A collection of antirootkit apps

Here is a collection of all the antirootkit tools that I know.

I hope that they will help you eliminate a rootkit if you get infected. (:WIN)

The zip has 19 antirootkit (and 8 specific removal) tools.


the only one missing is “Avira Rootkit Detection Beta” which you can find it here

Thanks is ok for vista ???

Since for the majority of them there is no need of installation they should work on vista.

ps. I do not have vista on my pc, so I cannot verify which of them work on vista. If you try them please report back so the others would know.


I updated the zip by adding 5 general and 8 specific removal tools.

They shouldn’t work on vista. Vista has kernel patch protection these tools have to load their own kernel module hence they are extremely unlikely to work on vista.

If they could work through Vista’s security suite API set, then any kernel rootkit that happens to exploit the kernel patch protection will be able to divert those API calls i suspect.

If a rootkit can get itself through the kernel patch protection all it needs to do it put itself in the “Protected” DRM section of the OS. This section would only be accessible by exploiting the OS like the rootkit had to.

Rotty some of them should work with vista (at least that is according to their developers)

All of them can be found at http://www.antirootkit.com/software/index.htm

in my collection I included only the free ones

Ok, well from my research on vista’s kernel changes i can tell you with allot of certainty that unless they are exploiting the Kernel Patch protection then it is not possible.

I looked at most common ones and they do not claim to work on Windows VISTA

As i stated Microsoft locked down the Kernel, Kernel rootkits can no longer EXIST unless the kernel patch protection has been exploited and if it has Hollywood paid millions of dollars for Microsoft to put DRM protection in VISTA that consists of DRM Drivers running at the Kernel level which is what Microsoft are trying to protect with the Kernel Patch Protection.

User mode rootkits are excluded as well, this is because the default account used is not the Administrator account. (This MAY be true, though on revision it is possible for a user mode rootkit to exist but may be detectable).

I believe if a rootkit tries to modify any part of Kernel in Vista , you get a BSOD. This is good in one way but bad in others as some legit security softwares will be put out but haven’t heard if compatability is still an issue. Any time an unsigned driver is implemented , it’s supposed to be kicked out, now Blue pill is proving it wrong by moving the definitions into a VM without a restart of the OS nonetheless, lol, gotta hand it to the other guy, and many cracking experts can implement malware and rootkits going absolutely 100% undetected by Vista OS. I would assume anti rootkit makers would then be able to make this work on vista as well and had better, Vista is not as secure and just like i always said, you lock out security , techs, users, and the bad guy is left with your pc as a playground and you are left picking your nose as your pc gets taken over. I don’t know where this one is headed…


Yes you are right and i think this one is going to go downhill VERY fast.

Basically, Microsoft is going to have to patch any exploits found. But that is after the fact of the exploit being known and being exploited, hence people are going to have rootkits but the exploit that allowed it be their in the first place will be patched against…

BTW just for people thinking that Microsoft HAD to do this, they are wrong here is the reasoning:

Windows XP can be run under a limited user, this locks the kernel just as well as Vista does.
Logging on Administrator allows you to load kernel modules, hence patch the kernel.

Now with Vista, even the Administrator cannot patch the kernel/load kernel modules.
Vista is more secure because a user can easily run as a “Limited user” and is like that by default.

Vista is also less secure because there is no level of access (IE. Administrator access) that can access the kernel in the case that the protections are exploited with a buffer overflow or some other attack.

Absolutely correct but let’s not forget the hand Hollywood had in this which is one big reason MS caved. WIMPS… >:( :smiley: