updated: March 2010
- Support Windows 7: Yes
- Detection: Yes (Detected rootkits in Process Scan)
- Removal: Yes (Right click > Terminate Process and Delete File)
8. SanityCheck 2.0
- Last Updated: November 2009
- Support Windows 7: Yes
- Detection: Yes
- Removal: No (Does not have a removal feature)
9. RemoveAny 2.8
- Last Updated: May 2010
- Support Windows 7: Yes
- Detection: No (Only 1 DLL file is detected, with many false positives in expert mode, while simple mode can't find anything)
- Removal: No
10. GMER 1.0
- Last Updated: December 2009
- Support Windows 7: Yes
- Detection: Yes
- Removal: Yes (Manually kill the process using GMER and delete the rootkit)
On Windows 7, run every antirootkit by right-clicking the file and selecting Run as administrator, because each of them has to install a kernel driver before it can scan. If you have User Account Control disabled, an administrator account already runs with full rights and the extra step is not needed. Do note that this test was made with only one rootkit, so it cannot be treated as the final word on the best antirootkit. I just wanted to list them so I know where to download them if I need one.
The Romanian language is being murdered here by IT people lacking even the most basic culture!
SHAME
blog.alisa.sh/2009/06/09/tdss-rootkit-cleaner/
BEST!
had to deal with this 2 weeks ago =(
Raymond,
My name is Valery. I am the only developer of RemoveAny.
Thank you very much for including my anti-spyware tool in your testing. Being on the list of anti-rootkits is a great honor for me.
Yes, RemoveAny may not detect some (or most) rootkits, but it is difficult for a single developer to compete with firms.
RemoveAny is not an anti-rootkit like GMER (which is really powerful) or McAfee Rootkit Detective. RemoveAny is anti-spyware that may detect and delete rootkits using heuristics.
It would be appreciated if you could send me some rootkit samples. It will help me to improve RemoveAny.
Thanks,
Valery.
GMER: outstanding tool.
Useful test Ray, very useful.
Thanks a bunch Ray!!!
A very useful posting Raymond – Thank you.
In view of other members' postings here, would you please similarly test their suggested programs?
Thank you.
It would be interesting to know if that keylogger would have been detected/blocked by Zemana and/or SpyShelter. Would you happen to know, Raymond? Thanks!
btw
Prevx is just an MD5 scanner and complete garbage; if you want to remove a serious infection you have to contact support.
UnHackMe is complete garbage
Raymond, you've left out all the real anti-rootkits and included lame and outdated tools instead... RootRepeal, RootkitUnhooker, XueTr, vba etc. are the tools that are up to date.
Here, have a look at this that I found online: ntinternals.org/driver_detection_test.php
Appreciate this article. Thanks!
Ran a rootkit scan and it came up with two (gsnmwq.exe, hvlhsz.exe). I do not know these two; Sophos stopped them but did not remove them.
Hello.
Why didn't you use UnHackMe in your test? I remember you made a post about it some time ago.
It is clear that you have to be an advanced user to handle rootkits. Try SysProt AntiRootkit: hidden process detection and removal, hidden driver detection, SSDT hook detection and removal, kernel inline hook detection and removal, sysenter hook detection, TCP/UDP port info, file system browser, hidden services registry key detection and removal.
majorgeeks.com/SysProt_AntiRootkit_d5708.html
Radix: Detects and removes rootkits using sophisticated methodologies. Detects and repairs drivers that have been modified by rootkits. Detects and repairs processes modified by rootkits. Detects and reveals hidden processes and files, including Alternate Data Streams (ADS). Allows the removal of "locked" or "unremovable" processes and files. Allows dumping memory areas from processes. Shows the Global Descriptor Table (GDT), the Import Address Table (IAT) and the Interrupt Descriptor Table (IDT) for advanced rootkit detection. Shows hidden registry keys. Operates in both command line mode for power users and as a graphical tool for regular users.
usec.at/radix.html
You missed out Panda Anti-Rootkit and IceSword.
download.cnet.com/Panda-Anti-Rootkit/3000-8022_4-10717196.html?tag=mncol
antirootkit.com/software/IceSword.htm
Mind if I make a suggestion?
Change all the links to the homepage of each antirootkit, so that if it is updated in the future users can get the updated version.
Now that's a really good post, Ray!
I love the posts in which you test software for us!
I guess in November you tested all the AVs to find out the best, and you said Avira is the best free AV, so I switched to that!
Now Ray, most of the AVs have introduced their new versions (for example Avast, which came with good behavior detection).
The new Avira 10 is much more sluggish and fails to detect as many viruses as it used to. So what's your call?
Stay with Avira or switch to some other free AV?
Thanks.
@acr: I have tested Prevx free and it managed to detect one of the rootkit exe files as Medium Risk Malware, but I can't test the cleaning feature as it requires a license. As for RootRepeal, I can't get the scan to run because I am getting the error DeviceIoControl Error.
@chris: You may want to consult forums that help with malware about the 35 hidden rootkits detected by McAfee. Anyway, McAfee antirootkit is very old; you might want to try Sophos or Trend.
@Sujay: Thanks. I only know of one rootkit, so I only get to test these antirootkits with one.
As usual, great test from Ray. Do you have any wish to repeat it with other rootkits?
thanks raymond
good info
A quick scan using McAfee shows that I have 35 hidden rootkits. How do I know which one to delete?
Non-adept users should not try to run antirootkit tools, nor be recommended to do so.
It can be a fast way to an unbootable computer.
Go get the help of an expert at a tech forum.
nice test, thanks
Any chance you could try your rootkit against Prevx? The free version is supposed to be able to detect and remove MBR rootkits.
Another stand-alone rootkit detector is RootRepeal:
sites.google.com/site/rootrepeal/
Nice article, thanks for giving us links to many antirootkits. It will be good for us to keep at least one of these products on our computer and USB. Thanks.