Security Basics mailing list archives
Re: computer with rootkit?
From: "Jamie Ivanov" <jamie.ivanov () gmail com>
Date: Wed, 28 Sep 2011 17:39:11 +0000
Jamie Ivanov / KC9LFD
m.608.399.4252
Blackberry: 32DD619E
http://www.linkedin.com/in/jamieivanov

-- -- -- -- -- -- -- -- -- -- -- --
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.

Sent from my BlackBerry

-----Original Message-----
From: "Jamie Ivanov" <jamie.ivanov () gmail com>
Date: Wed, 28 Sep 2011 17:17:42
To: Francois Yang <francois.y () gmail com>
Reply-To: jamie.ivanov () gmail com
Subject: Re: computer with rootkit?

Wipe the MBR (do not boot Windows until you finish the other repairs) and do your repairs from an offline environment such as a new machine or the Hiren's boot CD. You can load software from a USB disk if you need to from the Windows XP environment on Hiren's, and it also has an offline registry editor so you can review loaded files at different runlevels and user startups.

Jamie Ivanov / KC9LFD

-----Original Message-----
From: Francois Yang <francois.y () gmail com>
Sender: listbounce () securityfocus com
Date: Wed, 28 Sep 2011 11:57:40
To: security basics <security-basics () securityfocus com>
Subject: computer with rootkit?

I have a computer with WinXP. I believe it has a rootkit on it and I'm trying to figure out if there's a way to find out what it is instead of just wiping the box clean. I want to find out what it is, and maybe it will give me an idea of how the computer got infected in the first place so I can prevent others from getting infected with the same malware.

The rootkit or malware deletes any AV you throw at it. I tried Symantec, Kaspersky and even Malwarebytes. Once installed, they automatically get deleted. When I try to launch tools from the Sysinternals suite they close right after they open or won't open at all. I tried to launch Process Explorer, Process Monitor, Autoruns and none of them worked at first. I ran msconfig and disabled all startup items and disabled all services from launching. When I rebooted, I got the same issue with launching any of the tools. However, when I used the Desktops utility from Sysinternals and launched the tools from another window, some of them worked. Process Explorer and Process Monitor worked, but since most of the services and startup items were disabled, they didn't see much. Autoruns would not load at all.

I also ran GMER and it would run for a while until it hit something, then it would die. GMER did find a suspicious process that pointed to the c:\windows\ directory. The process is 784049767:255598753.exe. If I move the file from the c:\windows directory to the desktop and kill the process, it restarts pointing to the file on the desktop. If I delete the file, it creates a new one with the same name in the c:\windows directory. The process is also tied to the libraries ntdll.dll and kernel32.dll.

This is probably out of my league, but I'm still interested to figure out what it is and what it's trying to do. Anyone have any suggestions on what else I can do?

Thanks.
Frank
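The offline review Jamie describes, written up as an added PowerShell example that is not from the thread: it assumes a WinPE-style rescue environment with PowerShell 3.0 or later (not Hiren's Mini XP), that the infected volume is mounted as V:, and that its registry hives are in the default location.

```powershell
# Added example: offline triage of an infected Windows volume from a rescue environment.
# Assumptions (not from the thread): victim disk mounted as V:, hives under
# V:\Windows\System32\config, PowerShell 3.0+ running with administrative rights.
param([string]$Volume = 'V:')

$hives = @{ 'SOFTWARE' = "$Volume\Windows\System32\config\SOFTWARE"
            'SYSTEM'   = "$Volume\Windows\System32\config\SYSTEM" }

# 1. Mount the victim's hives under temporary keys so they can be read without booting it.
foreach ($h in $hives.Keys) {
    & reg.exe load "HKLM\Victim_$h" $hives[$h] | Out-Null
}

try {
    # 2. Per-machine autostart entries (Run / RunOnce), the user-startup review
    #    that would otherwise be done by hand in the offline registry editor.
    foreach ($name in 'Run', 'RunOnce') {
        $k = "HKLM:\Victim_SOFTWARE\Microsoft\Windows\CurrentVersion\$name"
        if (Test-Path $k) {
            Get-ItemProperty -Path $k | Select-Object -Property * -ExcludeProperty PS* | Format-List
        }
    }

    # 3. Services and drivers from the control set the machine actually boots,
    #    with start type and image path (the "different runlevels" view).
    $sel = (Get-ItemProperty 'HKLM:\Victim_SYSTEM\Select').Current
    $svc = "HKLM:\Victim_SYSTEM\ControlSet{0:D3}\Services" -f $sel
    Get-ChildItem $svc | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.ImagePath) {
            [pscustomobject]@{ Service = $_.PSChildName; Start = $p.Start; ImagePath = $p.ImagePath }
        }
    } | Sort-Object Start | Format-Table -AutoSize

    # 4. The reported name contains a colon, which NTFS only allows as the separator of an
    #    alternate data stream, so list every non-default stream under the Windows directory.
    Get-ChildItem "$Volume\Windows" -Force -ErrorAction SilentlyContinue |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}
finally {
    # 5. Always unload the hives so the victim volume is not left with locked files.
    foreach ($h in $hives.Keys) { & reg.exe unload "HKLM\Victim_$h" | Out-Null }
}
```

Run it before any cleanup so the output can be kept as a record of what was persisted where; the MBR wipe Jamie recommends does not touch these registry or stream entries.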