Full Disclosure mailing list archives

Re: looking for a tool
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Tue, 2 Mar 2004 09:52:42 -0600

First of all, I'd like to thank all the people who offered to help.
There were quite a few of them, and so I am not able to respond to all
of the emails personally.  For future reference, you may assume that
when I post something like this, I've already gone through all the
standard troubleshooting steps.  In fact, the techs had before I ever
got there.  I was called in because the standard steps didn't resolve
the problem.

These include (but are not limited to):
1) Running a full scan using up to date antivirus software (in our case,
2) Running McAfee's Stinger, latest version
3) Booting in Safe Mode and removing files and registry entries
4) Killing processes and resetting permissions so they can't be
5) Checking for open ports using Fport (as well as netstat, but it isn't
to be trusted in a case like this)
6) Monitoring the machine's network activity using various tools
7) Etc., etc.

(Of course tools used were on a CD and other machines, not on the
suspect computer's hard drive.)

My recommendation yesterday (to tech support) was to format the machine,
because we can't afford to spend inordinate amounts of time trying to
track down the origins of malicious software.  (Besides it's kind of a
lesson learned for the end user that way anyway.)  My real concern, and
the reason for posting to the list, was to find out why tools that I've
depended on to give me the information I needed were unable to point to
the cause of this problem and to see if there were other tools that
would have been useful.

I *did* learn about some tools that I was not aware of, which I will be
adding to my arsenal:
1) Gregh told me about Essential Net Tools and Procmon
2) Robert Cowles told me about PORTqry v2
3) On another list I was told about Bart, a bootable Windows PE CD,
HijackThis and CWSshredder

I received a number of suggestions, almost all of which I had already
done.  The most useful was that this was "CWS.Loadbat - Dastardly",
which I think it may well have been.

For the purists among you, I apologize for mixing up Foundstone's and
Sysinternals' tools in my original post.  Mea culpa.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
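The post notes that netstat "isn't to be trusted" on a suspect machine and that Fport was used alongside it. The check a responder actually wants from that pairing is a diff of the two views: a listener that one tool shows and the other does not is the thing to look at first. The script below is an added example (Python, not from the original post, Foundstone or Sysinternals) that parses Windows `netstat -an` output and Fport-style output and reports the mismatches. Both inputs are constructed samples; the Fport column layout is reproduced from memory and is an assumption, so the regex may need adjusting against real output.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of Windows "netstat -an" output (not from the original post).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1043          10.0.0.9:445           ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed sample of Fport-style output. The column layout is an assumption
# (approximated from memory); the process name, pid and path are made up.
FPORT_SAMPLE = """\
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  445   TCP
8     System         ->  139   TCP
1124  unknown        ->  4444  TCP   C:\\WINNT\\system32\\drivers\\etc\\svc.exe
8     System         ->  137   UDP
"""

Key = Tuple[str, int]  # (protocol, local port)

# netstat: proto, local addr:port, foreign addr, optional state (UDP has none)
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\w+))?\s*$")
# fport: pid, process, "->", port, proto, optional path
FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)(?:\s+(.*))?$")


def parse_netstat(text: str) -> Set[Key]:
    """Return the set of local listeners netstat reports (TCP LISTENING, any UDP)."""
    listening: Set[Key] = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait sockets are not listeners
        listening.add((proto, port))
    return listening


def parse_fport(text: str) -> Dict[Key, Tuple[int, str, str]]:
    """Return {(proto, port): (pid, process, path)} from Fport-style output."""
    listeners: Dict[Key, Tuple[int, str, str]] = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if not m:
            continue
        pid, proc, port, proto, path = m.groups()
        listeners[(proto, int(port))] = (int(pid), proc, (path or "").strip())
    return listeners


def compare_views(netstat_text: str, fport_text: str):
    """Diff the two views of the socket table.

    hidden  : listeners Fport maps to a process but netstat does not show
              (the kind of discrepancy that warrants pulling the box offline)
    unmapped: listeners netstat shows but Fport could not attribute to a pid
    """
    ns = parse_netstat(netstat_text)
    fp = parse_fport(fport_text)
    hidden = {k: v for k, v in fp.items() if k not in ns}
    unmapped = sorted(ns - set(fp))
    return hidden, unmapped


def report(netstat_text: str, fport_text: str) -> List[str]:
    """Human-readable findings, one line per discrepancy."""
    hidden, unmapped = compare_views(netstat_text, fport_text)
    lines = []
    for (proto, port), (pid, proc, path) in sorted(hidden.items()):
        lines.append(f"NOT IN NETSTAT: {proto}/{port} pid={pid} {proc} {path}".rstrip())
    for proto, port in unmapped:
        lines.append(f"NO OWNER: {proto}/{port} shown by netstat, not mapped to a process")
    return lines


if __name__ == "__main__":
    for finding in report(NETSTAT_SAMPLE, FPORT_SAMPLE) or ["no discrepancies"]:
        print(finding)
```

On the constructed samples, the only finding is the TCP/4444 listener that Fport attributes to pid 1124 but netstat omits. On a real box, run both tools from read-only media as the post describes, capture their output to files, and feed those files in; an empty report means the two views agree, not that the machine is clean.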
