Made by Sysinternals, so safe to try.
RootkitRevealer is an advanced patent-pending rootkit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender.
Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format).
RootkitRevealer supports several options for auto-scanning systems:
Usage: rootkitrevealer [-a [-c] [-m] [-r] outputfile]
-a : Automatically scan and exit when done.
-c : Format output as CSV
-m : Show NTFS metadata files
-r : Don't scan the Registry.
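The cross-view comparison described above can be sketched as follows. This is an added example, not RootkitRevealer's code: the function names, finding labels and both listings are constructed for illustration, and a real scanner would build the raw view by parsing the volume and hive files directly.

```python
# Added illustration: cross-view comparison over two constructed listings.
# All names and sample data below are hypothetical, not RootkitRevealer's own.

# NTFS metadata files are normally invisible to the Windows API, so a raw scan
# always "finds" them; they are suppressed unless asked for (compare -m).
NTFS_METADATA = {"$mft", "$mftmirr", "$logfile", "$volume", "$attrdef",
                 "$bitmap", "$boot", "$badclus", "$secure", "$upcase", "$extend"}


def _normalize(view):
    """Key each entry by lower-cased path: NTFS names are case-insensitive."""
    return {path.lower(): (path, size) for path, size in view.items()}


def is_metadata(path):
    # First component after the drive root, e.g. C:\$Extend\$UsnJrnl -> $extend
    parts = path.lower().split("\\")
    return len(parts) > 1 and parts[1] in NTFS_METADATA


def cross_view_diff(api_view, raw_view, show_metadata=False):
    """Return sorted (path, finding) tuples where the two views disagree."""
    api, raw = _normalize(api_view), _normalize(raw_view)
    findings = []
    for key in sorted(set(api) | set(raw)):
        if key not in api:
            path = raw[key][0]
            if is_metadata(path) and not show_metadata:
                continue
            findings.append((path, "present on disk, hidden from API"))
        elif key not in raw:
            # Often benign: file created or deleted while the scan was running.
            findings.append((api[key][0], "in API view, absent from raw scan"))
        elif api[key][1] != raw[key][1]:
            findings.append((raw[key][0], "size differs between views"))
    return findings


# Constructed sample data: path -> size in bytes.
API_VIEW = {r"C:\Windows\notepad.exe": 69120, r"C:\Temp\scratch.tmp": 12,
            r"C:\WINDOWS\system32\drivers\null.sys": 2944}
RAW_VIEW = {r"C:\Windows\notepad.exe": 69120, r"C:\$MFT": 1048576,
            r"C:\Windows\System32\drivers\null.sys": 4096,
            r"C:\Windows\System32\hidden_example.sys": 8192}

if __name__ == "__main__":
    for path, finding in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"{finding:36} {path}")
```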