Best Anti-Rootkit for x64 windows 7?


  1. Posts : 76
    Windows 7 RTM
       #1

    Best Anti-Rootkit for x64 windows 7?


    Hi everyone.

    It's been a while since the 64-bit version of Win 7 became mainstream. Back when it was new, there were very few anti-rootkit solutions available for any x64 system, and very few people who were concerned about rootkits on 64-bit operating systems.

    Times, though, have changed. Rootkits are more capable than ever, infecting and hiding in the MBR of your hard disk. This not only makes it possible for them to survive a reinstallation of the operating system (if a format is not performed first), but also renders them essentially invisible to everything you can try from within the operating system! This is something that even impacts x64 systems, regardless of PatchGuard or driver signing.

    So now that the rootkits have caught up, I'm curious what tools are available to scan for, detect, and remove them. My old standby, Rootkit Revealer, seems to be still unavailable for x64 systems. The much-lauded TDSSKiller is also only functional on 32-bit Windows systems. I've heard that Sophos Anti-Rootkit is x64 compatible, but I've also read that it's plagued with false positives and causes system instability.

    Does anyone have any recommendations for a good x64 compatible rootkit scanner?
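    One defensive check that speaks to the MBR concern in the post above is to hash the boot-code area of the first sector and compare it against a baseline taken when the disk was known clean, along with the partition table. The following is an added example, not code from the original thread or any of the tools it names; the sample MBR bytes, the function names and the baseline values are constructed here for illustration. Reading `\\.\PhysicalDrive0` needs administrator rights, and, for exactly the reason the post gives, the comparison is only trustworthy when the sector is read from a rescue boot rather than from inside the possibly compromised OS.

```python
"""Offline MBR integrity check (added example): parse the 512-byte master
boot record, hash its boot-code area and compare it with a baseline."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the boot code
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (little-endian fields)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code area only (partition table excluded)."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def parse_mbr(sector: bytes) -> dict:
    """Validate the sector and return its boot-code hash and used partitions."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[MBR_SIZE - 2:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        entry = parse_partition_entry(sector[off:off + PARTITION_ENTRY_LEN])
        if entry["type"] != 0:  # type 0 marks an unused slot
            partitions.append(entry)
    return {"boot_code_sha256": boot_code_hash(sector), "partitions": partitions}


def check_mbr(sector: bytes, baseline_hash: str, expected_partitions: list) -> list:
    """Return human-readable findings; an empty list means the MBR matches."""
    try:
        info = parse_mbr(sector)
    except ValueError as exc:
        return [f"unparseable MBR: {exc}"]
    findings = []
    if info["boot_code_sha256"] != baseline_hash:
        findings.append("boot code differs from baseline (boot loader was rewritten)")
    current = [(p["type"], p["lba_start"], p["sectors"]) for p in info["partitions"]]
    if current != expected_partitions:
        findings.append(f"partition table changed: {current} != {expected_partitions}")
    return findings


def read_mbr_from_disk(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a physical disk (Windows path; needs admin)."""
    with open(device, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: the given boot code plus one NTFS partition."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3,
                        2048, 204800)  # bootable, type 0x07 (NTFS), LBA 2048
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_LEN)
    return boot + table + BOOT_SIGNATURE


# Constructed inputs: a "known clean" sector and one whose boot code changed.
CLEAN_MBR = build_sample_mbr(b"CLEAN-LOADER")
TAMPERED_MBR = build_sample_mbr(b"ALTERED-LOADER")
EXPECTED_PARTITIONS = [(0x07, 2048, 204800)]

if __name__ == "__main__":
    baseline = boot_code_hash(CLEAN_MBR)   # record this while the disk is clean
    print("clean:", check_mbr(CLEAN_MBR, baseline, EXPECTED_PARTITIONS))
    print("tampered:", check_mbr(TAMPERED_MBR, baseline, EXPECTED_PARTITIONS))
```

    In practice the baseline hash and expected partition list are recorded once from a rescue boot and kept off the machine; a later mismatch in the boot-code hash with an unchanged partition table is the pattern to look for, since a legitimate repartition changes the table and a bootkit normally does not.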


  2. Posts : 10,994
    Win 7 Pro 64-bit
       #2

    Here's one of my concerns about listing the best of anything. If your machine doesn't have any rootkits, then logically, a rootkit scan shouldn't show anything. But if it doesn't show anything, then how do you know if the machine is infected but the scan didn't pick it up? For that reason I use the same logic that people use for any similar product like antivirus or antispyware apps. No anti-whatever is 100% effective 100% of the time. Pick one for real time (or on demand) scanning and use others for extra on demand scans just to make sure the primary didn't miss something.

    Best Free Rootkit Scanner/Remover

    I'd also add one more: Hitman Pro 3 - SurfRight


  3. Posts : 53,363
    Windows 10 Home x64
       #3

    I have Sophos Anti-Rootkit and Panda Anti-Rootkit; both are said to be x64, and Sophos says so on their site. Neither has ever found anything or caused any problems. Neither has updated in a while either.

    There are more advanced tools, such as IceSword and GMER, but they require advanced knowledge as well.

    A Guy


  4. Posts : 117
    Win 7 64 premium
       #4

    I use Sandboxie when surfing and delete upon finish; no more rootkits, if I'm not mistaken.


  5. Posts : 5
    Server 2008 R2, x64... Heavily modded, plus all the 7 wizbang...
       #5

    +1 on the Sandboxie. I like the concept, surprised OS developers never conceptualized it.

    I'm actually boning up on rootkits and tooling, after a sweet attack by a "Toolbar". What a bear that thing was... or should I say, IS... It's an unsolicited installer too, weeee.... Good times indeed.

    As it turns out the newest variant of the "Babylon Toolbar" entrenches itself in your NTUSER.DAT. Little ******* wouldn't stay dead, came back at each reboot, and just as strong as ever. Don't bother trying to restore registry backups while your OS is online, it'll eventually eat up all your good backups...

    I had to drop my NTUSER.DAT cold and bring in a fresh copy. Meaning all done via live disk, with the OS "completely offline". At the same time, I did a thorough cleaning of my system files. And voilà, here I am... I haven't even brought my RAID storage back online yet... lol...

    While I'm thinking of it, ERUNT. Get it, and let it run every boot! You should even forget about it like I did. In all seriousness, this application was compiled back in '05; in our world of IT that's practically an antique. But what a life saver. And yes, it's happy as a clam on x64 systems. My current being a heavily modded Server 08 R2 package, x64 of course, and ERUNT just saved my ass! Oh, and did I mention how I had just wiped my restore points prior to my infection? I was so glad I did that, wow... Good job, fella! Like I said, "weeeeee...."
    Last edited by TheGuru; 04 Aug 2012 at 01:56.


  6. Posts : 53,363
    Windows 10 Home x64
       #6

    I posted a method to run ERUNT as a task on Windows 7 a couple of years ago, and it works, but in several threads people have reported that restoring the backup is problematic. I have system images, so I finally just deleted the ERUNT task and program (kept NTREGOPT). Have a look at this program, Registry Backup. Nice review here from Hal at Raymond Forum:

    Backup and Restore the Whole Windows Registry or Selected Hives

    Haven't used it myself, but it uses the Volume Shadow Copy Service, unlike ERUNT and others that use the RegSaveKey function. Have a read.

    A Guy


  7. Posts : 67
    MS Windows 7 Home Premium 64-bit SP1
       #7

    Some companies also provide rescue CDs for free:

    13 Antivirus Rescue CDs Software Compared in Search For the Best Rescue Disk


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd