[Full-disclosure] suspicion of rootkit

Hi list,

I am having a strange issue.
I have a lab virtual machine that behaves as if it was owned by a rootkit: weird behavior with system certificates and keyboard driver.
I first thought that with this knowledge it would be easy to spot the culprit: find some malicious driver or some kernel hook. But I failed...

The problem is I have tried both live and RAM analysis (Volatility) and found absolutely nothing unusual.

I am not an expert of Windows internals, so I am probably missing something.
Could you please give me some hint or point me to some resource? (I have the book Windows Internals, but still I don't see how to start with this mess).

More details are on my blog.


--- phocean

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/