Can't Access Major Search Sites By URL

Countryside said:
Sounds like you're down to a good 'ol nuke & pave.
Click to expand...
uh what about if they just from the recovery console replace the file that the Avria Rescue CD found as a rootkit before N&P everything? I wonder if that might work.

I wonder also if the SFC was run from within the windows where the root kit is active?
 
B Trevathan said:
uh what about if they just from the recovery console replace the file that the Avria Rescue CD found as a rootkit before N&P everything? I wonder if that might work.

I wonder also if the SFC was run from within the windows where the root kit is active?
Click to expand...
I wonder if it is a false positive?
I uploaded to VirusTotal.com and it was 100% clean.

I don't follow you on the SFC question.
Sorry.
 
Couldn't you just boot to a recovery console or Bart disk and expand a fresh copy off the install CD?

I just had a system with an infected userinit.exe and that's all I needed to do.
 
eHousecalls.ca said:
Couldn't you just boot to a recovery console or Bart disk and expand a fresh copy off the install CD?

I just had a system with an infected userinit.exe and that's all I needed to do.
Click to expand...
I am actually running the same O/S on this computer.
I could grab the file from here.
I think it is a red herring though but I am willing to try it in the morning.
It has been a long couple of days.
 
allanc said:
I wonder if it is a false positive?
I uploaded to VirusTotal.com and it was 100% clean.

I don't follow you on the SFC question..
Click to expand...
What I was meaning was that it is a basic function of a root kit to load at a low level and hide itself and often hide other malware from checks for its existence. So say you were duing a scan in the Windows environment while a root kit was running (active) in the background that root kit is going to change the data that gets reported back to the scanner program so that scanner reports all clean. This is one reason why I suggested running some offline scans like Avria Rescue CD and Dr. Web Live CD because they run outside of Windows and the root kit therefore isn't loaded so it can't hide itself.

Some antimalware software works better in the Windows environment while the malware is running such as MBAM it works better in normal mode than it does even in safe mode where some of the malware may not be active. Speaking of animalware programs running in Windows did you try running Combofix?

Have you tried OTL by oldtimer instead of Hijackthis? From what I have been reading I think most people here have made the switch to OTL, it provides so much more than Hijackthis. I just wish someone would develop a reader for the OTL logs like the online Hijackthis log readers.

It maybe a false positive but how long does it take to replace a file compared to doing a N&P. If fixing it means doing a N&P than that is what has to be done, but I guess I'm just one of those people that likes to find out why something is not working and fix it and also I've heard "wheres my icons I had them all right here in the middle of the screen" or "wheres my background" or "wheres my screensaver" that I don't want to change anything I just want to remove the malware and go.

One other thing I was wondering in your OP I noticed you mentioned "Avira Free (same results with AVG)" and "Neither AVG or Avira find any issues" there's not two AV's installed on this computer is there?
 
Last edited:
Install and run Wireshark. Do a capture and check the dns query and see what is happening there and with the other packets going in and out of the nic.
 
just wondering, is this pc in your shop or onsite? if onsite how many other computers are on the network? any other similar issues on their network pc's? try resetting the router to factory default.


just re-read your first post guess my suggestion does not apply
 
Last edited:
B Trevathan said:
What I was meaning was that it is a basic function of a root kit to load at a low level and hide itself and often hide other malware from checks for its existence. So say you were duing a scan in the Windows environment while a root kit was running (active) in the background that root kit is going to change the data that gets reported back to the scanner program so that scanner reports all clean. This is one reason why I suggested running some offline scans like Avria Rescue CD and Dr. Web Live CD because they run outside of Windows and the root kit therefore isn't loaded so it can't hide itself.
Click to expand...
Right.
I was not grasping how 'intelligent' a rootkit could be.
Lesson learned.

Some antimalware software works better in the Windows environment while the malware is running such as MBAM it works better in normal mode than it does even in safe mode where some of the malware may not be active. Speaking of animalware programs running in Windows did you try running Combofix?
Click to expand...
Yes, I ran it in normal mode and nothing extraordinary was found.

Have you tried OTL by oldtimer instead of Hijackthis? From what I have been reading I think most people here have made the switch to OTL, it provides so much more than Hijackthis. I just wish someone would develop a reader for the OTL logs like the online Hijackthis log readers.
Click to expand...
I looked at their Web site but did not spend a lot of time on it, yet.
Do you know of any in-depth tutorials?

