RE: [Full-Disclosure] Help, possible rootkit

From: ISNYC (admin_at_infosecnyc.com)
Date: 10/23/04

Next message: J.A. Terranson: "Re: [Full-Disclosure] Windows 2000 Remote Buffer Overflow by class101"

Previous message: Michael Rutledge: "Re: [Full-Disclosure] Help, possible rootkit"
In reply to: BillyBob: "[Full-Disclosure] Help, possible rootkit"
Next in thread: Alan Melia (Melmac): "RE: [Full-Disclosure] Help, possible rootkit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "'BillyBob'" <billybobknob@hotmail.com>, "'Full Disclosure'" <full-disclosure@lists.netsys.com>
Date: Sat, 23 Oct 2004 14:24:37 -0400

I wouldnt run detection tools from the OS, use a BootCD.

Pref: FIRE or Knoppix/Knoppix-STD

FIRE by DMZ Services Inc.
http://fire.dmzs.com/

Knoppix STD 0.1
http://www.knoppix-std.org/

KNOPPIX Bootable Linux CD
http://www.knopper.net/knoppix/index-en.html

Good Luck,
Dominick S.

-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of BillyBob
Sent: Saturday, October 23, 2004 12:05 PM
To: Full Disclosure
Subject: [Full-Disclosure] Help, possible rootkit

I have noticed that my XP system is behaving like I have a rootkit.

- My mouse is jumpy (it freezes for a second when I move it around the
desktop) and the minimized Taskmanager in the systray shows I have around 25
- 30 % usage, but when I open it, there is no process listed using this
much.
- I did a netstat, fport, openports and none of these show that I have any
odd ports open or any connections established.
- even when I disconnect from the Internet these symptoms do not stop. They
stop if I reboot, but then start again.

I have ran VICE, Klister, PatchFinder and RkDetect from rootkit.com and they
could not find anything.

Any more suggestions ?
Any more rootkit finding tools for Windows ?

Thanks
Bill

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: J.A. Terranson: "Re: [Full-Disclosure] Windows 2000 Remote Buffer Overflow by class101"

Previous message: Michael Rutledge: "Re: [Full-Disclosure] Help, possible rootkit"
In reply to: BillyBob: "[Full-Disclosure] Help, possible rootkit"
Next in thread: Alan Melia (Melmac): "RE: [Full-Disclosure] Help, possible rootkit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]