Rootkits in Vista RC-1 and RC-2 ?

I have Win XP on my first physical drive and a second physical drive for
trying out Vista
Before the Vista install my system was clean of virus's and root kits
After the install I ran root kit revealer again and have 27 discrepancies
over both drives
I have had some strange behavior in XP, I burned a linux DVD for my other
box and when I shut down Nero I got the small hourglass flickering next to my
mouse pointet
I did the three finger salute and looked at the process tab in task
manager, I spotted rundll.32 appearing and disappearing all over the place
I reopened Nero and closed it to calm things down
I am concerned about these findings, I tried sophos antirootkit and it
found two files on my Vista drive
Does Vista use a new boot scheme ? I noticed some new files in the root
directory of my XP drive and the boot.ini has been tweaked
Boot times for XP have increased a bit
And then the strange behavior
Looks like I get to format half a terabyte a drive space and start over

Hi,

The roottkit tool may not know what to do with various Vista functions, so
before making assumptions check with the distributor.

Vista uses winload.exe to start the OS before passing control to
ntoskrnl.exe, and it (winload.exe) relies on reading a BCD file under
C:\boot. This initial startup sequence is very different than that used by
previous NT systems, so may be part of what is confusing the rootkit tool.

Nero has had problems reported on every build of Vista so far, I wouldn't
rely on anything regarding it thus far. Hopefully, the folks at Ahead will
get it worked out shortly as Vista goes RTM.

> Looks like I get to format half a terabyte a drive space and start over

You should not get involved in beta products if you are not willing and able
to do this. It's par for the course.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/
Windows help - www.rickrogers.org

"breakin hardware" <breakinhardware@discussions.microsoft.com> wrote in
message news:35C43A83-FD2B-4026-B31D-F997B3DB7D01@microsoft.com...
>I have Win XP on my first physical drive and a second physical drive for
> trying out Vista
> Before the Vista install my system was clean of virus's and root kits
> After the install I ran root kit revealer again and have 27 discrepancies
> over both drives
> I have had some strange behavior in XP, I burned a linux DVD for my other
> box and when I shut down Nero I got the small hourglass flickering next to
> my
> mouse pointet
> I did the three finger salute and looked at the process tab in task
> manager, I spotted rundll.32 appearing and disappearing all over the place
> I reopened Nero and closed it to calm things down
> I am concerned about these findings, I tried sophos antirootkit and it
> found two files on my Vista drive
> Does Vista use a new boot scheme ? I noticed some new files in the root
> directory of my XP drive and the boot.ini has been tweaked
> Boot times for XP have increased a bit
> And then the strange behavior
> Looks like I get to format half a terabyte a drive space and start over

I agree with Rick Rogers. I wouldn't trust the output from a rootkit scanner
on a computer that has Vista installed. The boot process is very different
and Vista has changed the ACLs on many folders and files which may cause the
rootkit scanner to give false positives. Interpeting the result from a
rootkit scanner takes an expert. I have been cleaning viruses, malware, and
rootkits for years and I often have to do a considerable amount of research
when interpeting the results of any given scan. If you want to use a rootkit
scanner with Vista the only way to proceed would be to set up the computer
without Vista, scan it and note the results. Install Vista, run the scan,
and note the differences. For future scans look for any more changes and
then research these changes.

--
Kerry
MS-MVP Windows - Shell/User
http://www.vistahelp.ca


breakin hardware wrote:
> I have Win XP on my first physical drive and a second physical drive
> for trying out Vista
> Before the Vista install my system was clean of virus's and root kits
> After the install I ran root kit revealer again and have 27
> discrepancies over both drives
> I have had some strange behavior in XP, I burned a linux DVD for my
> other box and when I shut down Nero I got the small hourglass
> flickering next to my mouse pointet
> I did the three finger salute and looked at the process tab in task
> manager, I spotted rundll.32 appearing and disappearing all over the
> place
> I reopened Nero and closed it to calm things down
> I am concerned about these findings, I tried sophos antirootkit and it
> found two files on my Vista drive
> Does Vista use a new boot scheme ? I noticed some new files in the
> root directory of my XP drive and the boot.ini has been tweaked
> Boot times for XP have increased a bit
> And then the strange behavior
> Looks like I get to format half a terabyte a drive space and start
> over