It maybe a false positive but how long does it take to replace a file compared to doing a N&P. If fixing it means doing a N&P than that is what has to be done, but I guess I'm just one of those people that likes to find out why something is not working and fix it and also I've heard "wheres my icons I had them all right here in the middle of the screen" or "wheres my background" or "wheres my screensaver" that I don't want to change anything I just want to remove the malware and go.
Click to expand...
Agreed. I am not a 'nuke & pave' type of guy:)

One other thing I was wondering in your OP I noticed you mentioned "Avira Free (same results with AVG)" and "Neither AVG or Avira find any issues" there's not two AV's installed on this computer is there?
Click to expand...
No, I only had one installed at any given time.
 
I'm glad you fixed it without having to N&P, to me it seems finding the malware and replacing the infected files is a lot more interesting than just doing a N&P that is why I suggested it:
B Trevathan said:
from the recovery console replace the file that the Avria Rescue CD found as a rootkit before N&P everything
Click to expand...
I know that doing a N&P would proably make it more secure but it just seems fixing it that way would be so boring.

Now that the root kit is not running it can't hide malware anymore, have you done any more checks. In the future you might want to run anti root kit programs as one of the first things you do in malware removal, they don't take very long for example TDSSKiller only take a few minutes, by the way does it still result in a BSOD?



allanc said:
I looked at their Web site but did not spend a lot of time on it, yet.
Do you know of any in-depth tutorials?
Click to expand...
From the geekstogo website: http://www.geekstogo.com/forum/topic/277391-otl-tutorial-how-to-use-oldtimer-listit/
A complete and detailed OTL tutorial has just been made public. It has been available to experts and forum helpers for some time. While most people will never use all the features of OTL, or only use it to create a log, others will find all the information offered in the tutorial helpful.
Click to expand...
 
B Trevathan said:
I'm glad you fixed it without having to N&P, to me it seems finding the malware and replacing the infected files is a lot more interesting than just doing a N&P that is why I suggested it:
I know that doing a N&P would proably make it more secure but it just seems fixing it that way would be so boring.
Click to expand...
Correct.

Now that the root kit is not running it can't hide malware anymore, have you done any more checks. In the future you might want to run anti root kit programs as one of the first things you do in malware removal, they don't take very long for example TDSSKiller only take a few minutes, by the way does it still result in a BSOD?
Click to expand...
The TDDSKiller is near the top of my list.
When it resulted in the BSOD I resorted to Gmer (which takes longer).
Gmer was clean.

After removing the rootkit, TDDSKiller ran to completion (no BSOD) and was clean.

From the geekstogo website: http://www.geekstogo.com/forum/topic/277391-otl-tutorial-how-to-use-oldtimer-listit/
Click to expand...
I will read this.
Thank you.
 
Congrats on finding the culprit :)

I've been using rootkithooker alongside gmer and tdsskiller recently as the latter two keep getting hooked themselves by the rootkit. Rootkitunhooker seems able to see this and then you can unhook your rootkit scanner.

Things are getting far more complicated these days :rolleyes:

edit: but weirdly I can often not clear a rootkit with just rootkitunhooker, probably just need to learn more about it though.
 
ZenTree said:
Congrats on finding the culprit :)

I've been using rootkithooker alongside gmer and tdsskiller recently as the latter two keep getting hooked themselves by the rootkit. Rootkitunhooker seems able to see this and then you can unhook your rootkit scanner.

Things are getting far more complicated these days :rolleyes:

edit: but weirdly I can often not clear a rootkit with just rootkitunhooker, probably just need to learn more about it though.
Click to expand...
I will add rootkithooker to my kit.

Thanks to all for their assistance.
 
allanc said:
Originally Posted by eHousecalls.ca
Couldn't you just boot to a recovery console or Bart disk and expand a fresh copy off the install CD?

I just had a system with an infected userinit.exe and that's all I needed to do.
Click to expand...
Bingo!

Replacing the ACPI.SYS with that from my XP SP3 computer fixed the problem of not being able to access www.google.com!
Thank you so much.
Click to expand...
Wooooooooooooooooooooo!

Edit: What do you do when you think a part might be bad? Two words: Known Good.
 
Last edited:
You must log in or register to reply here.

Similar threads

GTP
Missing info
Replies
5
Views
486
GTP
GTP
Rigo
Google phone support number? Email pwd issues
2
Replies
23
Views
3K
Rigo
Rigo
HCHTech
Fun with Google Business listing
Replies
1
Views
311
ThatPlace928
ThatPlace928
callthatgirl
Outlook Classic Search vs New Outlook Search
Replies
0
Views
436
callthatgirl
callthatgirl
thecomputerguy
Punishing clients for their transgressions.
Replies
6
Views
552
sapphirescales
sapphirescales
Back
Top