RootkitRevealer is an advanced rootkit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects many persistent rootkits including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys). If you use it to identify the presence of a rootkit please let us know!
The reason that there is no longer a command-line version is that malware authors have started targetting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior.
What is a Rootkit?
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.
Types of Rootkit
- Persistent Rootkits
A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contain code that must be executed automatically each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.
- Memory-Based Rootkits
Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.
- User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.
The Windows native API serves as the interface between user-mode clients and kernel-mode services and more sophisticated user-mode rootkits intercept file system, Registry, and process enumeration functions of the Native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with that returned by a native API enumeration.
- Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.
Some Rootkit removal tools:
The rootkit installs a backdoor giving the hacker a full control of the computer. It hides their files, registry keys, and process names, and network connections from your eyes. Your antivirus could not detect such programs because they use compression and encryption of its files. UnHackMe allows you to detect and remove Rootkits.
Language: English, Japanese, Russian
Size: 1 Mb
RootKit Hook Analyzer
RootKit Hook Analyzer is a security tool which checks if there are any rootkits installed on your computer which hook the kernel system services. Kernel RootKit Hooks are installed modules which intercept the principal system services that all programs and the operating system rely on. This program will display all kernel services and the responsible modules for handling them, along with company and product information.
Size: 771 Kb
Acronis Privacy Expert Suite
Acronis Privacy Expert Suite provides you with proactive, real time protection against malware; including spyware parasites, rootkits, adware, keyloggers, hidden dialers, browser hijackers, and other malicious programs. Our latest version, 9.0, adds key new features to ensure that your PC is not infected with malware.
Size: 4 Mb
Mamutu monitors in realtime all active programs for dangerous behavior and blocks malicious activities. It recognizes new and unknown Trojans, Backdoors, Keyloggers, Worms, Viruses, Spyware, Adware and Rootkits (Zero-Day attacks), without the need of daily signature updates. Mamutu gives you full control over internal system activities. It's small but very powerful. Mamutu saves resources and does not slow down the PC.
Language: English, Arabic, Dutch, French, German, Italian
Size: 3 Mb
RemoveAny finds spyware, adware, Trojan horses, key-loggers, rootkits on your computer. RemoveAny product recognizes malicious software by watching for suspicious behavior, not by searching for known signatures. It has constant protection that is always up-to-date without requiring signature updates. RemoveAny starts at system startup and monitors all drivers and processes run.
Size: 177 Kb
Also some more Tips is here Rootkits danger and prevention