rootkits detection and removal


mc42

Greetings :( .

These days most antiviruses contain anti-rootkit tech, meaning they can scan for and detect rootkits. Malwarebytes itself is also capable of scanning for and detecting them. Blacklight is easy to use, but not too effective against most modern rootkits because it hasn't been updated for a long time. Most of the time, if a standalone anti-rootkit scanner is used by an expert it is either GMER or RootRepeal, but be warned: these tools are only to be used under expert supervision because they are powerful and don't contain blacklists and whitelists for good and bad rootkits, so the logs they create need to be analyzed by an expert who knows what to look for. By good rootkits, what I mean is rootkits that are used in Windows for legitimate purposes (such as the kernel-level drivers used by the majority of antivirus software).


Never heard of that one?

Here is the Prevx site. You can scan for free, but have to register and pay to remove. I used the free scanner to detect the file locations of a nasty rootkit, then went in and manually deleted. Good stuff.

Here is a link to the Wilders Security forum. There is a section just for Prevx. You can receive excellent help from their support there. You should check it out.


How on earth could you remove a rootkit "manually"? You can't see it or its registry entries, even when showing hidden and system files, that's what makes it a rootkit. You'd need something besides Windows Explorer to get at it, which is why I mentioned GMER and RootRepeal :) .

I guess it wasn't a rootkit then. Could it have been the drivers that were regenerating the malware? MBAM kept finding the same file and when I ran Prevx it showed 3 or 4 hidden files. I went in manually and deleted those files/drivers (can't remember). After that all was good. Had the experts here check his logs and all was clean. Sorry, must be wrong on exactly what it was.

PS. I told him I had no business doing this, but he didn't care. He was going to switch out PCs if I couldn't fix it. ;)


No problem ;) . Most infections these days are pretty complex, often employing multiple tactics and many components, hence the reason you often see things like Trojan.Downloader in detection logs from various AVs and AM tools. They download and install other malware on the user's system to further infect and/or control it, often working in tandem (the same way many rootkits and trojans now do in order to protect an installed rogue security software).


How on earth could you remove a rootkit "manually"? You can't see it or its registry entries, even when showing hidden and system files, that's what makes it a rootkit. You'd need something besides Windows Explorer to get at it, which is why I mentioned GMER and RootRepeal ;) .

I remove rootkits manually all the time. I use a combination of tools such as GMER, RootRepeal, Rootkit Unhooker etc. to identify the hidden files and registry entries. Then I boot the computer with an ERD Commander boot disk and manually delete the offending files and registry entries. I find this is a lot easier than having to 'unhook' things or paste commands into ComboFix.

As you say though, you can't see the rootkit infected files and registry entries to delete them under a normal Windows installation. However, because the rootkit is inactive under an ERD Commander PE environment, all hidden files and registry entries automatically become visible and can easily be manually deleted.
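The approach described in the posts above (tools like GMER and an offline PE boot reveal what the running system hides) is a cross-view comparison: the same disk and registry are enumerated from inside the live OS and again from an environment where the rootkit's hooks are not loaded, and anything that only shows up offline is suspect. The script below is an added illustration of that comparison, not code from the thread or from any of the tools named in it; the file paths, sizes, registry keys and the "known good" allowlist are all constructed sample data.

```python
"""Cross-view rootkit triage: diff a live (in-OS) listing against an offline one."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Entry:
    kind: str                  # "file" or "registry"
    path: str                  # file path or registry key path
    size: Optional[int] = None # file size in bytes; None for registry entries

# Constructed sample: what Explorer / the registry APIs report on the running system.
LIVE_VIEW = [
    Entry("file", r"C:\Windows\System32\drivers\ntfs.sys", 574976),
    Entry("file", r"C:\Windows\System32\drivers\example_port.sys", 96512),
    Entry("file", r"C:\Windows\System32\drivers\av_filter.sys", 88064),
    Entry("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\av_filter"),
]
# Constructed sample: the same disk enumerated from an offline PE boot (no rootkit hooks active).
OFFLINE_VIEW = [
    Entry("file", r"C:\Windows\System32\drivers\ntfs.sys", 574976),
    Entry("file", r"C:\Windows\System32\drivers\example_port.sys", 96768),  # size differs from live view
    Entry("file", r"C:\Windows\System32\drivers\av_filter.sys", 88064),
    Entry("file", r"C:\Windows\System32\drivers\xyzq.sys", 40960),            # absent from live view
    Entry("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\av_filter"),
    Entry("registry", r"HKLM\SOFTWARE\ExampleAV\SelfProtect"),                 # hidden, but vetted below
    Entry("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\xyzq"),         # absent from live view
]
# Constructed allowlist (hypothetical): entries the analyst has already confirmed as legitimate.
KNOWN_GOOD = {r"hklm\software\exampleav\selfprotect"}

def _index(view: List[Entry]):
    return {(e.kind, e.path.lower()): e for e in view}

def cross_view_diff(live: List[Entry], offline: List[Entry]) -> Tuple[List[Entry], List[Tuple[Entry, Entry]]]:
    """Return (hidden, mismatched): entries only the offline view has, and files present in
    both views whose sizes disagree (the live view may be filtering reads of a patched file)."""
    live_idx, off_idx = _index(live), _index(offline)
    hidden = [e for k, e in off_idx.items() if k not in live_idx]
    mismatched = [(live_idx[k], e) for k, e in off_idx.items()
                  if k in live_idx and e.kind == "file" and live_idx[k].size != e.size]
    return hidden, mismatched

def triage(hidden: List[Entry], known_good=KNOWN_GOOD) -> List[Entry]:
    """Drop hidden entries already vetted by the analyst; everything left needs a human look."""
    return [e for e in hidden if e.path.lower() not in known_good]

if __name__ == "__main__":
    hidden, mismatched = cross_view_diff(LIVE_VIEW, OFFLINE_VIEW)
    for e in triage(hidden):
        print(f"HIDDEN {e.kind}: {e.path}")
    for live_e, off_e in mismatched:
        print(f"SIZE MISMATCH {live_e.path}: live={live_e.size} offline={off_e.size}")
```

As the first post notes, the tools themselves carry no good/bad lists, so the allowlist here stands in for the analyst's own judgement about which hidden components belong to legitimate software.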
