Alex, I think you need to do a cost/benefit analysis here including cost of your time. If you are seriously suspecting a rootkit infection then you need to wipe that machine and start clean. How much time would it take to back up your documents and user files, format the computer, reinstall from known good media, and restore your stuff? A day?

Besides this being the correct and recommended approach to dealing with serious malware it may even be a faster and cheaper approach to follow. And then you know it's clean and not just think it is.


>I am investigating if my computer has a rootkit infection. http://research.microsoft.com/rootkit/ gives ways to dectect them using a "WinPE GhostBuster". It says the following:
>
>Simple steps you can take to detect some of today's ghostware:
>Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
>Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
>Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside). See Hacker Defender ghostware files revealed (highlighted) for an example.
>Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc
>
>http://support.microsoft.com/?kbid=303891 gives instrucions on "How to create a custom startup WinPE CD-ROM in Windows XP" for select corporate and OEMcustomers. For that you need an "OEM Preinstallation Kit (OPK) CD-ROM".
>
>Does anybody know of a way to purchase such a CD? It may be a worthwhile investment.
>
>TIA,
>
>Alex