A Rootkit (often a kernel-mode Trojan) is a malware program, or a combination of malware programs, designed to take low-level control of a computer system.
Techniques used to hide rootkits include concealing running processes from monitoring programs and hiding files, or system data, from the operating system itself. In other words, the rootkit’s files and processes will not show up in Explorer, Task Manager, or other detection tools that rely on the operating system’s own answers.
It’s easy to see, then, that a threat which uses rootkit technology to hide is going to be very difficult to find.
Enter the Rootkit detector, which gives you the tools to find and delete rootkits, and to uncover the threats Rootkits may be hiding.
We’ve written here a number of times on Rootkits and free tools designed to uncover and remove these scourges, and thanks to regular reader Robert, we can share with you a new free tool, Tizer Rootkit Razor, which will allow you to identify and remove Rootkits from your computer.
I should be clear, however: this tool is not “one-click simple” to decipher, and users need to be particularly mindful of false positives.
Since false positives are always a major consideration with tools of this type, you should be aware that tools like this are designed for advanced users and above. A “hidden” object is simply a discrepancy between two views of the system, and legitimate software produces the same discrepancies: some anti-virus engines and copy-protection drivers of this era hook the SSDT and conceal their own files, and a process that exited between two scans will show as hidden as well.
Here’s a reasonable test to determine whether you have the skills necessary to use this application effectively. If you’re not capable of using, and interpreting, an application such as HiJackThis, for example, it is unlikely that this program would prove beneficial. On the other hand, if you can interpret the results of a HiJackThis scan, you’re probably “good to go”.
The user interface is dead simple – functional and efficient, as the following screens from my test system indicate. BTW, no Rootkits were found during this test.
Main Screen: This page displays information related to your operating system and memory usage.
a.) Smart Scan: This feature automatically scans all the critical areas of the system and displays any hidden objects, making things easier for the user.
NOTE: The user is provided with a feature to fix any hidden object found.
Process Scan: This module scans the processes currently running on the machine. A process entry is highlighted in red if it is hidden, i.e. concealed by a rootkit. The user can click on an individual process to display any hidden modules loaded by that process.
NOTE: The user is provided with the option to terminate processes and delete modules.
Registry Scan: This module scans for hidden registry objects.
a.) Smart Scan: A smart scan will scan the critical areas of the registry.
b.) Custom View: This module provides a virtual registry editor view, enabling the user to navigate the registry and check for hidden keys or values. (Hidden keys/values are highlighted.)
Kernel Module Scan: This module scans for drivers loaded in memory. A module entry is highlighted in red if it is hidden.
NOTE: The user is provided with a feature to unload and delete a driver module from memory.
Services Scan: This module scans all installed services on the local machine. A particular service entry will be highlighted if it is hidden.
NOTE: The user is provided with start, stop, pause, and resume features. They may also change the startup type of a service.
SPI Scan: This module lists all the LSPs (Winsock Layered Service Providers) installed in the system. This is read-only information.
NOTE: The user can check for any unauthorized LSP that has been installed.
SSDT Scan: This module scans for altered entries in the System Service Descriptor Table (SSDT), the kernel’s table of system call handlers. Altering an entry so that it points at the rootkit’s own code instead of the kernel’s is termed “hooking.”
NOTE: The user can restore an altered entry to its original value.
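The range check behind an SSDT scan, written out as an added example (this is not Tizer’s code, and every address, module name and table value in it is constructed for the demonstration). The idea is that every legitimate service table entry points into ntoskrnl’s own image, so an entry that points into another driver, or into memory no module owns, is a hook; restoring means writing a known-good address back. A real scanner reads the live table and the loaded-module list from kernel mode; here both are plain arrays.

```c
/* Added example (not Tizer's code): SSDT hook detection by checking which
 * module each service table entry points into. All addresses, module names
 * and table contents below are constructed for the demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One loaded kernel module: image base and size. */
typedef struct {
    const char *name;
    uintptr_t   base;
    size_t      size;
} module_t;

/* Constructed stand-in for the loaded-module list a driver would query. */
static const module_t g_modules[] = {
    { "ntoskrnl.exe", 0x80400000u, 0x00200000u },
    { "hal.dll",      0x80600000u, 0x00020000u },
    { "evil.sys",     0xF8A00000u, 0x00004000u },  /* hypothetical rootkit driver */
};
#define N_MODULES (sizeof g_modules / sizeof g_modules[0])

/* Module whose image contains address a, or NULL if no module owns it
 * (an entry pointing at unowned pool memory is just as suspicious). */
const module_t *owner_of(uintptr_t a)
{
    for (size_t i = 0; i < N_MODULES; i++)
        if (a >= g_modules[i].base && a - g_modules[i].base < g_modules[i].size)
            return &g_modules[i];
    return NULL;
}

typedef struct {
    int         index;   /* service number, i.e. index into the table */
    uintptr_t   target;  /* where the entry points now */
    const char *owner;   /* module owning target, or "<none>" */
} hook_t;

/* Every legitimate entry points into ntoskrnl's own image; anything else is
 * a hook. Returns the number of hooked entries, writing up to max to out. */
int scan_ssdt(const uintptr_t *table, int len, hook_t *out, int max)
{
    int found = 0;
    for (int i = 0; i < len; i++) {
        const module_t *m = owner_of(table[i]);
        if (m != NULL && strcmp(m->name, "ntoskrnl.exe") == 0)
            continue;                          /* points into the kernel: fine */
        if (found < max) {
            out[found].index  = i;
            out[found].target = table[i];
            out[found].owner  = m ? m->name : "<none>";
        }
        found++;
    }
    return found;
}

/* Restore: write the known-good address back over each entry that differs.
 * A real tool derives the good values from ntoskrnl.exe on disk plus the
 * loaded image base; here they are constructed. Returns how many changed. */
int restore_ssdt(uintptr_t *table, const uintptr_t *good, int len)
{
    int changed = 0;
    for (int i = 0; i < len; i++)
        if (table[i] != good[i]) { table[i] = good[i]; changed++; }
    return changed;
}

/* Constructed six-entry table: entry 1 points into evil.sys, entry 4 into
 * memory no module owns. */
#define SSDT_LEN 6
const uintptr_t g_known_good[SSDT_LEN] = {
    0x80501000u, 0x80502000u, 0x80503000u, 0x80504000u, 0x80505000u, 0x80506000u
};
uintptr_t g_ssdt_live[SSDT_LEN] = {
    0x80501000u, 0xF8A01200u, 0x80503000u, 0x80504000u, 0xA0000000u, 0x80506000u
};
hook_t g_hooks[SSDT_LEN];

int main(void)
{
    int n = scan_ssdt(g_ssdt_live, SSDT_LEN, g_hooks, SSDT_LEN);
    for (int i = 0; i < n; i++)
        printf("service %d -> %#lx (%s) HOOKED\n", g_hooks[i].index,
               (unsigned long)g_hooks[i].target, g_hooks[i].owner);
    int restored = restore_ssdt(g_ssdt_live, g_known_good, SSDT_LEN);
    int remaining = scan_ssdt(g_ssdt_live, SSDT_LEN, g_hooks, SSDT_LEN);
    printf("restored %d entries, %d hooks remain\n", restored, remaining);
    return 0;
}
```

The range check only catches entries redirected out of ntoskrnl. A rootkit that leaves the table alone and patches the first bytes of the service routine itself (an inline hook) passes it, which is why thorough scanners also compare the kernel’s code bytes in memory against the on-disk image.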
Ports Scan: This module scans all open TCP and UDP ports. A port entry is highlighted if it is hidden.
NOTE: The user is provided with the option to terminate the connection.
Thread Scan: This module enumerates all running processes. The user can click on a particular process to view and scan all threads running in the context of that process. Any hidden threads are highlighted in red.
NOTE: The user is provided with the option to terminate a thread.
File/Object Scan: This module scans for hidden files on the system. The user selects a location on the computer to scan.
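What “highlighted if it is hidden” means in the Process, Ports, Thread and File/Object scans above is a cross-view comparison: list the objects through the normal API the rootkit filters, list them again by a route it is less likely to filter, and flag whatever appears only in the second list. The added example below is not Tizer’s code; it shows that comparison on constructed PID lists, including the false positive the article warns about (a process that exits between the two snapshots) and the second pass that removes it.

```c
/* Added example (not Tizer's code): cross-view detection of hidden objects.
 * "high" is the list a normal API returns, "low" the same list taken by a
 * route the rootkit is less likely to filter (e.g. a PID brute force instead
 * of a Toolhelp snapshot). Every PID list below is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int cmp_str(const void *a, const void *b)
{
    return strcmp(*(const char *const *)a, *(const char *const *)b);
}

/* Objects present in low but absent from high. Both arrays are sorted in
 * place; out receives up to max candidates in sorted order. Returns the
 * total number of candidates. Works for PIDs, port strings or file names. */
int cross_view(const char **high, int nh, const char **low, int nl,
               const char **out, int max)
{
    qsort(high, (size_t)nh, sizeof *high, cmp_str);
    qsort(low,  (size_t)nl, sizeof *low,  cmp_str);
    int i = 0, j = 0, found = 0;
    while (j < nl) {
        int c = (i < nh) ? strcmp(low[j], high[i]) : -1;
        if (c == 0)     { i++; j++; }        /* visible in both views */
        else if (c > 0) { i++; }             /* only in high: not a hiding case */
        else {                               /* only in low: hidden candidate */
            if (found < max) out[found] = low[j];
            found++;
            j++;
        }
    }
    return found;
}

/* The two views of one pass are never taken at the same instant, so an
 * object that exited in between looks hidden. Keep only candidates that a
 * second pass also reports (inputs sorted, as cross_view returns them). */
int confirm(const char **p1, int n1, const char **p2, int n2,
            const char **out, int max)
{
    int i = 0, j = 0, found = 0;
    while (i < n1 && j < n2) {
        int c = strcmp(p1[i], p2[j]);
        if (c < 0)      i++;
        else if (c > 0) j++;
        else {
            if (found < max) out[found] = p1[i];
            found++; i++; j++;
        }
    }
    return found;
}

/* Pass 1 (constructed): 2016 is concealed; 2300 exited between the two views. */
const char *g_high1[] = { "4", "372", "1204", "1840" };
const char *g_low1[]  = { "4", "372", "2300", "1204", "1840", "2016" };
/* Pass 2, a moment later: 1900 started normally, 2300 is gone, 2016 remains. */
const char *g_high2[] = { "4", "372", "1204", "1840", "1900" };
const char *g_low2[]  = { "4", "372", "1204", "1840", "1900", "2016" };
const char *g_hidden1[8], *g_hidden2[8], *g_confirmed[8];
#define COUNT(a) ((int)(sizeof (a) / sizeof *(a)))

/* Runs both passes and returns how many objects are hidden in both. */
int run_two_pass(void)
{
    int n1 = cross_view(g_high1, COUNT(g_high1), g_low1, COUNT(g_low1), g_hidden1, 8);
    int n2 = cross_view(g_high2, COUNT(g_high2), g_low2, COUNT(g_low2), g_hidden2, 8);
    return confirm(g_hidden1, n1, g_hidden2, n2, g_confirmed, 8);
}

int main(void)
{
    int n = run_two_pass();
    for (int i = 0; i < n; i++)
        printf("hidden process: pid %s\n", g_confirmed[i]);
    return 0;
}
```

The first pass alone reports two candidates (2016 and 2300); only 2016 survives the second pass. A detector that skips the second pass will flag short-lived processes, which is one reason the results of tools like this need interpreting rather than acting on blindly.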
Much like anti-spyware programs, no single Rootkit detector catches everything, and to highlight the differences between Rootkit detection applications, the publisher of Tizer Rootkit Razor has provided the following comparison chart.
If you think you might have hidden malware on your system, I recommend that you run Tizer Rootkit Razor. Scanning for Rootkits occasionally is good practice in any event, and if you have the necessary skills, Tizer Rootkit Razor appears to be a good choice to help you do that.
System requirements: Windows XP, Vista, Win 7 – (there is no indication on the developer’s site that this app is x64 compatible).
Download at: Tizer Secure
26 responses to “Free Tizer Rootkit Razor – Detect Kernel Mode Trojans or Rootkits”
I think this type of application is above my pay grade. Very interesting though.
If you’re unsure, it’s best to stay away from this type of app.
It’s not that the app is complex, but interpreting the results can be very tricky.
Thanks for coming by.
“(…)It’s not that the app is complex, but interpreting the results can be very tricky”.
For this reason, Bill, please give your opinion on the program.
Thank you very much Bill for this article & test.
Thank you for recommending this application. Another great tool to use against the bad guys.
What a terrific program, has been added to the toolbox. That toolbox is getting quite full lately lol.
Full, and heavy, no doubt! lol
Nice... It’s worth a try. Even if one can’t decide what to do with the things it displays, one can at least know if there’s anything hidden running on his/her PC and then Google it for more info.
You’re right. Most professional techs that I know Google an entry that they are not sure of.
Can you help me by suggesting a simple, user-friendly software which will remove all kinds of rootkits and trojans? It doesn’t matter how long you take; I will wait for your suggestions. When I used the Hitman Pro free version it detected a CGI proxy rootkit; when I tried to delete it, it corrupted my OS. It seems there are even software packages specifically for removing trojans, like Trojan Hunter and SAS...
Take a look at Uncover Kernel Mode Trojans or Rootkits, on my site, which includes info and download links for Microsoft Rootkit Revealer, IceSword, and GMER.
This should be helpful.
I can confirm that Tizer Rootkit Razor cannot be installed on Vista/7 64 bit. Shame.
I agree John. It’s past time that all apps were x64 compatible.
You are right that the current version is for 32 bit OS but we are working on a 64 bit version for release soon. Please check tizersecure.com for updates.
Though it looks interesting, there are a couple of things that prevent me from feeling comfortable enough to try it out:
1. No reviews of any kind on any security site/ forum.
2. Though the comparison table clearly has a red X at IAT/ EAT, on their site & under its features they claim “Detects hidden objects if a file is hidden using IAT, EAT, or SSDT hooks”.
3. A couple of threads at wilderssecurity.com & dslreports.com and a review at brighthub.com on Tizer Secure (beta, but including the rootkit scan) are not favorable, and no one came back with a review of the final product.
Thanks for the heads up, but I think I’m going to wait a bit.
I can appreciate your hesitation. I should point out, however, that to this point 133 readers have downloaded this application. Since the malware removal market is more vigorous than most, with new products being released constantly, the lack of reviews should not impact negatively on an application. As well, an application suite is not always the sum of its parts – Tizer Rootkit Razor, as a standalone application, is a valuable addition to a user’s security toolkit.
As always, thanks for visiting.
Just few words to say “Never judge a book by its Cover.”
Brighthub.com? Gimme a break.
Nice post! I really like your posting.
I will come back to read more of your posts.
1. Updated version of Tizer Rootkit Razor has been launched. Please see screen shots of detection of the latest version of TDL3 rootkits at http://www.wilderssecurity.com/showthread.php?p=1633770
2. The comparison chart that you are referring to has to be read horizontally and not vertically, and you can see that for Rootkit Razor there is no red X but rather a green check mark, clearly indicating that it is able to detect hidden objects if a file is hidden using IAT, EAT, or SSDT hooks.
3. This is a new product version so you are right there may not be a lot of reviews but a lot of people have started using it and giving very positive feedback based on which a more recent and updated version capable of detecting and removing TDL3 was launched today.
Thanks Joe, for the update on your new release of Tizer Rootkit Razor.
Thanks Joe. I look forward to the release of the 64bit version
BM> I agree John. It’s past time that all apps were x64 compatible.
“Blame Microsoft!” 🙂
Thanks Joe, for posting the link about Rootkit Razor on the Wilders Security forum and your comments. The newest release of Tizer Rootkit Razor (just uploaded on tizersecure.com March 4th) includes detection of the newly updated rootkits Rustock and TDL3. These rootkits update themselves, and TDL3 was updated by its developer last weekend, so our team was able to come up with a new technique to combat it.
We also plan to add 64-bit OS compatibility shortly.
For those users who feel interpreting the results as being tricky, please note that any infection found on your computer will show up in red and you may right click to safely remove it.
For novice users, we have provided a smart scan button on the main screen which does all the required scans to detect and remove all types of rootkits. It scans services, files, registry, and drivers. If any rootkits are detected, the application walks the user through steps to remove them and will prompt user if restart is required.
We are also looking at incorporating reporting into Rootkit Razor in an upcoming release, so users can report any questionable rootkits on their machine.
–Tizer Secure Support
While I can appreciate that you, as the developer, or representing the developer, feel that removing rootkits is an easy process – my advice to my readers still stands. With more than 25 years’ experience in the computer industry, I know this – removing rootkits should not be undertaken lightly, particularly by novice/inexperienced users. Depending on the extent of the infection, dealing with rootkits can be not only tricky, but hazardous to the OS. Ask any professional technician who has had to rebuild a system following rootkit removal.
Tizer Rootkit Razor will detect and safely remove rootkits Rustock and 4DW4R3.
We just released a separate tool called Tizer TDL3 Razor that is specifically for detection/safe removal of the newly updated TDL3 rootkit that infects Windows XP machines.
Feel free to download Tizer TDL3 Razor for free at http://www.tizersecure.com/about_TDL3_rootkit_detect_remove.php.
Thanks for the update Shelley.