[Dshield] Strange Windows Behavior
haled at pionet.net
Tue Jan 23 16:19:04 GMT 2007
Jon, go to the cmd prompt on the machine. Go to the windows\system32
directory and do an attrib *.* |more. Look at the files that are marked
hidden and/or system. You may find the culprit hiding under a different
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Jon R. Kibler
Sent: Tuesday, January 23, 2007 8:46 AM
To: General DShield Discussion List
Subject: [Dshield] Strange Windows Behavior
I have a client that has a few apparently infected systems, but I cannot
find anything wrong. All are Win XP/SP2, fully patched. I have run a full
nmap scan (all 64K TCP and UDP ports), sniffed the network for any bogus
traffic, run spybot, hijackthis, AV, RootKitRevealer, netstat, fport,
processexplorer, etc. and found nothing unexpected.
Following Paul Marsh's posting, I looked for a 'kdnjh.exe' file but found
none. (Paul, was this file the 'wareout' file?) I have not run fixwareout,
and that may be my next step unless someone can give me some better ideas.
System 1: Runs slowly. Task Manager shows a consistent 15% to 25% CPU
utilization on the Performance tab, but shows the System Idle Process
consuming 98% to 99% of the CPU on the Processes tab. Apparently it has a
hidden process, but what and where? Cannot really take this system down and
rebuild until after all of the EOY processing is completed.
Systems 2-6: Run a ktelnet application for industry-specific software.
Initially, systems kept dropping their telnet sessions at random. Switch
logs would show a 5 to 10 second period between logging 'protocol down' and
'protocol up' for the system that lost its telnet session, thus it appears
the telnet session drops because the network connection drops. At present,
systems are 'winking out' (screen goes solid black [sometimes solid white]
and even the mouse cursor disappears) at the same time the network connection
bites the dust. If this were only one system, I would have thought it was a
hardware issue, but it is 5 systems, and it happens at random, usually to
only one system at a time.
Other than nuke the boxes and rebuild (which could not be done until the
weekend for systems 2-6, or until Feb for system 1), I haven't a clue where
to proceed from here.
Jon R. Kibler
Chief Technical Officer
Charleston, SC USA
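Two checks that follow this thread, as an added example rather than anything posted by the list members: the first is the attrib *.* review of System32 suggested in the reply, extended to show each hidden or system binary's Authenticode status; the second puts numbers on the Performance-tab versus Processes-tab CPU gap Jon describes for System 1 by reading the processor and per-process counters directly. It assumes Windows PowerShell 3 or later run from an elevated prompt; the function names are the editor's own and not from any tool named in the thread.

```powershell
# Added example (not from the DShield thread). Assumes Windows PowerShell 3+
# run as an administrator. Function names are the editor's own.

function Get-HiddenSystem32Binary {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32'))

    # Same files `attrib *.*` would flag with H and/or S. -Force is required
    # or Get-ChildItem silently skips hidden and system entries.
    Get-ChildItem -Path $Path -File -Force |
        Where-Object { $_.Attributes -match 'Hidden|System' } |
        Where-Object { '.exe','.dll','.sys','.scr','.com' -contains $_.Extension } |
        ForEach-Object {
            $flags = ''
            if ($_.Attributes -match 'Hidden') { $flags += 'H' }
            if ($_.Attributes -match 'System') { $flags += 'S' }
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Attrib    = $flags
                LastWrite = $_.LastWriteTime
                Bytes     = $_.Length
                SigStatus = $sig.Status     # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Path      = $_.FullName
            }
        } |
        # Descending on SigStatus puts NotSigned/HashMismatch above Valid;
        # within a status the most recently written file comes first.
        Sort-Object SigStatus, LastWrite -Descending
}

function Get-CpuAccounting {
    # Total busy CPU (what the Performance tab graphs), the share that can be
    # attributed to processes (what the Processes tab lists), and kernel time
    # spent in interrupt/DPC context, which is charged to no process at all.
    $cores = [int]$env:NUMBER_OF_PROCESSORS
    $paths = '\Processor(_Total)\% Processor Time',
             '\Processor(_Total)\% Interrupt Time',
             '\Processor(_Total)\% DPC Time',
             '\Process(*)\% Processor Time'
    $s = (Get-Counter -Counter $paths).CounterSamples

    $total     = ($s | Where-Object Path -like '*\processor(_total)\% processor time').CookedValue
    $interrupt = ($s | Where-Object Path -like '*\processor(_total)\% interrupt time').CookedValue
    $dpc       = ($s | Where-Object Path -like '*\processor(_total)\% dpc time').CookedValue

    # Per-process % Processor Time is summed over cores (0..100*cores) and
    # includes the _Total and Idle instances, so drop those and normalise.
    $procs = $s | Where-Object {
        $_.Path -like '*\process(*)\% processor time' -and
        $_.InstanceName -notin '_total','idle'
    }
    $attributed = ($procs | Measure-Object -Property CookedValue -Sum).Sum / $cores

    [pscustomobject]@{
        TotalPct        = [math]::Round($total, 1)
        AttributedPct   = [math]::Round($attributed, 1)
        InterruptDpcPct = [math]::Round($interrupt + $dpc, 1)
        UnaccountedPct  = [math]::Round($total - $attributed, 1)
        TopProcesses    = ($procs | Sort-Object CookedValue -Descending | Select-Object -First 5 |
            ForEach-Object { '{0}={1:N1}' -f $_.InstanceName, ($_.CookedValue / $cores) }) -join ' '
    }
}

# Usage:
Get-HiddenSystem32Binary | Format-Table -AutoSize
1..5 | ForEach-Object { Get-CpuAccounting; Start-Sleep -Seconds 2 } | Format-Table -AutoSize
```

Read the two outputs together. A hidden or system-attributed executable in System32 whose SigStatus is anything other than Valid, with a write time that does not line up with a patch cycle, is the kind of file the attrib walk in the reply is meant to surface. For the CPU question, a large UnaccountedPct that is roughly matched by InterruptDpcPct means the missing time is being spent in interrupt or DPC context (typically a driver), which is charged to the processor but to no process, so the two Task Manager tabs disagree without any process being concealed; an UnaccountedPct that InterruptDpcPct does not explain is the case where something running is genuinely absent from the process list, which is when the output of the first function and a tool that enumerates processes from the kernel side rather than through the normal API becomes the next thing to look at.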