Rootkit Detection and Removal Tools


Rootkits are becoming more prevalent and more difficult to find. Technicians need to be aware of the best software tools that will detect and remove this elusive software. Here is a list of rootkit removal tools that will work on the major operating systems.

Windows Based

Rootkit Revealer

Rootkit Revealer is part of the Sysinternals suite and is a free, portable rootkit scanner. This tool was featured as a Repair Tool of the Week.
Download

Sophos Rootkit Scanner

Sophos offers a suite of security software, but most notably they have a free rootkit detector and removal tool, available here:
Download

GMER

GMER is a powerful rootkit scanner and usually my first “go-to” rootkit scanner when I suspect suspicious activity above and beyond typical malware. It’s quite small and portable.
Download

TDSSKiller

A great free tool from Kaspersky. It’s portable and easy to use with a simple GUI. This tool recently helped me find a rootkit that was causing multiple browser hijacks. I could not find the rootkit with any malware scanner, HijackThis, Process Explorer, or a couple other rootkit scanners. I ran this tool and it found it almost instantly (this particular rootkit was part of the rootkit.win32.TDSS family). TDSSKiller will search for the win32.TDSS family of rootkits as well as bootkits (MBR rootkits/malware) and other suspicious services.
Download

Microsoft Standalone System Sweeper Beta

This is a fairly new application (still in beta!) that you can boot from a CD or flash drive. It is meant for situations where you can’t boot into a PC due to malicious software/activity. The program detects and removes rootkits and other malware.

Check it out here: Download
(NOTE: This is an excerpt from the Microsoft website regarding licensing for the System Sweeper Tool. Please read the license agreement at the bottom of the page or contact Microsoft for more information.
“INSTALLATION AND USE RIGHTS.
a. Home Use. If you are a home user, then you may install and use any number of copies of the software on your personal devices for use by people who reside in your household to test how it runs with your programs. As a home user, you may not use the software in any commercial, non-profit, or revenue generating business activities.
b. Small Business. If you operate a small business, then you may install and use the software on up to ten (10) devices in your business to test how it runs with your programs.
c. Restrictions.
d. Separation of Components. The components of the software are licensed as a single unit. You may not separate the components and install them on different devices.
e. Included Microsoft Programs. The software may contain other Microsoft programs. The license terms with those programs apply to your use of them.”)

AVG Rootkit Scanner

This is the rootkit scanner that comes bundled with AVG anti-virus. It was only available in the paid version up until AVG 2010 was released; now it comes bundled with the free anti-virus download. In my experience it works pretty well and has detected some rootkits that went otherwise unnoticed. Most well-known anti-virus suites do come with a rootkit scanner.
Download

Prevx

Prevx offers a suite of paid security tools; however, they do offer a free trial version that includes a rootkit scanner.
Download

RootRepeal

RootRepeal is a rootkit detector that seems to be in a perpetual beta, so use it at your own risk and take precautions. It has an advanced rootkit detector for Windows XP and Vista. This was also featured in a Repair Tool of the Week article.
Download

Linux and Apple Mac OSX Based

Let’s not forget our Unix-based systems! It’s fairly slim pickings for rootkit scanners on these operating systems, but there are two that I know of that work well. As the popularity of these systems continues to grow, I believe we will be seeing more security concerns, hence more tools.

chkrootkit

A rootkit detector that searches system binaries for modifications.
Download

rkhunter

This is a free tool that will search for backdoors and exploits by comparing MD5 hashes of system files and looking for strange file activity.
Download
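Both chkrootkit and rkhunter rely on the same basic idea: record a hash of every system binary while the machine is known to be clean, then compare the live files against that baseline so a replaced `ls` or `ps`, a dropped hidden file, or a deleted tool shows up as a mismatch. The script below is an added example written for this page, not code from either project. It assumes GNU coreutils (`sha256sum`), `find`, `sort`, `diff`, `awk` and `mktemp` are available and that paths contain no whitespace; `demo` builds its own throwaway directory tree, so it runs offline and touches no real system files.

```shell
#!/bin/sh
# Added example (not chkrootkit's or rkhunter's own code): the baseline-and-compare
# integrity check both tools perform on system binaries, written as a small POSIX
# shell script. Assumptions: GNU coreutils (sha256sum), find, sort, diff, awk and
# mktemp are available, and paths contain no whitespace. demo() builds its own
# throwaway directory tree, so the script runs offline and touches no system files.

# make_baseline DIR OUT: record "hash  ./relative/path" for every file under DIR.
make_baseline() {
    (cd "$1" && find . -type f | sort | xargs sha256sum) > "$2"
}

# verify_baseline DIR BASELINE: print one sorted MODIFIED/ADDED/REMOVED line per
# difference between the tree and the baseline; return 0 only when nothing changed.
verify_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    # diff lines starting "< " come from the baseline, "> " from the live tree;
    # field 3 is the path. A path on both sides changed hash, one side only
    # means the file was removed (baseline only) or added (live tree only).
    report=$(diff "$2" "$current" | awk '
        /^< / { old[$3] = 1 }
        /^> / { new[$3] = 1 }
        END {
            for (p in old) { if (p in new) print "MODIFIED " p; else print "REMOVED " p }
            for (p in new) { if (!(p in old)) print "ADDED " p }
        }' | sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demo MODE: build a fake bin/ and sbin/, take a baseline, and (when MODE is "tamper")
# simulate what a rootkit leaves behind: a replaced binary, a dropped hidden file and a
# deleted tool. Prints the report followed by STATUS=<exit code of verify_baseline>.
demo() {
    root=$(mktemp -d)
    baseline=$(mktemp)
    mkdir -p "$root/bin" "$root/sbin"
    printf 'original ls\n'      > "$root/bin/ls"       # constructed stand-ins for binaries
    printf 'original ps\n'      > "$root/bin/ps"
    printf 'original netstat\n' > "$root/bin/netstat"
    printf 'original sshd\n'    > "$root/sbin/sshd"
    make_baseline "$root" "$baseline"
    if [ "$1" = "tamper" ]; then
        printf 'trojaned ls\n' > "$root/bin/ls"        # replaced binary (constructed)
        printf 'payload\n'     > "$root/sbin/.hidden"  # new hidden file (constructed)
        rm "$root/bin/netstat"                         # removed tool (constructed)
    fi
    if verify_baseline "$root" "$baseline"; then status=0; else status=1; fi
    echo "STATUS=$status"
    rm -rf "$root" "$baseline"
}

demo tamper
```

The baseline is only as trustworthy as the moment it was taken, which is why the real tools ship known-good hashes and why a baseline should be stored off the machine it describes; a rootkit that hooks the kernel can also lie to `sha256sum` about file contents, which is the case the Windows tools above attack from a different angle.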

Mobile Platform

Lookout Mobile Security

Lookout is a security application for Android, Windows Phone 7, and BlackBerry mobile devices. It isn’t necessarily a rootkit tool, but I wanted to include a security tool for the ever-increasing mobile platforms. The more a platform grows in popularity, the more it will be attacked.
Download

Do you have any other rootkit detectors you would like to share? Please let us know!

Chuck Romano

About the Author

Chuck Romano is a business and technology professional with over 9 years of experience in document imaging and 11 years in computer repair. Chuck provides results-driven expertise in fields such as healthcare IT, document imaging/workflow systems, marketing, and management.

Comments (15)

  • jmd says:

    TDSSKiller has saved my butt a few times. Do we consider Combofix in this category or not?

  • Liam says:

    there is also System Virginity Verifier via http://invisiblethings.org/code.html

    and UnHackMe via http://greatis.com/unhackme/

  • When it comes to virus removal, ComboFix and SUPERAntiSpyware Portable are my favorites.

  • I agree, TDSSKiller and ComboFix are my favorites for rootkit detection and removal.

  • TechLogon says:

    I also find aswMBR from Avast very useful too – not just for MBR infection but covers rootkits too.

  • ajc196 says:

    Not so much “detection” as it is a repair tool, but I’d like to add Partition Wizard Business/Home Edition. It has a “Rebuild MBR” function that will obliterate any rootkit hiding out in the MBR. You can get it and use it in any fashion: installed on the machine, running their LiveCD, or using it from the program menu in Hiren’s BootCD’s Mini XP.

  • Chefbob says:

    Dr.Web CureIt is a malware scanner and not specifically a rootkit tool, and frankly it is not a particularly good malware scanner. However, it does have an uncanny ability to find rootkits when all else has failed. Well worth having handy; it has got me out of trouble on a few occasions.

  • Joe says:

    Vba32 ARK is another top option for rootkit detection and removal
    http://www.anti-virus.by/en/vba32arkit.shtml

    Here’s a comparison site worth checking out
    http://www.anti-malware-test.com/?q=node/184

    GMER and RootRepeal round out the top 3.

    TDSSKiller is the only automated RK scanner that’s worth a damn IMO, although I haven’t tried the new MS sweeper. I’ve never had any luck with Sophos, AVG, Panda or Prevx RK scanners. The new RKs are just too slick.

    The other thing worth mentioning is bootkits. Lately, if I have a severely infected machine and it’s not a multi-boot, I will FIXmbr as a matter of course.

  • You guys need to check out a tool called OTL by one of the guys at the GeeksToGo forum.

    OTL

    It finds all HJT entries and waaaaaaayyy much more. It will correct incorrect/corrupt file extension associations caused by viruses, but be forewarned, read the manual at:

    OTL Manual

    because although it finds all the same HJT entries, it is way different from HJT, and the developer is always updating it, something I don’t think HJT has been in a while! I hope everyone finds this helpful!

    Enjoy!

  • Arnel says:

    I have also used UnHackMe. Seemed pretty good on detection.

  • core says:

    UnHackMe all the way

  • Using RKill to first stop malware in their tracks, then Malwarebytes/SUPERAntiSpyware/Spybot S&D, and if still needed ComboFix. That has removed practically every rootkit situation I’ve come across. I am willing to test the new MS tool cuz you never know, and it’s best to be up on something before coming down on it!!!

  • Adam says:

    I recently used TDSSKiller to find a rootkit that Trend Micro, Malwarebytes and ComboFix had all missed. TDSSKiller only took ~3 mins to run as well. Great article, thanks for the info!

  • Jason says:

    Actually I found Norton’s FixTDSS to be more thorough than TDSSKiller. Had an infection that I couldn’t get rid of; TDSSKiller found nothing… but FixTDSS did. And not meaning to hawk Norton, but I’ve also been using Power Eraser with some success as well.