Full Disclosure mailing list archives
Re: Help, possible rootkit
From: "MN Vasquez" <mnv () alumni princeton edu>
Date: Sat, 23 Oct 2004 19:16:56 -0700
The bootable CD has already been mentioned. Have you scanned it for open ports?
----- Original Message -----
From: "BillyBob" <billybobknob () hotmail com>
To: "Alan Melia (Melmac)" <alanme () melmac co uk>; "'Full Disclosure'" <full-disclosure () lists netsys com>
Sent: Saturday, October 23, 2004 1:30 PM
Subject: Re: [Full-disclosure] Help, possible rootkit

I have run Process Explorer, Code Stuff Starter but nothing shows up in the list as using this 25-30% of my CPU. I also updated and ran PestPatrol, NortonAV, etc. but nothing is detected, which is why I think I have a rootkit that has patched the kernel and is therefore not allowing any of these programs to detect it.

Anything else?

----- Original Message -----
From: "Alan Melia (Melmac)" <alanme () melmac co uk>
To: "'BillyBob'" <billybobknob () hotmail com>; "'Full Disclosure'" <full-disclosure () lists netsys com>
Sent: Saturday, October 23, 2004 4:47 PM
Subject: RE: [Full-disclosure] Help, possible rootkit

First check to see what processes are running. TaskList is built in but I would recommend
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Get to know your machine and what processes are running normally. With 25-30% CPU it should stick out like a sore thumb.

Oh yeah, don't run as admin (see http://blogs.msdn.com/aaron_margosis).

Alan

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of BillyBob
Sent: 23 October 2004 17:05
To: Full Disclosure
Subject: [Full-disclosure] Help, possible rootkit

I have noticed that my XP system is behaving like I have a rootkit.

- My mouse is jumpy (it freezes for a second when I move it around the desktop) and the minimized Taskmanager in the systray shows I have around 25 - 30 % usage, but when I open it, there is no process listed using this much.
- I did a netstat, fport, openports and none of these show that I have any odd ports open or any connections established.
- Even when I disconnect from the Internet these symptoms do not stop. They stop if I reboot, but then start again.

I have run VICE, Klister, PatchFinder and RkDetect from rootkit.com and they could not find anything.

Any more suggestions? Any more rootkit finding tools for Windows?

Thanks
Bill

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html