On Sat, 23 Oct 2004, BillyBob sketched:
I have noticed that my XP system is behaving like I have a rootkit.
- My mouse is jumpy (it freezes for a second when I move it around the
desktop) and the minimized Taskmanager in the systray shows I have around
25 - 30 % usage, but when I open it, there is no process listed using this
much.
This alone can hardly be conclusive that you've been rootkitted, unless you've
understated the mouse surfing on its own accord of course. :o
So far sounds like a memory leak; runaway process somewhere in XP sucking
overhead. Mouse erraticism could very well be related.
- I did a netstat, fport, openports and none of these show that I have any
odd ports open or any connections established.
- even when I disconnect from the Internet these symptoms do not stop. They
stop if I reboot, but then start again.
Is this on your home LAN where you have a router that you could independently
monitor whether your machine is making or requesting connections out to the net
without your knowledge? What you might want to consider as a medium, longer
term strategy is setting up an independent IDS like snort to monitor all
traffic in and out of your gateway, and ideally on a one way RX only line so
you can be absolutely sure of its integrity.
I have ran VICE, Klister, PatchFinder and RkDetect from rootkit.com and they
could not find anything.
I'll once again state the obvious that if you've been owned, there's nothing
you can possibly do to know 100% that you're not anymore but to do a complete
reinstall. Especially, when your attempts originate from the owned machine in
question.
Any more suggestions ?
Ditto from above. Peace of mind = complete reinstall, In the future use a 3rd
party IDS like snort.
Still, from what you've desribed, it might still be nothing more than a memory
leak.
A
