Hi Waldo,

I think we need AVAST to detect these rootkit files, because they are seeking a wider theater: they are to be used in the latest internet threat, and that is SPYWARE (CWS variants). AVAST probably finds them in the cloaking routine, but if the stealth driver install is implemented, they can manipulate through API hooking. Use of classics like TCPView, FPort, Inzider and Vision helps, but Inzider, for instance, is considered by AVAST as a virus tool (some CGI scanners also, for that matter, CGI-4 for instance). You can still check your registry for rootkit configuration files (look in /dev) by renaming regedit.exe to _root_regedit.exe (the rootkit cannot truly evade that, because root, ye know), and you can rename Task Manager in that same manner (root etc.). Furthermore, you can spot them from an uncompromised machine in the net (the hacker must see it). A trick is to use winmsd.exe from the toolbox, bash, netstat, last, w, ifconfig, stat, find, grep, md5sum, mount, lsmod, rmmod from a prepared CD. It is difficult to hide everything from them all.
Sysinternals RootkitRevealer is a start, but how to bind it with an AV scanner (it would be 100 times better) because of the file packagers and the crypters, whereas the scanner cannot see what to delete. Slanret and krei-like things will be the pain in the neck of many a security official, and now it is revealed that hackers silently used these techniques for years. It is now quickly becoming a threat as it lands in the hands of the malware guys, who are not that bright and use the same tricks over and over again (e.g. the Java ByteVerify exploit).

Greetings,

polonus
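The "md5sum from a prepared CD" idea in the post above, worked through as an added example (this is not polonus's code and not part of any AVAST or Sysinternals tool): record a hash manifest of system binaries while the host is still trusted, keep the manifest and the hashing tool on read-only media, and later check the live files against it with that trusted copy. The directory names and file contents in the demo are constructed here for illustration; sha256sum is assumed to be present and md5sum is used as a fallback. An integrity check like this catches replaced on-disk binaries (classic userland rootkits), but not a kernel driver that hooks the read path itself, which is the limitation the post is pointing at.

```shell
#!/bin/sh
# Added example, not from the original post: baseline-and-verify integrity check
# in the spirit of running md5sum from a prepared CD. Run the hasher from trusted
# media; a tampered host's own sha256sum/md5sum cannot be trusted.

# Prefer sha256sum; fall back to md5sum (assumption: one of them is installed).
HASHER=$(command -v sha256sum || command -v md5sum)

# build_manifest DIR OUT: write "hash  path" for every regular file under DIR.
# Do this while the host is known-good, then store OUT on read-only media.
build_manifest() {
    find "$1" -type f | sort | while IFS= read -r f; do
        "$HASHER" "$f"
    done > "$2"
}

# verify_manifest MANIFEST: print each CHANGED or MISSING path.
# Returns 0 when every file matches the baseline, 1 otherwise.
verify_manifest() {
    status=0
    while IFS= read -r line; do
        expected=${line%% *}        # hash is the text before the first space
        path=${line#*  }            # path follows the two-space separator
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$("$HASHER" "$path")
        actual=${actual%% *}
        if [ "$expected" != "$actual" ]; then
            echo "CHANGED  $path"
            status=1
        fi
    done < "$1"
    return $status
}

# demo: constructed scratch tree standing in for /bin; shows a clean pass,
# then a replaced binary and a deleted one being reported.
demo() {
    T=$(mktemp -d)
    mkdir -p "$T/bin"
    printf 'original ls\n' > "$T/bin/ls"
    printf 'original ps\n' > "$T/bin/ps"
    build_manifest "$T/bin" "$T/manifest"
    echo "== clean host =="
    verify_manifest "$T/manifest" && echo "all files match baseline"
    printf 'trojaned ls\n' > "$T/bin/ls"   # simulated replaced binary
    rm -f "$T/bin/ps"                      # simulated removed binary
    echo "== tampered host =="
    verify_manifest "$T/manifest" || echo "baseline mismatch detected"
    rm -rf "$T"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run as `sh integrity.sh demo` to see both passes; in real use, call `build_manifest /bin baseline.txt` on the trusted host, burn baseline.txt and the hasher to the CD, and run `verify_manifest /media/cdrom/baseline.txt` from the CD when the box is suspect.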