Maximum PC

I need a good rootkit scanner. Preferably, for free. I checked the FAQ's for one but only saw one specific type for hijacked browsers. I don't have that specific rootkit.

My symptoms:

1. search engine on both firefox and chrome are being changed to "yahoo" from "google". On firefox, after I used the browser one time, it figured out how to hide the option area where I could change the search engine. I couldn't find that area at all in IE (which is why I didn't include it), however, I figured they're just trying to get back to anti trust court again because they miss it so much. :p

2. random/nearly constant pc activity and slow page loading.
3. "high memory usage" errors from chrome

4. corrupt driver files -other files may also be suffering damage - I may simply not have discovered any yet.
5. setting changes - start up program changes - etc

yes, this sounds like virus activity but if it is, none of the free scanners can find it. I also ran anti malware bytes.

I'm going to reformat anyway in a week or so but I thought I'd give a rootkit scanner a shot just to see if it actually finds anything. I'd like to have a reliable tool for the next time this happens. it seems it's rather inevitable today. I'm extremely careful and still this happened. I have to say it rather p***es me off. a lot.

if theres anything to find..this will find it...http://support.kaspersky.com/faq/?qid=208283363 and get rid of it.

got it, ran it - found nothing.

so - then the question remains - what else could be causing all this? obviously windows itself has no power over third party browsers so at the very least, how is my search engine getting changed? it's not an addon. I disabled all of them.

When I have problems like this I run three apps:

Smitfraudfix, Combofix and Malwarebytes. Be sure you run them in that order in safe mode with networking and I think it will flush your system of wee beasties.


http://siri.geekstogo.com/SmitfraudFix.php

http://www.bleepingcomputer.com/downloa ... s/combofix

http://shop.malwarebytes.org/lpa/342/3/ ... 4AodqiWoAw

Be sure to download them in safe mode. The only one that installs is Malwarebytes....install it, update it and run it, get the free version of Malwarebytes....it works just fine. The rest are free, if you feel like donating to help the first two, please do. All these apps take time to run, be patient and let them do their magic.

Nasty

I already use anti malwarebytes - although, I've never run it in safe mode. Generally only do that if I have a specific cleaner to target a specific piece of malware. It's been so long since I had to run anything in safe mode, I'm not sure I remember how... :p

f8 during boot iirc. Unless there's some new way to do it in win 7.

I'll get on those other two tomorrow. Thanks.

Many viruses cannot run in safe mode and Malwarebytes does its best in Safe Mode after you update it, run it. Run the three pieces of software I suggested in the order I recommended and I think you will kill the little buggers.

Win 7 is the same F8. Choose Safe mode with networking.

Nasty

okee dokee.

thanks mate.

** I thought I posted this earlier but it must not have taken for some reason. I found a tool at - of all places, microsoft security that found a potential rootkit file. I think perhaps it just didn't know what the file was since it was in an older (circa 2005) game that wasn't terribly popular. The game was just installed recently (dumpster diving :p) so the only way this could actually be a rootkit would be if the file was on the disk itself. Certainly possible but it's unlikely it would cause all the malfunctions I listed. My search engine settings are still being changed to yahoo as well so I doubt there was anything to that file.

Another thing to try is this:http://www.freedrweb.com/cureit It does not install on your Computer per se, but scans from the outside. Great for those things that try to block installed scanners.

All that link does is take you to a commercial site to buy things.

Nasty

Damn, I'll see if I can fix that as that is NOT the link I intended.

UPDATE: something changed that thing, but it is right now.

So where is the link already...

Nasty

the link coastie posted goes to the proper site for me. Maybe you're getting a *cough* redirect. :p

Thought I'd try it just to see if I got the redirect as well. I won't have time to pick up with the continued troubleshooting until wednesday. I'll drop a note then or thursday and let ya'll know how they all went.

...no not redirected, just brain dead tonight ...arg!

Nasty

Hi,

I recommend EXTREME caution when running those 3 utilities as described above, I had to go back one restore point and go through a couple of hairy restarts and a shutdown before the system got back to normal.

Brad

Yah, I hear ya. That really goes for anything like that. Those programs don't always know if the file they've identified is actually malware or just a file they don't recognize. I don't see how they'd delete something that would prevent basic system operation though. In your case, I'd suspect a hardware malfunction.

