Best Free Rootkit Scanner/Remover

Rootkits are a special kind of software tool used to hide trojans, viruses and other malware from your anti-virus scanner and other security products. Unfortunately, they are extremely effective, which means that some of you reading this will be infected even though you believe your PC to be totally clean. Thankfully, there is a new class of security product now available, called "rootkit detectors", that uses specialized techniques to detect these dangerous intruders.

Most of these detectors require quite a bit of technical skill to interpret the results, but two of the simplest to use are also amongst the most effective. The first is called Panda Anti Rootkit. It's my top recommendation for average users because it's not only good at detecting rootkits, but it's also quite effective at removing them. As a bonus, it's small and doesn't require installation, although you do have to register at the Panda website before you can download it. I suggest that all of you download this product and scan your PCs. The chances of you being infected are small, but for five minutes' work it's well worth eliminating the risk.

Panda Anti Rootkit will detect most rootkits missed by AV scanners, but it can't provide perfect detection; no rootkit detector can. That's why I suggest you use more than one.

If you are an experienced user, you should check out Sysinternals RootkitRevealer. It uses a totally different technique than Panda Anti Rootkit and BlackLight, and by using all three products together you'll be getting excellent overall detection. RootkitRevealer is more complex to use than BlackLight, and is a bit prone to false positives, so take care before you delete detected items.

For experienced users, my top recommendation is GMER, although you will need to read the documentation carefully before using this one. I like this product a lot but it's not for everyone. So if you are the type that simply likes to press the "scan" button, then stick with Panda Anti Rootkit ;>)

Currently, two of the biggest guns in the rootkit detection war are the free Chinese products IceSword and DarkSpy. They are not really detectors like the other products. Rather, they offer a set of tools that can help reveal the presence of a rootkit. These tools include a special process viewer, startup manager and port enumerator that are not fooled by rootkits. It's left to the user, though, to interpret the results. In the hands of a skilled user, these are powerful tools, but they are not of much use to beginners. The Chinese download sites are slow, so I've given local download links.

The reality is that at the present time, full protection against rootkits may require the use of multiple products, and complete removal may require a system rebuild. For more details, see my introductory article on rootkits.

Product Details

Panda Anti Rootkit
Website: http://www.pandasecurity.com/homeusers/downloads/docs/product/help/rkc/en/rkc_en.htm
Download link: www.download.com/Panda-Anti-Rootkit/3000-8022_4-10717196.html
Author: Panda Software
Date: 06/30/2008
Version: 1.08
Download File size: 304KB
License: Freeware
Operating systems supported: Windows 2000 - XP2
64 Bit Capable: no
Portable version available: no
Other languages supported: no
Additional Software Required: no

RootkitRevealer
Website: http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
Author: Bryce Cogswell and Mark Russinovich
Date: 06/30/2008
Version: 1.71
Download File size: 231KB
License: Freeware
Operating systems supported: All Windows versions
64 Bit Capable: no
Portable version available: no
Other languages supported: no
Additional Software Required: no

GMER
Website: http://www.gmer.net/index.php
Author: GMER
Date: 06/30/2008
Version: 1.0.14
Download File size: 740KB
License: Freeware
Operating systems supported: Windows NT - Vista
64 Bit Capable: no
Portable version available: no
Other languages supported: no
Additional Software Required: no

IceSword
Website: http://antirootkit.com/software/IceSword.htm
Author: XFocus
Date: 06/30/2008
Version: 1.22
Download File size: 2.1MB
License: Freeware
Operating systems supported: Windows 2000, XP, Vista (version 1.20)
64 Bit Capable: no
Portable version available: yes
Other languages supported: yes
Additional Software Required: no

DarkSpy
Website: http://www.softpedia.com/get/Antivirus/DarkSpy Anti Rootkit.shtml
Author: CardMajic
Date: 06/30/2008
Version: 1.0.5
Download File size: 626KB
License: Freeware
Operating systems supported: Windows 2000, XP, 2003
64 Bit Capable: no
Portable version available: no
Other languages supported: no
Additional Software Required: no

Dealing with the Rootkit Threat

Website: http://www.techsupportalert.com/rootkits.htm


Caveat: Products and links recommended by site visitors in our forum are not necessarily endorsed by this site. Download at your own risk!


This software category is maintained by volunteer editor Jeffrey Brown.

The review says that Panda AR requires no installation but shortly after the scan begins two of my HIPS programs (spyware terminator and winpatrol) warn me that it (Panda AR) is trying to install a file. Should I allow the installation of the file or block it?

Why not? Sounds like a false positive. No worries if you took Panda off the home page.

Hello all, I'm getting the following error message when I scan with F-Secure's BlackLight:
Scan partially completed (Error 8001 2).

The only forum I've found which addresses this -F-Secure's site was no help- suggests editing Registry Rules. I don't see why, and I'm not confident about, having to alter core system elements to accommodate third party software.
I think Blacklight "may" be having issues with my other security software: Avast! Home Edition AV v4.8; Comodo firewall v3.0.25 and/or Webroot Spy Sweeper v5.8.1 (all of which scan for rootkits, I believe).
XP Pro (SP3).
Any ideas?

P.S. I also use Panda anti-rootkit 1.08 which has always worked fine for me.... as far as I can tell. I suppose just because it never flags anything, it doesn't mean there's nothing there.
P.P.S. I don't remember having ever received any unsolicited emails from Panda.

