
Antivirus Plus and Google Searches

  • 18-12-2008 11:18pm
    #1
    Registered Users, Registered Users 2 Posts: 8,913 ✭✭✭


    Hi folks, this is a quare one. I got that malware Antivirus Plus. I managed to get rid of the rundll32.exe from the c:\windows\system folder. However, every time I search for anything in google.ie, the results all fire me off to a malware site - for example, if I search Google for RTE, the search results seem fine for the RTE website but when I click the link I get redirected.

    Windows Update is blocked, and whatever antivirus program I install will not update, be it AVG, Avast, Spybot S+D, HijackThis, etc...

    There seems to be constant contact with http://127.0.0.1. I have checked the TCP/IP settings and they *appear* fine. I have run the winsock repair tool also, to no avail.

    My router is fine as another PC accesses the net, Windows Update, AVG Updates etc... with no issues.

    Please Help! I am perplexed as to what is going on.


Comments

  • Registered Users, Registered Users 2 Posts: 4,179 ✭✭✭_CreeD_


    You might just be better off with a wipe/reinstall, but if you still want to be surgical it sounds like your hosts file has been modified to blackhole the AV update sites (by manually redirecting them to your own loopback address (127.0.0.1)). Edit C:\WINDOWS\system32\drivers\etc\hosts and remove pretty much everything after the initial blurb (comments at the start that begin with # ), then add 2 lines after the comments:
    127.0.0.1 localhost
    127.0.0.1 your PC's hostname
    That's all that should be there. (If you run a tool like Spybot S&D later and choose to inoculate your system it will add 1000s of entries here to blackhole malware sites, but at this stage you just want a clean hosts file, so just the one pointer to your own PC name and the generic name localhost.)
    See if you can update your AV after that and get things moving again, but really a format would be my choice at this stage.


  • Registered Users, Registered Users 2 Posts: 2,699 ✭✭✭samhail


    Also, if there is contact with your computer (127.0.0.1) then you would most likely have a server of some sort running - which I would look at first before cleaning the HOSTS file, as this program may automatically reinfect that file.

    AV: could check out http://housecall.trendmicro.com/ which will scan from online.

    First place I would look would be in the registry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    Read http://support.microsoft.com/kb/179365 first and don't delete anything from the registry unless you are confident to do so :)</disclaimer ;)>

    Check the startup folder in the Start menu, and any autoexec.bat type programs in c:\
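
A read-only way to carry out the two checks suggested in the replies above (the hosts file and the Run/RunOnce registry keys), as an added PowerShell example that is not part of any poster's reply. It assumes PowerShell 3 or later; the function and variable names are illustrative.

```powershell
# Added example: read-only audit of the hosts file and the Run/RunOnce keys.
# Nothing is modified; review the output before deleting anything.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$expected  = @('localhost', $env:COMPUTERNAME)   # names a clean file maps to loopback
$sinkhole  = '^(127\.\d+\.\d+\.\d+|0\.0\.0\.0|::1)$'

function Get-HostsEntry {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -replace '#.*$', '').Trim()    # strip comments
        if (-not $text) { continue }
        $fields = @($text -split '\s+')
        if ($fields.Count -lt 2) { continue }          # address with no name
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $kind = if ($fields[0] -match $sinkhole) { 'Blackholed' } else { 'Redirected' }
            [pscustomobject]@{ Kind = $kind; Address = $fields[0]; Name = $name }
        }
    }
}

# Keep every entry except loopback mappings for localhost and this PC's own name.
$unexpected = @(Get-HostsEntry -Lines (Get-Content -LiteralPath $hostsPath) |
    Where-Object { -not ($_.Kind -eq 'Blackholed' -and $expected -contains $_.Name) })
"{0} hosts entries beyond localhost and this PC's name" -f $unexpected.Count
$unexpected | Sort-Object Kind, Name | Format-Table -AutoSize

# List what is registered to start automatically under the three keys named above.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($valueName in $item.GetValueNames()) {
        [pscustomobject]@{ Key = $key; Name = $valueName; Command = $item.GetValue($valueName) }
    }
}
$autoruns | Format-List
```

A hosts file that Spybot S&D has immunized will list thousands of "Blackholed" entries; on a machine that cannot reach its AV update servers, the entries to look at are the ones naming those update sites.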


  • Registered Users, Registered Users 2 Posts: 8,913 ✭✭✭Danno


    Hi guys, thanks for the replies. Funnily enough MalwareBytes AntiMalware was unblocked and ran, cleaned 9 infections and everything is back right. Weird one indeed.

