newest version here

Purpose: detecting rootkits.

Quick overview: when you start RootAlyzer, it performs a very quick scan of a few important places, taking about a second on modern machines. To check the full system, click on the Deep Scan tab.

Background: Rootkits like to hide by blending into system functions and avoiding that they get listed themselves. Windows systems are quite complex though, and files and registry entries can be listed using various ways, processes are referred to in different places, and many rootkits just don't hide from all of them, but only the standard ones that hide them from the regular user. RootAlyzer goes through the file system, the registry and process related lists using various different methods, and compares the results.

Some screenshots: to see what I'm talking about, here are some screenshots:
The Quick Scan screen shown when starting the appplication:

http://www.safer-networking.org/images/rootalyzer/quick-01.png
The drive selection when switching to the Deep Scan:

http://www.safer-networking.org/images/rootalyzer/drives-01.png
The Deep scan itself:

http://www.safer-networking.org/images/rootalyzer/deep-01.png
Properties shown for a hidden file:

http://www.safer-networking.org/images/rootalyzer/properties-file-01.png
Properties shown for a hidden registry key:

http://www.safer-networking.org/images/rootalyzer/properties-regkey-01.png
Properties for a hidden process:

http://www.safer-networking.org/images/rootalyzer/properties-process-01.png
More properties for a hidden process:

http://www.safer-networking.org/images/rootalyzer/properties-process-02.pngThe property sheets are actually a bit newer inside the release version, offering Delete/Terminate buttons.

It's a work-in-progress (with a new project tools category available here (http://forums.spybot.info/project.php?projectid=11) to track bugs and feature requests), but it's already helping to easily locate some of the current malware rootkits.

wow, it looks great! Is it vista compatible?

btw there is a small typo


Some screenshots: to see what I'm taking about

"to see what i'm talking about"

btw there is a small typo
"to see what i'm talking about"

:funny:

Ah yes, compatibility, should've mentioned that somewhere ;)

The whole file/registry stuff is NT/2000/XP/2k3/Vista only, since it compars NT native mode function results against Win32 subsystem results (no NT would mean nothing to compare against). Process stuff could work on 9x as well.

The screenshots show XP, admitted ;) Wouldn't see why it wouldn't work on Vista, though I didn't test it a lot there.

Screenshots of log in next version (ignore the results shown, those are fake entries to have something visible while debugging):

http://www.safer-networking.org/images/rootalyzer/log-01.png

http://www.safer-networking.org/images/rootalyzer/log-02.png

http://www.safer-networking.org/images/rootalyzer/log-03.png

Deleted.

Does RootAlyzer use a driver?

The last time I tested a rootkit scanner, it crashed my Vista so badly that I had to re-image my Vista back.

No, it does not :)
Though a file system filter service/driver might be something to look at in a future version. But if it does, then not permanently installed, but just for the moment.
What it does now is it just communicates more directly with the NT level of the Operating System, instead of using the Win32 subsystem.
If rootkits would hide on the NT level as well (not the standard rootkit current malware ;) ), that would indeed ask for a filesystem filter. Or that other solution in the coming Spybot-S&D plugins update ;)

Thanks. :)

With Windows 2000 the Rootalyzer does not look like the screenshot. The icons are missing as well as the detailed information in the quick scan window (see my attachment).

While testing the deep scan I wondered if the Rootalyzer would find objects with a broken ACL. Obviously it does not.

The background is: Some time ago I screwed up the windows installer. First I didn't know how I've done it, but then I became clear that I likely messed it up with a reg cleaning utility. After a lot of searching I found out that there were some installer related registry keys that couldn't be accessed (with rededit). With regedt32 I found out that the keys didn't have any account authorised on them. (Later I've been told that this is called "broken ACL".) After taking over ownership and authorising the keys the installer was working again.

Accidentally I found another key with a broken ACL in my registry and I guess that there are some more.

I did some tests. Regedit shows this key, but cannot access it. Regalyzer doesn't show this key.

