RootkitRevealer is a rootkit scanner from Microsoft Sysinternals. This program will search for user-mode or kernel-mode rootkits and list any API discrepancies that are found. The program was originally developed in 2006, which was before the more advanced rootkits were developed. Therefore, this program will not be able to properly detect new rootkits that use MBR or other advanced technologies.
RootkitRevealer, though, is still a useful tool to looks for API hooks or other discrepancies that could alert you to a program, or malware, doing something it shouldn't be.
Product Description from Microsoft:
RootkitRevealer is an advanced rootkit detection utility. It runs on Windows XP (32-bit) and Windows Server 2003 (32-bit), and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects many persistent rootkits including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys). If you use it to identify the presence of a rootkit please let us know!
The reason that there is no longer a command-line version is that malware authors have started targetting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior.
|Tech Support Forums | The Computer Glossary | RSS Feeds | Startups | The File Database | Virus Removal Guides | Downloads|