Re: Help, possible rootkit

["MN Vasquez" <mnv () alumni princeton edu>]

Any odd traffic coming to or from this machine?  What's a sniffer telling 
you.

I might've missed it, but is this a home user machine or in a business 
place?

Do you have issues running in safe mode?  If you don't, then it would sound 
like the rootkit's not running, which means you can probably look at some of 
the normal places for a file/processes loading/starting.

I don't know about the rest of the list, but I haven't seen or heard of too 
many process hiding xp rootkits that are undetectable by some of the basic 
methods mentioned.  See www.rootkit.com.  At least, not floating around on a 
single PC that sounds like an unlikely "high value" target.  It seems much 
more likely that XP or an application is just crapping out on you, and if 
you can't figure it out,  reinstall.  If nothing is revealed after trying 
some of the methods already suggested here and by others, I think the 
likelihood -- given the info you've told us so far -- makes it's unlikely 
that it's a rootkit.

My 2 cents.


> ----- Original Message ----- 
> From: "BillyBob" <billybobknob () hotmail com>
> To: "Alan Melia (Melmac)" <alanme () melmac co uk>; "'Full Disclosure'" 
> <full-disclosure () lists netsys com>
> Sent: Saturday, October 23, 2004 1:30 PM
> Subject: Re: [Full-disclosure] Help, possible rootkit
>
>
> > I have ran Process Explorer, Code Stuff Starter but nothing shows up in 
> > the
> > list as using this 25-30% of my CYP.  I also updated and ran PestPatrol,
> > NortonAV, etc but nothing  is detected which is why I think I have a 
> > rootkit
> > that has patched the kernel and therefore not allowing any of these 
> > programs
> > to detect it.
> >
> > Anything else ?
> >
> >
> > ----- Original Message -----
> > From: "Alan Melia (Melmac)" <alanme () melmac co uk>
> > To: "'BillyBob'" <billybobknob () hotmail com>; "'Full Disclosure'"
> > <full-disclosure () lists netsys com>
> > Sent: Saturday, October 23, 2004 4:47 PM
> > Subject: RE: [Full-disclosure] Help, possible rootkit
> >
> >
> > > First check to see what processes are running.  TaskList is built in but 
> > > I
> > > would recommend.
> > > http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
> > >
> > > Get to know your machine and what processes are running normally.  With
> > > 25-30% CPU it should stick out like a sore thumb.
> > >
> > > Oh yeah don't run as admin (see )http://blogs.msdn.com/aaron_margosis.
> > >
> > > Alan
> > >
> > >
> > > -----Original Message-----
> > > From: full-disclosure-admin () lists netsys com
> > > [mailto:full-disclosure-admin () lists netsys com] On Behalf Of BillyBob
> > > Sent: 23 October 2004 17:05
> > > To: Full Disclosure
> > > Subject: [Full-disclosure] Help, possible rootkit
> > >
> > > I have noticed that my XP system is behaving like I have a rootkit.
> > >
> > > - My mouse is jumpy (it freezes for a second when I move it around the
> > > desktop) and the minimized Taskmanager in the systray shows I have 
> > > around
> > > 25 - 30 % usage, but when I open it, there is no process listed using 
> > > this
> > > much.
> > > - I did a netstat, fport, openports and none of these show that I have 
> > > any
> > > odd ports open or any connections established.
> > > - even when I disconnect from the Internet these symptoms do not stop.
> > They
> > > stop if I reboot, but then start again.
> > >
> > > I have ran VICE, Klister, PatchFinder and RkDetect from rootkit.com and
> > they
> > > could not find anything.
> > >
> > > Any more suggestions ?
> > > Any more rootkit finding tools for Windows ?
> > >
> > > Thanks
> > > Bill


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html