I would be glad if there would be a tool which is able to find objects with a broken ACL.

cu, Robo :)

this feature is now included in spybot, so spybot does scan for rootkits now correct? So therfore, there is no need to download this app correct? I was thinking about putting it on a jump drive to help me clean other people's infected machines. But i won't do it if its already included within spybot. :) thanks!

Greetings,

Just wondering if Rootalyzer will be looking for Mebroot at some point?

@robo: while I did expect only one line of text to show up next to each icon, no icons at all shouldn't be. I'll look at it, planing a new release regarding the post by Coronamaker this weekend.

Regarding the broken ACL thing, that's probably not exactly a rootkit method (unless it would give itself temporary access rights while reading/writing only, and withdraw it again immediately afterwards... interesting thought...), but I'll see if I can "corrupt" an ACL in a way I could expect in the way described above, and how to report it.

@129260: Spybot-S&D always had some basic rootkit detection mechanisms, but the latest updates improved on three important fronts there.

Spybot-S&D usually detects threats in our database only; RootAlyzer just shows any things it identified as hidden, without relating them to known malware. So you could use RootAlyzer to detect even rootkits that are not known yet; but one of the new plugins for Spybot-S&D includes kind of a rootkit heuristics (which is not as generic though).

In summary: use RootAlyzer if Spybot-S&D hasn't found the culprit and you're suspecting an unlisted malware.

@bobisbob: I'll ask our samples juggler whether he has some samples of it, would have to take a look to say.

Updated the link in the first post; now points to version 0.1.2 instead of 0.1.1. Most important change is that it will no longer show entries identified through MaxSubKeyLen only (since the Win32 registry API can deal with that, it cannot really be used as a rootkit exploit anyway).

Microsoft has a tool called Rootkit Revealer (http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx) that seems pretty solid.

Any differences in their program vs yours?

I'll say that yours LOOKS nicer, at least in a few of the screens :)

(Minor bug) I've noticed that the deep scan automatically selects C:, but I have the OS installed to D:, so it would be nice if it could automatically detect which drive and select that appropriately.

Also, in the registry scan, there's a column labeled "Details," but on W2k I don't see anything in there. I've noticed that on the main "quick scan" page, my results don't exactly match your screenshot; the "x files were tested" and "no hidden entries detected" don't show up at all.

In addition to that, there seems to be some odd graphics on the right hand side of the program, see the attached screenshot, which brings me to another point. For some reason, the registry scan has flagged "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® audio software" and "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter". I suspect the ® symbol is what's causing it to be mistakenly flagged. (A right-click > "Copy to clipboard" option would be helpful). The other 9 detected items in that screenshot also seem to be false positives; they show up in regedit just fine. (See regedit.jpg and regedit2.jpg)

(Since the file is too big to attach, I've uploaded screenshots.zip to http://members.cox.net/sxzhu/screenshots.zip)

@ddcc_7: could you try the newer 0.1.2 link? The entries your screenshot shows look like... well, I'm not sure if it's a false positive, but it's not a rootkit ;)
0.1.1 was quite harsh in testing for buffer overflow possibilities (buffer overflows are responsible for many of todays security holes). It does so by checking the maximum length the registry says a subkey might have against the lengths of all subkeys. Most systems come up clear, but after it has first been reported I've checked all our virtual machines I could get hold of and found a clean one that showed the same symptons.
Since it was just a theoretical concept and the chance of applications failing here and that an exploit for such failing could exist, that thing has been removed from 0.1.2 until we've learned more about the background.
I'll make sure the next version shows more in the "Details" column! (and maybe add the expected length to the popup window that contains more details)

As for W2k and the quick scan page, that's a limitation of Windows; the "tile view" mode with multiple columns per icon is a feature of the common controls library 6.0 or later, shipped since XP. W2k has a 5.x version of it that is not capable of that. Sure, modern GUIs would allow anything, but I prefer using standard controls because that allows for better accessibility support usually.

@SpeeDemon: RootkitRevealer mentions the #0 hiding trick which granted is not checked in RootAlyzer yet, but is on my immediate todo-list (we already cover that in Spybot-S&D).

