redirector help

Phliplip112

I need some help. I have this computer im trying to repair for someone. It redirects from search engine results. Also it crashes IE few seconds after you run it and Firefox crashes when it redirects. windows update doesn't work also.

Spybot, Malwarebytes, Nod32, AVG say its clean, CombFix tell sme there is a rootkit. I run Sophos anti-rootkit and it turns up nothing. Hijackthis has only windows services and anti-virus running. Host file is clean, I also uninstalled all firefox plug-ins and add-ons. Network settings for both browsers are correct.

At this point im thinking a clean install because im about to nerd rage.

Any ideas????

sambuca69

Phliplip112 wrote: »

I need some help. I have this computer im trying to repair for someone. It redirects from search engine results. Also it crashes IE few seconds after you run it and Firefox crashes when it redirects. windows update doesn't work also.

Spybot, Malwarebytes, Nod32, AVG say its clean, CombFix tell sme there is a rootkit. I run Sophos anti-rootkit and it turns up nothing. Hijackthis has only windows services and anti-virus running. Host file is clean, I also uninstalled all firefox plug-ins and add-ons. Network settings for both browsers are correct.

At this point im thinking a clean install because im about to nerd rage.

Any ideas????

A found rootkit has always been a format/reinstall for me. You can never really trust what is there even if it is "cleaned" in my opinion.

Phliplip112

Would a port scan show the port the rootkit is listening on for remote connections?

rogue2shadow

netstat -a is your best friend and maybe wireshark

I agree with sam. You can't tell that you're secure even after one is found.

tiersten

I agree with what sambuca69 said. Once your PC is this badly pwned then you can't be 100% certain it is clean again. The effort required to validate every single item on the system would be significantly more than wiping it clean and reinstalling.

tiersten

Phliplip112 wrote: »

Would a port scan show the port the rootkit is listening on for remote connections?

You're thinking of a botnet but even those don't generally accept incoming connections. They'll connect to a remote server either as a constant connection or periodically check a server. There have been both kinds. The remote server may be a dedicated malware C&C server or a completely legitimate server like Twitter which is hosting an account owned by the malware owners.

Noticing odd connections that are open are a sign that something needs to be looked as closely but it isn't an infallible sign that you've got malware running.

Phliplip112

Looking at the Nod32 log file shows denied connections either to or from address like zliden.info, gotdural.com, duralgot.com, ergoprotect.com, bnhgta.com qwwqww.in and 213.5.64.18.

Then it shows trojans it was using, JS/kryptic.L.gen win32/Olmarik.ACK

the IP is registered in the Netherlands..... interesting....


I told the lady I was gonna format re-install anyways

gosh1976

You could run TDSSKiller, MBRCheck and Root Repeal(32-bit only I think) to see what they have to say. Did you check to make sure the DNS settings are what they should be? or if the computer shows what you expect when you do a nslookup for google?

Phliplip112

I did check the DNS settings and then flushed the DNS. I didn't do nslookup though