"If" BlackLight manages a complete a scan without the 8001 2 error message, I have a 50/50 chance of either seeing that there are no hidden rootkits installed or that Master Boot Record (MBR) has been discovered.
Out of all the Rootkit Detectors I use, why is BlackLight the only one to flag this?
What are the implications of having MBR on my XP Pro (SP3) system?

hmmm, I've just updated my Webroot Spy Sweeper to v5.8.1:55 and BlackLight is now completing scans without the error message.
Thinking about it, I "may" have updated SS to v5.8.1 (from v5.5.7) around the same time the error message started appearing in BlackLight scans.

Hey! IceSword is dead, I just get 404 errors on every version I try to download off that link!

The server could have been down. It's working fine now.

Thanks

Threatfire also has a rootkit scanner and its free. I am not sure how effective it is at detection and removal. Threatfire also has a realtime behavior monitor that can prevent rootkits, viruses, trojan, spyware, etc.

Panda 1.08 freezes every time I try to use it on my computer. On the Panda forums, they seemed to be ignoring this problem, which many have encountered.

Yep, Panda freezes on my computer also. While scanning, it freezes when its progress has reached 20%, while scanning the Windows registry. Panda has never been able to complete a scan on any of the 5 computers I have tried it on... freezing on every single one. All were Windows XP (some XP Home and some XP Professional, and each had a different hardware configuration). Seems like an unstable program to me. Not sure how it can be recommended if it does not work for so many users.

Panda froze on me too, even though I was using it on a supported system (i.e. XP Service Pack 2, 32 bit). Does anybody know why it freezes? Is there a solution to this?

I use several of these anti-rootkits. Panda has not been any problem on either of my Windows XP2 Media Center Edition PCs. I wonder if it's a Windows update thing, or another security tool interfering? Bad download? Or Panda has changed the download somehow?

Hi guys, what's the best rootkit scanner for Vista besides GMER? I have a friend who only knows how to press a button, and he's got Vista, and I don't want him getting infected. Any help in the matter will be nice, thanks. Someone also told me that Grisoft is coming out with its own free version of a rootkit scanner, called Anti-Root. I don't know if it's true or how well it works. Thanks.

Hi,

Many of the suggested root-kit tools are not yet developed for Vista. You might want to suggest Avira for your friend which has a decent root-kit detector/remover. The Grisoft stand alone root-kit tool is no longer free and is now a suite: http://free.avg.com/ww.download-avg-anti-spyware-and-anti-rootkit

Thanks for your question, and I hope this helps.

There's quite a few reasons to avoid Panda. One of them is the spam issue.

"Some users have complained of regularly receiving unsolicited e-mail from Panda and have said that efforts to unsubscribe from the mailings or contact the company have been unsuccessful" ~ http://en.wikipedia.org/wiki/Panda_Security

"This site reserves the right to remove any inappropriate comments without notice."

If it is true it's relevant and it shouldn't be removed.

Hi

Well if it's true it is unacceptable.

But Panda Anti-rootkit does not require giving out any information such as e-mails.

Hi guys, great site! I came here looking for pointers, but it all seems so confusing, back and forth, this and that, and even religious or political at times! Hehe. Please keep it simple, guys!

Hi

Well if you want to keep it simple you can just read the article and not the comments.

But good discussion is what generates more ideas and people can learn more too.

The link for www.techsupportalert.com/rootkits.htm doesn't work. I found a pretty good link on Wikipedia, http://en.wikipedia.org/wiki/Rootkit that does a very good job in describing the threat and the difficulties in removing them. There are also some other free products mentioned.

There is another free rootkit scanner by Sophos (http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html). However, both Sophos and Panda do not support Windows Vista. That might be worth mentioning.
Regards,
George

Hi
Does Antivir include a rootkit scan? I am not sure, if anyone knows...

Hi

Yes, it has a built in anti-rootkit component.

Installing Gmer and Rootkit Revealer in my Vista PC produced BSOD...

I think Trend Micro Rootkit Buster should be an option, because according to AV-Test, the four AVs best at detecting rootkits are Symantec, Trend Micro, Panda and F-Secure.

«Rootkit removal proved even more problematic. Once again the specialized tools performed the best on average, with a disinfection score of a little below 66% of the samples. However, the security suites were not able to clean more than 50% of the infections and the online scanners were almost useless, with a disinfection rate of only around 32%.

We also saw a good number of crashes and related problems in this section, but sometimes the rootkit was gone after a bluescreen and one or two reboots. Tools like Avira RootKit Detection sometimes removed the Windows explorer.exe file, so the system could not be started after a 'successful' disinfection run. McAfee Rootkit Detective renamed the original Internet Explorer iexplore.exe file in two cases. Sporadically, AVG Anti-Rootkit Free also tried to remove some system files, leaving the system in an unbootable state.»

Source:
[Virus Bulletin 04/2008] Anti-Stealth Fighters: Testing for Rootkit Detection and Removal (75 KB PDF) - http://www.av-test.org/down/papers/2008-04_vb_rootkits.pdf

Hi

The key point is: many rootkits are very hard to get rid of once installed on your pc.

But you always have to remember it has to get in your computer first - there is a source. So if you always sandbox your browsing, malware has very little chance of getting into your real computer.

"Prevention is better than cure".

Detection is one thing, removal another... e.g. the Antivir rootkit detection rate is excellent, removal is very bad... this section should pick the best of both worlds. Rootkit tests by AV-Test, Virusbtn and Anti-malware.com are contradictory... I think these tests are not as thorough as they can be.
