Hi, I was wondering if there is an active rootkit remover out there. I found out that some nasty rootkits are somehow blocking my internet access until they are removed (the internet didn't work at all until I removed them with Rootkit Unhooker), but the bad thing is they come back after every PC restart, and sometimes even during a Windows session.
Hi footballer62,
I’d recommend F-Secure BlackLight, the Panda scanner, the BitDefender scanner and the Sophos scanner listed here:
How did you find out that there may be a rootkit at work?
Whilst doing this investigation, consider isolating any rootkit elements so that the samples can be sent to avast to help improve detection.
Adding them to the User Files section of the avast Chest will stop them getting up to any further mischief; from there they can be sent to avast.
Hi Footballer:
I see you followed my recommendation on Feb 28 to use Rootkit Unhooker; in that post I mentioned they have support forums. It would be wise to use them at http://rku.xell.ru/forum/ . Probably their "Technical support" forum would be the one to use!? The Russian programmers and their "associates" are very wise; did you ever read the thread about this program at the highly regarded Wilders Security Forums ( www.wilderssecurity.com/showthread.php?t=157547&highlight=rootkit+unhooker )?
This might be useful:
http://www.informationweek.com/news/showArticle.jhtml?articleID=196901062
Maybe Avast could build a tool like this
Al968
I found out the rootkit was at work when my internet stopped working. I would open up both Firefox and Internet Explorer with every page giving me a "server not found" error (every page!). So I proceeded to try the unhooker, and sure enough my pages loaded directly after that. Now at the start of Windows I have to unhook these files, but I think there may still be a thing or two hidden in there, because I still get the "server down" every so often (but hitting the refresh button usually gets it to load after about 5 tries).
I am going to try the file thing in avast tomorrow, to see if that works, wish me luck!
That seems strange activity for a rootkit, whose whole idea is stealth; effectively stopping you browsing draws attention to itself. Good luck and keep us up to date, thanks.
Yep, strange for a rootkit… there are a lot of free rootkit detectors and removers out there…
try this site out http://www.antirootkit.com/software/index.htm
Good luck.
GMER is the best.
Why?
Why is their ‘official’ website off-line?
I have just visited the 'official' web site and it was online; the page at antirootkit.com might be out of date, plus the mirror at CastleCops is fine also.
The site was down for quite some time because the bad guys kept DDoSing it. ;D
That is, their goal was to make the site inaccessible…
You can read about it here:
http://www.castlecops.com/article-6718-nested-0-0.html
and
http://www.castlecops.com/a6725-gmer_in_sanctuary.html
Cheers
Vlk
Ok, you gave me the reason for the site to be down. Thanks.
But, why do you like it that much?
I just ran it to see what the interface is like and I have to say it looked like a turbo-charged RootkitRevealer, absolutely tons of information. I'm not sure how much help that would be to your average user.
I believe I haven't got any rootkit infections ;D so I guess that is why there was no information such as a "this is a rootkit" alert?
Basically, it produces lots of data but only RED entries are of interest (unless you really know what to look for).
But the efficiency of the program consists in showing the RED entries whenever necessary.
Additionally, if you right-click any of the red entries, the program lets you “fix” it.
Cheers
Vlk
Thanks. I’ll give it a try.
Hi Vlk & Others:
Have never disagreed with you before Vlk, but everything I read on the various threads on the "other anti-malware software" forum at Wilders ( www.wilderssecurity.com/forumdisplay.php?f=35 ) indicates that GMER is NOT the best; see threads such as www.wilderssecurity.com/showthread.php?t=168814 and www.wilderssecurity.com/showthread.php?t=157547 and our thread at http://forum.avast.com/index.php?topic=26128.0 .
Yep, I agree with Vlk, currently using GMER and DarkSpy…
Is IceSword still being updated…?
Spiritsongs,
-
During the last year, GMER has vastly improved.
-
Saying that a certain program is BEST is of course always a bit of an exaggeration (there's nothing like BEST antivirus, BEST firewall, BEST antirootkit etc.), but what I said is my personal opinion based on certain facts and some personal sympathies.
-
I don't think the threads over at Wilders' (that you linked) indicate that GMER is "not the best". The first one doesn't mention GMER at all and the second one is one of these super-lengthy threads that never lead to anything…
-
The test carried out by informationweek (mentioned in the thread on the avast forum) is definitely NOT something I’d base my judgements on… Compare this to magazine tests of antivirus software.
Cheers
Vlk