IceSword the better Rootkit Revealer?

Martin Brinkmann
Jul 19, 2006
Updated • May 8, 2013

IceSword is a new contender for the title of the best rootkit revealing and removing program out there at the moment. It is rather hard to find a working download of IceSword but as always I provide you with a fast way to download the latest version of IceSword. Just visit the official website of the application and click on the download link there. The latest version at the time of writing is 1.22.

In contrast to other rootkit scanners like Blacklight, Icesword can not be run automatically. Icesword only provides perhaps the most powerful tools currently available to scan your system for rootkits.

There is no way that I have enough time to write about all features of IceSword. I therefore decided to mention the most important ones and leave the rest up to you. The process tab of IceSword is one of the most important ones when it comes to detecting rootkits. Icesword will color most hidden processes red which means it is a good idea to take a look at those first. Some rootkits are not colored however so a second look never hurts. You can terminate processes here with a right-click and the selection of terminate process from the options.

It is a good idea to compare the findings of the program by using other applications on your system. You can use a process explorer that can display hidden processes for example and compare the number found by Icesword with the number displayed by the process viewer. If the results differ, it is likely that Icesword found a rootkit on your system.Mitec's Process Viewer is a good tool that you can use for example.

The ports tab lists all open ports and their applications. Compare the applications with the one that you've started manually. If you see for example that iexplorer.exe is currently connected to the internet but you are not using the  program, you may want to investigate that further, or block the connection right away before you do anything else.

IceSword should show the same connections as the command netstat -an shows. If they differ something is not right.

The Kernel Module tab in Icesword colors hidden drivers red. The BHO tab (Browser Helper Objects) should be empty if you are not using Internet Explorer but Firefox for example. If you see something in there search for it using Google to see if it is spyware or not.

As you can see it is not that easy to use Icesword compared to other rootkit scanners that work by clicking on the scan button. Iceswords biggest advantage is the fact that it offers more information which is good if you know what you are doing or how to search for the information that you need.

Alternatives to Icesword are still the Sysinternals rootkit revealer and blacklight from f-secure.

Update: Icesword has not been updated in a while and the downloads on the developer website are all not working anymore. I suggest you use Rootkit Revealer instead or the recently released Anti-Rootkit by Malwarebytes.


Previous Post: «
Next Post: «


  1. Matt said on July 20, 2006 at 11:40 pm

    Thanks, this should help me out wityh some suspicious double named processes I’ve been experiencing.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.