View Full Version : Rootkit Revealer


Silver
February 25th, 2005, 19:25
Not exactly a tool of our trade, but Sysinternals work is interesting nonetheless.

http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

RootkitRevealer is an advanced root kit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender.

l0rtsu
March 15th, 2005, 14:41
http://www.f-secure.com/blacklight/

F-secure released something similar a while ago.

Extremist
March 15th, 2005, 18:13
RootkitRevealer works by diffing high-level (API) and low-level (direct data-structure interpretation) file/registry views. To hide from it, a rootkit just needs NOT to hide from it.
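An added worked example (not code from this thread or from Sysinternals) of the cross-view diff Extremist describes: the same namespace is enumerated once through the high-level API and once from the raw data structures, and every disagreement is reported. The two views, the paths and the sizes below are constructed sample data; a real scanner would fill them from the Win32 enumeration calls and from its own NTFS and hive parser. As the post points out, a rootkit that does not filter the scanner's own queries produces no discrepancy, so the diff only ever catches active hiding.

```python
"""Cross-view diff: high-level (API) enumeration versus low-level (raw
data-structure) enumeration of the same file system and registry namespace.
Added example with constructed views; not Sysinternals code."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    kind: str   # "file" or "regkey"
    path: str
    size: int   # file size in bytes, or number of values for a registry key


def normalize(path: str) -> str:
    """Canonical key so cosmetic differences between the two views
    (separator style, trailing separator, letter case) are not reported."""
    return path.replace("/", "\\").rstrip("\\").casefold()


def cross_view_diff(api_view, raw_view):
    """Return sorted (finding, kind, path) tuples, one per discrepancy."""
    api = {(e.kind, normalize(e.path)): e for e in api_view}
    raw = {(e.kind, normalize(e.path)): e for e in raw_view}
    findings = []
    # Present on disk / in the hive but filtered out of the API answer:
    # the classic signature of a rootkit hooking the enumeration path.
    for key in raw.keys() - api.keys():
        findings.append(("hidden_from_api", key[0], raw[key].path))
    # Returned by the API but absent from the raw structures: usually an
    # object created and deleted between the two passes, so worth a re-scan
    # before treating it as suspicious.
    for key in api.keys() - raw.keys():
        findings.append(("visible_only_to_api", key[0], api[key].path))
    # Both views agree the object exists but disagree on its metadata.
    for key in api.keys() & raw.keys():
        if api[key].size != raw[key].size:
            findings.append(("metadata_mismatch", key[0], api[key].path))
    return sorted(findings)


# Constructed sample views; every path and size here is invented.
API_VIEW = [
    Entry("file", "C:\\Windows\\System32\\ntdll.dll", 708608),
    Entry("file", "C:/Windows/System32/kernel32.dll", 983040),
    Entry("file", "C:\\Windows\\System32\\example_patched.dll", 2048),
    Entry("file", "C:\\Windows\\Temp\\scan-tmp-0001.log", 12),
    Entry("regkey", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip", 3),
]
RAW_VIEW = [
    Entry("file", "c:\\windows\\system32\\ntdll.dll", 708608),
    Entry("file", "C:\\Windows\\System32\\kernel32.dll", 983040),
    Entry("file", "C:\\Windows\\System32\\example_patched.dll", 6144),
    Entry("file", "C:\\Windows\\System32\\drivers\\example_hidden.sys", 4096),
    Entry("regkey", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip", 3),
    Entry("regkey", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleHidden", 5),
]


if __name__ == "__main__":
    for finding, kind, path in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"{finding:22} {kind:7} {path}")
```

Running the block lists two objects hidden from the API (a driver file and a service key), one size mismatch, and one log file seen only by the API, which is the kind of transient difference a scanner should re-check rather than flag outright.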

blabberer
March 18th, 2005, 01:10
Or assign use root process; go to rootkit.com or the hxdef home and read through their forums. In fact some have already hidden it, and in the counter war the white hats have tried to randomize the name and the black hats have started checking the hash of the process.
http://blogs.msdn.com/robert_hensing/archive/2005/03/10/392092.aspx

Kayaker
March 18th, 2005, 15:44
Quote: [Originally Posted by blabberer] http://blogs.msdn.com/robert_hensing/archive/2005/03/10/392092.aspx

There are some nice references in there, thx.

blabberer
March 19th, 2005, 09:38
Dear Kayaker,
my pleasure.
Yes, pretty interesting techniques from the horse's mouth, like running a .gif on cmd.exe to execute an exe etc., and unpublished forensic tools. Good blog, so I linked it.

Opcode
March 23rd, 2005, 18:55
Quote: [Originally Posted by blabberer] http://blogs.msdn.com/robert_hensing/archive/2005/03/10/392092.aspx

Russinovich has updated the Rootkit Revealer to block this attack.
There is no longer a command line version of this tool.

This war will be very funny.

Regards,
Opcode