Full Version: Klister Problem...
XeLoRy
Well, I have a rootkit on a box but I can't remove it.

I've used rkdetector and it found 1 rootkit (hxdef)

but when I use klister to list hidden processes to locate the hxdef one, it crashes my PC! (violent reboot)

I've just run the w2k_load kmodule.sys in a shell as it said in the readme and then I've run klister.exe from the same shell and then CRASH!

What's wrong?

edit: I have that result with rkdetector.exe (0.62)


CODE
-Searching again for Hidden Services..
-Gathering Service list Information... ( Found: 0 Hidden Services)
-Searching for wrong Service Paths.... ( Found: 0 wrong Services )
-Searching for Rootkit Modules........ ( Found: 0 Suspicious modules )
-Trying to detect hxdef with TCP data..( Found: 1 running rootkits)
----------------------------------------------------------------------------
*ROOTKIT HACKER DEFENDER v1.0.0 IS INSTALLED IN YOUR HOST.
----------------------------------------------------------------------------
-Searching for hxdef hooks............ ( Found: 1 running rootkits)
----------------------------------------------------------------------------
*ROOTKIT HACKER DEFENDER >= v0.82 FOUND. Path not available
----------------------------------------------------------------------------
-Searching for other rootkits......... ( Found: 0 running rootkits)



no path and no servicename listed, please help!
da_cash
just one tip ... taken from hxdef readme..


CODE
Q: I'm using DameWare and i can see all your services and all that should be
hidden. Is this the bug?

A: Nope. DameWare and others who use remote sessions (and or netbios) can see
hidden services because this feature is not implemented yet. It's a big
difference between the bug and not implemented. See todo list on the web for
things that are not implemented yet.



hope now you know how to remove it ...

dunno what OS you are using but klister won't work on XP systems..

cheers
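
The readme excerpt quoted above says tools that list services over a remote session can still see the hidden ones, which is the basis of a cross-view check. The following is an added example, not part of the original thread or of any tool named in it: it compares two service listings of the same host and reports names present only in the remote view. It assumes both listings are text in `sc query` format; the sample listings and the name `ExampleHiddenSvc` are constructed placeholders.

```python
import re

# Constructed sample: `sc query type= service state= all` run on the suspect host itself.
LOCAL_VIEW = """
SERVICE_NAME: dhcp
DISPLAY_NAME: DHCP Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
"""

# Constructed sample: the same host listed over a remote session from a second machine.
# "ExampleHiddenSvc" is a placeholder, not a real rootkit service name.
REMOTE_VIEW = LOCAL_VIEW.replace("dhcp", "Dhcp") + """
SERVICE_NAME: ExampleHiddenSvc
DISPLAY_NAME: Example Hidden Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""

def parse_sc_query(text):
    """Return {service_name: state} parsed from `sc query` style output."""
    services, current = {}, None
    for line in text.splitlines():
        name = re.match(r"\s*SERVICE_NAME:\s*(\S.*?)\s*$", line)
        if name:
            current = name.group(1)
            services[current] = "UNKNOWN"  # replaced when the STATE line follows
            continue
        state = re.match(r"\s*STATE\s*:\s*\d+\s+(\w+)", line)
        if state and current:
            services[current] = state.group(1)
    return services

def cross_view_diff(local_text, remote_text):
    """Services seen remotely but missing from the local listing."""
    # Windows service names are case-insensitive, so compare lowercased.
    local = {name.lower() for name in parse_sc_query(local_text)}
    remote = parse_sc_query(remote_text)
    return sorted((n, s) for n, s in remote.items() if n.lower() not in local)

if __name__ == "__main__":
    for name, state in cross_view_diff(LOCAL_VIEW, REMOTE_VIEW):
        print(f"visible only in remote view: {name} ({state})")
```

An empty result only means the two views agree; it does not show the host is clean.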
Dr.Death
rename the taskmgr.exe to _root_taskmgr.exe

and you will be able to see hidden processes in your system.
da_cash
Dr.Death, don't try to misguide him .. He already said he got hxdef installed and not NT Rootkit .. For more info about that rootkit visit www.rootkit.com...