Hi Can someone clarify this for me ? To determine whether potential rootkit activity is present, I run an on-demand scan with AS off and then another scan with AS on and then see if there is a discrepancy of the number of files scanned. Is that right ? If so, scan A shows 133,814 files scanned, Scan B 133815. How can I find the file that is 'hidden' from Scan A - sounds to me like finding a needle in a haystack unless I'm missing something a bit more scientific here Sophos AntiRootkit finds no hidden files and Rootkit Revealer displays one Prefetch file as 'hidden'. Said Prefetch file shows up in both NOD scans- so thats not the discrepancy. Any thoughts anyone ?