xsk
December 3rd, 2011, 19:10
I did a comparison of stealth malware detectors (VirusBlokAda, GMER, Volatility, etc.) back around April. VirusBlokAda's beta anti-rootkit has the most ability to remove malicious changes. WinDbg has the most ability to detect changes, but only because I allowed for detection under the assumption that the analyst knew what to look for and was trying to find that specifically. Volatility with Michael Hale Ligh's malware plugin also did very well. The results are included as part of my rootkits class materials here: http://OpenSecurityTraining.info/Rootkits.html
The comparison is attached.
I'm about ready to update the matrix. If anyone has any tools which they think could do well in this comparison please post them below. XueTr is definitely going to be on the next comparison. Also I obviously need to get some NDIS_PROTOCOL_CHARACTERISTICS Kernel Object Hooking and OBJECT_TYPE_INITIALIZER Kernel Object Hooking examples. I know they're used in real malware, but if anyone has some standalone PoC examples please contact me.
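An added example, not code from the post or from any of the tools it names: the basic owner check a memory-forensics detector runs over the handler pointers stored in kernel objects such as NDIS_PROTOCOL_CHARACTERISTICS and OBJECT_TYPE_INITIALIZER, applied to a constructed module list and handler tables (all module ranges and addresses below are assumptions, not values from a real system).

```python
# Added example: the core check memory-forensics tools apply to kernel
# object hooking. Every handler pointer in a kernel object (NDIS protocol
# handlers, OBJECT_TYPE_INITIALIZER procedures) should resolve to a loaded
# module, ideally its expected owner. All ranges and tables are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int
    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def resolve_module(addr: int, modules: List[Module]) -> Optional[Module]:
    """Return the loaded module whose image range covers addr, if any."""
    return next((m for m in modules if m.contains(addr)), None)

def check_object_hooks(handlers: Dict[str, int], modules: List[Module],
                       expected_owner: Optional[str] = None) -> List[Tuple[str, int, str]]:
    """Flag handlers outside every module, or inside the wrong module."""
    findings = []
    for name, addr in handlers.items():
        if addr == 0:
            continue  # NULL slot: handler not registered, nothing to check
        mod = resolve_module(addr, modules)
        if mod is None:
            findings.append((name, addr, "outside every loaded module"))
        elif expected_owner and mod.name.lower() != expected_owner.lower():
            findings.append((name, addr, f"in {mod.name}, expected {expected_owner}"))
    return findings

# Constructed sample: module list, a clean NDIS protocol block registered by
# tcpip.sys, the same block with ReceiveHandler redirected into unowned
# memory, and an object type whose DeleteProcedure now lives in ndis.sys.
MODULES = [Module("ntoskrnl.exe", 0x80400000, 0x200000),
           Module("ndis.sys", 0x80800000, 0x80000),
           Module("tcpip.sys", 0x80900000, 0x100000)]
TCPIP_PROTOCOL = {"ReceiveHandler": 0x80912340, "ReceivePacketHandler": 0x80915000,
                  "TransferDataCompleteHandler": 0x8091A000}
HOOKED_PROTOCOL = dict(TCPIP_PROTOCOL, ReceiveHandler=0x8BCD0000)
OBJECT_TYPE_PROCS = {"OpenProcedure": 0x80401000, "ParseProcedure": 0x80402000,
                     "DeleteProcedure": 0x80806000}

if __name__ == "__main__":
    for label, table, owner in [("tcpip", TCPIP_PROTOCOL, "tcpip.sys"),
                                ("hooked", HOOKED_PROTOCOL, "tcpip.sys"),
                                ("objtype", OBJECT_TYPE_PROCS, "ntoskrnl.exe")]:
        for name, addr, why in check_object_hooks(table, MODULES, owner):
            print(f"{label}: {name} -> {addr:#010x} {why}")
```

On a real image the module list comes from the loaded-module list plus unlinked-driver scans, and a clean result only means no pointer left its owner; inline patches inside the owning module need a separate code-integrity check.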