[Dshield] Strange Safe Mode behavior in Windows XP Professional/Eliminating possible virus

Brenden Walker BKWalker at drbsystems.com
Fri Dec 12 13:42:48 GMT 2008


> -----Original Message-----
> From: list-bounces at lists.sans.org [mailto:list-bounces at lists.sans.org]
> On Behalf Of Michael
> Sent: Thursday, December 11, 2008 2:51 PM
> To: Dshield Mailing List
> Subject: [Dshield] Strange Safe Mode behavior in Windows XP
> Professional/Eliminating possible virus
>
> Hi,
>
> I am experiencing strange behavior in Windows XP Professional under
> Safe Mode With Networking.  When I started up the computer in Safe
<snip>
> (3)  Is there any specific algorithm that one should follow if they
> suspect their computer MAY be infected with a virus?  I have anti-
> rootkit tools (e.g., GMER, IceSword), but am not sure if I need them.

The first thing I'd recommend is running this from a command line, probably good idea to be logged in as an administrator:

netstat -abo

That will list every program that has open ports on your system along with the program executable name and PID.  Then you may need to research the applications that have open ports to determine if they are safe.

That's just a start.  I don't know of any way to be sure, other than wiping and doing a clean install.  I've seen XP systems that have been running for a long time just get mucked up (massive registry, partially uninstalled applications and the like).   A clean installation of windows usually fixes that kinda thing.



More information about the Dshield mailing list