How to detect Rootkits without ARK?

I have successfully used Knoppix to scan my system with Antivir, though I am not comfortable using Linux.
I must admit that scanning while the system was active did not yield any results, using 6 different AV scanners, on demand of course.

Using Knoppix to scan with AV showed me the importance of scanning with the system inactive.
I uncovered a trojan, that was part of a downloaded file, that had also copied itself to system restore. Both files were taken care of with Knoppix and updated AV.
I chose Antivir because it will rename the suspect files. Clamscan only offers to remove.
Now if I could only find a version of Dr. Web Cure it for Linux, I would be happy.

I will persue the other boot cd methods, though they are a little more complex, because you have to build a package. But it offers so much more in terms of flexability. Knoppix doesnt run on every Windows installation; cd burn rate issues, bios issues, functionality issues, to name a few. But it runs on most, and more importantly, it ran on my system.

I am thankfull to everyone for their input. This has been the most valuable experience so far, since joining Sysinternals.
For every one who contributed =

Sincerely,
CooKooBird

Edit: for a link to Antivir method if anyone is interested to explore on their own. http://www.castlecops.com/postx185079-0-0.html

Edited by CooKooBird - 29 May 2008 at 9:08pm

Will infections affect the Boot CD, somehow become part of it if created (downloaded .iso or Barts create .iso) on the infected system? Should the Boot CD be created (Bartpe) on a known clean system? Does it matter?

It highly matters, there are some ugly theories outthere that several stealth malware makes use of burned cds.

Unless I have got absolutely no way of doing so, I will always create a bootable rescue CD on a clean machine, never on the infected machine.

Great idea, but in some cases it may be even difficult on new computers to find out if system is clean or not.

So in the absence of a good ARK, the best method/tool is Boot CD(Knoppix, Bartpe). O.K.
If I am infected, whateveritis/malware.woo.dam; Will infections affect the Boot CD, somehow become part of it if created (downloaded .iso or Barts create .iso) on the infected system?
Should the Boot CD be created (Bartpe) on a known clean system? Does it matter?

I learned about netstat and some of its flags/switches.
What ever it is began altering the output of netstat. First time I used it, showed RKU calling home to empty ru webpage. I started playing with it, opened many browsers to see how the results change. It no longer showed any webpages open in netstat or RKU calling home, their IP addresses. So I used other tools like tcp view, showed RKU calling home but netstat did not.
Another issue is that every time I try to configure my router, other than the one I am using, I lose the wired connecting on 4th or 5th apply. The router cycles and when done no wired connection.
So, I understand Karl's point that Kernel mode rootkits alter userland info. But I also know that programmers don't think of everything, so it puts diagnostics in my favor.
Something is reporting out on udp port 53 every program used/accessed, Including ipconfig.
Thank you PROROOTECT and Karlchen. Both of your inputs are useful.

Edited by CooKooBird - 21 May 2008 at 10:05am

mchInjDrv is MadCodeHook's Injection driver used by Online Armour that I see you have installed.