RE: [Full-Disclosure] Help, possible rootkit

From: ISNYC (admin_at_infosecnyc.com)
Date: 10/23/04

  • Next message: J.A. Terranson: "Re: [Full-Disclosure] Windows 2000 Remote Buffer Overflow by class101"
    To: "'BillyBob'" <billybobknob@hotmail.com>, "'Full Disclosure'" <full-disclosure@lists.netsys.com>
    Date: Sat, 23 Oct 2004 14:24:37 -0400
    
    

    I wouldn't run detection tools from the OS; use a boot CD.

    Pref: FIRE or Knoppix/Knoppix-STD

    FIRE by DMZ Services Inc.
    http://fire.dmzs.com/

    Knoppix STD 0.1
    http://www.knoppix-std.org/

    KNOPPIX Bootable Linux CD
    http://www.knopper.net/knoppix/index-en.html

    Good Luck,
    Dominick S.

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of BillyBob
    Sent: Saturday, October 23, 2004 12:05 PM
    To: Full Disclosure
    Subject: [Full-Disclosure] Help, possible rootkit

    I have noticed that my XP system is behaving like I have a rootkit.

    - My mouse is jumpy (it freezes for a second when I move it around the
      desktop), and the minimized Task Manager in the systray shows I have around
      25-30% usage, but when I open it, there is no process listed using this
      much.
    - I did a netstat, fport, openports and none of these show that I have any
      odd ports open or any connections established.
    - Even when I disconnect from the Internet these symptoms do not stop. They
      stop if I reboot, but then start again.

    I have run VICE, Klister, PatchFinder and RkDetect from rootkit.com and they
    could not find anything.

    Any more suggestions?
    Any more rootkit-finding tools for Windows?

    Thanks
    Bill

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

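As an added illustration of the reply's point (this is not code from the thread or from any of the boot CDs named): an offline integrity check run from a Linux boot CD, where the suspect Windows volume is mounted read-only and every file is hashed and compared against a manifest taken from a known-clean install, so a kernel-level rootkit that hides itself from tools run on the live OS has nothing to hook. The device name, mount point and manifest paths are assumptions.

```shell
# Offline baseline comparison run from a Linux boot CD such as Knoppix.
# Assumed setup (adjust to your disk): the suspect Windows volume is mounted
# read-only so nothing on it can execute or be altered during the check:
#   mount -o ro /dev/hda1 /mnt/suspect
# The baseline manifest is assumed to come from a known-clean install of the
# same Windows version and patch level, built with the same make_manifest.

# Print "sha256  ./relative/path" for every regular file below directory $1,
# sorted so two manifests of the same tree line up.
make_manifest() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
        sha256sum "$f"
    done )
}

# Compare a trusted baseline manifest ($1) with the manifest of the suspect
# volume ($2). Prints one line per difference: MISSING (in baseline only),
# ADDED (on the suspect volume only) or CHANGED (hash differs), then the path.
# Each manifest line is "hash  path"; the path is taken from after the two
# spaces so names containing spaces (e.g. "Program Files") are kept whole.
compare_manifests() {
    awk '
        { hash = $1; path = substr($0, index($0, "  ") + 2) }
        NR == FNR { base[path] = hash; next }
        { cur[path] = hash }
        END {
            for (p in base) if (!(p in cur))  print "MISSING " p
            for (p in cur)  if (!(p in base)) print "ADDED " p
            for (p in cur)  if ((p in base) && cur[p] != base[p]) print "CHANGED " p
        }' "$1" "$2" | sort
}

# Typical use from the boot CD (paths are assumptions):
#   make_manifest /mnt/suspect/WINDOWS > /tmp/suspect.manifest
#   compare_manifests /media/usb/clean-xp.manifest /tmp/suspect.manifest
```

Anything reported as ADDED or CHANGED under the system directories is what to examine next; a hidden driver or patched system file shows up here even when the running OS reports nothing.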
