Haxxors Help Request

Mize

3dfx Fan
Legend
Okay, so I've got this snazzy HP 8430 notebook that's great. Seems to run fine.
Security suite is ZoneAlarm (6.5 and now 7.0). The old ZA 6.5 used the CA AV engine and the new one uses Kaspersky 6.

Anyway, no issues on the computer...BUT! I have a SofaWare/Checkpoint firewall that logs my computer doing strange things...

- it stops Phishing signatures with its gateway antivirus originating from my machine (uses ClamAV) over port 80

- it occasionally stops an https connection originating from my computer to paypal/ebay - BUT I've NEVER SURFED there!

Regular scans with zonealarm find nothing. Spybot S&D finds nothing. Sophos Rootkit Detector finds nothing...

Created a Kaspersky rescue disk at home and running that scan now...

Any ideas?
 
Tried RootkitRevealer from Microsoft Sysinternals?

Also, for a comprehensive util that lets you see what actually starts up when you boot, try Autoruns (also from MS Sysinternals)

www.sysinternals.com

In autoruns, enable "verify signatures" in options and investigate everything without a signature.
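As an added illustration of the tip above (this is not something the poster wrote), the PowerShell script below does a cut-down version of what Autoruns does with "verify signatures": it reads the classic Run/RunOnce keys and flags any entry whose executable is missing or lacks a valid Authenticode signature. It only covers these four keys, so it is a starting point, not a replacement for Autoruns, which also checks services, drivers, browser add-ons and many other autostart locations.

```powershell
# Added example: flag Run/RunOnce autostart entries that are not validly signed.
# Run from an elevated prompt so the HKLM keys and all binaries are readable.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutablePath {
    param([string]$Command)
    # Registry values are command lines such as  "C:\Program Files\x\y.exe" /tray
    # or  C:\foo\bar.exe /arg ; pull out just the program path.
    if ($Command -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath etc.; those are not autostart values.
        if ($p.Name -like 'PS*') { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $p.Value))
        if (-not (Test-Path $exe)) {
            # A Run entry pointing at a file that no longer exists is worth a look too.
            Write-Output "MISSING   $key\$($p.Name) -> $exe"
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') {
            # NotSigned, HashMismatch, UnknownError ... all land here: investigate these.
            Write-Output "UNSIGNED  $key\$($p.Name) -> $exe ($($sig.Status))"
        } else {
            Write-Output "signed    $($sig.SignerCertificate.Subject) -> $exe"
        }
    }
}
```

Anything reported as UNSIGNED or MISSING is the equivalent of a blank "Publisher" column in Autoruns: not proof of malware, but the entries to look up first.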
 
RootkitRevealer is too plextor for me (it's up to the user to determine which is a valid hook/redirect).
I'll give sysinternals a shot.

Kaspersky found nothing after a 6 (SIX) hour scan.
 
- it occasionally stops an https connection originating from my computer to paypal/ebay - BUT I've NEVER SURFED there!
Many websites that have Paypal buttons (to donate or whatnot) load the image over a https link. It doesn't make any sense really. I can only assume that webmasters copy and paste this code from somewhere.
 
This is what I'm thinking now (but why oh why over https? That's a typical spyware tactic since most firewalls cannot inspect https), though it doesn't explain the supposed Phishing signatures on port 80 (usually destined for Google).

I ran the KAV boot scan (found one old trojan in an email archive) and then both sophos anti rootkit and spybot s&d from safe mode. Nothing from sophos but a few browser things in spybot. I'm going to put it back on the lan today and log all the packets for a day or so and also use that firefox anti-script plug-in that I use at home...
 
Try a-squared in safe mode and use HijackThis in regular Windows; see if you see any strange things running, especially oddly named add-ons attached to your browser. Chances are whatever it is, you won't be able to delete it unless you're in safe mode, so once you do find things, only do it there. It's my experience that many malware/spyware things duplicate themselves otherwise. HijackThis only reports what is currently running, so if you do see anything strange you can try removing it with that, or simply use it to identify the process and then do it manually in safe mode.

The stuff Spybot finds at the end of its detection is just garbage cookies, which are normal; if it finds any malware it does so about midway through. For the most part, something messing with your browser will be located in the C:\WINDOWS\system32 folder.
 