gmail
optemist, 2012-02-01 21:17:52

How to find a rootkit on your own computer?

This was 4 days ago. When I got home, I glanced at my wife's computer and there, in red on white, Gmail was warning me about a change of my account password. I immediately stepped in and changed the password back, turned on two-factor authentication and at the same time looked at the IP sessions: 189.33.44.246 was showing there. I didn't bother tracing the source; it makes no difference, without an anonymizer or a proxy nobody gets anywhere these days. Instead, I checked the mail on my phone, and it treacherously reported an incorrect password on my main account as well. I tensed up and rushed to the hospital at a gallop. I restored the password on my account via SMS; they had connected to it from 212.156.58.182. The work Gmail account was gone too, and I only managed to get it back today. They also changed my passwords and drained my bitcoins from MtGox, deepbit.net and Slush's pool.
At the moment, all 3 computers have been scanned for malware: 2 with McAfee and 1 with NOD32, plus RootkitRevealer, Sophos Anti-Rootkit and TDSSKiller. The result is nil.
Before the attack, not a single computer was run without an antivirus; all the passwords on my accounts were no shorter than 10 characters, with letters and numbers (so I rule out a dictionary brute force), and all different. For my laptop and desktop I can say that all downloaded files were scanned for viruses before being opened, and sites of dubious content were not visited. Antivirus exclusions checked: none.
I rule out the phone. I never logged into my work account or the pools from it.
Something suspicious: on my wife's computer, in the Firefox folder, a 500 MB folder named dumbva0z with an SQL database was found. But not a single antivirus or other scanner reacts to it.
What do you advise?
Thank you all in advance!
PS: Whoever read all of this, well done!
I never let the browser remember important passwords; I keep all passwords in my head.
PPS: Turn on two-factor authentication.
My wife has nothing to do with it; she knows nothing about the subject (bitcoin)!
UPD: Many thanks to everyone for the help, rays of good to you all! I'll just reinstall my systems and be more careful from now on.


8 answer(s)
osby, 2012-02-01
@osby

Perhaps this is not a rootkit, but someone is intercepting your traffic. Check whether the MAC address of your gateway in the ARP cache is the correct one.
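
The check osby suggests can be scripted so it is repeatable on every machine in the house. The following is an added example, not code from osby or from anyone else in this thread: it parses the text output of `arp -a` (Windows) or `arp -n` / `ip neigh` (Linux), compares the gateway's cached MAC against a known-good value that you are assumed to have recorded yourself (for example from the router's label), and flags any single MAC that claims more than one IP, which is the classic footprint of ARP poisoning. The sample listing embedded in the block is constructed for the demonstration; the gateway IP and expected MAC are placeholders you would replace with your own.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample of `arp -a` output (not captured from a real host):
# the gateway 192.168.1.1 has been poisoned to resolve to the MAC of the
# host at 192.168.1.77, so the same MAC now appears for two IP addresses.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.5 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-77     dynamic
  192.168.1.77          aa-bb-cc-dd-ee-77     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Matches "<ipv4> <mac>" pairs; MAC may use '-' (Windows) or ':' (Linux).
ENTRY_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})"
)


def normalize_mac(mac):
    """Lower-case, colon-separated form so Windows and Linux output compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: mac} parsed from arp -a / arp -n / ip neigh style output."""
    table = {}
    for line in text.splitlines():
        match = ENTRY_RE.search(line)
        if match:
            table[match.group(1)] = normalize_mac(match.group(2))
    return table


def is_special_mac(mac):
    """Broadcast and multicast MACs legitimately map to many IPs; skip them."""
    first_octet = int(mac.split(":")[0], 16)
    return mac == "ff:ff:ff:ff:ff:ff" or (first_octet & 1) == 1


def check_arp_table(text, gateway_ip, expected_gateway_mac):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    table = parse_arp_table(text)
    findings = []

    # Check 1: does the gateway resolve to the MAC we recorded as correct?
    expected = normalize_mac(expected_gateway_mac)
    actual = table.get(gateway_ip)
    if actual is None:
        findings.append(f"gateway {gateway_ip} absent from ARP cache")
    elif actual != expected:
        findings.append(
            f"gateway {gateway_ip} MAC is {actual}, expected {expected}"
        )

    # Check 2: one unicast MAC answering for several IPs is a poisoning sign.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if not is_special_mac(mac):
            by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(
                f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}"
            )
    return findings


def live_arp_output():
    """Read the real cache; `arp -a` exists on both Windows and most Unix hosts."""
    return subprocess.check_output(["arp", "-a"], text=True)


if __name__ == "__main__":
    # Placeholder values: replace with your own gateway IP and its known-good MAC.
    for finding in check_arp_table(SAMPLE_ARP_OUTPUT, "192.168.1.1", "00-11-22-33-44-55"):
        print("WARNING:", finding)
```

To run it against a real machine, pass `live_arp_output()` instead of the sample text. A mismatch found once is only a lead, not proof: a replaced router or a DHCP change can also alter the gateway MAC, so confirm the expected value out of band before concluding the segment is being poisoned.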

Evengard, 2012-02-01
@Evengard

Have you tried CureIt?

m08pvv, 2012-02-01
@m08pvv

There is a possibility that the malware quietly did its job and silently left.

Rafael Osipov, 2012-02-01
@Rafael

Try Spybot Search & Destroy.
After installation, update all databases and run a full scan.

nerudo, 2012-02-01
@nerudo

Have you tried booting from a LiveCD to check?

LightKeeper, 2012-02-02
@LightKeeper

Most likely the attack is not a network one. Authentication in Gmail happens over HTTPS; if there had been interference with it, the browser would have screamed loudly about it. Judging by the fact that other passwords were leaked as well, this is something local, and it can be simple (for example, a homemade keylogger that sends keystroke logs by email, or a browser plug-in); of course, antiviruses will not find it for you if the attack was aimed specifically at you.

mx2000, 2012-02-02
@mx2000

1. Buy your wife a second computer, or give her a separate system in a VM.
2. As far as I understand, Windows is in use. Keep critical stuff on a computer running, for example, FreeBSD :)
3. Set up a personal gateway to your mail; then it becomes almost impossible to steal the passwords of the real mail accounts.

Perkov, 2012-02-02
@Perkov

Is Punto Switcher installed?
