How to Detect Rootkits and Hidden Malware on Windows

Rootkits can hide deep in the system and evade normal scans, and Kudu can help you investigate signs of compromise.

By the Kudu Team

Fix this automatically with Kudu

Run a free system scan to detect and resolve this issue automatically — no manual steps required.

Download Kudu Free →

What Causes This?

Rootkits are a type of malware designed to hide deep inside Windows, often by loading early in the boot process or modifying system components so they can avoid normal antivirus scans. They usually get installed through malicious downloads, fake software updates, infected email attachments, or by exploiting unpatched security flaws. In some cases, other malware installs a rootkit first so it can stay hidden and keep reinstalling itself.

Common Symptoms

  • Security tools are disabled, crash, or refuse to update
  • Unexplained network activity or high CPU/disk use when the PC should be idle
  • Unknown processes, drivers, or startup items appear and then disappear
  • Browser redirects, fake warnings, or settings that keep changing back
  • Windows behaves strangely after a malware infection was supposedly removed

How to Fix It Manually

  1. Disconnect the PC from the internet

    • Turn off Wi-Fi or unplug the Ethernet cable.
    • This helps stop hidden malware from communicating with remote servers or downloading more threats.
  2. Run a Microsoft Defender Offline scan

    • Click Start > Settings > Privacy & security > Windows Security > Virus & threat protection.
    • Under Current threats, click Scan options.
    • Select Microsoft Defender Offline scan, then click Scan now.
    • Your PC will restart and run a deeper scan before Windows fully loads, which can catch malware that hides during normal use.
  3. Check for suspicious startup items and processes

    • Open Task Manager with Ctrl + Shift + Esc.
    • Click More details if needed, then review the Processes tab for unknown apps using unusual CPU, memory, or disk activity.
    • Open the Startup apps tab and disable anything suspicious or unfamiliar by right-clicking it and choosing Disable.
    • If you find a suspicious process, right-click it and choose Open file location so you can investigate the file path.
  4. Review installed drivers and hidden devices

    • Right-click Start and choose Device Manager.
    • Click View > Show hidden devices.
    • Expand categories like Network adapters, System devices, and Storage controllers.
    • Look for unknown devices, duplicate entries, or drivers with strange names. If you find one tied to recently installed malware, right-click it and choose Uninstall device.
    • Be careful not to remove legitimate hardware you recognize.
  5. Run System File Checker and DISM

    • Right-click Start and choose Terminal (Admin) or Windows PowerShell (Admin).
    • Run these commands one at a time:
      1. sfc /scannow
      2. DISM /Online /Cleanup-Image /RestoreHealth
    • These tools repair damaged Windows system files that malware may have modified.
  6. Check for unusual scheduled tasks and services

    • Press Win + R, type taskschd.msc, and press Enter.
    • Review Task Scheduler Library for tasks with random names, odd triggers, or actions pointing to unknown files.
    • Then press Win + R, type services.msc, and press Enter.
    • Look for services with blank descriptions, strange names, or suspicious file paths. If needed, note the name and research it before disabling anything.
  7. Update Windows and change important passwords

    • Go to Start > Settings > Windows Update and install all available updates.
    • If you suspect a rootkit was active, change passwords for email, banking, and other important accounts from a different trusted device.
    • If the infection keeps returning, back up personal files and consider a full Windows reset or clean reinstall.
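A read-only PowerShell triage script, added here as an example and not part of the Kudu article or product, that gathers the autostart locations steps 3 to 6 walk through (services, drivers, scheduled tasks, Run keys) and flags entries whose binary is missing, sits outside the Windows or Program Files trees, or lacks a valid Authenticode signature. It assumes an elevated PowerShell on Windows 8 or later (Get-ScheduledTask) and uses only built-in cmdlets; the function names and the "trusted roots" heuristic are this example's own.

```powershell
# Added triage script, not from the Kudu article. Read-only: it lists the autostart
# locations the manual steps visit (services, drivers, scheduled tasks, Run keys) and
# flags entries whose binary is missing, lives outside the Windows/Program Files trees,
# or lacks a valid Authenticode signature. Run elevated on Windows 8 or later.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

# Extract the executable from a command line such as "C:\p q\a.exe" -x or C:\p\a.exe /svc
function Get-ExePath([string]$Command) {
    if (-not $Command) { return $null }
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.(exe|dll|sys))(\s|$)') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

# Return an empty string for a benign-looking entry, otherwise a short list of reasons.
function Test-Suspicious([string]$Path) {
    if (-not $Path) { return 'no path recorded' }
    $p = [Environment]::ExpandEnvironmentVariables($Path)
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot  # driver-style paths
    if ($p -notmatch '[\\/]') { $p = Join-Path $env:SystemRoot "System32\$p" }  # bare names, e.g. rundll32.exe
    if (-not (Test-Path -LiteralPath $p)) { return 'file missing' }
    $full = (Resolve-Path -LiteralPath $p).Path.ToLowerInvariant()
    $reasons = @()
    if (-not ($trustedRoots | Where-Object { $full.StartsWith($_) })) { $reasons += 'outside system dirs' }
    $sig = Get-AuthenticodeSignature -LiteralPath $full
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    return ($reasons -join '; ')
}
$items = New-Object System.Collections.Generic.List[object]
function Add-Item($Source, $Name, $Path) {
    $items.Add([pscustomobject]@{ Source = $Source; Name = $Name; Path = $Path })
}
Get-CimInstance Win32_Service      | ForEach-Object { Add-Item 'Service' $_.Name (Get-ExePath $_.PathName) }
Get-CimInstance Win32_SystemDriver | ForEach-Object { Add-Item 'Driver' $_.Name $_.PathName }
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $_.Actions | Where-Object Execute |
        ForEach-Object { Add-Item 'Task' "$($task.TaskPath)$($task.TaskName)" (Get-ExePath $_.Execute) }
}
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Add-Item "Run ($hive)" $_.Name (Get-ExePath $_.Value) }
}
# Show only flagged entries. Research each one before disabling anything, as step 6 advises.
$items | ForEach-Object { $_ | Add-Member -NotePropertyName Flag -NotePropertyValue (Test-Suspicious $_.Path) -PassThru } |
    Where-Object Flag | Sort-Object Source, Name | Format-Table -AutoSize
```

A flagged entry is a lead, not a verdict: unsigned third-party software and vendor tools in custom install paths will also appear, so check each file's publisher and path before acting on it.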

Fix It Automatically with Kudu

Kudu can help detect hidden malware behavior, suspicious startup entries, broken system settings, and other signs that something deeper is wrong. Instead of checking drivers, services, scheduled tasks, and repair tools one by one, Kudu gives you a faster way to investigate and clean up common persistence methods.

Download Kudu Free →
