Think that a malicious program or tool is running on your system but your resident antivirus solution can't seem to grasp it? Then it is time to use alternative security software to throughly check your computer and get a second, third or even fourth opinion. Programs that I like to use for that task are Dr.Web CureIt, an excellent program that does not interfere with installed applications, SuperAntiSpyware or Malwarebytes Anti-Malware. While I prefer those tools for the job, I keep an assortment of tools ready on my PC in case I need to dig deeper than that.
And Ring3 API Hook Scanner has just been added to it. The program is a free portable security application for the Windows operating system that can be used to scan all running processes for "some types of usermode hooks". In other words, it is an anti-rootkit software.
Here is how it works: you run the 32-bit or 64-bit version of the program on your system, and click on scan once the interface shows up. It takes a couple of seconds to scan all processes, and if anything is found, it is displayed directly in the interface.
The only indication that the scan has finished is that it returns to its former start after the scan. There is no notification in the end, and if nothing is found, you may just find yourself clicking again on Scan just to make sure you did it right the first time.
If something is found though you will receive information about the hook type and the process. That's however just the beginning of your journey then, as Ring3 API Hook Scanner can't resolve the issue for you, as it is only able to detect but not remove. Not everything that is found by the software is necessarily a rootkit. If you are using Sandboxie for instance, you may find the program listed here even though it is a legit program.
Ring3 Api Hook Scanner can also be run from the command line to scan all running processes or a particular process only. You can use the following command line parameters to do that:
The first command scans all processes and saves a log file to the main hard drive, the second scans only the process with ID 1234 and saves a log file to the same location.
The software is compatible with all 32-bit and 64-bit editions of the Microsoft Windows operating system from Windows 2000 all the way to the latest version.Advertisement
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.