Network Security Security-Basics

RE: Help, possible rootkit

Subject: RE: Help, possible rootkit
Date: Mon, 25 Oct 2004 12:58:39 -0400
You could try HIDEWNDW (http://www.winsite.com/bin/Info?500000013369).
You can use it to Show hidden Windows.  If you see things there that
look out of place, you can shut it down.

Additionally, swing on by SYSINTERNALS, download the PSTOOLS and PROCESS
EXPLORER.  Use them to get a good understanding of EXACTLY what is
running on your system.

Use the Process Explorer to identify everything running under that
Hidden Window you found using the hidewndw program.  It will list
DLLs, paths, etc.

Another useful tool is FILEMON.  That will list out every file that is
touched/accessed in real time.  Nice sorting/highlighting too.

Maybe download ETHEREAL and monitor all incoming/outgoing traffic.  You
may see something there.

Under XP, you can run MSCONFIG and see what you have starting up under
windows, whether it be Processes or Registry RUN items.. You can disable
them there.

All the while, confirming that your ANTIVIRUS DAT Files are up to date
and that your computer comes up clean after a SCAN.  If you don't have
an AV solution, that's most likely your problem.  However, you can swing
on over to TREND MICRO (http://housecall.trendmicro.com/) for a free
scan.

BTW, have you looked at SPYBOT and ADAWARE?

Also.. If your MOUSE is jumpy, are you using WIRELESS products, i.e.
KEYBOARD or Mouse?  Are your batteries fairly new? I've seen bad
batteries cause jumpy mice/keyboards. Also.. STUCK KEYS can cause that
too!  Confirm you have no debris/food stuck in your keys.  Imagine you
start your computer and the ENTER key is stuck down.  That might cause
some problems =).  However I'd tend to think that would cause a KEY
STUCK error on boot.

If it was me, I would try to identify the problem, and once I figured it
out, I would REFORMAT anyway.

Once your PC is "infected" by some MALWARE, there is never a way to get
it back 100% to the way it was.  It's just not worth the hassle.
Reformat and be on your way!

Good Luck.

JMB
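The manual triage JMB describes above (msconfig for Run entries, Process Explorer for image paths and loaded DLLs, netstat/fport for listening ports) can be scripted so the results are easier to compare against a known-good machine. The script below is an added example written for this page; it is not from the thread, and it assumes a current Windows host with PowerShell 3 or later and the NetTCPIP module (Get-NetTCPConnection), which Windows XP of 2004 did not have. Value and process names in the comments are illustrative only.

```powershell
# Added example (not part of the original thread): collect the same three views a
# defender would pull by hand in the reply above, as objects that can be exported
# and diffed against a clean baseline.

# Autostart locations that msconfig's "Startup" tab reads from.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Provider-added properties that Get-ItemProperty attaches to every key; skip them.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutostartEntries {
    # One object per Run/RunOnce value: where it lives, its name, and the command line.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $ProviderProps) { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-ProcessSummary {
    # Per-process image path and loaded modules, roughly what Process Explorer shows.
    # NoMainWindow is true for services and background programs; an interactive
    # application with NoMainWindow = $true is worth a second look.
    Get-Process | Sort-Object CPU -Descending | ForEach-Object {
        $proc = $_
        $path = $(try { $proc.MainModule.FileName } catch { '<access denied>' })
        $mods = $(try { ($proc.Modules | ForEach-Object { $_.ModuleName }) -join ',' }
                  catch { '<access denied>' })
        [pscustomobject]@{
            Id           = $proc.Id
            Name         = $proc.ProcessName
            CpuSeconds   = [math]::Round([double]$proc.CPU, 1)
            NoMainWindow = ($proc.MainWindowHandle -eq 0)
            Path         = $path
            Modules      = $mods
        }
    }
}

function Get-ListeningPorts {
    # Listening TCP sockets mapped to their owning process (netstat -ano equivalent).
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Pid          = $_.OwningProcess
            Process      = if ($owner) { $owner.ProcessName } else { '<unknown>' }
        }
    }
}

# Usage: dump each view to CSV so it can be diffed against the same dump from a clean host.
Get-AutostartEntries | Export-Csv -NoTypeInformation -Path .\autostart.csv
Get-ProcessSummary   | Export-Csv -NoTypeInformation -Path .\processes.csv
Get-ListeningPorts   | Export-Csv -NoTypeInformation -Path .\listening.csv
```

Run it from an elevated prompt, since MainModule and Modules are not readable for processes owned by other accounts without it. As the reply notes, a kernel-mode rootkit can hide entries from all three views equally; the script's value is in spotting the ordinary autostart or network oddities that account for most "something is wrong" reports, and in giving you a snapshot to keep before you reformat.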

-----Original Message-----
From: Okiwaso [mailto:okiwaso@hotmail.com] 
Sent: Saturday, October 23, 2004 12:07 PM
To: security-basics@securityfocus.com
Subject: Help, possible rootkit


I have noticed that my XP system is behaving like I have a rootkit.

- My mouse is jumpy (it freezes for a second when I move it around the
desktop) and the minimized Taskmanager in the systray shows I have
around 25 - 30 % usage, but when I open it, there is no process listed
using this much.
- I did a netstat, fport, openports and none of these show that I have
any odd ports open or any connections established.
- even when I disconnect from the Internet these symptoms do not stop.
They stop if I reboot, but then start again.

I have run VICE, Klister, PatchFinder and RkDetect from rootkit.com and
they could not find anything.

Any more suggestions ?
Any more rootkit finding tools for Windows ?

Thanks
Bill


