RE: Help, possible rootkit

["Alan Melia \(Melmac\)" <alanme () melmac co uk>]

Sorry but something MUST show up.  Enable 'Context Switch Delta' and I/O
stuff. Then inspect the process/thread with the highest Context Switch.

The most probable cause if it shows up against system is some faulty
hardware generating high hardware interrupts.  You do not have any evidence
that a rootkit is involved.  IMHO never overlook the obvious.

Alan

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of BillyBob
Sent: 23 October 2004 21:30
To: Alan Melia (Melmac); 'Full Disclosure'
Subject: Re: [Full-disclosure] Help, possible rootkit

I have ran Process Explorer, Code Stuff Starter but nothing shows up in the
list as using this 25-30% of my CYP.  I also updated and ran PestPatrol,
NortonAV, etc but nothing  is detected which is why I think I have a rootkit
that has patched the kernel and therefore not allowing any of these programs
to detect it.

Anything else ?


----- Original Message -----
From: "Alan Melia (Melmac)" <alanme () melmac co uk>
To: "'BillyBob'" <billybobknob () hotmail com>; "'Full Disclosure'"
<full-disclosure () lists netsys com>
Sent: Saturday, October 23, 2004 4:47 PM
Subject: RE: [Full-disclosure] Help, possible rootkit


> First check to see what processes are running.  TaskList is built in 
> but I would recommend.
> http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
>
> Get to know your machine and what processes are running normally.  
> With 25-30% CPU it should stick out like a sore thumb.
>
> Oh yeah don't run as admin (see )http://blogs.msdn.com/aaron_margosis.
>
> Alan
>
>
> -----Original Message-----
> From: full-disclosure-admin () lists netsys com
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of BillyBob
> Sent: 23 October 2004 17:05
> To: Full Disclosure
> Subject: [Full-disclosure] Help, possible rootkit
>
> I have noticed that my XP system is behaving like I have a rootkit.
>
> - My mouse is jumpy (it freezes for a second when I move it around the
> desktop) and the minimized Taskmanager in the systray shows I have 
> around
> 25 - 30 % usage, but when I open it, there is no process listed using 
> this much.
> - I did a netstat, fport, openports and none of these show that I have 
> any odd ports open or any connections established.
> - even when I disconnect from the Internet these symptoms do not stop.
They
> stop if I reboot, but then start again.
>
> I have ran VICE, Klister, PatchFinder and RkDetect from rootkit.com 
> and
they
> could not find anything.
>
> Any more suggestions ?
> Any more rootkit finding tools for Windows ?
>
> Thanks
> Bill
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html