I've double checked; I was running the newer 0.1.2 version, since I just downloaded it this morning. I downloaded it again to double check; the same lines still show up. I can export the values/keys and get them to you, if you want.

Edit:==
I've just checked the log, here's what shows up:
What strikes me are the ?'s in place of the ®'s, and the odd numbers of commas. On second thought, a space after the commas/colons would help make it easier to read, if that doesn't defeat the purpose.

// info: Rootkit removal help file
// copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

:: RootAlyzer Results
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo? audio software\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo? video 5.10 Compression Filter\",""
RegyValue:"Hidden registry value","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL\","EventLogging"
RegyValue:"Hidden registry value","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\Lsa\SspiCache\msapsspc.dll\","Name"
RegyValue:"Hidden registry value","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\Lsa\SspiCache\msapsspc.dll\","Comment"
RegyValue:"Hidden registry value","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\Lsa\SspiCache\msapsspc.dll\","Capabilities"
RegyValue:"Hidden registry value","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\Lsa\SspiCache\msapsspc.dll\","RpcId"
RegyValue:"Hidden registry value","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\Lsa\SspiCache\msapsspc.dll\","Version"
RegyValue:"Hidden registry value","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\Lsa\SspiCache\msapsspc.dll\","TokenSize"
RegyValue:"Hidden registry value","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\Lsa\SspiCache\msapsspc.dll\","Time"
RegyValue:"Hidden registry value","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\Lsa\SspiCache\msapsspc.dll\","Type"

==

I've noticed that the odd graphics "corruption" when I maximize the window seems to be because the window behind RootAlyzer is showing through. Screen resolution is 1280*1024 @ 32-bit @ 60Hz. Seems to be a pretty "odd" bug.

Also the "Invisible Processes (from handles)" part of the Quick Scan seems to be a little bit slow; when I started up RootAlyzer again it detected a process with PID 640, with the details completely empty. The only program that might have caused this would have been WinZip; I closed WinZip right when RootAlyzer loaded.

@129260: Spybot-S&D always had some basic rootkit detection mechanisms, but the latest updates improved on three important fronts there.

Spybot-S&D usually detects threats in our database only; RootAlyzer just shows any things it identified as hidden, without relating them to known malware. So you could use RootAlyzer to detect even rootkits that are not known yet; but one of the new plugins for Spybot-S&D includes kind of a rootkit heuristics (which is not as generic though).

In summary: use RootAlyzer if Spybot-S&D hasn't found the culprit and you're suspecting an unlisted malware.


I gotcha ;)

Zero-char detection has been added to 0.1.3.

Pre-selecting the system drive instead of always C: has been added to 0.1.3.

The "Invisible processes from handles" is indeed a bit slow - reading the list of all system handles isn't a standard Windows operation and takes a few seconds, depending on the number of applications running. Unless we would check the process list for each handle while it is checked, which would not be performant at all, there's always the chance for a small out-of-sync effect.
Maybe we should add a message box telling the user to not open or close any application until the results appear.

As for the "odd commas" (if you refer to these between rootkey and keypath, and between keypath and value name), that's SBI format, and expected.

An exported reg file might indeed help, please send to http://forums.spybot.info/misc.php?do=email_dev&email=ZGV0ZWN0aW9uc0BzcHlib3QuaW5mbw==, using "RootAlyzer; for PepiMK, see forum" as subject :)

Hi,
Thank you for the Root Alyzer.
I did download it and execute it from the zip file on the desktop. How do I complete the installation in order to execute it in the future? I did not see it in the Spbbot list of plugins.
I did not find any problems with the quick scan. I got 36 entries like this one from the deep scan. They all dealt with System Certificates. There was no explanation:
Key:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Policies\Microsoft\SystemCertificates\?????k\",""
Thanks
Frank C

can it remove the rootkits it has found?
And btw i selected the deep scan and chose the c: drive to scan but it doesnt start scanning it says you didnt select any drives for scanning and under it writes registry scanner starting.

