I usually don’t worry so much about viruses and worms anymore because it seems to me that this threat is mostly under control nowadays. However, I always feel a bit uncomfortable when I think about rootkits. Viruses try to spread and often enough they damage their hosts, which makes them easier to detect. But rootkits just hide. It lies in their nature that you simply don’t know of them.

I just played a little with McAfee Rootkit Detective and it indeed found a couple of hidden registry entries and hooked services on my system. The hooked services belong to my Sunbelt Personal Firewall. I wasn’t able to track down the application that created the hidden registry keys, so I just deleted them all. Since this is a test system it is quite probable that they belong to spyware that was installed with one of the tools I tested.

Note that this was just a virtual machine and I created a snapshot before I deleted registry keys. If you intend to mess with the registry on one of your computers, I highly recommend creating a backup of the registry database before you do this even though McAfee Detective has an undo function. I like it that one can delete suspicious registry entries with McAfee Detective. This is an advantage over Sysinternals RootkitRevealer which I usually use when I am on the hunt for rootkits.

I don’t like the window size of Rootkit Detective though, it is quite small and one can’t resize it. So you always have to scroll to read the full path of a registry entry. Another downside of the tool is that it doesn’t support Vista. This is quite strange considering that it was just released recently.

What is your favorite rootkit hunting tool?

• My favorite Sysinternals utilities (7)
• FREE: Windows System Control Center – Launch Sysinternals and NirSoft tools from the web (2)
• FREE: Autoruns – Manage Windows startup programs (0)
• FREE: Disk2vhd – A simple P2V tool that creates VHDs for Hyper-V and Virtual PC (9)
• Help in Sysinternals tool says “Navigation to the webpage was canceled” (7)

I must admit, I am one of those who neglected this topic for quite a while. At least, I googled about it now. Originally, I wanted to make a list of anti-root tools. But then I found Antirootkit.com. They have a comprehensive collection of anti-rootkit tools plus some useful information like a list of articles and of known rootkits.

I have read some reviews about Sysinternals RootkitRevealer a while ago. I suppose, it is the most prominent among the anti-rootkit tools for Windows and it is free. So I would start with this tool first.

• FREE: Microsoft Standalone System Sweeper – Standalone antivirus software (0)
• FREE: Kaspersky Rescue Disk – Offline antivirus tool (2)
• Forefront Endpoint Protection (FEP) 2012 – Part 2: Deployment and configuration (3)
• Offline Antivirus – How to run Microsoft Safety Scanner on Windows PE 3.0 (5)
• Forefront Endpoint Protection 2012 – Part 1: Installation on Configuration Manager 2012 (1)