Rootkit Revealer
Rootkit Revealer was created by the team at Sysinternals, and since Microsoft bought Sysinternals it now calls Microsoft home. The current version is v1.71 and is available as a free download from Microsoft.
I ran Rootkit Revealer on my Windows XP SP2 PC. It found two registry keys that were suspect, but a quick search showed they were normal with the latest version of Rootkit Revealer. On a second run, immediately after a reboot, it found some additional files, all dated post-reboot. The only old files it flagged were from Microsoft Defender; they also appeared to be temporary files that were deleted during normal operations and are an indication of disk/file problems rather than spyware.
The scan also found several files in my Windows\temp directory. Rather than being spyware, they all seemed to be temp files that had been deleted. The timestamp on all of them was today and since the last boot. The discrepancy is probably due to a disk/file system problem rather than spyware. The message was “Visible in directory index, but not Windows API or MFT”.
I also scanned using Microsoft Defender and AVG Anti-Rootkit (both are available from my links page under Free Security Software). Neither found any spyware or rootkits.
Rootkit Revealer looks for rootkit-type activity at a much lower level than the more user-friendly scan tools, which seem to look for specific, known rootkits: it compares what the Windows API reports with what it reads directly from the file system (directory index and MFT) and the registry hives, and flags every discrepancy. It's then up to you to research each discrepancy and decide whether it's a rootkit. Rootkit Revealer also doesn't include any rootkit removal tools. The Sysinternals forums are still around and can be used to help decipher the scan results.
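Because the tool only reports discrepancies and leaves the research to you, a small triage script helps separate the usual noise (post-boot deleted temp files, registry keys already known to be benign for this version) from the entries that actually need a closer look. The following is an added example, not code from Sysinternals or Microsoft; it assumes the scan log is saved as tab-separated lines of path, timestamp, size and description, and the sample log lines, the temp-file path, the driver name and the boot time are all constructed for illustration.

```python
"""Triage helper for RootkitRevealer-style cross-view scan output.

Added example (not Sysinternals/Microsoft code). Assumes the log is
tab-separated: path, timestamp, size, description. Sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Constructed sample log: one post-boot temp file, one driver hidden from the
# API, and one registry key with an odd name. Paths and names are made up.
SAMPLE_LOG = (
    "C:\\WINDOWS\\temp\\tmp1234.tmp\t3/3/2007 10:22 AM\t0 bytes\t"
    "Visible in directory index, but not Windows API or MFT.\n"
    "C:\\WINDOWS\\system32\\drivers\\example.sys\t1/15/2006 9:03 AM\t24576 bytes\t"
    "Hidden from Windows API.\n"
    "HKLM\\SOFTWARE\\Example\\Key\t3/3/2007 10:05 AM\t0 bytes\t"
    "Key name contains embedded nulls (*)\n"
)

# Constructed "last boot" time; in practice take it from the system.
LAST_BOOT = datetime(2007, 3, 3, 9, 0)

TIMESTAMP_FORMAT = "%m/%d/%Y %I:%M %p"     # assumed log timestamp layout
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")      # directories where deleted temp files live
REGISTRY_ROOTS = ("HKLM", "HKCU", "HKU", "HKCR")


@dataclass
class Finding:
    path: str
    timestamp: datetime
    description: str
    severity: str   # "high", "research" or "low"
    reason: str


def parse_line(line: str) -> Tuple[str, datetime, str]:
    """Split one log line into (path, timestamp, description)."""
    path, stamp, _size, description = line.rstrip("\r\n").split("\t", 3)
    return path, datetime.strptime(stamp, TIMESTAMP_FORMAT), description


def classify(path: str, timestamp: datetime, description: str,
             last_boot: datetime) -> Tuple[str, str]:
    """Apply the triage rules described in the post and return (severity, reason)."""
    desc = description.lower()
    if path.upper().startswith(REGISTRY_ROOTS):
        # Registry discrepancies: compare against the known-benign keys for
        # the installed tool version before worrying.
        return "research", "registry discrepancy; check against known-benign keys"
    if "hidden from windows api" in desc:
        # Present on disk but invisible through the API: the classic rootkit sign.
        return "high", "object hidden from the Windows API"
    if "directory index, but not windows api or mft" in desc:
        in_temp = any(marker in path.lower() for marker in TEMP_MARKERS)
        if in_temp and timestamp >= last_boot:
            # Post-boot temp file that was deleted in normal operation:
            # file system residue rather than spyware.
            return "low", "post-boot deleted temp file (file system residue)"
        return "research", "index/MFT mismatch on a non-temp or pre-boot file"
    return "research", "unrecognised discrepancy type"


def triage(log_text: str, last_boot: datetime) -> List[Finding]:
    """Parse every non-empty log line and attach a severity and reason."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        path, ts, desc = parse_line(line)
        severity, reason = classify(path, ts, desc, last_boot)
        findings.append(Finding(path, ts, desc, severity, reason))
    return findings


def needs_attention(log_text: str, last_boot: datetime) -> List[str]:
    """Paths that are not explained away as benign noise."""
    return [f.path for f in triage(log_text, last_boot) if f.severity != "low"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, LAST_BOOT):
        print(f"[{f.severity:8}] {f.path}: {f.reason}")
```

Run it against a real saved log by replacing SAMPLE_LOG with the file contents and LAST_BOOT with the machine's actual boot time; anything it marks "high" or "research" is what you take to the forums, while "low" entries are the post-boot temp-file noise the post describes.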
