rootkit symptoms

2008-04-14, 22:14
I have found the following signs of rootkit infection on my XP family Edition :

Unknown user replacing administrator rights on svchost-dns-tcpip-rcp and alg and WMI. Seen using Process Explorer from Sysinternals.

Anonymous logon privilege for Flash or Shockwave ActiveX and Flash Player in the Macromedia folder in System32. Seen with AccessEnumerator from Sysinternals.

Files called E.tmp in System32 and dump_WMILIB.sys and dump_atapi.sys in System32\drivers seen with IceSword.

No current product on the market seems able to find or remove this problem.

2008-04-17, 09:38
Created a project tools entry to deal with the access rights part:
Detect removed admin privileges (http://forums.spybot.info/project.php?do=gotonote&issuenoteid=825)

Copies of the files (and logs of those tools if you want to part with them ;) ) sent to detections at spybot.info would be appreciated as well of course :)
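The two access-rights symptoms from the first post (an ANONYMOUS LOGON entry on the Flash/Shockwave files, and the Administrators group stripped from service and process security descriptors) can be checked from a script rather than by eye in Process Explorer and AccessEnum. The PowerShell below is an added example written for this thread, not the Spybot project tool linked above and not code from either poster. It assumes PowerShell 3.0 or later running elevated, reads file ACLs with Get-Acl and service security descriptors with sc.exe sdshow, and only reports what it finds; the file paths and service names (Dnscache, Tcpip, RpcSs, ALG, winmgmt) are my reading of the objects the first post names, and a flagged entry is something to review, not proof of infection on its own.

```powershell
# Added example (not from the thread): flag ACL anomalies described in the post.
# Assumptions: PowerShell 3.0+, elevated session, service/file names as listed below.

$system32 = Join-Path $env:SystemRoot 'System32'

# Files the first post names, at the locations it gives (assumed paths)
$filePaths = @(
    (Join-Path $system32 'E.tmp'),
    (Join-Path $system32 'drivers\dump_WMILIB.sys'),
    (Join-Path $system32 'drivers\dump_atapi.sys')
)
# Everything under System32\Macromedia (Flash / Shockwave ActiveX files)
$filePaths += Get-ChildItem -Path (Join-Path $system32 'Macromedia') -Recurse -File -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty FullName

$adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$anonSid  = 'S-1-5-7'        # NT AUTHORITY\ANONYMOUS LOGON

# Resolve each ACE identity to a SID, then test for the two symptoms on a file
function Test-FileAcl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl  = Get-Acl -LiteralPath $Path
    $sids = $acl.Access | ForEach-Object {
        try   { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $_.IdentityReference.Value }   # keep the raw value if translation fails
    }
    [pscustomobject]@{
        Path          = $Path
        Owner         = $acl.Owner
        AnonymousAce  = ($sids -contains $anonSid)
        AdminsMissing = -not ($sids -contains $adminSid)
        Signature     = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    }
}

# Service (and driver) security descriptors in SDDL form: AN = anonymous, BA = Administrators
function Test-ServiceSddl {
    param([string]$Name)
    $sddl = (& sc.exe sdshow $Name | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { return }
    [pscustomobject]@{
        Service       = $Name
        AnonymousAce  = [bool]($sddl -match ';;;AN\)')
        AdminsMissing = -not ($sddl -match ';;;BA\)')
        Sddl          = $sddl
    }
}

$services = 'Dnscache', 'Tcpip', 'RpcSs', 'ALG', 'winmgmt'   # assumed mapping of the post's list

$fileFindings = $filePaths | ForEach-Object { Test-FileAcl -Path $_ } |
                Where-Object { $_.AnonymousAce -or $_.AdminsMissing }
$svcFindings  = $services  | ForEach-Object { Test-ServiceSddl -Name $_ } |
                Where-Object { $_.AnonymousAce -or $_.AdminsMissing }

"== Files with ANONYMOUS LOGON ACEs or no Administrators entry =="
$fileFindings | Format-Table Path, Owner, AnonymousAce, AdminsMissing, Signature -AutoSize
"== Services whose DACL grants ANONYMOUS LOGON or omits Administrators =="
$svcFindings  | Format-Table Service, AnonymousAce, AdminsMissing -AutoSize
```

Process security descriptors (what Process Explorer's Security tab shows for svchost and the others) are not exposed by Get-Acl, which is why the script checks the owning services' DACLs instead; the service descriptor is what decides who may stop, reconfigure or replace them. Saving the two tables alongside the Process Explorer and AccessEnum output gives the reply's request for logs something concrete to send.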