Top free tools for rooting out rootkit spies

By Scott Spanbauer

An easy-to-use rootkit detector and cleaner makes trapping this sneaky spyware a snap.

Whether you’re comfortable sorting through your PC’s processes and Registry keys manually or you prefer to have someone else do the sleuthing, there’s a rootkit detector for you.

Find the malware hiding on your system

Even if you use a firewall and set your antivirus software to update its virus definitions automatically, your PC may not be safe from rootkits.

By manipulating the operating system at a low level, these malware programs can surreptitiously install keyloggers and backdoor programs on your PC. Their authors are then able to spy on your activities and control your system remotely.

Though many antivirus vendors have added rootkit detection and removal to their programs’ arsenal of anti-malware weaponry, not all antivirus programs are rootkit-savvy. Even if your security software claims to defend against rootkits, you may benefit from a second opinion.

I tested a number of free rootkit detectors for Windows XP and Windows Vista, and my clear favorite is F-Secure’s Blacklight, which combines thorough system scanning with a familiar interface reminiscent of a standard antivirus program.

On the other hand, do-it-yourself types will find plenty to like in GMER. The utility offers fine-grained control over which files it scans, and it produces detailed reports of your system’s processes, files, Registry entries, and other rootkit-related information.

Trend Micro’s Rootkit Buster beta is similar to Blacklight, but the program’s scans are suspiciously brief.

I ran the three rootkit scanners on two different PCs: one running Windows XP and the other Vista. Since none of the programs found anything dangerous on either system, I wasn’t able to test their rootkit-removal skills, which generally involve renaming or deleting the problem files and processes they discover.

Fortunately, German research group AV-Test recently completed an exhaustive test of more than 20 rootkit-removal tools of all types. Mark Joseph Edwards’ PC-Tune-Up column in this week’s issue describes those results.

If it wasn’t for the fact that all three utilities reported the same result, I might have doubted their cheerful news. That’s why I recommend that you use more than one rootkit remover on your PC.

Doing so is easy, since all three of the programs I tested are only about 1MB in size. Also, they require no installation or registration, and — unlike running multiple antivirus programs — the rootkit scanners don’t conflict with one another.

The simple, secure way to check for rootkits

Antivirus maker F-Secure was one of the first vendors to offer a standalone rootkit detector and remover. In fact, the rootkit-rooting capabilities in F-Secure’s Blacklight utility are also found in the company’s U.S. $80 F-Secure Internet Security 2008 suite as well as in its free online virus scanner.

Blacklight is about as easy to use as a program can be: just download and run, no installation necessary. By default, Blacklight scans for hidden processes, files, and folders. Although not listed, the utility also checks the hard disk’s master boot record.

Figure 1. F-Secure’s free Blacklight rootkit-scanning utility is a snap to use.

The program’s scan took only three minutes to complete on my lightly used and relatively fast Vista test system. On the slower Windows XP laptop, however, the scan lasted a good half-hour.

When Blacklight identifies a hidden file or process, it prompts you to rename the interloper to prevent it from functioning in the future. You can also run Blacklight in a more aggressive mode, although the company says doing so could produce false-positive results.

A complete — albeit slow — rootkit scanner

GMER may be the most thorough rootkit detector and cleaner available. The program scans for hidden processes, files, NTFS alternate data streams, services, Registry keys, drivers, and suspicious hooks into drivers.

Like the other two free rootkit scanners I tested, GMER requires no registration or installation — just download the program, extract it from its zip archive, and run the scan.

GMER’s scans take nearly as long as Blacklight’s to complete, which may indicate that GMER is doing a very thorough search. Hidden processes that the program thinks are malware of some kind are highlighted in red. GMER then adds a delete command to its context menu.
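The hidden-process and hidden-file scans that Blacklight and GMER perform rest on a cross-view idea: gather the same information two different ways and see whether the views disagree. The following added example (not code from the article or from any of the tools it reviews) shows a crude version of that check with built-in PowerShell; it assumes Windows PowerShell 5.1 or later run from an elevated prompt, and the function names Compare-ProcessViews and Find-AlternateDataStreams are the example’s own.

```powershell
# Added example, not code from the article or from any of the tools it reviews.
# A crude "cross-view" check in the spirit of a rootkit detector's hidden-process
# and hidden-file scans: a process that one view reports and the other omits, or a
# file carrying an unexpected NTFS alternate data stream, is worth a closer look.
# Assumes Windows PowerShell 5.1 or later, run from an elevated prompt.

function Compare-ProcessViews {
    # View 1: the .NET/Win32 process API.
    $apiView = Get-Process | ForEach-Object { [int]$_.Id }
    # View 2: WMI/CIM, which enumerates processes through a separate provider.
    $cimView = Get-CimInstance -ClassName Win32_Process |
        ForEach-Object { [int]$_.ProcessId }

    # PIDs present in only one view. Short-lived processes that started or exited
    # between the two snapshots also show up here, so run the check twice before
    # treating a difference as suspicious. PID 0 (System Idle Process) is skipped.
    Compare-Object -ReferenceObject $apiView -DifferenceObject $cimView |
        Where-Object { $_.InputObject -ne 0 } |
        ForEach-Object {
            [pscustomobject]@{
                ProcessId  = $_.InputObject
                SeenOnlyBy = if ($_.SideIndicator -eq '<=') { 'Get-Process' } else { 'Win32_Process' }
            }
        }
}

function Find-AlternateDataStreams {
    param([string]$Path = $env:USERPROFILE)
    # Every NTFS file has the unnamed ':$DATA' stream; list only the extra ones.
    # Browsers add a benign 'Zone.Identifier' stream to downloads, so skip that too.
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

# Neither check replaces a real scanner: a rootkit that hooks both enumeration
# paths hides from both views, which is why tools such as GMER read kernel
# structures and raw disk data directly. A clean result here is one extra opinion.
Compare-ProcessViews | Format-Table -AutoSize
Find-AlternateDataStreams -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

An empty table from Compare-ProcessViews and a short or empty list from Find-AlternateDataStreams is the expected result on a clean machine; anything else is a lead to hand to a dedicated scanner, not a verdict.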

When a fast scanner may be too fast

Like the Blacklight and GMER rootkit detectors, Trend Micro’s Rootkit Buster is a download-unzip-run affair. The program’s few scanning options are straightforward: files and master boot record, Registry, processes, and drivers. To rid your system of the rootkits it finds, simply select the detected items and click the Delete button.

My only concern regarding Rootkit Buster is that the program’s scans took almost no time to complete on the Vista test system, and only a few minutes to finish on the XP test machine, compared to Blacklight’s 30-minute-plus perusal. While the quick scans could simply be the result of better programming, I suggest that you use Rootkit Buster as an adjunct to another rootkit detector.

Scott Spanbauer frequently writes for PC World, Business 2.0, CIO, Forbes ASAP, and Fortune Small Business. He has contributed to several books and was technical reviewer of PC Hacks.

All Windows Secrets articles posted on 2008-05-22: