Crash Monitor


Crash Monitor

by martin-11

Hello list,

My wife is using Win 2000 + MS Office to write her thesis. Of course
there are also such important tools as Skype, ICQ ... etc. (you
know ...). By now this PC is crashing daily. I don't know
why. Is it possible to detect the crashing application? Do you know some
tool (something like DrWatson)? The PC is patched, Event Viewer shows
nothing.
The most probable case is: ca. 1 hour after login the PC hangs,
independently of the running applications. After a restart it works normally.

Thank you in advance

Martin




Re: Crash Monitor

by infolookup

Virus protection up to date? Any P2P software like LimeWire that could bring in tons of problems? Did you recently add any new software or hardware? Also go to the Microsoft site and download a rootkit program and scan your PC.

Re: Crash Monitor

by Geoffrey Gowey

Try looking in your event log.


RE: Crash Monitor

by Rivest, Philippe-2

To add to the previous post.

If you are going to look for rootkits I would suggest formatting and
re-installing. If you suspect you have a rootkit on your PC there's no need
to identify it or KNOW you have one. Just do a full format & reinstall.

If you have a rootkit, there's no complete way to remove it. I mean to know
100% that everything critical is removed. The time you are going to spend
investigating this, cleaning it and worrying about the after effects would be
better spent reinstalling.

For all those who are going to hit me with "you should know if there's a
rootkit", this is a standalone PC, not corporate, and the expertise and time
may be lacking. Also the level of sensitivity of the PC is probably very low.


Format and move on


Merci / Thanks
Philippe Rivest, CEH
Internal Information Security Auditor
Email: Privest@...
Phone: (514) 331-4417
www.transforce.ca



RE: Crash Monitor

by Scott Race


Philippe, your proposed solution is like demolishing your house and rebuilding because you think you "might" have termites.

I beg to differ that home PC data is less important than corporate data. Home PC data is very important to that home user. If you assume "expertise is lacking", then a format/reinstall could easily result in data loss (family pictures, financial info, etc).

Bottom line is that if expertise is lacking, the user should find someone who knows what they're doing and check out how severe it is.  

And what if there is no rootkit?  You can at least get an idea of the risk factor by using the various tools of the trade (search and destroy products, netstat for listening ports, software firewall to check for incoming/outgoing connections, task mgr for running processes, etc).

To me, format and reinstall would be a better solution for a corporate PC, as generally data is stored on file servers and not on the local machine, thus there is little risk of a format losing sensitive data (of course this varies from network to network).  Home PCs generally have lots of data on them, and are generally not backed up.  

Case in point, my father-in-law just called Dell with a problem (he's an older guy), Dell ended up having him format the drive.  He had burned his data to a CD a few days before, but guess what, the CD didn't burn correctly (and he's a home user, he didn't test it).  DATA LOSS.  Sucks for him, all his Quicken data and family pics are gone.

Format should be a last resort.  Yes, it works, but there are other things to try first to get an idea of what solution is necessary.  


Scott


RE: Crash Monitor -- rootkit discussion

by Rivest, Philippe-2

First off, the first post seemed to be able to format. In the case he can't,
he would still have to get someone who can (which is a lot easier than
someone who can investigate and remove rootkits).

All I wanted to say (I knew I would get hit by this) is that if you are
investigating for the possibility of a rootkit, you must have some serious
doubt about the security of your PC. At that point it would be faster and
safer to format it and reinstall.

Yes, backups can screw up, you can not do them or forget. But again... this
would be the issue if you find the rootkit and can't remove it. Save your
files to the D drive, format the C, do an external backup.

As for the house & termite, your example is flawed. As you can be sure that
there is no termite left. You can't really be sure for rootkits.



Merci / Thanks
Philippe Rivest, CEH
Internal Information Security Auditor
Email: Privest@...
Phone: (514) 331-4417
www.transforce.ca



RE: Crash Monitor -- rootkit discussion

by kawasaki.lector

"Win 2000" suggests this is an older computer, then I read "ca. 1 hour after
login hanging this PC up"....
My first suspicions tend toward a hardware problem....

You sure the years' layers of dust (viz., "dust bunnies") aren't just
causing the motherboard/CPU to overheat?...  Formatting the hard drive
wouldn't help that....



Re[2]: Crash Monitor -- rootkit discussion

by Adam Pal

Hi

Well, concerning the crash issue:
As mentioned in the list, check your logs (run compmgmt.msc and go to
the event log); there you will 100% find some hints on what caused the
crash. Usually it can be some driver issue and/or the registry fscked up.

As for the rootkit issue:
If, and only if, you are sure to be infected
(http://www.windowsreference.com/security/list-of-free-anti-rootkitrootkit-detection-software-for-windows/),
a clean reinstall is the only possibility to get rid of it; if
a forensic investigation is needed, better let someone qualified do
it.
Actually, you can be pretty sure for rootkits, Philippe, but it's messy
since you need some tools like Helix offers and compare the valid and
actual output of the commands.
If I'd write a Windows rootkit, I would try to compromise services
which can reveal its presence, such as msinfo.msc, Task Manager,
tasklist, clean the event log, etc...

--
Best regards,
 Adam Pal  
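
The comparison of "valid" and "actual" command output that Adam describes, as an added example that is not part of any poster's message: a Python script that diffs a process listing taken with the suspect machine's own binaries against one taken with known-good tools from read-only media, then flags listening ports whose owning PID the live view does not show. It assumes listings in the `tasklist /FO CSV` and `netstat -ano` formats; every process name, PID and port in the samples is constructed.

```python
import csv
import io

# Constructed sample: process list from the suspect system's own tasklist
# (the "actual" view, which a rootkit may be filtering).
LIVE_TASKLIST = '''\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"System","8","Console","0","212 K"
"winlogon.exe","172","Console","0","2,904 K"
"svchost.exe","420","Console","0","3,480 K"
"explorer.exe","1040","Console","0","9,112 K"
"WINWORD.EXE","1312","Console","0","24,580 K"
"cmd.exe","1420","Console","0","1,020 K"
'''

# Constructed sample: same listing taken with trusted binaries run from
# read-only media (the "valid" view). PID 1508 appears only here.
TRUSTED_TASKLIST = '''\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"System","8","Console","0","212 K"
"winlogon.exe","172","Console","0","2,904 K"
"svchost.exe","420","Console","0","3,480 K"
"explorer.exe","1040","Console","0","9,112 K"
"WINWORD.EXE","1312","Console","0","24,580 K"
"svchelper.exe","1508","Console","0","1,776 K"
'''

# Constructed sample: `netstat -ano` output taken with the trusted binary.
TRUSTED_NETSTAT = '''\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       420
  TCP    0.0.0.0:50123          0.0.0.0:0              LISTENING       1508
  TCP    192.168.1.20:1045      192.168.1.1:80         ESTABLISHED     1040
  UDP    0.0.0.0:500            *:*                                    420
'''


def parse_tasklist(csv_text):
    """Return {pid: image_name} from `tasklist /FO CSV` output."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {int(row["PID"]): row["Image Name"] for row in rows}


def parse_listeners(netstat_text):
    """Return [(proto, local_address, pid)] for TCP listeners and bound UDP ports."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            listeners.append((fields[0], fields[1], int(fields[4])))
        elif len(fields) == 4 and fields[0] == "UDP":  # UDP rows have no State column
            listeners.append((fields[0], fields[1], int(fields[3])))
    return listeners


def cross_view(live, trusted):
    """Diff the two process views.

    hidden    - seen by the trusted tool but absent from the live view
    only_live - seen only in the live view (usually a process that exited
                between the two snapshots)
    renamed   - same PID reported under different image names
    A difference is a lead to investigate, not proof: processes start and
    stop between snapshots, so repeat the capture before concluding anything.
    """
    hidden = {pid: name for pid, name in trusted.items() if pid not in live}
    only_live = {pid: name for pid, name in live.items() if pid not in trusted}
    renamed = {
        pid: (live[pid], trusted[pid])
        for pid in live.keys() & trusted.keys()
        if live[pid].lower() != trusted[pid].lower()
    }
    return {"hidden": hidden, "only_live": only_live, "renamed": renamed}


def orphan_listeners(listeners, live):
    """Listening sockets whose owning PID the live process view does not show."""
    return [entry for entry in listeners if entry[2] not in live]


if __name__ == "__main__":
    live = parse_tasklist(LIVE_TASKLIST)
    trusted = parse_tasklist(TRUSTED_TASKLIST)
    report = cross_view(live, trusted)
    for pid, name in sorted(report["hidden"].items()):
        print(f"hidden from live view: PID {pid} {name}")
    for pid, name in sorted(report["only_live"].items()):
        print(f"only in live view (check for snapshot race): PID {pid} {name}")
    for proto, local, pid in orphan_listeners(parse_listeners(TRUSTED_NETSTAT), live):
        print(f"listener without visible owner: {proto} {local} PID {pid}")
```
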


RE: Crash Monitor -- rootkit discussion

by Karl Lankford

Reading the description though, it is fine after a reboot when it crashes, suggesting heat is not an issue.

My guess would be hardware too, try and remove individual components to see if it still does it... bit time consuming at an hour's wait though!



Karl Lankford, MCSE
Systems Administrator
Kaspersky Lab UK

you could print this email..but it does take a long time to grow trees.

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of kawasaki.lector
Sent: 02 July 2008 21:51
To: 'Rivest, Philippe'; 'Scott Race'; infolookup@...; GremaGehan@...; listbounce@...; security-basics@...
Subject: RE: Crash Monitor -- rootkit discussion

"Win 2000" suggests this is an older computer, then I read "ca. 1 hour after
login hanging this PC up"....
My first suspicions tend toward hardware problem....

You sure the years' layers of dust (viz., "dust bunnies") aren't just
causing the motherboard/CPU to overheat?...  Formatting the harddrive
wouldn't help that....


-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of Rivest, Philippe
Sent: Wednesday, July 2, 2008 16:10
To: Scott Race; infolookup@...; GremaGehan@...;
listbounce@...; security-basics@...
Subject: RE: Crash Monitor -- rootkit discussion

First off, the first post seemed to be able to format. In the case he can't,
he would still have to get someone who can (which is a lot easier then
someone who can investigate and remove root kits).

All I wanted to say (I knew I would get hit by this) is that if you are
investigating for the possibility of a rootkit, you must have some serious
doubt about the security of your pc. At that point it would be faster and
safer to format it and reinstall.

Yes backup can screw up, you can not do them or forget. But again.. this
would be the issue if you find the root kit and cant remove it. Save your
files to the D drive format the C, do an external backup.

As for the house & termite, your example is flawed. As you can be sure that
there is no termite left. You can't really be sure for root kits.



Merci / Thanks
Philippe Rivest, CEH
Vérificateur interne en sécurité de l'information
Courriel: Privest@...
Téléphone: (514) 331-4417
www.transforce.ca


-----Message d'origine-----
De : Scott Race [mailto:srace@...] Envoyé : 2 juillet 2008 15:56 À :
Rivest, Philippe; infolookup@...; GremaGehan@...;
listbounce@...; security-basics@... Objet : RE:
Crash Monitor


Philippe, your proposed solution is like demolishing your house and
rebuilding because you think you "might" have termites.

I beg to differ than home PC data is less important than corporate data.
Home PC data is very important to that home user. If you assume "expertise
is
lacking", then a format/reinstall could easily result in data loss (family
pictures, financial info, etc).

Bottom line is that if expertise is lacking, the user should find someone
who
knows what they're doing and check out how severe it is.

And what if there is no rootkit?  You can at least get an idea of the risk
factor by using the various tools of the trade (search and destroy products,
netstat for listening ports, software firewall to check for
incoming/outgoing connections, task mgr for running processes, etc).

To me, format and reinstall would be a better solution for a corporate PC,
as generally data is stored on file servers and not on the local machine,
thus there is little risk of a format losing sensitive data (of course this
varies from network to network).  Home PCs generally have lots of data on
them, and are generally not backed up.

Case in point, my father-in-law just called Dell with a problem (he's an
older guy), Dell ended up having him format the drive.  He had burned his
data to a CD a few days before, but guess what, the CD didn't burn correctly
(and he's a home user, he didn't test it).  DATA LOSS.  Sucks for him, all
his Quicken data and family pics are gone.

Format should be a last resort.  Yes, it works, but there are other things
to try first to get an idea of what solution is necessary.


Scott

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of Rivest, Philippe
Sent: Wednesday, July 02, 2008 12:22 PM
To: infolookup@...; GremaGehan@...; listbounce@...;
security-basics@...
Subject: RE: Crash Monitor

To add to the previous post.

If you are going to look for rootkits I would suggest formatting and
re-installing. If you suspect you have a root-kit on your PC there's no need
to identify it or KNOW you have one. Just do a full format & reinstall.

If you have a rootkit, there's no complete way to remove it. I mean to know
100% that everything critical is removed. The time you are going to spend
investigating this, cleaning it and worrying about the after effects would
be better spent reinstalling.

For all those who are going to hit me with "you should know if there's a
rootkit", this is a stand alone PC, not corporate and the expertise and time
may be lacking. Also the lvl of sensitivity of the PC is probably very low.


Format and move on


Merci / Thanks
Philippe Rivest, CEH
Internal Information Security Auditor
Email: Privest@...
Telephone: (514) 331-4417
www.transforce.ca


-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of
infolookup@...
Sent: July 2, 2008 15:13
To: GremaGehan@...; listbounce@...;
security-basics@...
Subject: Re: Crash Monitor

Virus protection up to date? Any P2P software like lime wire that could
bring in tons of problems? Did you recently add any new software or
hardware? Also go to Microsoft site and download a root kit program and scan
your pc.
------Original Message------
From: GremaGehan@...
Sender: listbounce@...
To: security-basics@...
Sent: Jul 2, 2008 2:20 PM
Subject: Crash Monitor

Hello list,

My wife is using Win 2000 + MS Office to write her thesis. Of course
there are also such important tools as Skype, ICQ ...... etc. (you
know ... ) By now this PC is crashing daily. I don't know
why. Is it possible to detect the crashing application? Do you know some
tool (something like DrWatson)? The PC is patched, Event Viewer shows
nothing.
The most probable case is: ca. 1 hour after login this PC hangs,
independently of running applications. After a restart it works normally.

Thank you in advance

Martin




RE: Crash Monitor

by martin-11

Uff uff,

actually, the box is reinstalled (XP), patched and protected by firewall
and AV. The new configuration is similar to the previous p2p-"decorations",
just in newer versions.
Now everything seems to be in order. (Probably we have all data
secured !!! )

My first suggestion was also hardware. But such a problem can't be removed
with a restart.

Some direct answers asked me about HW. In brief:
- capacitors around the CPU      OK
- CPU fan                        OK
- Memory                         ?? => to be checked
- HDD                            ?? => to be checked
         but I periodically do defragmentation
         after some crashes it was necessary to run CHKDSK
         but no errors were detected.

What audit tool would you suggest? (I have an old SUSE 9.0 install DVD
with memory-check software)
What about Auditor? (Linux [Knoppix?] bootable CD with some tools)

But now I try to ask more precisely:
Is it possible to monitor all Windows processes on a standalone
machine? It must be possible, but how? I'm searching for a tool like
FileMon, RegMon, which can give me some information about the actual
situation on my box (best way: a service which writes a logfile).

Thank you very much for all answers.

Have a nice day (I'm going to BACKUP our DATA!)


Martin

On Fri, 2008-07-04 at 14:58 +0530, Sumeet Narula wrote:

> Actually I do agree with him. In our experience, sometimes, especially where you can not definitely say where the problem lies, it's quicker and less heartburn to do so. I agree it may sound like demolishing a house and rebuilding because of termite but this is not on the same scale :-)
>
> Sumeet Narula
> A-25, | Preet Vihar | New Delhi - 110092 (India).
> Tel.: +91-11-22545159 | Mobile: +91-9810166000
> e-mail: sumeet.narula@...
>
>
> -----Original Message-----
> From: listbounce@... [mailto:listbounce@...] On Behalf Of Scott Race
> Sent: Thursday, July 03, 2008 01:26
> To: Rivest, Philippe; infolookup@...; GremaGehan@...; listbounce@...; security-basics@...
> Subject: RE: Crash Monitor
>
>
> Philippe, your proposed solution is like demolishing your house and rebuilding because you think you "might" have termites.
>
> I beg to differ that home PC data is less important than corporate data.  Home PC data is very important to that home user. If you assume "expertise is lacking", then a format/reinstall could easily result in data loss (family pictures, financial info, etc).
>
> Bottom line is that if expertise is lacking, the user should find someone who knows what they're doing and check out how severe it is.  
>
> And what if there is no rootkit?  You can at least get an idea of the risk factor by using the various tools of the trade (search and destroy products, netstat for listening ports, software firewall to check for incoming/outgoing connections, task mgr for running processes, etc).
>
> To me, format and reinstall would be a better solution for a corporate PC, as generally data is stored on file servers and not on the local machine, thus there is little risk of a format losing sensitive data (of course this varies from network to network).  Home PCs generally have lots of data on them, and are generally not backed up.  
>
> Case in point, my father-in-law just called Dell with a problem (he's an older guy), Dell ended up having him format the drive.  He had burned his data to a CD a few days before, but guess what, the CD didn't burn correctly (and he's a home user, he didn't test it).  DATA LOSS.  Sucks for him, all his Quicken data and family pics are gone.
>
> Format should be a last resort.  Yes, it works, but there are other things to try first to get an idea of what solution is necessary.  
>
>
> Scott
>
> -----Original Message-----
> From: listbounce@... [mailto:listbounce@...] On Behalf Of Rivest, Philippe
> Sent: Wednesday, July 02, 2008 12:22 PM
> To: infolookup@...; GremaGehan@...; listbounce@...; security-basics@...
> Subject: RE: Crash Monitor
>
> To add to the previous post.
>
> If you are going to look for rootkits I would suggest formatting and
> re-installing. If you suspect you have a root-kit on your PC there's no need
> to identify it or KNOW you have one. Just do a full format & reinstall.
>
> If you have a rootkit, there's no complete way to remove it. I mean to know
> 100% that everything critical is removed. The time you are going to spend
> investigating this, cleaning it and worrying about the after effects would be
> better spent reinstalling.
>
> For all those who are going to hit me with "you should know if there's a
> rootkit", this is a stand alone PC, not corporate and the expertise and time
> may be lacking. Also the lvl of sensitivity of the PC is probably very low.
>
>
> Format and move on
>
>
> Merci / Thanks
> Philippe Rivest, CEH
> Internal Information Security Auditor
> Email: Privest@...
> Telephone: (514) 331-4417
> www.transforce.ca
>
>
> -----Original Message-----
> From: listbounce@... [mailto:listbounce@...] On Behalf Of
> infolookup@...
> Sent: July 2, 2008 15:13
> To: GremaGehan@...; listbounce@...;
> security-basics@...
> Subject: Re: Crash Monitor
>
> Virus protection up to date? Any P2P software like lime wire that could bring
> in tons of problems? Did you recently add any new software or hardware? Also
> go to Microsoft site and download a root kit program and scan your pc.
> ------Original Message------
> From: GremaGehan@...
> Sender: listbounce@...
> To: security-basics@...
> Sent: Jul 2, 2008 2:20 PM
> Subject: Crash Monitor
>
> Hello list,
>
> My wife is using Win 2000 + MS Office to write her thesis. Of course
> there are also such important tools as Skype, ICQ ...... etc. (you
> know ... ) By now this PC is crashing daily. I don't know
> why. Is it possible to detect the crashing application? Do you know some
> tool (something like DrWatson)? The PC is patched, Event Viewer shows
> nothing.
> The most probable case is: ca. 1 hour after login this PC hangs,
> independently of running applications. After a restart it works normally.
>
> Thank you in advance
>
> Martin
>
>
>
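
An added example, not part of the original post: one way to get the process log asked about above is to poll `tasklist /FO CSV /NH`, diff consecutive snapshots, and append the changes to a file that is synced to disk on every pass, so the last entries written before a hang survive the reboot. The function names, the 50,000 KB growth threshold and the sample snapshots are assumptions made for illustration, and `tasklist` is assumed to be present on the machine.

```python
import csv, io, os, subprocess, time

def parse_tasklist(csv_text):
    """Parse `tasklist /FO CSV /NH` output into {pid: (image, mem_kb)}."""
    procs = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 5 or not row[1].isdigit():
            continue  # skip blank or malformed lines
        # Mem Usage is "41,880 K" (or "41.880 K" on other locales): keep digits
        mem_kb = int("".join(c for c in row[4] if c.isdigit()) or 0)
        procs[int(row[1])] = (row[0], mem_kb)
    return procs

def diff_snapshots(old, new, growth_kb=50000):
    """Events between two snapshots: starts, exits, large memory growth."""
    events = [f"START pid={p} image={new[p][0]}" for p in sorted(new.keys() - old.keys())]
    events += [f"EXIT  pid={p} image={old[p][0]}" for p in sorted(old.keys() - new.keys())]
    for pid in sorted(new.keys() & old.keys()):
        delta = new[pid][1] - old[pid][1]
        # Same PID with a different image means the PID was reused: not growth
        if old[pid][0] == new[pid][0] and delta >= growth_kb:
            events.append(f"GROW  pid={pid} image={new[pid][0]} +{delta}K")
    return events

def monitor(logfile, interval=30):
    """Poll tasklist forever, appending timestamped events to logfile."""
    prev = {}  # empty baseline: the first pass logs every running process
    with open(logfile, "a", encoding="utf-8") as log:
        while True:
            out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                                 capture_output=True, text=True).stdout
            cur = parse_tasklist(out)
            for ev in diff_snapshots(prev, cur):
                log.write(time.strftime("%Y-%m-%d %H:%M:%S ") + ev + "\n")
            log.flush()
            os.fsync(log.fileno())  # force to disk so entries survive a hang
            prev = cur
            time.sleep(interval)

# Constructed sample snapshots (not real output from the poster's machine)
SNAP_A = '''"System","4","Console","0","212 K"
"winword.exe","1320","Console","0","41,880 K"
"skype.exe","1788","Console","0","30,104 K"
'''
SNAP_B = '''"System","4","Console","0","212 K"
"winword.exe","1320","Console","0","101,880 K"
"icq.exe","2044","Console","0","18,500 K"
'''
if __name__ == "__main__":
    print("\n".join(diff_snapshots(parse_tasklist(SNAP_A), parse_tasklist(SNAP_B))))
```

After a crash, the tail of the logfile shows which processes started or grew sharply in the minutes before the machine stopped responding.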


Re: Crash Monitor

by Warner Tabor

You might want to take a look at a piece of software called  
EventSentry. I am currently using it to monitor several important  
servers. It is reading Tomcat logs, system events, etc and sending  
emails to me if certain events or log entries occur. It is also able  
to monitor services for start, stop actions. It is very robust, but  
the UI is a bit quirky. Still it is a great and powerful log / event  
monitoring package. http://www.eventsentry.com/

-SKip
On Jul 5, 2008, at 1:08 PM, Unknown wrote:

> Uff uff,
>
> actually, the box is reinstalled (XP), patched and protected by firewall
> and AV. The new configuration is similar to the previous p2p-"decorations",
> just in newer versions.
> Now everything seems to be in order. (Probably we have all data
> secured !!! )
>
> My first suggestion was also hardware. But such a problem can't be removed
> with a restart.
>
> Some direct answers asked me about HW. In brief:
> - capacitors around the CPU      OK
> - CPU fan                        OK
> - Memory                         ?? => to be checked
> - HDD                            ?? => to be checked
>         but I periodically do defragmentation
>         after some crashes it was necessary to run CHKDSK
>         but no errors were detected.
>
> What audit tool would you suggest? (I have an old SUSE 9.0 install DVD
> with memory-check software)
> What about Auditor? (Linux [Knoppix?] bootable CD with some tools)
>
> Bu