
McAfee free rootkit remover

McAfee has released a free rootkit remover, Rootkit Detective, a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system.

McAfee Rootkit Detective should only be used by knowledgeable individuals at the direction of, and with the support of, a representative from McAfee Avert Labs or McAfee Technical Support. Improper usage of this tool could result in damage to your applications or operating system.

Features
* Designed to proactively detect system objects such as processes, files and registry entries that are hidden from the user.
* Provides information about all running processes in the system.
* Provides information about various system hooks, such as SSDT (System Service Descriptor Table) hooks and user/kernel IAT/EAT (Import/Export Address Table) hooks.
* Allows the user to clean/remove the malicious objects from the system by renaming/deleting the hidden files/registry.
* Allows the user to terminate the malicious processes.
* Users can submit samples using the submission feature present in the tool.
* Users can also collect the samples manually after renaming them and submit them to stinger@avertlabs.com for further analysis.

Download Rootkit Detective 1.0

July 26, 2007 on 8:36 am | In Free Software, Rookit, Spyware protection and removal | No Comments |

Sophos Anti-Rootkit Eliminates hidden applications and processes

Removing rootkits without compromising system integrity is particularly challenging and needs to be done with care. The free Sophos Anti-Rootkit tool finds and removes any rootkit that is hidden on your computer.

What is a rootkit?

The term rootkit is used to define a Trojan (or technology) used to hide the presence of a malicious object (process, file, registry key, network port) from the computer user or administrator.

Easily detect and remove rootkits

As part of its complete protection of endpoint computers, Sophos Anti-Virus detects rootkits and prevents them being installed on any of your desktops, laptops and servers.
Sophos Anti-Rootkit provides an extra layer of detection, by safely and reliably detecting and removing any rootkit that might already have secreted itself onto your system.

Using Sophos Anti-Rootkit is straightforward. Whether you use its simple graphical user interface or run it from the command line you can easily detect and eliminate any rootkits on your computer.
Download Sophos Anti-Rootkit

August 28, 2006 on 7:54 pm | In Free Software, Rookit | No Comments |

Mailbot family found using hidden ADS streams to hide itself

F-Secure has reported on the Mailbot family, which uses hidden Alternate Data Streams (ADS) to hide itself.

Let’s take Mailbot.AZ (aka Rustock.A) as an example.

Mailbot.AZ is a kernel-mode rootkit that modifies the kernel to hide its presence on the compromised system. It contains an encrypted payload that will be executed in the context of a process named “services.exe”. The payload is a Spamtool with backdoor capabilities.

There’s only a single component lying on the disk, and that is a kernel-mode driver. It’s stored as a hidden data stream attached to the system32 folder (yes, folders can have data streams as well)! Saving your data into Alternate Data Streams is usually enough to hide from many tools. However, in this case, the stream is further hidden using rootkit techniques, which makes detection and removal quite challenging. Because Mailbot.AZ is hiding something that’s not readily visible, it’s very likely that many security products will have a tough time dealing with this one.

F-Secure have just released a new version of their BlackLight rootkit scanner (Build 2.2.1041) that can detect current variants of Mailbot.

To remove the infection, perform the following steps:

  • Reboot your system using the Windows Recovery Console (using your Windows installation CD).
  • Copy a non-executable file from the Windows directory over the Alternate Data Stream.

For example, run the following command:

  • copy c:\windows\win.ini c:\windows\system32:18467

Please note that the copy command will fail but the malicious file has actually been truncated to zero-length.
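
The following script is an added example, not part of the original post or any vendor tool: it lists named data streams attached to folders, the hiding place described above. It assumes PowerShell 7.2 or later (the first release in which Get-Item -Stream works on directories) and that the suspect volume is mounted on a clean analysis machine, since the post notes the rootkit hides the stream on a running infected system. The drive letter E: and the function name Get-DirectoryStream are placeholders chosen for this example.

```powershell
# Added example: enumerate alternate data streams attached to directories.
# Assumption: $Root is the Windows directory of the suspect volume, mounted
# offline on a clean machine (E: is a placeholder drive letter).
param(
    [string]$Root = 'E:\Windows'
)

function Get-DirectoryStream {
    param([Parameter(Mandatory)][string]$Path)

    # Check the folder itself plus its immediate subfolders (system32 is one).
    $dirs = @(Get-Item -LiteralPath $Path -Force) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Force -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        # NTFS directories have no unnamed data stream, so every stream
        # returned for a directory is a named one worth reviewing.
        Get-Item -LiteralPath $dir.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Directory = $dir.FullName
                    Stream    = $_.Stream
                    Length    = $_.Length
                }
            }
    }
}

Get-DirectoryStream -Path $Root |
    Sort-Object Directory, Stream |
    Format-Table -AutoSize
```

A stream with a Length of 0 is consistent with what the post says the copy step leaves behind.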

June 23, 2006 on 9:21 am | In Rookit | No Comments |
