15 AntiRootkits to Detect and Remove Malware that Uses Rootkit Technology

There are many different types of computer malware and the ones that use rootkit technologies are the worst because they are hardest to detect and remove. Rootkit technology is able to hide its presence from the most basic tools built into Windows such as Task Manager, to your most trusted firewall or antivirus software and you won’t even know that it’s there. This is achieved through installing and loading kernel-mode drivers which can allow the malware to run with higher privileges.

Although 64-bit Windows operating systems are generally safe from rootkit infection because by default the operating system only accepts signed driver files, there were previous cases where legitimate digital certificates were stolen by hackers and used to sign rootkit drivers to bypass security software and Windows defenses. Antivirus software was not much of a help either because the Stuxnet worm successfully stayed infected on the computers for years before it was discovered by VirusBlokAda, the developer of VBA32 antivirus software.

Since antivirus software are far from being perfect in catching rootkits, we’ve put 15 dedicated anti-rootkit tools to the test and see if they are able to detect the 3 different keyloggers (All In One Keylogger, Invisible KeyLogger Stealth, Elite Keylogger) that uses rootkit technology which we have installed on our test system. 1. avast! ANTIROOTKIT

Avast antirootkit

This free and portable anti rootkit tool by avast! is outdated and no longer being maintained since 2008 because it has been integrated into their antivirus program but can still be downloaded directly from their server. Using rootkit detection technology based on GMER, avast! ANTIROOTKIT only managed to detect All In One Keylogger while missing the other two driver-based rootkit keyloggers. Clicking the “Fix Now!” button successfully deleted the files after a restart.

Download avast! ANTIROOTKIT


2. AVG Anti-Rootkit

AVG Anti-rootkit

This free anti-rootkit tool by AVG suffers the same fate as avast! because it has been abandoned since 2006 due to the integration of this anti-rootkit into their antivirus software. The program requires installation, a reboot and either manually run as admin or disable UAC to run. The result of AVG Anti-Rootkit is also the same as avast! where only All In One Keylogger is detected while missing Elite Keylogger and Invisible KeyLogger Stealth. The “Remove selected items” button does not delete the infected files but replaces the last character of the file’s extension with an underscore, for example from .exe to .ex_

Download AVG Anti-Rootkit


3. Bitdefender Removal Tool / Rootkit Remover

Bitdefender Rootkit Remover

We weren’t able to determine the if Bitdefender’s antirootkit tool is called “Removal Tool” or “Rootkit Remover” because the program’s name and website says differently when they are the exact same application. Bitdefender Removal Tool is free, portable and up-to-date (last update on February 2013) but can only detect known rootkits through signatures and not the undetected ones. The scan takes merely a second to tell you if there are any rootkit threats detected. Both 32-bit and 64-bit versions available. Bitdefender Rootkit Remover fail to detect all 3 rootkit keyloggers.

Download Bitdefender Removal Tool / Rootkit Remover


4. HitmanPro

HitmanPro antirootkit

HitmanPro is a popular second opinion malware scanner that first uses behavioral analysis to determine if a file is a possible threat and then automatically uploads the file to have it scanned in the cloud with 5 different antiviruses for confirmation. Although HitmanPro is shareware, you can use it to scan your computer for free while removal is only available during the 30-days trial. All In One Keylogger was detected because Ikarus and G Data indicated that the file is malicious. HitmanPro found Elite Keylogger files to be suspicious but wasn’t flagged as a threat because none of the antiviruses detected it as malicious after the cloud scan. Invisible KeyLogger Stealth wasn’t detected at all.

Download HitmanPro


5. Kaspersky TDSSKiller

Kaspersky TDSSKiller

Kaspersky TDSSKiller started off as a removal tool to detect and clean up the Alureon/TDSS/TDL rootkit and has grown to recognize a few other rootkits including bootkits. Upon testing, Kaspersky TDSSKiller missed all 3 rootkit keyloggers and even wrongly detected 3 legitimate system (.SYS) files belonging to COMODO Time Machine as suspicious objects with medium risk.

Download Kaspersky TDSSKiller


6. Malwarebytes Anti-Rootkit

Malwarebytes Anti-Rootkit is the new kid on the block for detecting and removing rootkits that is still in BETA status. It received a lot of reviews and publicity when it was released to public because everyone had very high hopes for products by Malwarebytes.

