active root kit remover?

[footballer62]

hi, I was wondering if there is an active rook kit remover out there. I found out that some nasty root kits are some how blocking my internet access until they are removed (the internet didn't work at all until I removed them with rootkit unhooker), but the bad thing is they come back after ever pc restart, and some times even during a windows session.

[FreewheelinFrank]

Hi footballer62,

I'd recommend F-Secure BlackLight, the Panda scanner, the BitDefender scanner and the Sophos scanner listed here:

http://www.antirootkit.com/software/index.htm

[DavidR]

How did you find out that there may be a rootkit at work ?

Whilst doing this investigation, consider isolating any rootkit elements so that the samples can be sent to avast to help improve detection.

Adding them to the User Files section of the avast Chest will stop them getting up to any further mischief, from here they can be sent to avast.

[Spiritsongs]

   Hi Footballer :

     I see you followed my recommendation on Feb 28 to use Rootkit Unhooker;
     in that Post I mentioned they have Support Forums . It would be wise to
     use them at http://rku.xell.ru/forum/  . Probably their "Technical support"
     forum would be the one to use !? The Russian Programmers and their
     "associates" are very wise ; did you ever read the thread about this
     program at the highly regarded Wilders Security Forums
    ( www.wilderssecurity.com/showthread.php?t=157547&highlight=rootkit+unhooker )  ?

[FreewheelinFrank]

This might be useful:

http://www.informationweek.com/news/showArticle.jhtml?articleID=196901062

[mouniernetwork]

Maybe Avast could build a tool like this 

Al968

[footballer62]

How did you find out that there may be a rootkit at work ?

Whilst doing this investigation, consider isolating any rootkit elements so that the samples can be sent to avast to help improve detection.

Adding them to the User Files section of the avast Chest will stop them getting up to any further mischief, from here they can be sent to avast.

I found out the root kit was at work when my internet stopped working. I would open up both firefox and internet explorer with every page giving me a server not found error (every page!). So I proceeded to try the un hooker, and sure enough my pages loaded directly after that. Now at the start of windows I have to unhook this files, but I think there may still be a thing or two hidden in there, because I still get the server down every so often (but hitting the refresh button usually gets it to load after about 5 tries).

I am going to try the file thing in avast tomorrow, to see if that works, wish me luck!

[DavidR]

That seems strange activity for a rootkit, whose whole idea is stealth to effectively stop you browsing, drawing attention to itself. Good luck and keep us up to date, thanks.

[WuLFe]

yep, strange for a rootkit... there are alot of free rootkit  detectors and removers out there...

try this site out http://www.antirootkit.com/software/index.htm

good luck 

[Vlk]

GMER is the best.

[Lisandro]

GMER is the best.

Why?
Why is their 'official' website off-line?

[DavidR]

I have just visited the 'official' web site and it was on-line, the page at antirootkit.com might be out of date, plus the mirror at castlecops is fine also.

[Vlk]

The site was down for quite some time because the bad guys kept DDOSing it.
That is, their goal was to make the site inaccessible...

You can read about it here:
http://www.castlecops.com/article-6718-nested-0-0.html
and
http://www.castlecops.com/a6725-gmer_in_sanctuary.html


Cheers
Vlk

[Lisandro]

Ok, you gave me the reason for the site to be down. Thanks.
But, why do you like it that much?

[DavidR]

I just ran it to see what the interface is like and I have to say it looked like a turbo charged rootkit revealer, absolutely tons of information. I'm not sure how much help that would be to your average user.

I believe I haven't got any rootkit infections so I guess that is why there was no information as in 'this is a rootkit' alert ?