Re: Help, possible rootkit

From: Arias Hung (
Date: 10/24/04

  • Next message: Marcus Merrin: "Re: Help, possible rootkit"
    Date: Sun, 24 Oct 2004 14:22:58 -0700

    On Sat, 23 Oct 2004, BillyBob sketched:

    > I have noticed that my XP system is behaving like I have a rootkit.

    > - My mouse is jumpy (it freezes for a second when I move it around the
    > desktop) and the minimized Taskmanager in the systray shows I have around
    > 25 - 30 % usage, but when I open it, there is no process listed using this
    > much.

    This alone can hardly be conclusive that you've been rootkitted, unless you've understated the mouse surfing on its own accord of course. :o

    So far sounds like a memory leak; runaway process somewhere in XP sucking overhead. Mouse erraticism could very well be related.

    > - I did a netstat, fport, openports and none of these show that I have any
    > odd ports open or any connections established.
    > - even when I disconnect from the Internet these symptoms do not stop. They
    > stop if I reboot, but then start again.

    Is this on your home LAN where you have a router that you could independently monitor whether your machine is making or requesting connections out to the net without your knowledge? What you might want to consider as a medium- to longer-term strategy is setting up an independent IDS like snort to monitor all traffic in and out of your gateway, and ideally on a one way RX only line so you can be absolutely sure of its integrity.

    > I have run VICE, Klister, PatchFinder and RkDetect from and they
    > could not find anything.

    I'll once again state the obvious that if you've been owned, there's nothing you can possibly do to know 100% that you're not anymore but to do a complete reinstall. Especially when your attempts originate from the owned machine in question.

    > Any more suggestions ?

    Ditto from above. Peace of mind = complete reinstall. In the future use a 3rd party IDS like snort.

    Still, from what you've described, it might still be nothing more than a memory leak.
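The hidden-CPU symptom described in the thread is the kind of thing the cross-view tools mentioned (Klister, RkDetect) look for: several independent enumerations of the process list are compared, and a PID present in one view but absent from another is suspicious. The script below is an added example, not code from this thread or from those tools; it assumes a current Windows host with PowerShell 5 or later, run from an elevated prompt, and checks the Get-Process, WMI and brute-force OpenProcess views against each other.

```powershell
# Added example (not from the thread): cross-view process enumeration on Windows.
# A process-hiding rootkit usually tampers with one enumeration path; three
# independent views are compared and any PID missing from some view is reported.
# Assumes PowerShell 5+ on a current Windows host, run as Administrator.

Add-Type -Namespace Native -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_ACCESS_DENIED = 5

# View 1: the snapshot path used by .NET / Get-Process
$viewApi = @((Get-Process).Id | Where-Object { $_ -ne 0 })

# View 2: the WMI/CIM provider, a separate enumeration path
$viewWmi = @((Get-CimInstance Win32_Process).ProcessId | Where-Object { $_ -ne 0 })

# View 3: brute force. Windows PIDs are multiples of 4; PID 0 (Idle) is skipped
# because it cannot be opened. Access denied still proves the PID exists.
$viewBrute = foreach ($p in 4..65532) {
    if ($p % 4 -ne 0) { continue }
    $h = [Native.Kernel32]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$p)
    if ($h -ne [IntPtr]::Zero) {
        [void][Native.Kernel32]::CloseHandle($h)
        $p
    } elseif ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq $ERROR_ACCESS_DENIED) {
        $p
    }
}

# Report every PID that is not present in all three views. Processes that start
# or exit between the enumerations show up here too, so re-run and keep only
# PIDs that are flagged consistently before treating them as hidden.
$all = ($viewApi + $viewWmi + $viewBrute) | Sort-Object -Unique
$suspects = foreach ($p in $all) {
    $inApi   = $viewApi   -contains $p
    $inWmi   = $viewWmi   -contains $p
    $inBrute = $viewBrute -contains $p
    if (-not ($inApi -and $inWmi -and $inBrute)) {
        [pscustomobject]@{ PID = $p; GetProcess = $inApi; WMI = $inWmi; OpenProcess = $inBrute }
    }
}
if ($suspects) { $suspects | Format-Table -AutoSize } else { "All views agree: no PID discrepancies." }
```

As the reply above notes, a result from a machine that may already be compromised is only a hint; a clean reinstall remains the only certain remedy.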