I've sent the email.

Would you consider adding an option to select which registry hive to scan, like the file scanning, so not only is there precise control over individual hives, but also the ability to turn off registry scanning if needed.

Just downloaded and will be interested to see how it works. I have used Rootkit Revealer from Sysinternals, but was not able to interpret results. Being Microsoft they are bureaucratic and yet to respond to my forum registration, after 5 days!
Be curious to know the registry cleaner Robo had a problem with as I think my recent troubles began with a trusted registry cleaner :clown:

Be curious to know the registry cleaner Robo had a problem with as I think my recent troubles began with a trusted registry cleaner :clown:

The registry cleaner I guess that was the reason of my problems was RegSeeker 1.51.

cu, Robo :)

Just to keep everyone up-to-date, I think I've finally been able to reproduce the problems for example ddcc_7 reported - on Windows 2000 (the same registry keys do not cause any trouble on XP), and fixed them.
It was kind of similar to the problem with detecting registry keys: in rare cases, RegQueryInfoKey returns "0" as the maximum length for the name of any values inside a key (lpcMaxValueNameLen). While I see this as a possible trouble cause, since even regedit is able to ignore it, it shouldn't be mentioned here though.

I've also added that missing feature request to the bugtracker:
Select list of reg hives to scan (http://forums.spybot.info/project.php?issueid=206)

As for interpreting the results, only 0.1.3 will start having the "Details" column filled, and then we will have to add a helpfile providing more details on what these short "details" mean ;)

Hi there,

Nice tool!

I've been attempting to remove a very persistant piece of spyware, and I've used every piece of ammo I've got and can't get rid of it.

I've stumbled across this tool in my attempts.

I've got a hidden file: c:\windows\system32\drivers\sajp38.sys.

We do we do from here? I can't find it in Windows Explorer... Nothing shows up in Google about it...

It'd be handy to see the Date Modified properties, and other file properties for the file. At least we'd then have some idea if it is in fact a file that we need to concern ourselves with?

Thanks!
Max

The File Properties dialog for the file (where you found the timestamp information as well) should have that information a Delete button in the lower right.
Should show up by double-clicking a result in the list :)

Will we always have to come back here to check for the latest version of RootAlyzer, or will you incorporate an update feature?
Anyway, it's a great tool!

This tool is of course just an attempt to lure you back to the forums :D

No, just kidding, you're absolutely right; our about dialog already has a very simple button to look whether new updates are available or not integrated (as seen in our Distributed Testing client), just not shown yet. Did enable it for the next version :)

Hi again,

Just a little post. The file that I couldn't find to delete? I found it... sort of...

Turns out, its being loaded as a hidden device driver. I found it in Device Manager under Hidden Devices. Very tricky, cause that means it was getting loaded under all circumstances, and wasn't a running process, and wasn't starting with "startup processes" under Windows XP.

I've disabled it tonight. I'll attempt to delete it tomorrow with Recovery Console.

BUT: Word of warning to those out there: This process was running as a spamming generator! Its just spamming and spamming. The only reason I knew it was even there was because my client got listed on about 6 spam blockers, and all their emails were getting rejected.

I haven't found this mal-ware with any tool around. Spybot, Adaware, HiJack This, CWShredder, SmitFraudFix. Nothing.

We're running Trend Micro Client Server Messaging Suite. That didn't find it.

I have scanned this machine about 30 times. I've done a System Restore. I've deleted all files that came onto the machine the day it got infected.

I ran WireShark and that didn't see any SMTP requests. The firewall didn't block it, even though I explicity blocked port 25, and it was blocking my attempts to telnet into mail servers. Then I blocked all network activity, and it was still occuring.

Netstat -oa didn't show any open or listening SMTP ports.

Its a really tricky one. I've been pulling my hair out for weeks! (I know most of you are wondering why I haven't reinstalled Windows yet... my client just doesn't want me to do that right now... And I really wanted to find it!!!)

So, in closing! Thanks to RootAlyzer. Its the only clue I had.

