How to check your system for rootkits

Martin Brinkmann
May 12, 2006
Updated • May 4, 2013

Rootkits have been in the press lately, and it is a good idea to be on the safe side and check your system from time to time to make sure it is not infected by one. This article introduces two freeware utilities that scan your system and reveal rootkits that are installed and running on it.

The first tool is called Rootkit Hook Analyzer, the second RootkitRevealer. Both are great tools and easy to use. Neither tool removes anything: they report findings, and you will usually have to research the reported hooks and hidden objects on the web before you can decide whether they are malicious. Do not modify or delete the discovered files until you are knowledgeable about the subject or have found reliable information about the specific finding, because legitimate security software (antivirus, firewalls, some DRM) also hooks the kernel and hides files.

Websites that can help you with this, other than search engines, are the RootkitRevealer homepage, which has a short introduction to interpreting the output, and the website which has lots of information on the subject.

Update: Rootkit Hook Analyzer has not been updated for some time now. The developer website still states that it is only compatible with Windows Vista and earlier versions of Windows, and that it does not run on 64-bit editions of Windows at all.

RootkitRevealer has also not been updated since 2006, so it only supports Windows XP and Windows Server 2003 and not newer versions of Microsoft Windows.

A viable alternative is Kaspersky's TDSSKiller, which can scan a system for rootkits. Unlike the other two programs, it is fully compatible with the latest versions of Microsoft Windows.

The program uses signatures to detect known rootkits and adds heuristics that check the system for suspicious activity. It is easy to use when a known rootkit is found, because the detection is unambiguous. If it only reports suspicious objects, additional research is needed before you let it act on them, for the same reason as above: a suspicious object is not necessarily a malicious one.

To use it, simply click on the Start scan button in the program interface. A scan should not take longer than a couple of seconds on most computer systems. You can change some parameters before the scan: you can include loaded modules in the scan, have the program verify the digital signatures of files, and have it detect TDLFS file systems (the hidden file system used by the TDL4 family). Note that the loaded-modules scan requires a reboot the first time it is enabled. You can also click on Report to open the last detailed scan report right in the program interface.
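As an added example (not part of the original article and not Kaspersky's code), here is a PowerShell script that reproduces two of the checks behind the TDSSKiller options above in a form you can inspect yourself: it enumerates the kernel drivers that are currently loaded and flags any whose on-disk image is missing, unsigned, or carries an invalid digital signature. It assumes an elevated Windows PowerShell 3.0 or newer session; the function names Resolve-DriverPath and Get-SuspiciousDriver are this example's own.

```powershell
# Added example: flag loaded kernel drivers whose image is missing, unsigned,
# or has an invalid Authenticode signature. Run from an elevated Windows
# PowerShell 3.0+ session. Not part of TDSSKiller; function names are our own.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes, e.g.
    #   C:\Windows\system32\drivers\acpi.sys
    #   \??\C:\Windows\system32\drivers\foo.sys
    #   \SystemRoot\system32\drivers\bar.sys
    #   system32\DRIVERS\baz.sys
    # Normalise them to a plain Win32 path that Test-Path and
    # Get-AuthenticodeSignature can open.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim().Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                        # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # expand \SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') {                       # relative to %SystemRoot%
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-SuspiciousDriver {
    # Enumerate every driver the Service Control Manager reports as running and
    # return only those that fail the image or signature check. A clean machine
    # typically returns nothing, or a few third-party drivers to research.
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        ForEach-Object {
            $driver = $_
            $path   = Resolve-DriverPath $driver.PathName

            if (-not $path -or -not (Test-Path -LiteralPath $path -PathType Leaf)) {
                # A running driver with no image on disk is itself worth a look:
                # the file may be hidden by a filter driver or have been deleted.
                [pscustomobject]@{
                    Name   = $driver.Name
                    Path   = $driver.PathName
                    Status = 'ImageNotFound'
                    Signer = $null
                }
                return   # continue with the next pipeline object
            }

            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $signer = $null
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                [pscustomobject]@{
                    Name   = $driver.Name
                    Path   = $path
                    Status = $sig.Status     # NotSigned, HashMismatch, UnknownError, ...
                    Signer = $signer
                }
            }
        }
}

# Usage: list the findings, worst status first, for manual research.
Get-SuspiciousDriver | Sort-Object Status, Name | Format-Table -AutoSize
```

Two caveats apply when reading the output. Get-AuthenticodeSignature validates catalog-signed files on Windows 8 and later, but on Windows 7 many in-box drivers that are signed only through a catalog file show up as NotSigned, so check a reported driver's location and vendor before treating it as hostile. More importantly, the script only sees drivers that the Service Control Manager lists; a kernel rootkit hides itself from exactly that view, which is why a dedicated scanner such as TDSSKiller, which reads the raw system structures rather than asking the operating system, remains necessary. Use this check to triage what the scanner reports, not as a replacement for it.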

Another alternative is Malwarebytes Anti-Rootkit, which has been released recently as well.

