
Thread: rootkit symptoms

  1. #1 Junior Member (Join Date: Apr 2008)

    rootkit symptoms

    I have found the following signs of rootkit infection on my XP family Edition :

    Unknown user replacing administrators' rights on svchost-dns-tcpip-rcp and alg and WMI. Seen using Process Explorer from sysinternals.

    Anonymous logon privilege for Flash or shockwave activex and flash player in the Macromedia folder in System32. Seen with AccessEnumerator from sysinternals.

    Files called E.tmp in system32 and dump_WMILIB.sys and dump_atapi.sys in system32/drivers seen with icesword.

    No current product on the market seems able to find or remove this problem.
    Last edited by cayenneken; 2008-04-14 at 22:16.

  2. #2 PepiMK, Member of Team Spybot (Join Date: Oct 2005, Planet Earth)


    Created a project tools entry to deal with the access rights part:
    Detect removed admin privileges

    Copies of the files (and logs of those tools if you want to part with them) sent to detections at would be appreciated as well, of course.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)
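The two access-rights symptoms reported in post #1 (Administrators stripped of rights on system binaries, and ANONYMOUS LOGON granted access under the Flash folder) can be checked from a script rather than by eye in Process Explorer or AccessEnum. The following PowerShell is an added example, not the project tool mentioned above; the file list and the Macromed\Flash path are assumptions, and the "Administrators hold Full Control" baseline is XP's, since later Windows versions deliberately give Administrators less than Full Control on System32 files.

```powershell
# Added example: audit file ACLs for the symptoms described in this thread.
# Flags (1) Administrators without Full Control, (2) any Allow ACE for
# ANONYMOUS LOGON, (3) ACEs held by SIDs that no longer resolve to an account.
# The paths are assumptions; adjust them to the files you want to check.
param(
    [string[]]$Paths = @(
        "$env:SystemRoot\System32\svchost.exe",
        "$env:SystemRoot\System32\alg.exe",
        "$env:SystemRoot\System32\Macromed\Flash"   # assumed Flash/Shockwave folder
    )
)

$adminsSid    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$anonymousSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-7'
$fullControl  = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-FileAclSymptoms {
    param([string]$Path)
    $findings = @()
    # Read ACEs as raw SIDs so orphaned or unknown accounts are not hidden by name lookup
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $adminsFull = $rules | Where-Object {
        $_.IdentityReference -eq $adminsSid -and $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $fullControl) -eq $fullControl)
    }
    if (-not $adminsFull) { $findings += 'Administrators lack Full Control' }
    foreach ($rule in $rules) {
        if ($rule.IdentityReference -eq $anonymousSid -and $rule.AccessControlType -eq 'Allow') {
            $findings += "ANONYMOUS LOGON allowed $($rule.FileSystemRights)"
        }
        try { $null = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]) }
        catch { $findings += "unresolvable SID $($rule.IdentityReference) holds $($rule.FileSystemRights)" }
    }
    [pscustomobject]@{ Path = $Path; Findings = $findings }
}

foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $items = @(Get-Item -LiteralPath $p -Force)
    if ($items[0].PSIsContainer) {
        # Folders are walked recursively so each file under them is checked
        $items += Get-ChildItem -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue
    }
    foreach ($item in $items) {
        $result = Test-FileAclSymptoms -Path $item.FullName
        if ($result.Findings.Count -gt 0) { $result | Format-List }
    }
}
```

Run it from an elevated prompt; an unresolvable SID on a system binary or any ANONYMOUS LOGON entry is worth preserving (export with `Get-Acl | Format-List` or icacls) before repairing the ACL, since it is evidence of the tampering described above.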