I ran that webdoc on a lark overnight in it's emergency mode. I suspect that's like running it in safe mode as it freezes everything and basically locks you out of all pc functions while it runs. It again, found "suspect" files in older game files - one a demo for "starship tycoon". Very likely nothing there at all it just didn't recognize the file. It also found a couple of adaware files. This type of software always seems to like to identify competition as malware. :p

It did find a trojan file in the sims orgininal version. I don't know if there was anything to that or not. I originally had some errands planned today but a dead truck battery put those on hold. I may run those other three today in safe mode.

In my case, it doesn't matter if something goes awry as I planned on reformatting to get rid of the problem anyway.

I had time to do this since I was unable to run my errands today. I had issues with all of them except malwarebytes.

Smitfraud[b] - looped me to "localhost" - tried manually typing in address. tried disabling firewall and AV. tried downloading in regular mode. got redirected back to my own pc everytime. either malware is preventing this site from loading or there is some other issue.

[b]PcPerformer - I'm surprised you recommended this one after I saw what it was. It's the typical "Scam Scanner" - it claims to find a gazillion issues - doesn't tell you specifically what any of them are - then won't remove them until you pay for the software. I was very disappointed. It wouldn't even give me filepath names. I don't trust that one bit and it's getting removed.

malwarebytes found nothing in safe mode. I guess I'm back to a dead end no choice but to reformat.

I never recommended PcPerformer.

I recommended Combofix, Smitfraudfix and Malwarebytes and they were all to be run in safe mode with networking. I have no Idea what Pcperformer is. You must have pushed the wrong download button to get that one.

Nasty

ah, it's what came up when I clicked that second link. I guess it was supposed to be combofix. either I got redirected or the site got 'napped. Since I'm getting redirected back to myself for the other one, I suspect that whatever is on here is doing it. I guess that reformat is in my future. :p

Been copying files I don't already have backed up today. Not terribly sure how to copy and import my bookmarks back into chrome (from chrome). Nothing terribly important in there anyway. Maybe I'll figure it out.

* just tried combofix link again - it took me to the same page that it took me to the first time. When I hit the download link, it re-directed me to a crap site. Ironically, this time it was a different crap site than this morning. very strange... -- I did download and run everything in safe mode, btw. I also tried to download while not in safe mode when I couldn't get to them in safemode.

*** I used the mirror links this time for both smitfraud and combo fix and they both worked this time. again, very strange. I'm going to pop into safe mode and run them both now.

right okay - smitfraud didn't seem to find anything - although, I really couldn't understand what it was doing. I went to the root file and it had a list but it didn't say whether or not the files were infected or not. When I tried to clean (option 2) - nothing seemed to happen. Again, not sure as the program isn't very user friendly and doesn't tell you what it's doing.

combo fix - all I have to say about this is WTF??!!

first of all, in safe mode it tells me to disable avg - which is impossible in safe mode. there is no way to disable it. the only thing that comes up with avg is the ability to scan - you don't even have access to any other functions. so, I ran it in regular mode as it told me if I ran it with avg running it would futz the machine. well... it futzed the machine anyway.

it deleted pretty much every registry key for every program I had - all my browser keys - even windows system keys. I couldn't run anything. I was lucky as hell that the restore function even worked. Horribly user unfriendly - generated a huge "report" but didn't say what any of it meant - infected, not infected, suspicious - etc. junk. Christ, when are programmers going to learn to write stuff that someone other than them is able to understand and use? it IS the 21st friggin' century... I thought we got over this crap in the 90's...

As far as I can tell then, none of that helped. Just made things worse.



**I did a specific search for yahoo hijacking the search engine- don't know why I didn't think of that before. I found TONS of posts with people having the same issue but not a single solution. everyone points to the usual suspects - run anti malware, run Ccleaner, check your settings, disable addons - etc.

One post claimed that if there are any yahoo cookies on your machine at all - that it will eventually take over everything. Sounds to me like someone needs to go to anti trust court. Did microsoft buy yahoo? I notice it tends to return the exact same junk that their new craptastic bing engine returns.

I found a yahoo update tool in my programs and got rid of it. I have my fingers crossed. :p

Every machine I have ever run those three apps it got all viruses cleaned without touching windows at all. Don't know why they wouldn't work on your machine. Sorry they didn't help out.

When you reformat the drive, fix the master boot record before you format, or whatever virus wrote itself there will write itself back to windows when you load it. If in fact a virus wrote itself there, I don't take chances myself and fix it anyway.

Nasty