Both avast and Malwarebytes have built-in anti-rootkit technology.
avast Features Overview
Unique "on access" technology checks all kernel-mode drivers that the operating system is loading for signs of rootkit behavior. This enables even unknown rootkits to be detected and stopped before they can do any damage.
If you're unsure how to use a particular Anti-rootkit (ARK) tool or interpret the log it generates, then you should not be using it. Some ARK tools are intended for advanced users or to be used under the guidance of an expert who can interpret the log results. ARKs are powerful tools, and using them incorrectly could lead to disastrous problems with your operating system. Most of the more effective ARK tools should only be used under the guidance of an expert who knows how to investigate the log for malicious entries before taking any removal action. Why? Not all hidden components detected by ARKs are malicious.
It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host-based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. The SSDT (System Service Descriptor Table) is a table that stores the addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see hidden entries created by legitimate programs after performing a scan.
Some files are locked by the operating system or by running programs during use for protection, so scanners cannot access them. When the scanner finds such a file, it makes a note and then just skips to the next one. Kernel API hooks are not always bad, since some system monitoring software and security tools use them as well. If no hooks are active on a system, it means that all system services are handled by ntoskrnl.exe, which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer.
In most cases further investigation is required after the initial ARK scan to analyze and identify the files which were detected so they can be removed during a subsequent scan (or with other specialized tools) if found to be malicious.
There are many free ARK tools, but some of them require a certain level of expertise and investigative ability to use. These are a few of the easier ARKs for novice users:
Malwarebytes Anti-Malware uses a proprietary low-level driver (similar to some ARK detectors) to locate hidden files, and special techniques which enable it to detect a wide spectrum of threats including active rootkits.
SUPERAntiSpyware Free offers technology to deal with rootkit infections as well.