RootkitRevealer - Farstrider's Place

Farstrider's Place

SOLID STATE COMPUTERS

RootkitRevealer

Here is a really cool link [ http://www.sysinternals.com/utilities/rootkitrevealer.html ] to another Sysinternals article, with a really nice description and download [Download RootkitRevealer (210 KB)] of RootkitRevealer, an advanced patent-pending rootkit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys). If you use it to identify the presence of a rootkit please let us know!

The reason that there is no longer a command-line version is that malware authors have started targeting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior.

Go to the site and have a look, a really nice article!

Note to Security Professionals

Because rootkits can use various mechanisms to detect RootkitRevealer's presence and foil detection by not hiding their objects from a scan, we are licensing a private build of RootkitRevealer available to qualified security organizations. Email us from your corporate email account if you represent a security company and would like to license the private build.
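The discrepancy comparison described above, as an added example (not code from this post or from Sysinternals): two listings of the same file system, one as reported through the Windows API and one from a raw read, are diffed, and only discrepancies that persist across scans are reported. The paths, the sample listings and the two-scan confirmation step are assumptions made for illustration.

```python
import ntpath


def normalize(path):
    """Windows names are case-insensitive: fold case and separators first."""
    return ntpath.normcase(ntpath.normpath(path))


def cross_view_diff(api_view, raw_view):
    """Diff the API's listing against a raw listing of the same store."""
    api = {normalize(p) for p in api_view}
    raw = {normalize(p) for p in raw_view}
    # On disk but filtered out of API results: the classic hiding signature.
    findings = {(p, "hidden_from_api") for p in raw - api}
    # Reported by the API but absent from the raw view.
    findings |= {(p, "api_only") for p in api - raw}
    return findings


def persistent_findings(scans):
    """Keep only discrepancies present in every scan.

    Assumption of this example: files created or deleted between the two
    enumerations show up once and then vanish, so they are dropped here.
    """
    results = [cross_view_diff(api, raw) for api, raw in scans]
    return sorted(set.intersection(*results)) if results else []


# Constructed sample listings as (api_view, raw_view); no real system was scanned.
SCAN_1 = (
    [r"C:\Windows\System32\drivers\disk.sys", r"C:\Temp\install.log"],
    [r"c:\windows\system32\drivers\DISK.SYS",            # same file, other case
     r"C:\Windows\System32\drivers\example_hidden.sys",  # hypothetical hidden file
     r"C:\Temp\install.log",
     r"C:\Temp\~scratch.tmp"],                           # created mid-scan
)
SCAN_2 = (
    [r"C:\Windows\System32\drivers\disk.sys", r"C:\Temp\install.log"],
    [r"C:\Windows\System32\drivers\disk.sys",
     r"C:\Windows\System32\drivers\example_hidden.sys",
     r"C:\Temp\install.log"],
)

if __name__ == "__main__":
    for path, kind in persistent_findings([SCAN_1, SCAN_2]):
        print(f"{kind}: {path}")
```

When both views agree the diff is empty, which is why a rootkit that does not hide its files or registry keys produces nothing for this kind of check to report.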

Copyright © 2005-2006 Bryce Cogswell and Mark Russinovich 


 

 

Comments

 

adriaan said:

These sysinternals guys are gods.
March 9, 2006 8:31 AM
 
