redirector help
Phliplip112
Member Posts: 96
in Off-Topic
I need some help. I have this computer I'm trying to repair for someone. It redirects from search engine results. Also, it crashes IE a few seconds after you run it, and Firefox crashes when it redirects. Windows Update doesn't work either.
Spybot, Malwarebytes, Nod32 and AVG say it's clean; ComboFix tells me there is a rootkit. I ran Sophos Anti-Rootkit and it turned up nothing. HijackThis has only Windows services and anti-virus running. The hosts file is clean, and I also uninstalled all Firefox plug-ins and add-ons. Network settings for both browsers are correct.
At this point I'm thinking a clean install, because I'm about to nerd rage.
Any ideas????
Comments
-
sambuca69 Member Posts: 262
Phliplip112 wrote: » I need some help. I have this computer I'm trying to repair for someone. It redirects from search engine results. Also, it crashes IE a few seconds after you run it, and Firefox crashes when it redirects. Windows Update doesn't work either.
Spybot, Malwarebytes, Nod32 and AVG say it's clean; ComboFix tells me there is a rootkit. I ran Sophos Anti-Rootkit and it turned up nothing. HijackThis has only Windows services and anti-virus running. The hosts file is clean, and I also uninstalled all Firefox plug-ins and add-ons. Network settings for both browsers are correct.
At this point I'm thinking a clean install, because I'm about to nerd rage.
Any ideas????
A found rootkit has always been a format/reinstall for me. You can never really trust what is there even if it is "cleaned", in my opinion.
-
Phliplip112 Member Posts: 96
Would a port scan show the port the rootkit is listening on for remote connections?
-
rogue2shadow Member Posts: 1,501
netstat -a is your best friend, and maybe Wireshark.
I agree with sam. You can't tell that you're secure even after one is found.
-
tiersten Member Posts: 4,505
I agree with what sambuca69 said. Once your PC is this badly pwned then you can't be 100% certain it is clean again. The effort required to validate every single item on the system would be significantly more than wiping it clean and reinstalling.
-
tiersten Member Posts: 4,505
Phliplip112 wrote: » Would a port scan show the port the rootkit is listening on for remote connections?
Noticing odd open connections is a sign that something needs to be looked at closely, but it isn't an infallible sign that you've got malware running.
-
Phliplip112 Member Posts: 96
Looking at the Nod32 log file shows denied connections either to or from addresses like zliden.info, gotdural.com, duralgot.com, ergoprotect.com, bnhgta.com, qwwqww.in and 213.5.64.18.
Then it shows the trojans it was using: JS/kryptic.L.gen and win32/Olmarik.ACK.
The IP is registered in the Netherlands..... interesting....
I told the lady I was gonna format and re-install anyways.
-
gosh1976 Member Posts: 441
You could run TDSSKiller, MBRCheck and Root Repeal (32-bit only, I think) to see what they have to say. Did you check to make sure the DNS settings are what they should be? Or whether the computer shows what you expect when you do an nslookup for Google?
-
Phliplip112 Member Posts: 96
I did check the DNS settings and then flushed the DNS. I didn't do nslookup though.
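
Added example, not written by anyone in the thread: a Python triage of the netstat check suggested above, run over constructed `netstat -ano` output. The expected-port allowlist, the local network ranges and every address, port and PID in the sample are assumptions.

```python
import ipaddress

# Constructed `netstat -ano` output; addresses, ports and PIDs are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8085           0.0.0.0:0              LISTENING       2104
  TCP    [::]:135               [::]:0                 LISTENING       884
  TCP    127.0.0.1:5354         127.0.0.1:49160        ESTABLISHED     1600
  TCP    192.168.1.20:49211     203.0.113.45:80        ESTABLISHED     2104
  UDP    0.0.0.0:500            *:*                                    612
"""
EXPECTED_PORTS = {135, 445, 500}  # assumption: what this host should expose
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Split 'host:port' or '[v6]:port' into (host, port) strings.
def endpoint(text):
    host, _, port = text.rpartition(":")
    return host.strip("[]"), port

def parse_netstat(output):
    rows = []
    for line in output.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        (lhost, lport), (rhost, rport) = endpoint(f[1]), endpoint(f[2])
        rows.append({"proto": f[0], "lport": int(lport), "rhost": rhost, "rport": rport,
                     "state": f[3] if f[0] == "TCP" else "",  # UDP rows have no State
                     "pid": int(f[-1])})
    return rows

# Listening TCP sockets and bound UDP sockets on ports outside the allowlist.
def unexpected_listeners(rows, expected=EXPECTED_PORTS):
    return sorted({(r["proto"], r["lport"], r["pid"]) for r in rows
                   if (r["state"] == "LISTENING" or r["proto"] == "UDP")
                   and r["lport"] not in expected})

# Established connections whose remote end is outside the local ranges.
def external_connections(rows):
    est = [r for r in rows if r["state"] == "ESTABLISHED"]
    return [(r["rhost"], int(r["rport"]), r["pid"]) for r in est
            if not any(ipaddress.ip_address(r["rhost"]) in n for n in LOCAL_NETS)]
```

A rootkit can hide its own sockets from netstat on the infected machine, so an empty result here does not show the system is clean.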