Malwarebytes Anti-Rootkit

It is unclear what variants of rootkits can be detected by Malwarebytes Anti-Rootkit because it is not mentioned in their official website, but it failed to detect any of the 3 rootkit keyloggers during testing. A very useful tool called “FixDamage” that comes together in the ZIP archive file can be used to repair damages made by rootkit by restoring important Windows services.

Download Malwarebytes Anti-Rootkit


7. McAfee Rootkit Remover

McAfee Rootkit Remover

McAfee Rootkit Remover is a very simple and small (532KB) utility to detect and remove ZeroAccess and TDSS family of rootkits. The program runs on command line window, automatically checks for updates and takes only a few seconds to scan for rootkit infections. As expected, McAfee Rootkit Remover didn’t detect all 3 rootkit keyloggers as threat because it can only recognize 2 types of rootkits that was mentioned earlier.

Download McAfee Rootkit Remover


8. Norton Power Eraser

We don’t normally see Symantec offering any of their tools for free. Even their rescue disk known as Norton Bootable Recovery Tool requires a valid product key to run. Thankfully there is one tool called Norton Power Eraser which is free to use for detecting and removing malware that is hidden deep inside the system.

Norton Power Eraser Rootkit Scan

It is a single portable executable file of only around 3MB in size. The Rootkit scan option is enabled by default in Settings and will first require a restart before performing a rootkit scan. Norton Power Eraser detected All In One Keylogger and Invisible KeyLogger Stealth. As for Elite Keylogger, one of the DLL files are flagged as unknown. Other than that, it also had 3 false positives by detecting COMODO Time Machine driver files as unsafe.

Download Norton Power Eraser


9. Trend Micro RootkitBuster

RootkitBuster is a free tool by Trend Micro that is able to check multiple locations in Windows such as the Master Boot Record (MBR), files, registry entries, kernel code patches, operating system service hooks, file streams, drivers, ports, processes and services to identify rootkit presence. It was last updated a month ago and has dedicated builds for both 32-bit and 64-bit.

Rootkit Buster

RootkitBuster only managed to detect All In One Keylogger while missing the other 2. It also has the same false detection as Kaspersky TDSSKiller and Norton Power Eraser by wrongly identifying 3 system driver files as threats.

Download Trend Micro RootkitBuster


10. UnHackMe

UnHackMe is the only shareware rootkit killer with monitoring capabilities to auto check your computer for any possible rootkit infection. The trial version of UnHackMe allows you to use it for 30 days without limitation. The program’s user interface looks simple enough for beginners to use and you can even send the generated regrunlog.txt report file to their support center to obtain advice if you’re not fully sure the detected unknown/suspicious file is indeed malicious.

UnHackMe

There are a few buttons such as stopping a service, deleting a registry key and disabling autorun to help disable the suspicious file but we found that most effective one is the “Delete File at Next Reboot” if the malware is very persistent. UnHackMe found All In One Keylogger and Invisible KeyLogger Stealth but missed Elite Keylogger.

Download UnHackMe

As you can see from the results above, very few automated rootkit detection tools manage to detect all 3 rootkits. Norton Power Eraser did the best by confirming 2 infections with 1 unknown status. There is another category of antirootkit utilities designed for more advanced users to manually analyze, decide and remove rootkits which can be found on the next page.

You might also like:

32 Comments - Write a Comment

  1. janice marlow 11 months ago
  2. Jo 12 months ago
  3. Bill 3 years ago
  4. Alexandre Marcondes Machado 3 years ago
  5. owolabi,babatunde oluwaseyyi 3 years ago
  6. John 3 years ago
  7. leonardo 3 years ago
  8. joe 3 years ago
    • Raymond 3 years ago
  9. Icaro 3 years ago
    • Raymond 3 years ago
  10. actionjksn 3 years ago
  11. Chuck 3 years ago
  12. taory manoj 3 years ago
  13. B-boy/StyLe/ 3 years ago
  14. tray 3 years ago
  15. billy13 3 years ago
  16. Smith 3 years ago
  17. Jim 3 years ago
    • Raymond 3 years ago
  18. kash 3 years ago
  19. MarkN.P 3 years ago
    • Raymond 3 years ago
  20. sinela 3 years ago
  21. Charlie 3 years ago
  22. Ron15 6 years ago
  23. Merlin_Magii 6 years ago
  24. AtOdds 6 years ago
  25. Nicks 6 years ago
  26. Sujay 6 years ago
  27. Mohamed 6 years ago
  28. Ahmad Saleem 6 years ago

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Your comment is subject to approval. Read our Terms of Use. If you are seeking additional information on this article, please ask in our forum or contact us directly.