[personal profile] theweaselking
Here's a stumper: Windows XP machine. Whenever any browser has "windowsupdate" in the URL, it returns a connection error. Immediately. Like, Google works, but search for that string and boom.

Browser doesn't matter, position of the string in the URL doesn't matter. The two words are allowed separately, but the single string "windowsupdate" causes IMMEDIATE "connection to server was reset" messages.

This pretty obviously is malware, but it's not showing in HijackThis, not even in safe mode, and I can't find anything else. Rootkit, sure, but I have never heard of one doing THIS. How can you stop just the URL handlers for different browsers, when it's not even DNS or hosts?

It's actually pretty cool.

PS: Running sfc now, will see what it comes up with - but I suspect "bare metal reinstall" is the fastest and best solution.

EDIT: Yeah, now that I have a real keyboard and am not googling from my phone: Looks like there's a couple of rootkits that cause this behaviour. Neat!

EDIT2: Yeah, TDL3. Fuck THAT.

EDIT3: and [livejournal.com profile] fuster_cluck saves the day with a link to a TDL3 fixer. Run a fixer and reboot = even faster than bare metal reinstall.
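The reasoning in the post (the string is blocked no matter which browser, which host, or where in the URL it sits, so the filter must be below the browser and not in DNS or the hosts file) can be turned into a quick probe. The script below is an added example, not something from the original post or from any of the commenters' tools. It hand-writes a bare HTTP/1.0 request over a raw TCP socket, so the browser is out of the picture, and sends the same request three ways: a neutral path, the joined string, and the two words separated. Because name resolution is done as a separate step, a hosts/DNS block shows up as a resolution failure rather than a reset. The host name `example.com` and the query parameter `q` are assumed placeholders; run it on the suspect machine, not from a clean one.

```python
"""Probe whether a web server is reachable when the request path does or
does not contain a given substring, to tell a content-keyed connection
reset (as described for "windowsupdate") apart from a DNS/hosts block.
Added example; not the original post's code. example.com is an assumed
placeholder host."""
import socket


def build_request(host, path):
    """Minimal HTTP/1.0 GET so the probe does not depend on any browser."""
    return (f"GET {path} HTTP/1.0\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def tcp_send(host, data, port=80, timeout=5):
    """Send data over a fresh TCP connection and return an outcome label.
    Resolution is done first so a DNS/hosts failure is reported on its own."""
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror:
        return "dns_fail"
    try:
        with socket.create_connection((addr, port), timeout=timeout) as s:
            s.sendall(data)
            reply = s.recv(64)
        return "ok" if reply else "closed"
    except ConnectionResetError:      # what the browser shows as "reset"
        return "reset"
    except OSError:                   # timeouts, refused, unreachable
        return "error"


def probe(host, needle, split_form, send=tcp_send):
    """Send three requests that differ only in the query string.
    `needle` is the suspect substring (e.g. "windowsupdate"); `split_form`
    is the same text broken apart (e.g. "windows+update"). `send` is
    injectable so the decision logic can be exercised without a network."""
    paths = {
        "control": "/?q=plain",
        "joined": f"/?q={needle}",
        "split": f"/?q={split_form}",
    }
    return {label: send(host, build_request(host, path))
            for label, path in paths.items()}


def classify(results):
    """Map the three outcomes to a verdict about where the block lives."""
    if results["control"] == "dns_fail":
        return "dns_or_hosts"        # name never resolved: hosts file / DNS
    if results["control"] != "ok":
        return "host_blocked"        # nothing gets through, string irrelevant
    if results["joined"] == "reset" and results["split"] == "ok":
        return "string_filter"       # only the joined string dies: filter below the browser
    if results["joined"] == "ok":
        return "clean"
    return "inconclusive"


if __name__ == "__main__":
    r = probe("example.com", "windowsupdate", "windows+update")
    print(r, "->", classify(r))
```

A "string_filter" verdict is consistent with what the thread settles on: something in the machine's network path is matching on the request bytes, which the hosts file cannot do. A "dns_or_hosts" verdict means look at the hosts file and resolver first; "host_blocked" means the test host itself is unreachable and tells you nothing about the string.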

(no subject)

Date: 2011-01-04 07:35 pm (UTC)
From: [identity profile] pappy-legba.livejournal.com
Oh... you checked hosts. You coulda said earlier.

On a side note, Safe mode hasn't been safe from rootkits for several years now. I remember the first time I booted a computer into safe mode and the task manager was still hijacked... quite unnerving.

(no subject)

Date: 2011-01-04 07:49 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
I was gonna say - hosts file won't affect "google.com?search=windowsupdate".

(no subject)

Date: 2011-01-04 08:34 pm (UTC)
From: [identity profile] anivair.livejournal.com
Drat, that was my best guess, too. But I am not a Windows guy.

(no subject)

Date: 2011-01-04 10:14 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
Also: Safe Mode showed rootkits at any point? The whole point of a rootkit is to hide from the OS by modifying the OS, and Safe Mode is just "run the OS and not non-OS stuff".

(no subject)

Date: 2011-01-04 10:55 pm (UTC)
From: [identity profile] pappy-legba.livejournal.com
There was a time when safemode would cripple rootkit functionality, yes. Older 'kits seemed to be more reliant on accessory programs, particularly for self-protection. That seems to be much less the case with modern ones, where safemode has about a 50/50 shot to be helpful at all.

(no subject)

Date: 2011-01-04 07:43 pm (UTC)
From: [identity profile] kakkoi-hakujin.livejournal.com
It's probably conficker or some variant thereof. I had a similar problem with my old XP lappy until I took a baseball bat to it.

(no subject)

Date: 2011-01-04 08:36 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
TDL3. And, frankly, fuck fixing THAT, especially on a Pentium D with 768MB of RAM. Bare metal reinstall is more reliable and the hardware isn't better than the spare machine, so I'm moving the dude's data to a new PC.
(deleted comment)

Re: fix your tdl3 quick.....

Date: 2011-01-04 08:57 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
Hey, sweet. I'll take a look at that.

Re: fix your tdl3 quick.....

Date: 2011-01-04 09:03 pm (UTC)
From: [identity profile] fuster-cluck.livejournal.com
been doing AV cleanup and dissection for over 8 years :)

Should fix your wagon... hold onto that PM I sent you too, will make your life much easier.

Re: fix your tdl3 quick.....

Date: 2011-01-04 09:53 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
Worked like a charm. But I see you deleted the comment - is that not supposed to be a public link?

Re: fix your tdl3 quick.....

Date: 2011-01-04 10:00 pm (UTC)
From: [identity profile] fuster-cluck.livejournal.com
Ah, removed it in the event a spiderbot went a-trollin' because your page is open to all. Definitely hold onto the information, and don't be afraid to share, however just didn't want it in a public forum for all to see.

Re: fix your tdl3 quick.....

Date: 2011-01-04 10:01 pm (UTC)
From: [identity profile] dilickjm.livejournal.com
Given that my last TDL3 cleanup involved me, a hex editor, and a LOT of cursing, I'm interested in an easy fix!

Re: fix your tdl3 quick.....

Date: 2011-01-04 10:22 pm (UTC)
From: [identity profile] rbarclay.livejournal.com
Can you PM me the link? I do work for a national CERT, and we're always interested in removal tools (who knows, we might not have it in the arsenal yet ;) ).

Re: fix your tdl3 quick.....

Date: 2011-01-04 11:54 pm (UTC)
From: [identity profile] eididdy.livejournal.com
Could you PM that to me as well?

(no subject)

Date: 2011-01-04 09:53 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
Actually, I got a fix that worked like a charm.

(no subject)

Date: 2011-01-04 07:48 pm (UTC)
From: [identity profile] eididdy.livejournal.com
Had that happen on a neighbor's computer. I worked on it for a while, but once they got back their basic functionality, they told me I didn't have to figure out the rest. Never got to run RootkitRevealer to see if that was it, but that was the last suspect I had.

(no subject)

Date: 2011-01-05 01:43 am (UTC)
From: [personal profile] maelorin
Had something similar hide underneath one of those fake antivirus ransomware things on finance's computer.

Used the equivalent of an OS hammer to find it, followed by a car-crash of a car-chase to remove it. Every tool I tried just blithely returned "no problem here sir, move along".

Clean install was last resort due to lack of data backup ... [this has now been remedied].

I'm quite interested in the tool mentioned in posts here.
