You could check at the IP level on a box that's not the compromised machine. Just launch a sniffer, make sure you're on a network that can see the traffic, and see where the actual download is going to. Then compare that to where it should be going to. I bet a rootkit is redirecting your downloads and just serving malware from that new location. I would be interested in knowing if that were true.
Thanks,
------------------------------------------
Ali Mesdaq (CISSP, GIAC-GREM)
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
------------------------------------------

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of FORC5
Sent: Monday, February 11, 2008 2:28 PM
To: [email protected]
Subject: Re: [H] Symantec AV went NUTS ?

Good idea; nothing in hosts except 127.0.0.1 localhost, and all others show nothing suspicious. Think I will do a rootkit scan for grins.
fp

At 11:07 AM 2/11/2008, Mesdaq, Ali Poked the stick with:
>Check your host file c:\windows\drivers\etc\hosts or check which IP
>you're connecting to for downloads. You might have had a trojan mess with
>your DNS settings. This could happen in the host file or at a lower
>level, which will be harder to detect.
>
>Thanks,

--
Tallyho ! ]:8)
Taglines below !
--
Take the bull by the hand, and don't mix metaphors.
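As an added example (not code from this thread or from either poster), here is a small Python script that mechanizes the two checks Ali suggests: inspecting the hosts file for entries that pin a vendor or update domain to a non-loopback address, and comparing where downloads actually went (destination IP plus hostname, as captured by a sniffer on a separate machine) against the addresses the name should resolve to. The hosts-file content, the hostnames and the IP addresses are all constructed placeholders; `liveupdate.example.com` stands in for whatever update host is really in use, and the expected-network table would be filled in from a known-good resolver.

```python
import ipaddress

# Addresses a clean hosts file normally maps names to (loopback only).
LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Parse hosts-file text into a list of (ip, hostname) tuples.

    Strips comments and blank lines, accepts several hostnames per line,
    and skips lines whose first field is not a valid IPv4/IPv6 address.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((ip, host.lower()))
    return entries


def suspicious_hosts_entries(entries, watched_domains):
    """Return entries that pin a watched domain (or any subdomain of it)
    to a non-loopback address. A clean file, like the one described in
    the thread, has only localhost-style lines; anything else for an
    update or vendor domain deserves a look."""
    flagged = []
    for ip, host in entries:
        if ip in LOOPBACK:
            continue
        for dom in watched_domains:
            dom = dom.lower()
            if host == dom or host.endswith("." + dom):
                flagged.append((ip, host))
                break
    return flagged


def mismatched_downloads(observed, expected):
    """Compare where downloads actually went against where they should go.

    observed: list of (hostname, destination_ip) pairs, e.g. Host header
              plus packet destination from a sniffer on another box.
    expected: dict hostname -> list of CIDR networks the name should
              resolve into, populated from a known-good resolver.
    Returns the (hostname, destination_ip) pairs outside every expected
    network; hostnames with no expectation at all are flagged too.
    """
    nets = {h.lower(): [ipaddress.ip_network(n) for n in cidrs]
            for h, cidrs in expected.items()}
    bad = []
    for host, dst in observed:
        addr = ipaddress.ip_address(dst)
        allowed = nets.get(host.lower(), [])
        if not any(addr in net for net in allowed):
            bad.append((host, dst))
    return bad


# --- constructed sample data (not from the thread) ---
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.7     liveupdate.example.com   # constructed rogue entry
"""

# Placeholder update host; all addresses are documentation ranges.
EXPECTED = {"liveupdate.example.com": ["198.51.100.0/24"]}
OBSERVED = [
    ("liveupdate.example.com", "198.51.100.20"),  # where it should go
    ("liveupdate.example.com", "203.0.113.7"),    # redirected download
    ("cdn.example.net", "192.0.2.9"),             # no expectation on file
]

if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for ip, host in suspicious_hosts_entries(entries, ["example.com"]):
        print(f"hosts file pins {host} -> {ip}")
    for host, dst in mismatched_downloads(OBSERVED, EXPECTED):
        print(f"download for {host} went to {dst}, not an expected address")
```

Running it against real data means reading the machine's hosts file from a clean boot medium (so a kernel-level hook cannot hide entries) and feeding the sniffer's observations from the separate box, which is the point of Ali's suggestion: the comparison is only trustworthy when neither input comes from the suspect host's own view of the network.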
