  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2029

Best ROOTKIT detector/remover

I am having a devil of a time removing a series of "ZW" rootkits.  The first one is ZACreateKey, which is somehow hooked to spzr.sys.   I need a solution to this, or do I just do a low-level format on the drive and reinstall XPP?  The issue is that more than likely there are other PCs on the network that are also infected.   So....I need a quick & dirty rootkit revealer and a rootkit remover.   Any suggestions would be most appreciated and welcomed.
2 Solutions
Ashok Dewan (Freelancer) commented:
No one is best, but you can try; I use GMER and Tuluka.
List of anti-rootkit tools:
    ATool - http://www.antiy.net/download/atool.rar
    ATool (mirror) - http://www.kernelmode.info/ARKs/atool.rar
    Antivir Antirootkit - http://dl.antivir.de/down/windows/antivir_rootkit.zip
    Avast! Antirootkit - http://files.avast.com/files/beta/aswar.exe
    AVZ - http://www.z-oleg.com/secur/avz/download.php
    Catchme - http://www2.gmer.net/catchme.exe
    CodeWalker ARK - http://cmcinfosec.com/download/cmcark_cw0.2.4.500.rar
    CodeWalker ARK (mirror) - http://www.kernelmode.info/ARKs/cmcark_cw0.2.4.500.rar
    CsrWalker - http://www.rootkit.com/vault/DiabloNova/cwalker.rar
    CsrWalker (mirror) - http://www.kernelmode.info/ARKs/cwalker.rar
    DarkSpy 1.05 - http://www.rootkit.com/vault/cardmagic/DS105fix2beta.rar
    DarkSpy 1.05 (mirror) - http://www.kernelmode.info/ARKs/DS105fix2beta.rar
    DeepMonitor - http://orkblutt.free.fr/DeepMonitor.exe
    Deep System Explorer (dead link) - http://diamondcs.com.au/downloads/dsesetup.exe
    Deep System Explorer (mirror) - http://www.kernelmode.info/ARKs/dsesetup.exe
    Dr. Web DwShark (mirror) - http://www.kernelmode.info/ARKs/DwShark.rar
    Dr. Web DwShark (newer version) (mirror) - http://www.kernelmode.info/ARKs/DrwShark.7z
    ESET SysInspector - http://www.eset.eu/en/eset-sysinspector
    F-Secure Blacklight - ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
    Filter Monitor - http://ntcore.com/files/FilterMon.zip
    FindDll 2 (by Eric_71) - http://eric71.geekstogo.com/beta/FindDll2.exe
    FLISTER - http://www.invisiblethings.org/tools/flister.zip
    GMER - http://www2.gmer.net/gmer.zip
    Helios - http://helios.miel-labs.com/downloads/Helios.zip
    Helios Lite - http://helios.miel-labs.com/downloads/Helios-Lite.zip
    HiddenFinder - http://www.wenpoint.com/download/HiddenFinder_setup.exe
    Hook Analyzer - http://www.resplendence.com/download/hookanlz302.exe
    HookShark (dead link) - http://home.arcor.de/neotracer/HookShark.rar
    HookShark (mirror) - http://www.kernelmode.info/ARKs/HookShark.rar
    IceSword 1.22 (english) - http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip
    IceSword 1.22 (english) (mirror) - http://www.kernelmode.info/ARKs/IceSword122en.zip
    Kernel Detective v1.3.1 - http://www.at4re.com/files/Tools/Releases/GamingMasteR/Kernel_Detective_v1.3.1.zip
    Kernel Detective v1.3.1 (mirror) - http://www.kernelmode.info/ARKs/Kernel_Detective_v1.3.1.zip
    kX-Ray - http://bugczech.fu8.com/bin/kX-Ray_v1.0.0.102_XP32_beta.zip
    Mandiant Memoryze - http://fred.mandiant.com/MemoryzeSetup.msi
    McAfee Rootkit Detective - http://download.nai.com/products/mcafee-avert/McafeeRootkitDetective.zip
    modGREPER - http://invisiblethings.org/tools/modGREPER/modGREPER-0.3-bin.zip
    NIAP Rootkit Detect Tools - http://www.rootkit.com/vault/uty/NIAPAntiRootkitTools.rar
    NIAP Rootkit Detect Tools (mirror) - http://www.kernelmode.info/ARKs/NIAPAntiRootkitTools.rar
    Panda Antirootkit - http://research.pandasecurity.com/blogs/images/AntiRootkit.zip
    Process Hunter - http://www.wasm.ru/baixado.php?mode=tool&id=359
    Process Walker - http://www.rootkit.com/vault/DiabloNova/ProcessWalker.rar
    Process Walker (mirror) - http://www.kernelmode.info/ARKs/ProcessWalker.rar
    Radix - http://www.usec.at/downloads3/radix_installer.zip
    RegReveal - http://www.geocities.jp/kiskzo/regreveal_v10beta3.zip
    RootkitDetector - http://www.tarasco.org/security/Rootkit_Detector_rkdetector/RootkitDetector.zip
    Rootkit Unhooker 3.8 SR2 - http://www.kernelmode.info/ARKs/RkU3.8.389.593.rar
    Rootkit Revealer - http://download.sysinternals.com/Files/RootkitRevealer.zip
    RootQuest (dead link) - http://comsentry.com/files/RootQuest_v1.exe
    RootQuest (mirror) - http://www.kernelmode.info/ARKs/RootQuest_v1.rar
    RootRepeal - http://rootrepeal.googlepages.com/RootRepeal.rar
    Safe'n'Sec Personal Pro + Rootkit Detector - http://www.safensoft.com/sns/snsrd_eng.exe
    SafetyCheck 1.7 - http://yyuyao.googlepages.com/SafetyCheck1.7Beta.rar
    SanityCheck 2.00 - http://www.resplendence.com/download/sanitySetup.exe
    Sophos Antirootkit - http://www.sophos.com/products/free-tools/sophos-anti-rootkit/download/
    Stealth MBR Rootkit Detector - http://www2.gmer.net/mbr/mbr.exe
    SysProt Antirootkit - http://sites.google.com/site/sysprotantirootkit/Home/SysProt.zip?attredirects=0&d=1
    SysReveal - http://www.sysreveal.com/download/SysReveal.zip
    TDSS Remover - http://www.esagelab.com/files/tdss_remover_latest.rar
    Tizer Rootkit Razor - http://www.tizersecure.com/freedownloads/Tizer%20Rootkit%20Razor%20Setup.msi
    TrendMicro RootkitBuster - http://www.trendmicro.com/ftp/products/rootkitbuster/RootkitBuster_3.60.1016.zip
    Tuluka Kernel Inspector - http://tuluka.justfree.com
    Tuluka Kernel Inspector (mirror) - http://www.kernelmode.info/ARKs/Tuluka_v1.0.360.51beta.zip
    VBA32 Antirootkit - ftp://anti-virus.by/pub/Vba32arkit.zip
    XueTr - http://xuetr.com/download/XueTr.zip
    XueTr CLI - http://www.xuetr.com/download/XueTr_Cmd.zip
    YasKit 1.223 - http://qzdx.kafan.cn/down1//AntiSpyWare/2009/YasKit1.223.rar
    YasKit 1.223 (mirror) - http://www.kernelmode.info/ARKs/YasKit1.223.rar
infosys3 (Author) commented:
Wow....lots of solutions.  Many thanks, but anything in particular about the "ZW Rootkit(s)"????
infosys3 (Author) commented:
Sorry...but in your opinion, is it just easier to low-level format the drive and start again with XP-SP2 and reload all apps?   I am just not comfortable knowing that all the rootkits have been disabled, deleted or quarantined.   Again, many thanks for your comments.
I would try GMER and/or IceSword.
GMER is good at detecting rootkits, and so is IceSword, which is a highly advanced rootkit scanner.
Usually rootkits are flagged in red, but caution is needed, as some legitimate tools' drivers are also flagged in red. IceSword also detects hidden as well as non-hidden running processes, so check every running process.
It also lets you save logs, so you can post the logs here if you need assistance with them.

I would also try ComboFix, as it also detects rootkits and MBR modification and will auto-fix them; it also replaces patched files if a replacement is available, especially if RC is installed.

When using just one rootkit scanner and killing the suspect rootkit, you need to make sure that all related files, including the loading point, are removed before rebooting so the rootkit won't return.

Reformatting is also another option, one I would do easily, since I have all my programs' discs and need no backing up of files, as all of my important data is stored on another drive.
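The detection idea behind IceSword and RootkitRevealer mentioned above is a cross-view comparison: enumerate the same objects once through the normal Windows API and once through a low-level path, and treat anything that shows up only in the low-level view as hidden. The script below is an added example (not from the thread or from any of the listed tools) that applies that comparison to process and service listings and, for a hidden service, names the load point the answer says must be removed before rebooting; all listings are constructed sample data, and the path for spzr.sys is assumed.

```python
"""Cross-view discrepancy check (added example, constructed data).

A high-level view (what the Windows API reports) is compared with a
low-level view (raw kernel / hive enumeration).  Objects present only in
the raw view are hidden and therefore rootkit candidates; a hidden service
also yields its ImagePath, the load point to remove before rebooting.
"""

# Constructed sample views: "pid name" lines for processes and "name=path"
# lines for the Services key.  Only the driver name spzr.sys comes from the
# question; hidden_sample.exe and the ImagePath are assumptions.
API_PROCS = "4 System\n612 services.exe\n1200 explorer.exe"
RAW_PROCS = API_PROCS + "\n1488 hidden_sample.exe"
API_SERVICES = "Tcpip=system32\\drivers\\tcpip.sys\nSpooler=system32\\spoolsv.exe"
RAW_SERVICES = API_SERVICES + "\nspzr=system32\\drivers\\spzr.sys"


def parse_procs(text):
    """Map pid -> lower-cased image name from a 'pid name' listing."""
    out = {}
    for line in text.splitlines():
        pid, name = line.split(None, 1)
        out[int(pid)] = name.strip().lower()
    return out


def parse_services(text):
    """Map service name -> ImagePath from 'name=path' lines."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)


def cross_view(api, raw):
    """Return (hidden, mismatched): keys only in the raw view, and keys
    whose value differs between the views (e.g. a spoofed image name)."""
    hidden = {k: raw[k] for k in raw.keys() - api.keys()}
    mismatched = {k: (api[k], raw[k]) for k in api.keys() & raw.keys() if api[k] != raw[k]}
    return hidden, mismatched


def scan(api_procs=API_PROCS, raw_procs=RAW_PROCS, api_svc=API_SERVICES, raw_svc=RAW_SERVICES):
    """Run both comparisons and return human-readable findings, sorted."""
    findings = []
    hp, mp = cross_view(parse_procs(api_procs), parse_procs(raw_procs))
    findings += [f"hidden process pid {pid} ({name})" for pid, name in sorted(hp.items())]
    findings += [f"process pid {pid} name mismatch: api={a} raw={r}" for pid, (a, r) in sorted(mp.items())]
    hs, ms = cross_view(parse_services(api_svc), parse_services(raw_svc))
    findings += [f"hidden service {svc}: load point {path}" for svc, path in sorted(hs.items())]
    findings += [f"service {svc} ImagePath mismatch: api={a} raw={r}" for svc, (a, r) in sorted(ms.items())]
    return findings


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

Real tools obtain the raw view from the kernel or by parsing the hive files directly; here both views are fixed strings so the comparison logic can be run offline.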
infosys3 (Author) commented:
Many thanks for the help....I appreciate it.
No problem.