[Download] RootRepeal Version 1.0.2
Posted: 2008-8-31 09:09

RootRepeal Version 1.0.2: A new rootkit detector - currently in beta.

Information

RootRepeal is a new rootkit detector currently in public beta. It is designed with
the following goals in mind:
Easy to use - a user with little to no computer experience should be able to use it.
Powerful - it should be able to detect all publicly available rootkits.
Stable - it should work on as many different system configurations as possible,
and, in the event of an incompatibility, not crash the host computer.
Safe - it will not use any rootkit-like techniques (hooking, etc.) to protect itself.

Currently, RootRepeal includes the following features:
Driver Scan - scans the system for kernel-mode drivers. Displays all drivers
currently loaded, and shows if a driver has been hidden, and whether the driver's
file is visible on-disk.
Files Scan - scans any fixed drive on the system for hidden, locked or falsified*
files.
Processes Scan - scans the system for processes. Displays all processes currently
running, and shows if a process is hidden or locked.

* - falsified files are files which have their size mis-reported to the Windows API.
Some rootkits use this to hide data.



RootRepeal is currently in public beta. Whereas every effort has been made to
ensure compatibility with every system configuration on Windows 2000, XP, 2003
and Vista, it cannot be guaranteed. There is always some risk when scanning for
rootkits. Before running RootRepeal, please make sure you have backups of all
important data and have saved all open documents.


Frequently Asked Questions

Question: What is a rootkit?
Answer: A rootkit is a set of tools or a program that is designed to hide activity on
a computer (legitimate or otherwise). A rootkit in itself is not malicious - many
antivirus programs and some games (for example, nProtect GameGuard) use
rootkit-like technology to hide or protect themselves. RootRepeal does not target
any specific product or malware, but simply identifies rootkit-like activity on a
computer and leaves the decision of what is malware or not to the user. For
more information, please refer to the Wikipedia entry on rootkits here.

Question: How do I install/run RootRepeal?
Answer: Simply run RootRepeal.exe by double-clicking on it. No installation is
necessary.

Question: How do I uninstall RootRepeal?
Answer: Delete RootRepeal.exe and (optionally) settings.dat, and reboot. RootRepeal is completely self-contained and no uninstallation is necessary.

Question: How do I know if I have a rootkit?
Answer: Run a system scan using the "Report" tab, and send the log to an expert
for analysis. Some good resources are the forums at Sysinternals here, and the
Castlecops forums here. If you are unsure if something is a rootkit, DO NOT
DELETE IT!

Question: Does RootRepeal contain any malware/spyware/adware/other bad
stuff?
Answer: Absolutely not! However, some Antivirus products may flag RootRepeal
as malware because it is packed (compressed). See the VirusTotal link in the
Download section for more information.


MD5 (of the EXE): 0732431b3d392228630edb58961dce05
SHA-1 (of the EXE): 62e8f7027ddee611726fe49d2cc0ae6e71418b3b

VirusTotal Scan: http://www.virustotal.com/analisis/feb9035525e52211937ae1438c04dfba

Because, as mentioned above, there is always an element of risk when scanning for rootkits, the
author offers NO WARRANTY for RootRepeal. USE AT YOUR OWN RISK!


http://rootrepeal.googlepages.com/RootRepeal_1.0.2.rar

Latest replies (1)
Archiving a copy locally.
2008-8-31 09:10