Security Basics mailing list archives

RE: computer with rootkit?


From: "Joe DeMarco" <demarcoj () comcast net>
Date: Wed, 28 Sep 2011 14:33:05 -0400

Do you have a process running that is all numbers separated by a colon? If so, I recommend SOPHOS Rootkit remover. In 
the end your best bet will be to rebuild.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Littlefield, Tyler
Sent: Wednesday, September 28, 2011 1:31 PM
To: security-basics () securityfocus com
Subject: Re: computer with rootkit?

Hello:

On 9/28/2011 10:57 AM, Francois Yang wrote:
> I have a computer with WinXP.
> I believe it has a rootkit on it and I'm trying to figure out if
> there's a way to find out what it is instead of just wiping the box
> clean.
> I want to find out what it is and maybe it will give me an idea of how
> the computer got infected in the first place so I can prevent others
> from getting infected with the same malware.

> The rootkit or malware deletes any AV you throw at it.
> I tried Symantec, Kaspersky and even Malwarebytes. Once installed they
> automatically get deleted.
> When I try to launch tools from the Sysinternals suite they close
> right after they open or won't open at all.
> I tried to launch Process Explorer, Process Monitor and Autoruns, and none
> of them worked at first.

Have you tried changing the name of the executable? Call it something like 
myexe.exe and see if that executes. Also, you could boot up with a Linux 
live CD and run ClamAV.

> I ran msconfig and disabled all startup items and disabled all
> services from launching.
> When I rebooted, I got the same issue with launching any of the tools.
> However, when I used the Desktops utility from Sysinternals and
> launched the tools from another window, some of them worked.
> Process Explorer and Process Monitor worked, but since most of the
> services and startup items were disabled, they didn't see much.
> Autoruns would not load at all.

> I also ran Gmer and it would run for a while until it hit something,
> then it would die.
> Gmer did find a suspicious process that pointed to the c:\windows\ directory.
> The process is 784049767:255598753.exe
> If I move the file from the c:\windows directory to the desktop and
> kill the process, it restarts pointing to the file on the desktop.
> If I delete the file, it creates a new one with the same name in the
> c:\windows directory.
> The process is also tied to the libraries ntdll.dll and kernel32.dll.

Looks more like a virus that just changes its name. Have you looked in 
your startup folder rather than just msconfig? This looks simply like a 
dual-threaded application, maybe three threads, with the main thread 
doing whatever this particularly lovely piece of work does, and the 
other two monitoring for the process's termination and 
restarting/copying the file from another location.

> This is probably out of my league, but I'm still interested to figure
> out what it is and what it's trying to do.
> 
> Anyone have any suggestions on what else I can do?

Like I mentioned, try a live CD with ClamAV or something similar. A live 
CD would also just let you mount the hard drive and remove the 
executables; you'd just have to figure out where it's initially starting 
up from. Check services, msconfig and the startup folder under the Start 
menu.

> Thanks.
> 
> Frank

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



-- 

Take care,
Ty
Web: http://tds-solutions.net
The Aspen project: a light-weight barebones mud engine
http://code.google.com/p/aspenmud

Sent from my toaster.
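The offline triage Tyler suggests (mount the disk from a Linux live CD and hunt for the executable) and the tell-tale process name Joe asks about can be scripted. The script below is an added example written for this archive page, not code from either poster. It assumes the XP volume has already been mounted read-only at the directory passed as its first argument (for instance `mount -o ro /dev/sda1 /mnt/xp`), and it looks for two things Frank reported: a basename of the form digits:digits.exe, and any other file on the volume with identical content, which is how the respawned copy on the desktop turns up. Note that on NTFS the name:stream syntax is how alternate data streams are addressed, so a name like 784049767:255598753.exe is worth checking for ADS as well as for a plain file.

```shell
#!/bin/sh
# Offline triage of a Windows volume mounted from a Linux live CD.
# Added example for this thread, not original code from the posters.
# Assumption: the infected volume is mounted read-only at "$1".

find_numeric_colon_exes() {
    # $1: mount root. Prints every regular file whose basename matches
    # <digits>:<digits>.exe, the pattern described in the thread.
    find "$1" -type f 2>/dev/null | grep -E '/[0-9]+:[0-9]+\.exe$'
}

hash_file() {
    # Content hash used to find respawned copies under other paths/names.
    sha256sum "$1" | cut -d' ' -f1
}

find_copies() {
    # $1: mount root, $2: reference file.
    # Prints every file on the volume (including $2) with the same content.
    # Size is compared first so only same-sized candidates get hashed.
    ref_hash=$(hash_file "$2")
    ref_size=$(stat -c %s "$2")
    find "$1" -type f -size "${ref_size}c" 2>/dev/null | while read -r f; do
        [ "$(hash_file "$f")" = "$ref_hash" ] && printf '%s\n' "$f"
    done
}

triage() {
    # $1: mount root. One "suspect:" line per pattern hit, followed by
    # "  copy:" lines for byte-identical files found elsewhere on the volume.
    root=$1
    find_numeric_colon_exes "$root" | while read -r hit; do
        printf 'suspect: %s\n' "$hit"
        find_copies "$root" "$hit" | grep -vxF "$hit" | sed 's/^/  copy:   /'
    done
}

# Usage from a live CD shell, after mounting the disk read-only:
#   triage /mnt/xp
```

Run it against the mount point and remove every path it lists (remount read-write only for that step), then check the startup locations Tyler names before rebooting. Because the volume is mounted from Linux, the malware's watchdog thread is not running, so the copy cannot respawn while you delete it. If the hit turns out to be a stream rather than a file, ntfs-3g exposes stream names through the ntfs.streams.list extended attribute (`getfattr -n ntfs.streams.list <file>`); see the ntfs-3g manual for the streams_interface mount option.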
