Rootkit infection?


#1 Micheal B
Posted 06 May 2011 - 08:11 AM

I'm not entirely sure what happened here, but I am sure of how it started.

I was looking for pictures of fire, so I Googled up "inferno pic" and took a look at the image results. One of the first few showed a nice blaze with a bunch of lines drawn in it. At least that's what it looked like. Not sure what that was about, I clicked on it, and went to click the show full sized image button, only to get redirected. I'm not entirely sure what I was redirected to, or the exact wording of what came up next, because it resized my Firefox window to be about 1 inch square and centered in my screen. When I maximized it there was a command prompt trying to insist that I download Windows... something or another. It was obviously fake anti-malware software, so I clicked close tab instead. That didn't work, as it instead brought up another command prompt asking if I was sure I would like to navigate away from the page and insisting I download the fake anti-malware. So I hit Ctrl Alt Del, and End Process on Firefox, then opened it again and chose to start it without the problem tab.

That seemed to work fine, but not entirely convinced I started paying close attention to my computer. I noticed that sometimes when I clicked a link, it would open in IE rather than Firefox. That hasn't happened before, it isn't supposed to happen, and IE seems even slower and clunkier than it normally is. It also likes opening plugincontainer.exe at the same time, and for some reason just closing the window doesn't actually end the process on either of those, so I just started End Processing them immediately when they come up. It doesn't matter what the link actually is, just that it opens in the wrong browser and causes suspicious behavior. It does eventually open the correct link, without redirects, but I'm not too interested in trying it more to see if that will change.

I've also noticed my computer will sometimes open pages very slowly in Firefox. Doesn't matter what the pages actually are, just sometimes it takes 10-15 seconds or more to open something that should be instant or near instant. This could be coincidental... or not.

I haven't seen any more odd redirects, but I'm still suspicious. I haven't found anything though.

Malwarebytes detects nothing.
F-Secure Blacklight detects nothing.
RootkitRevealer shows various hidden files, most of which, based on the file name, pertain to either my AIM screenname or my Firefox cache, but I'm not sure if they mean anything or not. It doesn't definitively say if there is a problem or not. Just that it seems suspicious that there are a bunch of lines mentioning AIM, redirect, and my AIM screenname that are being detected due to not showing up with a very recent last updated time, and that are displayed because they don't show up in the Windows API or something. And that it also seems to have divided my cache by letter and number. I tried to check again to confirm the exact wording of the messages, but they aren't there anymore. Instead it just displays 10 discrepancies, instead of the 40-92 it was before, and the last two were "videobyapi" or something to that effect, identical except that one was tagged [1] and the other tagged [2], there was a half hour difference in last edited times, and one said it was hidden from the Windows API while the other said it was hidden from everything else but the Windows API. Unfortunately when I went to save the log, it immediately closed the program, and the log, or the other log I got that shows the other problems, says absolutely nothing. It's just a blank text document. I realize this isn't the place to post logs, but it'd be nice if I had something other than memory to quote the exact problem. Lastly, what it does and does not display seems to vary a lot. Even running the scan twice or more in immediate succession displays dramatically different results.
Finally, Sophos Anti-Rootkit previously showed a number of suspicious entries, but now only shows two.

I haven't deleted them or anything, they just vanished on their own. Not sure what's going on with them.
