This is just odd.
Jan. 4th, 2011 02:04 pm

Here's a stumper: Windows XP machine. Whenever any browser has "windowsupdate" in the URL, it returns a connection error. Immediately. Like, Google works, but search for that string and boom.
Browser doesn't matter, position of the string in the URL doesn't matter. The two words are allowed separately, but the single string "windowsupdate" causes IMMEDIATE "connection to server was reset" messages.
This pretty obviously is malware, but it's not showing in HijackThis, not even in safe mode, and I can't find anything else. Rootkit, sure, but I have never heard of one doing THIS. How can you stop just the URL handlers for different browsers, when it's not even DNS or hosts?
It's actually pretty cool.
PS: Running sfc now, will see what it comes up with - but I suspect "bare metal reinstall" is the fastest and best solution.
EDIT: Yeah, now that I have a real keyboard and am not googling from my phone: Looks like there's a couple of rootkits that cause this behaviour. Neat!
EDIT2: Yeah, TDL3. Fuck THAT.
EDIT3: and fuster_cluck saves the day with a link to a TDL3 fixer. Run a fixer and reboot = even faster than bare metal reinstall.
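The question in the post (how can a block key on one string in the URL when neither DNS nor the hosts file is involved?) is worth checking systematically rather than by hand in a browser. What follows is an added example, not code from the original post and not part of any TDL3 tool: it requests URLs from one fixed host and port that differ only in a probe token ("windows", "update", "windows-update", "windowsupdate"), so any difference in outcome between them can only come from something inspecting request content, since name resolution is identical for every probe. The server it runs against is a constructed stand-in that resets the TCP connection when the request bytes contain a keyword, there only so the script runs offline; the probe list, the function names, and the classification labels are assumptions of this example.

```python
import os
import socket
import struct
import threading


def start_filtering_server(blocked_keyword):
    """Constructed stand-in for the symptom described in the post: a tiny HTTP
    server that resets the connection whenever the raw request contains
    `blocked_keyword` (bytes) and answers 200 otherwise. On the real machine
    the filter was the rootkit on the host, not a remote server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
    srv.listen(16)
    host, port = srv.getsockname()
    # struct linger is two shorts on Windows, two ints elsewhere
    linger_rst = struct.pack("hh" if os.name == "nt" else "ii", 1, 0)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                  # listening socket closed
            with conn:
                request = conn.recv(4096)
                if blocked_keyword and blocked_keyword in request:
                    # SO_LINGER with a zero timeout makes close() send RST
                    # instead of FIN; the client sees "connection reset",
                    # the error the post reports.
                    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, linger_rst)
                    continue
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                             b"Connection: close\r\n\r\nok")

    threading.Thread(target=serve, daemon=True).start()
    return host, port


def probe(host, port, token, timeout=3.0):
    """Fetch a URL containing `token` from one fixed host and report 'ok',
    'reset', or an error class. Host and path are identical apart from the
    token, so DNS and the hosts file cannot explain differing results."""
    request = (f"GET /search?q={token} HTTP/1.1\r\n"
               f"Host: {host}\r\nConnection: close\r\n\r\n").encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            chunks = []
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    except ConnectionResetError:
        return "reset"
    except OSError as exc:
        return f"error:{type(exc).__name__}"
    return "ok" if b"".join(chunks).startswith(b"HTTP/1.1 200") else "unexpected"


# The post's observation turned into a probe list (assumed set): the two words
# separately, with a separator, and concatenated.
PROBE_TOKENS = ("windows", "update", "windows-update", "windowsupdate")


def scan(host, port, tokens=PROBE_TOKENS):
    return {token: probe(host, port, token) for token in tokens}


def classify(results):
    outcomes = set(results.values())
    if outcomes == {"ok"}:
        return "no filtering observed"
    if "ok" in outcomes and "reset" in outcomes:
        # Same host, same port, same request except for the URL bytes:
        # the block is keyed on request content, not on name resolution.
        return "content keyword filter"
    return "host unreachable or blocked wholesale"


def run_demo(blocked_keyword=b"windowsupdate"):
    """Start the stand-in server and scan it; returns (results, verdict)."""
    host, port = start_filtering_server(blocked_keyword)
    results = scan(host, port)
    return results, classify(results)


if __name__ == "__main__":
    results, verdict = run_demo()
    for token, outcome in results.items():
        print(f"{token:16} {outcome}")
    print("verdict:", verdict)
```

To use this on a suspect machine, point `scan` at a real reachable host and port instead of the stand-in, and run it from the suspect machine itself: a host-resident filter of this kind only affects traffic leaving that host, so probing from a clean machine will show nothing.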