Rootkit+dns changers showing up a lot
Galdorf
05-15-2009, 01:54 PM
Wow, half my customers' machines have a rootkit+DNS changer trojan; someone out there is phishing for information.
Whenever I get a customer that says "wow, my surfing is a lot slower than it used to be", I scan their machine for rootkits and find a rootkit+DNS changer. About 50% of my customers are infected.
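A DNS changer of the kind described in this thread works by re-pointing the machine's network adapters at resolvers the victim never chose, so the quickest defender-side check is to compare the configured DNS servers with the ones the machine is supposed to use. The script below is an added example and is not code from the thread or from any of the tools it mentions: it parses `ipconfig /all`-style text (the sample here is constructed, with one adapter deliberately pointed at unexpected resolvers) and flags every resolver that is not on a hypothetical allow-list.

```python
"""Audit configured DNS resolvers against an allow-list.

Added example, not code from the original thread. The sample ipconfig
text is constructed; EXPECTED_RESOLVERS is a hypothetical set of the
resolvers this network is supposed to use (ISP or corporate DNS).
"""
import ipaddress
import re

# Constructed sample of `ipconfig /all` output: the wireless adapter has
# been re-pointed at two resolvers that are not the local router.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.11
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       198.51.100.9
"""

# Hypothetical allow-list: replace with the resolvers your network really uses.
EXPECTED_RESOLVERS = {"192.168.1.1", "192.168.1.2"}

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")
# Additional resolvers are listed on heavily indented continuation lines.
CONT_RE = re.compile(r"^\s{20,}(\S+)\s*$")


def parse_dns_servers(ipconfig_text):
    """Return {adapter_name: [dns_server, ...]} from ipconfig /all output."""
    result = {}
    adapter = None
    in_dns = False  # True while we are inside a DNS Servers list
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            result[adapter] = []
            in_dns = False
            continue
        m = DNS_RE.match(line)
        if m and adapter is not None:
            result[adapter].append(m.group(1))
            in_dns = True
            continue
        m = CONT_RE.match(line)
        if m and in_dns and adapter is not None:
            result[adapter].append(m.group(1))
            continue
        in_dns = False  # any other line ends the DNS Servers list
    return result


def audit_dns_servers(ipconfig_text, expected=EXPECTED_RESOLVERS):
    """Return a list of (adapter, server, verdict) tuples.

    verdict is "ok" for an allow-listed resolver, "unexpected" for any
    other valid address (the signature of a DNS changer), and "invalid"
    for tokens that are not IP addresses at all.
    """
    findings = []
    for adapter, servers in parse_dns_servers(ipconfig_text).items():
        for server in servers:
            try:
                ipaddress.ip_address(server)
            except ValueError:
                findings.append((adapter, server, "invalid"))
                continue
            verdict = "ok" if server in expected else "unexpected"
            findings.append((adapter, server, verdict))
    return findings


def suspicious_adapters(ipconfig_text, expected=EXPECTED_RESOLVERS):
    """Names of adapters with at least one resolver that is not allow-listed."""
    return sorted({a for a, _, v in audit_dns_servers(ipconfig_text, expected)
                   if v != "ok"})


if __name__ == "__main__":
    for adapter, server, verdict in audit_dns_servers(SAMPLE_IPCONFIG):
        print(f"{verdict:10s} {server:16s} {adapter}")
```

On a real machine you would feed the script the saved output of `ipconfig /all` and an allow-list taken from the router or the network's documentation; an adapter reported as suspicious is worth checking before running any of the cleaners discussed below, since a changed resolver also explains why update sites for the scanners stop resolving.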
smr1619
05-15-2009, 08:26 PM
What software are you using?
Galdorf
05-16-2009, 05:10 AM
Unhackme; it's the only boot-time rootkit scanner. It detects rootkits before they hook into the OS.
stevenamills
05-16-2009, 01:09 PM
Unhackme; it's the only boot-time rootkit scanner. It detects rootkits before they hook into the OS.
If you don't mind, what are your current choices for other rootkit scanning?
lawson_jl
05-16-2009, 03:57 PM
Malwarebytes has a very effective rootkit scanner. As does ComboFix.
stevenamills
05-16-2009, 04:17 PM
Malwarebytes has a very effective rootkit scanner. As does ComboFix.
I've had Combofix cite rootkit activity a number of times and tell me to write them down as we may need them later, but I've never needed them.
Is that unusual?
iptech
05-16-2009, 04:39 PM
Malwarebytes has a very effective rootkit scanner. As does ComboFix.
Combofix uses GMER which can be downloaded as a standalone rootkit finder.
Galdorf
05-17-2009, 02:52 PM
The rootkit I am finding is not found by any free rootkit scanners; I have tried them all. I knew there was something there by the way the machine was acting.
I could not go to any AV or spyware cleaning site; none of the programs I would install would update, i.e. AV, Spybot, Malwarebytes, a2free.
I tried ComboFix, SmitFraudFix, GMER, RootkitRevealer, etc. etc.
Only Unhackme seems to find it. Sure, you have to pay for it, but it's worth it in the long run; it also finds trojans and worms running in the background.
iptech
05-18-2009, 09:49 PM
Only Unhackme seems to find it. Sure, you have to pay for it, but it's worth it in the long run; it also finds trojans and worms running in the background.
Be careful with that one, I tried it and found it generated a lot of false positives.
Galdorf
05-19-2009, 02:11 PM
Be careful with that one, I tried it and found it generated a lot of false positives.
Have you tried version 5? There is a learning mode; so far not one false positive. I know what files Windows and other software and drivers use, so I never have a problem.
The scans are blazing fast, 10-12 secs. It also allows me to remove leftovers that trojans create.
In advanced mode you need to know what you're doing; I have been cleaning viruses and spyware since viruses were created (Elk Cloner).
iptech
05-19-2009, 04:15 PM
I don't know what version it was, I've deleted it off my system now, but it was downloaded from www.greatis.com so I would guess it would be the latest version.
I found it was generating false positives on software that really should be in its data set, such as the SQL driver for Outlook Business Contact Manager, my Digipad, Sony ebook reader driver, plus a couple of Norton DLLs even though they state "Compatible with all known antiviral software".
I was also unhappy about it being an installed application; anything that has to live on the system disk is bound to be prey for virus writers. I much prefer to use rootkit detectors that can be run from external media.
It doesn't get very good reviews and I'm not a fan of these "press a button to fix" tools, I like to know what's being done.
Not one for me.
Galdorf
05-19-2009, 05:21 PM
That is not a false positive; it's telling you what is running in the background and asking if it's OK. It also shows the company and directory where it is.
It's a learning mode, you have to really know what you're doing; once you say it's a false positive it puts it in a whitelist. This way you can catch zero-day trojans and rootkits.
It is sort of like hackthis, you have to know what is good and what is bad. Just now my customer dropped a laptop with this new rogue anti-spyware junk; I ran Antivir, MBAM, Spybot, SUPERAntiSpyware, a2free, GMER, Blacklight and they did not find a thing. Ran Unhackme, found a trojan and removed it in less than a min.
The reason I like it is because of the speed of the scan; it's faster than anything I have seen. But again, you need to know what files are good and which ones are bad; usually the ones with a company name are good, ones without are in question and need to be looked up.
I do like Hypersight, but it is only compatible with newer CPUs with virtualization.
There is one other besides Hypersight that you don't have to install (lite version); it's called Helios:
http://helios.miel-labs.com/2006/07/helios-videos.html
ClickRight
05-19-2009, 07:15 PM
I've had Combofix cite rootkit activity a number of times and tell me to write them down as we may need them later, but I've never needed them.
Is that unusual?
No, if you look in the log afterwards, you will probably see the rootkit that it told you to write down in the list of deleted files.
TechProsSD
05-23-2009, 04:35 AM
Malwarebytes has a very effective rootkit scanner. As does ComboFix.
yeah - MBAM and ComboFix are the silver bullets lately