Cateyed

Do you know Total Commander (http://ghisler.com/)? TC is "just" a standard (good) file manager, but it has quite a simple plugin structure. I created two plugins for TC, found here. These will allow you to browse the harddisk, and the registry, using the same native methods that RootAlyzer uses. You might be able to see the file and its registry entries there, in case you need additional tools :)

Ah yes, compatibility, should've mentioned that somewhere ;)

The whole file/registry stuff is NT/2000/XP/2k3/Vista only, since it compars NT native mode function results against Win32 subsystem results (no NT would mean nothing to compare against). Process stuff could work on 9x as well.

The screenshots show XP, admitted ;) Wouldn't see why it wouldn't work on Vista, though I didn't test it a lot there.

I have W98, what are the "Process stuff"? Are there any features that could be dangerous to execute under W98?

Thanks

I have W98, what are the "Process stuff"? Are there any features that could be dangerous to execute under W98?

Thanks

:sad: Just starting it and... Access Violation....
Any ideas to use it on W98?

I'll copy here the bug report

date/time : 2008-04-17, 22:44:53, 740ms
computer name : AST COMPUTER
user name : user2
registered owner : My Self
operating system : Windows 98 SE build 2222
system language : English
system up time : 1 hour 19 minutes
program up time : 10 seconds
physical memory : 348/510 MB (free/total)
system resources : 80/71 (gdi/user)
free disk space : (C:) 3.36 GB
display mode : 800x600, 24 bit
process id : $ffe50f69
allocated memory : 22.89 MB
executable : ROOTALYZER.EXE
exec. date/time : 2008-03-31 12:16
version : 0.1.3.26
compiled with : BCB 2006
madExcept version : 3.0e
callstack crc : $00000000, $17bcefc0, $17bcefc0
count : 2
exception number : 1
exception class : EAccessViolation
exception message : Access violation at address 00000000. Read of address FFFFFFFF.

main thread ($ffe50ee9):
00000000 +000 ???
304f3a41 +0ed ROOTALYZER.EXE snlFilesListWinNative 92 +8 TNTFileEnumerator.EnumNTPathFileNames
30532f97 +073 ROOTALYZER.EXE snlRootKitsNTFiles 49 +8 TRootKitIndicatorNTFiles.ExecuteTests
3053354f +023 ROOTALYZER.EXE snlRootKitsList 75 +3 TRootKitIndicatorList.Process
30536752 +03a ROOTALYZER.EXE FrameUnitRKScanSimple 135 +5 TframeRKScanSimpleBase.Process
3053e069 +019 ROOTALYZER.EXE FormUnitRKIndicators 235 +3 TformRKIndicators.FormPaint
304ad6d9 +015 ROOTALYZER.EXE Forms 4471 +1 TCustomForm.Paint
304ad768 +068 ROOTALYZER.EXE Forms 4486 +5 TCustomForm.PaintWindow
30499b71 +055 ROOTALYZER.EXE Controls 7306 +4 TWinControl.PaintHandler
3049a153 +03f ROOTALYZER.EXE Controls 7462 +6 TWinControl.WMPaint
304ad88d +02d ROOTALYZER.EXE Forms 4523 +4 TCustomForm.WMPaint
30495c8f +2bb ROOTALYZER.EXE Controls 5143 +83 TControl.WndProc
304999d5 +499 ROOTALYZER.EXE Controls 7246 +105 TWinControl.WndProc
304ab1f5 +4c1 ROOTALYZER.EXE Forms 3284 +125 TCustomForm.WndProc
30499160 +02c ROOTALYZER.EXE Controls 7021 +3 TWinControl.MainWndProc
3046bb88 +014 ROOTALYZER.EXE Classes 11572 +8 StdWndProc
304b2834 +0fc ROOTALYZER.EXE Forms 7670 +23 TApplication.ProcessMessage
304b286e +00a ROOTALYZER.EXE Forms 7689 +1 TApplication.HandleMessage
304b2a8e +096 ROOTALYZER.EXE Forms 7773 +16 TApplication.Run
30540c70 +064 ROOTALYZER.EXE RootAlyzer 29 +5 initialization

thread $ffe7eccd:
bff99b32 KERNEL32.DLL

Hmm, I thought I had written it somewhere, but I can't find it right now :D

Most rootkit methods are targeted at NT-based systems, since the dual layer structure allows for hiding things on the upper, regularly used one while being to access the hidden things through the lower one. These kinds of trouble you won't have on 9x. I've added a todo entry for myself to make sure that nt-specific tests won't be executed on 9x though, to make it run for those few left at least.

