Home page logo
/

basics logo Security Basics mailing list archives

Re: computer with rootkit?
From: admin lewis <adminlewis () gmail com>
Date: Wed, 28 Sep 2011 21:55:17 +0200

nice.. but generally u need of a new pc with 2 nics..
One of the big problem of the sniffer is exactly this.. u need a new machine..
many years ago it was easy with an ethernet hub..
now hubs are out of the market.. so it's more difficult to run a sniffer..

2011/9/28 Quigley, Joe <Joe.Quigley () informausa com>:
You could use wireshark, or something similar, to see whats going in and out of the machine. I highly recommend you 
don’t leave the machine on the production network as it may be actively scanning it other machine to infect.

Good luck,
jq

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Francois Yang
Sent: Wednesday, September 28, 2011 12:58 PM
To: security basics
Subject: computer with rootkit?

I have a computer with Winxp.
I believe it has a rootkit on it and I'm trying to figure out if
there's a way to find out what it is instead of just wiping the box
clean.
I want to find out what it is and maybe it will give me an idea of how
the computer got infected in the first place so I can prevent others
from getting infected with the same malware.

the rootkit or malware deletes any AV you throw at it.
I tried Symantec, Kaspersky and even Malwarebyte.  Once installed they
automatically get deleted.
when I try to launch tools from the sysinternals suite they close
right after they open or won't open at all.
I tried to launch, process explorer, process monitor, autorun and none
of them worked at first.
I ran msconfig and disabled all startup items and disabled all
services from launching.
when I rebooted, I got the same issue with launching any of the tools.
however, when I used the Desktops utility from Sysinsternals, and
launched the tools from another window, some of them worked.
Process explorer and Process monitor worked, but since most of the
services and startup were disabled, they didn't see much.
autorun would not load at all.

I also ran Gmer and it would run for awhile until it hit something
then it would die.
Gmer did find a suspicious process that pointed to the c:\windows\ directory.
the process is 784049767:255598753.exe
If I move the file from the c:\windows directory to the desktop and
kill the process, it restarts pointing to the file on the desktop.
If I delete the file, it creates a new one with the same name in the
c:\windows directory.
the process is also tied to the lybraries, ntdl.dll and kernel32.dll.

This is probably out of my league, but I'm still interested to figure
out what it is and what it's trying to do.

anyone have any suggestions on what else I can do?

thanks.

Frank

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------





-- 
Linux Server, Microsoft Windows 2003/2008 Server, Exchange 2007
http://predellino.blogspot.com/

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]