Re: looking for answers about detecting and deleting rootkits on windows XP OS, and getting really annoyed!!!!!
From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 04/20/05
- Next message: Bill Leed: "Re: Which Norton to use"
- Previous message: Lanwench [MVP - Exchange]: "Re: Antivirus for exchange 2003 server"
- In reply to: roofy: "Re: looking for answers about detecting and deleting rootkits on windows XP OS, and getting really annoyed!!!!!"
- Next in thread: roofy: "Re: looking for answers about detecting and deleting rootkits on windows XP OS, and getting really annoyed!!!!!"
- Reply: roofy: "Re: looking for answers about detecting and deleting rootkits on windows XP OS, and getting really annoyed!!!!!"
Date: Wed, 20 Apr 2005 10:16:48 -0400
roofy wrote:
> Robert,
(is not Robert, nor are most people in here, but I do agree with Robert)
> So you don't think .tmp files that say they're between 10K to 90K in
> size but not have nothing in them when you open them up in notepad is
> some sort of trojan horse?
No, not necessarily. They could just be temp files that weren't deleted. Why
would you think they were?
> I was told that rootkits are trojan horse
> viruses that most scanners can't find.
Rootkit != trojan horse.
> And you don't think suspicious
> registry keys are not trojan horses? Or exe files that have
> extension .EX_ on them are not Trojan Horses?
No, that's an executable file that hasn't been expanded.
> And you don't think all
> of the sudden Program files that you open that you think you're using
> as graphic design software that at times while using it you can hear
> your computer processor working really hard and when look in the
> processing tab it says that program is using 100% of your cpu is not
> trojan horse that infected your common programs that you use on a
> daily basis but they didn't do this before?
Wow! You are today's recipient of the Usenet Faulkner award for that
sentence. ;-) Also, I doubt you can hear your processor. Your hard drive,
sure. If you can hear your processor, drop the mouse and run very very fast
away from your computer.
> And you don't think that a
> memory drop of about 50mb is not some trojan horse running in the
> background that you can't see in task manager?
Not necessarily.
> Isn't this what
> rootkits do? They hide themselves by running in the background and
> infect other program files that you think are ok but they're not
> because they have gotten infected?
That isn't what a rootkit is, per se. Not that it couldn't do that, I guess.
> All of these things that I just
> questioned you are all mentioned in my original post.
>
> The only thing I didn't mention in my original post which I do
> appoligize for but it was really late when I had posted my question
> last night and I was relly pist. Though the couple of things I didn't
> mention where that back in August of 2003, I was infected by the
> spybot worm which I kept on getting a remote RPC call error that said
> that the system will need to shut-down in 60 secs. This had happened
> just when I did not have a firewall, and the virus was in the
> registry which infected IEXPLORE.EXE. Though I thought I have cleaned
> that out, and that was a long time ago. The other 2 things that I
> didn't mention were I noticed that my memory has dropped even more
> this morning to a whopping 159MB of available ram, and lately I have
> been getting a firewall warning that asks if I want to continue to
> block LXSUPMON.EXE which is my Lexmark printer. So I have been
> clicking on remind me later because I didn't know what to do because
> obviously if I clicked on continue to block then my printer wouldn't
> work, but I clicked on the don't block then what if this is a virus.
> So I wasn't sure what to do other than keep clicking on remind me
> later.
I really really really am having a hard time reading your post - but at the
end of the day, if you're that concerned that your PC has a
trojan/virus/rootkit or some other nasty lurking beast, and you can't find
it, then it might be best to back up your data and reinstall. It might be a
lot faster. Just my $.02. :)