Hmm, I thought I had written it somewhere, but I can't find it right now :D

Most rootkit methods are targeted at NT-based systems, since the dual layer structure allows for hiding things on the upper, regularly used one while being to access the hidden things through the lower one. These kinds of trouble you won't have on 9x. I've added a todo entry for myself to make sure that nt-specific tests won't be executed on 9x though, to make it run for those few left at least.

Thanks a lot:bigthumb:
Now, How can I know when it is modifyed?

Thanks again

See this entry: 9x compatibility (http://forums.spybot.info/project.php?do=gotonote&issuenoteid=831)

Next version will have a "check for updates" option integrated, until then, you'll have to check the forum. Subscribe to this thread, for example (available in the Thread Tools menu above this thread).

Detect removed admin privileges (http://forums.spybot.info/project.php?do=gotonote&issuenoteid=828) is what I want to finish first before uploading the next version.

Found some false Positives:
:: RootAlyzer Results
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Inbox\401c8a97cf1e451.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Inbox\401c8b15d5c3d38.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
Those are some faxes from the Microsoft Fax program. They are not infected or dangerous.
PacificMorrowind.

Uh... "funny" name for a stream ("Xj1phwzh5qcwungrN45kt3kiCe") :laugh:
Added a feature request here (http://forums.spybot.info/project.php?issueid=240), just need to find out what exactly that first special character is. Thanks for the information :)

Just a suggestion: Could you please update the link on the 1st. note of this thread to point to the new version?
Thanks, Becky

The newest version has a sticky here, so I just linked there to avoid having to update it in two places ;)

221108 2355

Re; Rootkit screenshots - Item dated - Feb.12 2008

Apologies if my queries are either in the wrong Forum area or appear ignorant, but I am both new to this Forum &, as indicated below, my understanding of computers is basic

I would appreciate guidance, please


1.Could you please advise how I can access these screenshots referred to on 120208.
I tried to, but was unsuccessful

2.Since my technical knowledge of computers is limited,
may I please enquire whether the result of a rootkit scan would just produce a lot of alphanumerics which would be unintelligible to me

- or would I in the scan results receive some guidance as to whether the rootkits found are benign or malignant


3.a. Would the scan automatically quarantine the malignant rootkits?
or-
b. if I have to enter prior settings for the scan - what are the steps necessary to enter them & what typical settings might be appropriate, please, for general usage?

4. Finally, is the rootkit scanner currently offered a trial version or is it now fully tested so that it runs without creating problems

Thank you

1. What kind of "access" do you intend?
Screenshots are here for forum readers to see them... are you unable to see them?

2. The help page explains the various kinds of rootkit technologies, but these still require some knowledge. Real guidance on understanding and categorizing the results would be a dozen printed pages or more to explain ;)

3.a. RootAlyzer does not quarantine - or remove - anything. The danger that users who do not understand the results would remove the wrong things would be just too big.

Here, I should probably speak about the concept: RootAlyzer is a diagnosis help tool, not a removal tool. If you want to remove malware rootkits, Spybot-S&D uses the same techniques on known rootkits only. RootAlyzer on the other hand just shows everything that uses rootkit technologies (becausee the thing with rootkits is that you cant see them normally).

3.b. The only "settings" are to choose drives to scan. Scanning all can't harm ;)

4. It does not create any problems. Bu tif you're just looking for rootkit detection, the functions integrated into Spybot-S&D should do for you without the need to learn to interpret RootAlyzers results.