Anyone know of a good free rootkit scanner?
I want to run it on a friend's PC...
Thanks Guys...
“Today you are You, that is truer than true. There is no one alive who is Youer than You.” – Dr. Seuss

I've never had to use one of these, but I have heard tell of several. Google shows several that I have heard of. Sophos, Avast and Kaspersky are listed among others.
BACKUP...BACKUP...BACKUP
Have a Great Day! Ted
Sony Vaio Laptop, 2.53 GHz Duo Core Intel CPU, 8 GB RAM, 320 GB HD
Win 8 Pro (64 Bit), IE 10 (64 Bit)
Complete PC Specs: By Speccy
Hi Banyarola, as you no doubt are aware, rootkits can be extremely stealthy and many standard antivirus or antimalware packages will simply not find them. If the rootkit is revealing itself by dropping other malware onto the system, the antimalware may find and eradicate those but leave the rootkit undetected.
I have had some success by running Kaspersky TDSS Killer and Sophos Anti-Rootkit, but most often the rootkit is buried inside a Windows process that is launched at boot, making it difficult to be certain about the results presented.
Another way is to run in Safe Mode without networking, which loads a restricted set of services and drivers; then run a system restore to a time before the rootkit poisoned the Windows service (returning to Safe Mode to complete the restore). That cleans up any compromised Windows service, but does not give you any indication of detections or cleaning of course.
A Google search is always BEST, when looking for something like that. It lists MANY Anti-rootkit programs.
I have this one: (FREE)
http://www.softpedia.com/get/Antivirus/RootAlyzer.shtml
I also have an Anti-rootkit app in my AVG 2012 Internet Security program.
I've also used this one (FREE)
http://www.filehippo.com/download_rootkit_revealer/
What indication do you have that there might be a rootkit problem? I would shoot at spyware, adware and viruses first. Then maybe even use a Trojan removal program, like Trojan Hunter. Rootkits would not be excluded, but further down the list of possible threats.
A lot of malware likes to hide out in temporary folders which most people NEVER clean out for the life of the PC. I've found well over 100,000 junk files on customers' PCs.
Cleaning out all those hiding places, gets rid of a lot of possible malware.
Dumping old Restore Points is another way to get rid of malware that may have been saved there.
On an XP PC that I've not worked on before, I like to run the XPCleanup.bat program that I've placed on my web page for easy download. It first counts the number of files on the C: drive, then cleans out all the normal junk folders and then does a re-count and posts the difference. That's all done in a DOS window that opens on the desktop.
It's kind of neat to show someone just how many junk files were on their PC.
If you do that BEFORE you do any malware scans, the scans will have fewer files to scan and the process will go much quicker.
* A good rule to follow: Don't scan junk, Don't defrag junk and Don't Backup Junk. Remove junk!
It will run on Vista or Win-7, but it's not as effective because many folders have been renamed or repositioned in those OSes.
So on those OSes, you'll see a lot of "File not found" or "Folder not found" error messages. The program should still run to completion.
I had a lot of fun writing the program (batch file) but it's even more fun running it on a badly neglected PC. It can be a real "Eye Opener". It quickly points out to the friend/customer that they need to be more active in maintaining their PC.
Then for my XP customers, I install the XPCleanup.bat program, without the file counter, in their Startup folder, to run minimized, for a FREE cleanup every time they boot up their PC. That goes a long, long way toward keeping a PC clean of junk files. The nice thing about a batch file is, it's technically a text file and easily edited in Notepad. You can add lines for junk folders peculiar to a specific PC, like AV quarantine folders, Firefox cache folders, etc. On my own PC, I even added the Recycle Bins.
NO piece of junk can hide from a well written batch file.
"If you can name it, you can claim it!" (Quote, The Doctor)
Sorry guys, I didn't mean for this to run so long.
The Doctor
Last edited by DrWho; 2012-02-07 at 07:34.
Experience is truly the best teacher.
Backup! Backup! Backup! GHOST Rocks!
Dick-Y (2012-02-07)
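As an added illustration of the count / clean / recount idea DrWho describes for XPCleanup.bat (this is not his batch file, and the folder list is an assumption for Vista/Win7-era layouts), here is a PowerShell version that defaults to a report only, so you can look at what is in those folders before deleting anything:

```powershell
# Added example, not DrWho's XPCleanup.bat. Counts the files on C:, inventories
# the usual junk folders, and deletes only when run with -Clean, so the default
# run is a report you can review before anything is removed.
param([switch]$Clean)

# Assumed junk locations (edit to taste, e.g. AV quarantine, Firefox cache).
# $env: variables resolve for the logged-on user only.
$junkFolders = @(
    $env:TEMP,
    (Join-Path $env:WINDIR 'Temp'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files')
)

function Get-FileCount([string]$Path) {
    # -Force includes hidden/system files; locked or unreadable items are skipped.
    # PSIsContainer is used instead of -File so this also works on PowerShell 2.0.
    $items = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
    @($items).Count
}

$before = Get-FileCount 'C:\'
Write-Host "Files on C: before: $before"

foreach ($folder in $junkFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { Write-Host "Not found: $folder"; continue }
    $n = Get-FileCount $folder
    Write-Host ("{0,8} files  {1}" -f $n, $folder)
    if ($Clean) {
        # Only the folder's contents are removed, never the folder itself.
        Get-ChildItem -LiteralPath $folder -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    }
}

if ($Clean) {
    $after = Get-FileCount 'C:\'
    Write-Host "Files on C: after:  $after  (removed $($before - $after))"
} else {
    Write-Host 'Report only; re-run with -Clean to delete the listed folder contents.'
}
```

Running it without -Clean first matches the later advice in this thread to diagnose before deleting, since anything malware has moved into a temp folder shows up in the report rather than vanishing.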
Just an observation Doc....
"Dumping old Restore Points is another way to get rid of malware that may have been saved there."
While that may be true, and is a useful way to remove annoying alerts from AV scanning software, it also removes the possibility of using System Restore, which offers a well proven route to recover system files that may have been poisoned by a stealthy rootkit. In my opinion, it's better only to remove System Restore files known to contain malware rather than all System Restore files.
....but each to his own.
Even though RootkitRevealer does NOT run on Vista or Windows 7 I urge you to read the article associated with it. The points about rootkits are still valid especially the "Interpreting the output" section. Removing rootkits is tricky business.
Joe
Well guys, all the suggestions are helpful and informative...
I am going to work on her computer remotely and she has various problems, so I just want to run various scans and try to cover as many things as I can to search out anything that may be giving her problems..
There may or may not be any infections or it just may be some of her Vista settings are not right...
Doc, hello.
You wrote : * A good rule to follow: Don't scan junk, Don't defrag junk and Don't Backup Junk. Remove junk!
A better rule is to lock your MBR; this is done in the BIOS, as you knew. Then, never a rootkit. JP.
Cleaning out 'junk' before scanning is not a good idea where recent malware is concerned - some of the 'junk' might be your own files, moved by the very malware you're scanning for.
Better to diagnose first.
handcuff36,
How do I lock the MBR?
Please advise.
Thanks and regards,
Roy
The BIOS was mentioned, but all BIOSes are not created equal. In fact, some, on brand-name PCs, are pretty lame.
If someone has a BIOS that allows locking the Master Boot Record, all well and good, but most don't.
And many Rootkit revealers are just that. They may Reveal where a Rootkit lives, but it won't remove it.
I find that somewhat disconcerting. Eh?
Well DrWhy, I'll have to check out my BIOS.
I built my own PC with an ASUS mb and have been in the BIOS many times but don't ever remember seeing that feature...
But, then again, I wasn't looking for it.
I was repairing an older PC today that was experiencing all sorts of really weird problems.
Somewhere along the line, Malwarebytes ran a scan and found and then removed two rootkits.
I'm not sure I'd ever seen MB do that before. It took two more hours to get all the CRAP off of that old PC to get it running right again.
So I guess you can add "Malware Bytes" to the rootkit "KILLER" list.
Cheers Mates!
The Doctor
Hello.
For those wishing to find out how to lock the MBR, here it goes. In my Phoenix Award BIOS page, which I found after hitting Del on booting, I go to the left pane of the offered options; the third line from the top says "Advanced BIOS Features". It then presents me with a third line saying "Virus Warning". I toggled it to Enabled, F10 out of it, and then Save and boot. Kid's play.
I have not seen this option on any laptop; has anybody? Be good, eh!