Do I have a rootkit?
lynchknot
May 31st, 2005, 06:36 PM
So rootkits are invisible, so I'm wondering: I found IE running in Outpost, using Mozilla rules (I have IE set to prompt for connection), but not running in Task Manager. Thanks for help.
http://img25.echo.cx/img25/6083/ie1kn.jpg (http://www.imageshack.us)
Location: Sweden
-{ Quote: "inetnum: 212.78.206.0 - 212.78.206.255
netname: LYCOS-WEBCENTER
descr: Webcenter hosting
descr: Lycos Europe
country: SE
admin-c: MN2433-RIPE
admin-c: HL1251-RIPE
tech-c: HL1251-RIPE
tech-c: MN2609-RIPE
status: ASSIGNED PA
remarks: For abuse issues, please contact *****@lycos-europe.net
mnt-by: SPRAYNET-MNT
changed: *****@spray.se 20030110
source: RIPE" }-
lynchknot
May 31st, 2005, 11:42 PM
It's been 5 hours and IE still shows as connected without showing in Task Manager.
Vikorr
June 1st, 2005, 06:41 AM
This is a beta-version rootkit detector: http://www.f-secure.com/blacklight/
and another: http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
They're not 100% effective, but certainly worth a shot.
lynchknot
June 1st, 2005, 02:25 PM
So I gather, based on the information that I supplied and your response, that it's possible?
**edit - well, first run is no good -
http://img71.echo.cx/img71/6384/error8db.jpg (http://www.imageshack.us)
richrf
June 1st, 2005, 03:19 PM
I would say that it is strange that it is not showing up in Task Manager.
Another tool you might try out is UnHackme at:
http://greatis.com/unhackme/
Also, which AV/ATs have you scanned with so far?
Rich
lynchknot
June 1st, 2005, 03:23 PM
-{ Quote: "I would say that it is strange that it is not showing up in Task Manager.
Another tool you might try out is UnHackme at:
http://greatis.com/unhackme/
Also, which AV/ATs have you scanned with so far?
Rich" }-
I have UnHackMe. I have scanned with NOD32, Ewido, TDS-3, CounterSpy.
richrf
June 1st, 2005, 03:32 PM
I might do a couple more things:
1) You might try DiamondCS's Port Explorer (or something similar). You can set up a spy on the packets and view what is being transmitted.
2) You might try running another AV which is good at rootkit detection such as Kaspersky Online.
I would be surprised if it is a rootkit, since it is so rare. But somehow you have to figure out what the IE process is doing.
Rich
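The symptom in this thread (a firewall sees a connection whose owner does not appear in Task Manager) is what cross-view rootkit detectors look for. The following is an added example, not code from the thread or from any of the tools named in it: it compares the owning PID of each TCP connection against the ordinary process list and reports owners that are missing. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection; the sample data at the bottom is constructed.

```powershell
# Added cross-view check (not from the thread): compare what the connection
# table reports as a socket's owner with what the process list shows.

function Compare-ConnectionOwners {
    param(
        [Parameter(Mandatory)] $Connections,   # objects with OwningProcess/RemoteAddress/RemotePort/State
        [Parameter(Mandatory)] [int[]] $VisiblePids
    )
    $seen = @{}
    foreach ($p in $VisiblePids) { $seen[$p] = $true }

    foreach ($c in $Connections) {
        # PID 0 owns TIME_WAIT sockets and the idle process; it is never "hidden".
        # Listening sockets are skipped because the thread is about an outbound connection.
        if ($c.OwningProcess -eq 0 -or $c.State -eq 'Listen') { continue }
        if (-not $seen.ContainsKey([int]$c.OwningProcess)) {
            [PSCustomObject]@{
                OwningPid     = $c.OwningProcess
                RemoteAddress = $c.RemoteAddress
                RemotePort    = $c.RemotePort
                State         = $c.State
            }
        }
    }
}

# Constructed sample (not real data): PID 4321 holds a web connection but is
# absent from the visible process list, which mirrors the original post.
$sampleConnections = @(
    [PSCustomObject]@{ OwningProcess = 1234; RemoteAddress = '10.0.0.5';   RemotePort = 443; State = 'Established' },
    [PSCustomObject]@{ OwningProcess = 4321; RemoteAddress = '192.0.2.10'; RemotePort = 80;  State = 'Established' },
    [PSCustomObject]@{ OwningProcess = 0;    RemoteAddress = '10.0.0.9';   RemotePort = 80;  State = 'TimeWait' }
)
Compare-ConnectionOwners -Connections $sampleConnections -VisiblePids @(4, 1234) | Format-Table -AutoSize

# Live check on this machine: snapshot the process list first, then the
# connection table, so a process that merely exited between the two calls is
# less likely to be flagged. Re-run before trusting a single hit.
$livePids  = (Get-Process).Id
$liveConns = Get-NetTCPConnection
Compare-ConnectionOwners -Connections $liveConns -VisiblePids $livePids | Format-Table -AutoSize
```

A PID reported by the live check is worth following up with the packet-level and rootkit-scanner steps suggested above; a one-off hit can also just be a process that exited between the two snapshots.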