RE: Help, possible rootkit

From: Bowes, Ronald (EST) (RBowes_at_gov.mb.ca)
Date: 10/25/04

• Previous message: k levinson: "RE: Help, possible rootkit"
• Maybe in reply to: BillyBob: "Help, possible rootkit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

To: "'BillyBob'" <billybobknob@hotmail.com>, Incidents <incidents@securityfocus.com>
Date: Mon, 25 Oct 2004 08:33:14 -0500

I had a very similar problem on Windows XP when I ran out of harddrive
space. Ensure that you have at least 500mb or more of free space, otherwise
Windows insists on eating itself.

Ron Bowes
Information Protection Centre
Government Of Manitoba

-----Original Message-----
From: BillyBob [mailto:billybobknob@hotmail.com]
Sent: Saturday, October 23, 2004 11:06 AM
To: Incidents
Subject: Help, possible rootkit

I have noticed that my XP system is behaving like I have a rootkit.

- My mouse is jumpy (it freezes for a second when I move it around the
desktop) and the minimized Taskmanager in the systray shows I have around
25 - 30 % usage, but when I open it, there is no process listed using this
much.
- I did a netstat, fport, openports and none of these show that I have any
odd ports open or any connections established.
- even when I disconnect from the Internet these symptoms do not stop. They
stop if I reboot, but then start again.

I have ran VICE, Klister, PatchFinder and RkDetect from rootkit.com and they
could not find anything.

Any more suggestions ?
Any more rootkit finding tools for Windows ?

Thanks
Bill

---

• Previous message: k levinson: "RE: Help, possible rootkit"
• Maybe in reply to: BillyBob: "Help, possible rootkit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages [REVS] Analysis of a win32 Userland Rootkit ... Userland rootkit for Microsoft Windows. ... The hook is able to provide the fastest injection of the DLL into target ... and a real taste for circular double-linked lists. ... (Securiteam) Re: Need help removing malware ... The free version is only a on-demand scanner. ... Rootkit Revealer but you need to know how it works and it doesn't do ... When you say you could not "find" the folder, and assuming Explorer is configured to show both hidden AND *system* files, did you manually dig through Explorer to navigate through the folders or did you use the Search function in Windows XP? ... (alt.comp.anti-virus) Re: SDTable ... when you tried using a different router things suddenly improved. ... This is more likely than a PCI rootkit. ... But this rootkit does not care if you reinstall your OS. ... I have installed windows, then installed a debian/ubuntu based Linux ... (microsoft.public.windowsupdate) Re: SDTable ... when you tried using a different router things ... This is more likely than a PCI rootkit. ... But this rootkit does not care if you reinstall your OS. ... I have installed windows, then installed a debian/ubuntu based Linux ... (microsoft.public.windowsupdate) Re: Firewall turns off on Restart--Zonealarm installed ... Least-privileged User Account. ... How to configure and use Automatic Updates in Windows XP ... rootkit detection tools like Rootkit ... "The rules to avoid rootkit infection are for the most part the same as ... (microsoft.public.windowsxp.general)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > incidents  > 2004-10