Windows 98 has a nice feature that allows you to create a DOS boot floppy. Booting to a DOS boot floppy, enables you to obtain a directory listing from an external uncompromised OS. You can then compare that listing, to a directory listing that was produced from your computer, when booting normally. This comparison will reveal hidden files, though some FPs are normally encountered.

For more info - look here (under the Tools section at the bottom):
http://research.microsoft.com/rootkit/

Windows 98 rootkits are rare since malware writers like to spend there time coding for OS that will get them the most bang for their buck. Because the Windows 98 design is very different from Windows NT based operating systems, rootkits that run on Windows NT cannot be successfully ported to Windows 98. That ensures some type of protection.

_________________
Negster22 - MS MVP - Consumer Security 2006-2008

Here is a guide that I made for windows 98/ME rootkits.
http://abuibrahim.castlecops.com/archives/2007/03/detecting_rootkits_in_windows.html#more

May not be the best out there.

Thanks Abu. If lkkb really wants to pursue this, or has any questions regarding the details - we can create a new topic about troubleshooting rootkits on Windows 98. That way everyone can see it.

_________________
Negster22 - MS MVP - Consumer Security 2006-2008

"AbuIbrahim,"

What you provided with that link is more of what I have been looking for, as I feel my system may have become compromised. The amount of time required to boot up has recently been extended and when opening some programs they take a little longer as well. Even when shutting down it is needing a little bit longer than before. This is judged by having this system running since 1998 and have had only one crash that required a reformat and reload, in Oct,2005. As you can also tell from my sig there are some unorthodox installs on my system.

Will leave for now to attempt to use some of the info you both have provided. Will report back later.

P.S. "Negster22" > I have a copy of SysInternal's RootKitRevealer and it will not run on Win98. If you have a link to one that will work would be appreciated.

"Negster22,"

I just finished downloading that file, actually the 'MainServer' version and 'SecondaryServer' version. What is the diffs on them?

Plus the CS-RCS to test it out as well, it is also FREE. That was provided in the link from AbuIbrahim's little set of instructions.

Now I am out of here to do some TESTING as I am not very good, yet, with this system and on a dialup it is a ssslllloooowwww process.

Thank you for the FP explained,

CU L8R,

The secondary server is a mirror site for download.

I looking at Abu's instructions which are very good. To be completely safe, I would suggest running the file difference comparison from the floppy, so nothing is run on the potentially compromised OS (Windows 98 in your case). That means you would need to put WinDiff or the file difference tool you are using on the floppy disk.

_________________
Negster22 - MS MVP - Consumer Security 2006-2008

"Negster22,"

Could that WinDiff be run from a different partition or H/D? See I have three H/Ds on my system and several partitions. Would that work AOK just so long as the C: partition is not used? Maybe from B: drive just so I do not have to remove the BootDisc.

If I listed all that I have learnt about this system it would take a 2 meg PDF and there is not enough time left in my life time to write a book. Suffice to say there is not an operation that I am afraid to accomplish, even editing the Registry file.

OK, another question?

Where may we find this 'Strider GhostBuster'? Especially for Win98.

TIA,

"Negster22,"

Thank you for this info, will need to set thingys up a little different than what I have now. Plus, there is a sharp curve of learning needed as well. Will be back later with any results. So far nothing has been shown, still learning how to use these programs.

Have some Honey-Dos to complete as well.

By-cycle,

Well it is a little later, but; more confused than ever. How do you run the HTMLDIFF from a floppy? The only way I have found is within Windows, if in DOS the message is "This program runs only in Windows" or words to that effect.

My learning curve will take me some time, maybe several days to come up to speed. My files of the listing of just the C: and all sub folders are in the range of 475Kb to 650Kb. Which files should be on the floppy for running the HTMLDIFF, if I put them all on there is no room for my two files for analyzing.

Maybe my main problem is there is NO problem on my system as far as RtKts are concerned.

I await your reply, if there is one that can HELP,

Excuse me for the double posting. I have been to Germany and back and this was up in another bowser window. When I clicked on this location to read any messages there was a box popped up about PostData and clicked the OK button and it evidently reposted my last message. If you would remove one of them would be GREAT. I do studder some times but this is a littel rediculos.

I do apologize for this error though,