Full Disclosure mailing list archives
Re: Help, possible rootkit
From: "MN Vasquez" <mnv () alumni princeton edu>
Date: Sat, 23 Oct 2004 20:04:48 -0700
Any odd traffic coming to or from this machine? What's a sniffer telling you?
I might've missed it, but is this a home user machine or in a business place?
Do you have issues running in safe mode? If you don't, then it would sound like the rootkit's not running, which means you can probably look at some of the normal places for a file/processes loading/starting.
I don't know about the rest of the list, but I haven't seen or heard of too many process-hiding XP rootkits that are undetectable by some of the basic methods mentioned. See www.rootkit.com. At least, not floating around on a single PC that sounds like an unlikely "high value" target. It seems much more likely that XP or an application is just crapping out on you, and if you can't figure it out, reinstall. If nothing is revealed after trying some of the methods already suggested here and by others, I think the likelihood -- given the info you've told us so far -- makes it unlikely that it's a rootkit.
My 2 cents.
----- Original Message -----
From: "BillyBob" <billybobknob () hotmail com>
To: "Alan Melia (Melmac)" <alanme () melmac co uk>; "'Full Disclosure'" <full-disclosure () lists netsys com>
Sent: Saturday, October 23, 2004 1:30 PM
Subject: Re: [Full-disclosure] Help, possible rootkit

I have run Process Explorer, Code Stuff Starter but nothing shows up in the list as using this 25-30% of my CPU. I also updated and ran PestPatrol, NortonAV, etc. but nothing is detected, which is why I think I have a rootkit that has patched the kernel and therefore not allowing any of these programs to detect it. Anything else?

----- Original Message -----
From: "Alan Melia (Melmac)" <alanme () melmac co uk>
To: "'BillyBob'" <billybobknob () hotmail com>; "'Full Disclosure'" <full-disclosure () lists netsys com>
Sent: Saturday, October 23, 2004 4:47 PM
Subject: RE: [Full-disclosure] Help, possible rootkit

First check to see what processes are running. TaskList is built in but I would recommend http://www.sysinternals.com/ntw2k/freeware/procexp.shtml. Get to know your machine and what processes are running normally. With 25-30% CPU it should stick out like a sore thumb. Oh yeah, don't run as admin (see http://blogs.msdn.com/aaron_margosis).

Alan

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of BillyBob
Sent: 23 October 2004 17:05
To: Full Disclosure
Subject: [Full-disclosure] Help, possible rootkit

I have noticed that my XP system is behaving like I have a rootkit.
- My mouse is jumpy (it freezes for a second when I move it around the desktop) and the minimized Task Manager in the systray shows I have around 25-30% usage, but when I open it, there is no process listed using this much.
- I did a netstat, fport, openports and none of these show that I have any odd ports open or any connections established.
- Even when I disconnect from the Internet these symptoms do not stop. They stop if I reboot, but then start again.
I have run VICE, Klister, PatchFinder and RkDetect from rootkit.com and they could not find anything.
Any more suggestions? Any more rootkit-finding tools for Windows?
Thanks
Bill
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
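The replies above converge on two checks: enumerate running processes by more than one path so a process that one listing omits stands out, and account for where the CPU time is actually going (the original symptom was a system-wide 25-30% load that no listed process claimed). The script below is an added example written for this archive page; it is not code from the thread or from any of the tools named in it. It assumes PowerShell 5.1 or later on a current Windows release, run from an elevated prompt, and uses only built-in cmdlets and tasklist.exe. The CPU comparison is a heuristic: per-process counters and the processor-level counter are sampled at slightly different moments, so only a gap that persists across samples is worth attention, and the same goes for PIDs that differ between views (short-lived processes cause harmless churn).

```powershell
# Added example (not from the thread). Assumes Windows 10/11, PowerShell 5.1+, elevated.

# --- 1. Cross-view process enumeration -------------------------------------
function Get-ProcessViewDiscrepancies {
    # View A: Win32 API through .NET (roughly what Task Manager / Process Explorer show)
    $api = Get-Process | Select-Object -ExpandProperty Id
    # View B: the WMI/CIM provider
    $cim = Get-CimInstance Win32_Process | Select-Object -ExpandProperty ProcessId
    # View C: tasklist.exe, the built-in tool mentioned in the thread, parsed from CSV
    $tl  = tasklist /FO CSV /NH |
           ConvertFrom-Csv -Header ImageName, PID, Session, SessionNum, MemUsage |
           ForEach-Object { [int]$_.PID }

    $all = @($api) + @($cim) + @($tl) | Sort-Object -Unique
    foreach ($p in $all) {
        $missing = @()
        if ($api -notcontains $p) { $missing += 'Get-Process' }
        if ($cim -notcontains $p) { $missing += 'Win32_Process' }
        if ($tl  -notcontains $p) { $missing += 'tasklist' }
        if ($missing.Count -gt 0) {
            [pscustomobject]@{ PID = $p; MissingFrom = ($missing -join ', ') }
        }
    }
}

# Sample twice and keep only PIDs that are inconsistent both times,
# which filters out processes that merely started or exited between calls.
$first  = @(Get-ProcessViewDiscrepancies)
Start-Sleep -Seconds 2
$second = @(Get-ProcessViewDiscrepancies)
$persistent = $first | Where-Object { $second.PID -contains $_.PID }
"== PIDs consistently missing from at least one view =="
if ($persistent) { $persistent | Format-Table -AutoSize } else { "(none)" }

# --- 2. CPU accounting: processor-level load vs. sum of per-process load ----
# The processor-level counter comes from per-CPU idle-time accounting; the
# per-process counters come from the process list. A hidden process shows up as
# load the process list cannot explain.
function Get-UnaccountedCpu {
    $cores   = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
    $overall = (Get-CimInstance Win32_PerfFormattedData_PerfOS_Processor -Filter "Name='_Total'").PercentProcessorTime
    $perProc = Get-CimInstance Win32_PerfFormattedData_PerfProc_Process |
               Where-Object { $_.Name -ne '_Total' -and $_.Name -ne 'Idle' }
    # Per-process values are scaled to one core, so divide the sum by the core count.
    $accounted = ($perProc | Measure-Object PercentProcessorTime -Sum).Sum / $cores
    [pscustomobject]@{
        OverallPct    = [math]::Round($overall, 1)
        AccountedPct  = [math]::Round($accounted, 1)
        UnaccountedPt = [math]::Round($overall - $accounted, 1)
    }
}

"== CPU accounting (three samples; a steady positive gap is the signal) =="
1..3 | ForEach-Object { Get-UnaccountedCpu; Start-Sleep -Seconds 2 } | Format-Table -AutoSize

# --- 3. The "normal places" for things that start automatically ------------
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
"== Run / RunOnce entries =="
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-Item $key).GetValueNames() | ForEach-Object {
            [pscustomobject]@{ Key = $key; Name = $_; Command = (Get-ItemPropertyValue -Path $key -Name $_) }
        }
    }
} | Format-Table -AutoSize

# Services whose binary lives outside the Windows directory deserve a second look;
# this is a triage filter, not proof of anything.
"== Services with binaries outside $env:windir =="
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch [regex]::Escape($env:windir) } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize
```

Run it once from a normal boot and once from Safe Mode, as suggested in the reply, and compare: if the CPU gap disappears in Safe Mode, whatever causes it is loaded from one of the autostart paths the last section lists, which narrows the search considerably before deciding between a deeper investigation and a reinstall.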