Codewalker is a rootkit detection software that has been developed by a member of the Sysinternals forum. The current version that has been released today is 0.24b which clearly outlines that the software program is a work in progress. It is a portable software that can be run from the local drives or removable devices.

The security program suggests a deep scan of the computer system upon startup which takes a few minutes to complete. It is possible to avoid this deep scan which will lead directly to the main program interface. The main interface uses tabs to display various information including system processes, hidden code, kernelmode and usermode hacks.

The connected disk drives are displayed on the right side with the option to select some or all of them for a scan. The same scan that was suggested upon program start will then be performed. The results are shown in the various tabs after the scan has finished.

The developer explains his program:

For hidden driver detection, you can test it with some pretty well hidden driver PoC such as phide_ex and many builds of Rustock.B variants. Although you have to use the “Hardcore Scan” method to detect them.

For code hooking detection, the engine walks all the branches of scanned module i.e any execution path of it to detect modification (btw, that’s why i call it CodeWalker). IMHO, It can detect code hooking very well especially with rootkits that place abnormal hooks like Rustock.C (FF25 & FF15 – jmp/call dword ptr [abc]) tho there’re still some problems with false-positive hooks/modifications.

Codewalker is a viable alternative to already available rootkit detection programs like Gmer or AVG Anti-Rootkit. It is probably be best used in conjunction with these tools.

As I said earlier, running Gmer is really easy. Just start the application and click on the scan button. Gmer does scan the system automatically and displays the results in the main window. If you spot red entries you should try and search the Internet for clues about them. It is possible to kill processes, service and files by right-clicking an entry in the main window.

Next to scanning for Rootkits you can also scan for Autostart entries, check running processes, services and modules and activate the Intrusion Prevention System and the Firewall. Take a look at this nice Gmer tutorial which walks you through a basic process.

AVG Anti Rootkit is a free software that scans a computer for rootkits and removes them if one or more of those have been identified. The anti rootkit application can be used to either quickly scan the computer for possible rootkits and the other to make an in depth scan which takes longer but is more thorough. The in depth scan for Rootkits takes some time depending on the amount of files and size of your hard drives.

Update: AVG Anti-Rootkit Free has been discontinued in 2006. The program has been integrated into various AVG products including (in 2010) in AVG Anti-Virus Free, AVG Anti-Virus 2012 and AVG Internet Security 2012.

The free version of AVG Anti-Virus is available on the official AVG website. Just download and install it on your Windows system to protect the PC from malicious software and Internet based attacks.

Please note that the free version has limitations, including less frequent and prioritized updates, no email or telephone support, less interface and software customizations as well as no server support. The free product version may also only be used on home and non-commercial use systems.