MS has a tool that can generate SHA1 and MD5 hashes on files: http://support.microsoft.com/kb/841290. You can generate the hashes and either check online (http://www.virustotal.com/search.html) or send them to the list to see if any of us can point you in the right direction.
Thanks,
------------------------------------------
Ali Mesdaq (CISSP, GIAC-GREM)
Sr. Security Researcher
Websense Security Labs
http://www.WebsenseSecurityLabs.com
------------------------------------------

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of DSinc
Sent: Tuesday, November 02, 2010 2:37 PM
To: [email protected]
Subject: Re: [H] infected?

Ali,
Thanks. I do not know how to answer your question.
My view is above filenames ATM, and I know zip about "hashes."
Duncan

On 11/02/2010 17:14, Mesdaq, Ali wrote:
> Got filenames and hashes?
>
> Thanks,
> ------------------------------------------
> Ali Mesdaq (CISSP, GIAC-GREM)
> Sr. Security Researcher
> Websense Security Labs
> http://www.WebsenseSecurityLabs.com
> ------------------------------------------
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of DSinc
> Sent: Tuesday, November 02, 2010 12:41 PM
> To: HWG
> Subject: [H] infected?
>
> I suspect my home LAN is infected.
> I am chasing an odd trouble on one of my clients (jnk).
> Today, I find I have a Non-PlugNPlay Driver labeled "catchme" in my DM view.
> Best I can trace it to may be 10/14/2010.
>
> Worse, I find this item on all of my XP clients!!
> Sorry, I forgot how to view Non-PnP hidden items in W2K Server.
> I can not view them ATM, so I will accept that my server has this item
> also! My bad.
>
> 6 hours of surfing and research leads me to rootkit.
> How painful is the cure?
> Best,
> Duncan
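One way to produce the file hashes the reply above asks for, as an added example that is not part of this thread and not the Microsoft tool it links to. It uses only Python's standard hashlib and reads each file in chunks so that large drivers and DLLs do not have to fit in memory. The directory walk, the extension filter (.sys/.dll/.exe), the "sha1  md5  path" report format and the sample directory it builds (a file named catchme.sys containing the bytes "abc", constructed here only so the script runs offline) are all assumptions of this example, not something the thread specifies.

```python
import hashlib
import os
import tempfile

# Hash in 1 MiB pieces so a large driver or DLL never has to be loaded whole.
CHUNK = 1024 * 1024


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hex digest} for one file, reading it in chunks.

    MD5 and SHA1 are what the older search sites and fciv produce; SHA256 is
    included because newer lookup services key on it.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_tree(root, suffixes=(".sys", ".dll", ".exe")):
    """Hash every file under root whose name ends in one of suffixes.

    Files that cannot be opened (locked by the OS, permission denied) are
    skipped rather than aborting the whole run; they are returned separately
    so the gaps are visible instead of silently missing.
    """
    results, skipped = {}, []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                try:
                    results[full] = hash_file(full)
                except OSError:
                    skipped.append(full)
    return results, skipped


def report_lines(results):
    """One line per file, 'sha1  md5  path', ready to paste into a mail or a search box."""
    return [f"{d['sha1']}  {d['md5']}  {path}" for path, d in sorted(results.items())]


def make_sample_dir():
    """Constructed sample input: a temp dir holding a fake 'catchme.sys' with the bytes b'abc'.

    This is test data for the example only; it is not a real driver and its
    hashes carry no meaning beyond being the well-known 'abc' test vectors.
    """
    root = tempfile.mkdtemp(prefix="hashdemo_")
    with open(os.path.join(root, "catchme.sys"), "wb") as fh:
        fh.write(b"abc")
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"not hashed: wrong extension")
    return root


if __name__ == "__main__":
    root = make_sample_dir()
    results, skipped = hash_tree(root)
    for line in report_lines(results):
        print(line)
    for path in skipped:
        print(f"SKIPPED (could not read): {path}")
```

Point it at the directory the suspect driver lives in (for a Non-PnP driver, usually the system's drivers folder) and paste the resulting lines into the search page or the list mail. One caveat worth keeping in mind when a rootkit is the suspicion: a kernel-mode rootkit can hide its file from, or hand a clean copy to, any tool running on the infected system, so hashes taken from a clean boot (or from the disk mounted under another OS) are the trustworthy ones.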
