Best ROOTKIT detector/remover

Posted on 2011-09-30
Last Modified: 2013-11-22
I am having a devil of a time removing a series of "ZW" rootkits. The first one is ZACreateKey, which is somehow hooked to spzr.sys. I need a solution to this, or do I just do a low-level format on the drive and reinstall XPP? The issue is that more than likely there are other PCs on the network that also are infected. So... I need a quick & dirty rootkit revealer and a rootkit remover. Any suggestions would be most appreciated and welcomed.
Question by:infosys3

Expert Comment

by:Ashok Dewan
ID: 36892973
No one is best, but you can try. I use GMER, Tuluka.
List of antirootkits:
    ATool
    ATool (mirror)
    Antivir Antirootkit
    Avast! Antirootkit
    AVZ
    Catchme
    CodeWalker ARK
    CodeWalker ARK (mirror)
    CsrWalker
    CsrWalker (mirror)
    DarkSpy 1.05
    DarkSpy 1.05 (mirror)
    DeepMonitor
    Deep System Explorer (dead link)
    Deep System Explorer (mirror)
    Dr. Web DwShark (mirror)
    Dr. Web DwShark (newer version) (mirror)
    ESET SysInspector
    F-Secure Blacklight
    Filter Monitor
    FindDll 2 (by Eric_71)
    GMER
    Helios
    Helios Lite
    HiddenFinder
    Hook Analyzer
    HookShark (dead link)
    HookShark (mirror)
    IceSword 1.22 (english)
    IceSword 1.22 (english) (mirror)
    Kernel Detective v1.3.1
    Kernel Detective v1.3.1 (mirror)
    kX-Ray
    Mandiant Memoryze
    McAfee Rootkit Detective
    modGREPER
    NIAP Rootkit Detect Tools
    NIAP Rootkit Detect Tools (mirror)
    Panda Antirootkit
    Process Hunter
    Process Walker
    Process Walker (mirror)
    Radix
    RegReveal
    RootkitDetector
    Rootkit Unhooker 3.8 SR2
    Rootkit Revealer
    RootQuest (dead link)
    RootQuest (mirror)
    RootRepeal
    Safe'n'Sec Personal Pro + Rootkit Detector
    SafetyCheck 1.7
    SanityCheck 2.00
    Sophos Antirootkit
    Stealth MBR Rootkit Detector
    SysProt Antirootkit
    SysReveal
    TDSS Remover
    Tizer Rootkit Razor
    TrendMicro RootkitBuster
    Tuluka Kernel Inspector
    Tuluka Kernel Inspector (mirror)
    VBA32 Antirootkit
    XueTr
    XueTr CLI
    YasKit 1.223
    YasKit 1.223 (mirror)

Accepted Solution

Ashok Dewan earned 250 total points
ID: 36892989

Author Comment

ID: 36894310
Wow... lots of solutions. Many thanks, but anything in particular about the "ZW Rootkit(s)"?
Author Comment

ID: 36894320
Sorry, but in your opinion is it just easier to low-level format the drive and start again with XP-SP2 and reload all apps? I am just not comfortable knowing that all the rootkits have been disabled, deleted or quarantined. Again, many thanks for your comments.

Assisted Solution

rpggamergirl earned 250 total points
ID: 36895761
I would try GMER and/or IceSword.
GMER is good at detecting rootkits, and so is IceSword, which is a highly advanced rootkit scanner.
Usually rootkits are flagged in red, but caution is needed as some legit tools' drivers are also flagged in red. IceSword also detects hidden as well as non-hidden running processes, so check every running process.
It also lets you save logs, so you can post the logs here if you need assistance with the log.

I would also try ComboFix, as it also detects rootkits and MBR modification and will autofix it, and also replaces patched files if a replacement is available, especially if RC is installed.

When using just one rootkit scanner and killing the suspect rootkit, you need to make sure that all related files, including the loading point, are removed before rebooting so the rootkit won't return.

Reformatting is also another option I would do easily, since I have all my program discs and no backing up of files is needed, since all of my important data is stored on another drive.
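
The advice above to remove the loading point before rebooting, and to check every driver a scanner flags, can be turned into a triage script. The following is an added example written for this thread, not code posted by anyone in it or shipped with any of the tools listed. It enumerates the kernel and file-system driver service keys under HKLM\SYSTEM\CurrentControlSet\Services (the usual loading point for a driver such as the spzr.sys named in the question), resolves each ImagePath to a file on disk, reports whether the file is present and Authenticode-signed, and then cross-checks the registry view against the drivers the Service Control Manager reports as running. Assumptions: an elevated PowerShell prompt, and the suspect file name defaulting to spzr.sys from the question; the Resolve-DriverPath helper and the parameter name are mine.

```powershell
# Added example for this thread (not code from the original posts).
# Triage driver loading points before reboot and cross-check them against
# running drivers. Run from an elevated PowerShell prompt.
param(
    [string]$SuspectDriver = 'spzr.sys'   # assumption: file name from the question
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$windir      = $env:SystemRoot

function Resolve-DriverPath {
    # Hypothetical helper: turn the ImagePath spellings the SCM accepts into
    # an absolute Win32 path so Test-Path / Get-AuthenticodeSignature can use it.
    param([string]$ImagePath, [string]$ServiceName)
    if ([string]::IsNullOrEmpty($ImagePath)) {
        # No ImagePath value: the SCM defaults to system32\drivers\<service>.sys
        return (Join-Path $windir "system32\drivers\$ServiceName.sys")
    }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                 # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$windir\"   # \SystemRoot\... -> C:\Windows\...
    if (-not [System.IO.Path]::IsPathRooted($p)) {   # system32\drivers\x.sys
        $p = Join-Path $windir $p
    }
    return $p
}

$suspectBase = [System.IO.Path]::GetFileNameWithoutExtension($SuspectDriver)

# View 1: loading points visible through the registry API.
$registryView = foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER; skip user-mode services
    if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }

    $path   = Resolve-DriverPath -ImagePath $props.ImagePath -ServiceName $svc.PSChildName
    $exists = Test-Path -LiteralPath $path
    if ($exists) { $status = (Get-AuthenticodeSignature -FilePath $path).Status.ToString() } else { $status = 'FileMissing' }

    New-Object PSObject -Property @{
        Service   = $svc.PSChildName
        Start     = $props.Start          # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        ImagePath = $path
        Signature = $status
        Suspect   = (($svc.PSChildName -like "*$suspectBase*") -or
                     ([System.IO.Path]::GetFileName($path) -ieq $SuspectDriver))
    }
}

# View 2: drivers the Service Control Manager currently reports as running.
# A running driver with no visible service key means the key was removed after
# boot or is being hidden from the registry API, either way worth a closer look.
$registryNames = @($registryView | ForEach-Object { $_.Service.ToLower() })
$running   = Get-WmiObject -Class Win32_SystemDriver -Filter "State='Running'"
$hiddenKey = $running | Where-Object { $registryNames -notcontains $_.Name.ToLower() }

Write-Host "Kernel/FS drivers registered under $servicesKey (suspects and unsigned/missing first):"
$registryView |
    Sort-Object @{Expression='Suspect'; Descending=$true}, Signature, Service |
    Select-Object Service, Start, Signature, Suspect, ImagePath |
    Format-Table -AutoSize

Write-Host "Running drivers with no visible service key:"
$hiddenKey | Select-Object Name, PathName | Format-Table -AutoSize
```

Two caveats when reading the output. First, on XP-era systems many legitimate drivers are catalog-signed rather than embedded-signed, so a NotSigned status is a reason to look at the file (compare its hash against a clean install, check its vendor strings), not proof of infection; the FileMissing status and the Suspect column are the stronger leads. Second, if the "ZW" names in the question refer to Zw* native-API hooks (an assumption on my part), a rootkit hooking key enumeration can hide its service key from both views this script uses, since the SCM reads the same registry. In that case compare against an offline view: boot from clean media, load the SYSTEM hive with reg load, and list the Services subkeys there, or use a cross-view scanner such as GMER or IceSword as suggested above. Only after the service key, the driver file and any companion files it references are all gone should the machine be rebooted.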

Author Closing Comment

ID: 36911060
Many thanks for the help....I appreciate it.

Expert Comment

ID: 36922469
No problem.
