
Windows update goes to MSN.COM


  • This topic is locked
14 replies to this topic

#1 zw2042


Posted 31 October 2008 - 08:01 AM

I have been unable to access Windows update for about 10 days. Every time I try I keep getting directed to the MSN.COM website. I emailed Microsoft about the problem but they just directed me to their knowledge base on their website. I did a Google search to see if anyone else has the same problem and sure enough they do. I read some forums and tried various things suggested for other people but nothing has changed. One of the forums suggested contacting you guys so here I am looking for some help please.



#2 Spiegy


Posted 01 November 2008 - 12:02 PM

I wish I had an answer for you but I have the same problem. I've been researching for days. I've tried going to the Microsoft site and get to Windows Update that way, but the link always directs me to MSN.com.

So, I decided to reformat my hard drive and start with a new copy of Windows XP. After installing service pack 2 (I have a CD for the service pack), I tried Windows Update. The same thing happened.

Then I downloaded Eraser to really destroy all the data on my hard drive and did a new installation again. With no service pack installed, I still couldn't get to Windows Update. It kept on taking me to MSN.com.

Figuring that the virus or whatever it is was in the firmware of my hard drive, I changed the hard drive with another one I had as a spare. Again, a new installation of Windows XP and again, the same problem. The Windows XP CD I have is a corporate version of XP Pro that I've used on many PCs since 2001 without any problem. So it can't be my version of Windows.

Now I figure it must be code in my BIOS, but I'm not sure. So, I'm as anxious as you to find out what's doing this.
Hope we get an answer.

#3 garmanma


Posted 01 November 2008 - 01:55 PM

If you're being redirected, let's first check for some nasties
----------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#4 zw2042


Posted 02 November 2008 - 07:38 AM

It's good to know that I'm not alone with this problem - thanks for your reply.

#5 zw2042


Posted 02 November 2008 - 08:00 AM

Mark - I carried out your instructions as detailed and the MBAM report log is below. I did encounter a problem at the end of the scan though. 6 baddies were found so I clicked on Remove Selected and was asked to reboot which is what I did before posting this reply. After a successful reboot I could not get on to any website through IE so I rebooted again. After this reboot I can get back on to websites and post this reply but I suspect the baddies are back.

Malwarebytes' Anti-Malware 1.30
Database version: 1355
Windows 5.1.2600 Service Pack 3

02/11/2008 12:40:22
mbam-log-2008-11-02 (12-40-22).txt

Scan type: Quick Scan
Objects scanned: 72331
Time elapsed: 22 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12dc2ef2-3019-4671-b4d7-bc16c478fbd5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{12dc2ef2-3019-4671-b4d7-bc16c478fbd5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{12dc2ef2-3019-4671-b4d7-bc16c478fbd5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 garmanma


Posted 02 November 2008 - 08:38 AM

Mbam should handle this. Run it again and post another log. It might take a few times.
DhcpNameServer is a trojan that affects IE.
Mark

#7 zw2042


Posted 02 November 2008 - 09:54 AM

Mbam scan run - 6 baddies found again. See log below. Rebooted after scan before gathering report log. Able to get onto websites without another reboot this time.

Malwarebytes' Anti-Malware 1.30
Database version: 1356
Windows 5.1.2600 Service Pack 3

02/11/2008 14:41:35
mbam-log-2008-11-02 (14-41-35).txt

Scan type: Quick Scan
Objects scanned: 71457
Time elapsed: 21 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12dc2ef2-3019-4671-b4d7-bc16c478fbd5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{12dc2ef2-3019-4671-b4d7-bc16c478fbd5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{12dc2ef2-3019-4671-b4d7-bc16c478fbd5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 garmanma


Posted 02 November 2008 - 03:03 PM

I'm still not sure. Go through the process one more time please.
Mark

#9 zw2042


Posted 02 November 2008 - 04:09 PM

Scan run again with similar results - 6 baddies found. Rebooted PC after scan - able to access internet first time in order to post Mbam scan results.

Malwarebytes' Anti-Malware 1.30
Database version: 1357
Windows 5.1.2600 Service Pack 3

02/11/2008 21:00:39
mbam-log-2008-11-02 (21-00-39).txt

Scan type: Quick Scan
Objects scanned: 70186
Time elapsed: 21 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12dc2ef2-3019-4671-b4d7-bc16c478fbd5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{12dc2ef2-3019-4671-b4d7-bc16c478fbd5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{12dc2ef2-3019-4671-b4d7-bc16c478fbd5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
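
An added example, not part of any post in this thread and not Malwarebytes' code: it parses the "Registry Data Items Infected" lines from the MBAM logs above and reports values that were logged as deleted in one scan yet hold the same data in the next, splitting each resolver list into public and private addresses. The log lines are copied from posts #5 and #7; the function names are made up for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Lines copied from the first two MBAM logs in this thread, keyed by scan time.
SCANS = {
    "02/11/2008 12:40:22": r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
""",
    "02/11/2008 14:41:35": r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.25 192.168.0.1 -> Quarantined and deleted successfully.
""",
}

# key path \ value name (detection) -> Data: <data> -> <action>
ITEM_RE = re.compile(r"^(HKEY_\S+)\\(\S+) \(([^)]+)\) -> Data: (.+?) -> (.+)$", re.M)


def parse_items(log_text):
    """Return one dict per registry data item line in an MBAM log."""
    items = []
    for key, value, detection, data, action in ITEM_RE.findall(log_text):
        items.append({"key": key, "value": value, "detection": detection,
                      "servers": data.split(), "action": action})
    return items


def split_resolvers(servers):
    """Separate resolver IPs into (public, private) lists."""
    public, private = [], []
    for s in servers:
        (private if ipaddress.ip_address(s).is_private else public).append(s)
    return public, private


def recurring_entries(scans):
    """Values reported as deleted in one scan that show the same data in another."""
    seen = defaultdict(list)  # (key, value, servers) -> scan times
    for when, text in scans.items():
        for it in parse_items(text):
            if "deleted successfully" in it["action"]:
                seen[(it["key"], it["value"], tuple(it["servers"]))].append(when)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for (key, value, servers), times in recurring_entries(SCANS).items():
        public, private = split_resolvers(servers)
        print(f"{key}\\{value}")
        print(f"  deleted, then present with identical data in {len(times)} scans: {times}")
        print(f"  public resolver(s): {public}  LAN resolver(s): {private}")
```

DhcpNameServer is the value Windows fills from the DHCP lease, so an entry that returns after deletion is worth comparing against the DNS servers the network's DHCP server hands out.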

#10 garmanma


Posted 02 November 2008 - 04:49 PM

I'm far from a malware expert. I would read the HJT preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Then post the log in this forum:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
Mark

#11 Spiegy


Posted 02 November 2008 - 09:10 PM

I've followed the same directions with Malwarebytes' Anti-Malware and come up with the same 6 baddies, as you call them. After rebooting and running a scan again, the same 6 baddies are back. It's my feeling that it's loaded into the registry each time the PC is rebooted. I still think it's in the BIOS somewhere.

How do you clean this nasty trouble-maker out of the BIOS?

#12 garmanma


Posted 03 November 2008 - 08:40 AM

Although possible, it's highly unlikely a BIOS will get infected.
Viruses bury themselves in the registry. You need to follow the directions that I gave the original poster in the last post.
Mark

#13 yossarian23


Posted 03 November 2008 - 11:03 AM

I am a novice here just trying to understand. How would the malware return if the user reformatted the hard drive and started with a clean install of Windows XP with SP2? Shouldn't the registry be clean?

I am assuming that it came from programs he may have re-installed, or perhaps the install CDs were infected.

#14 zw2042


Posted 03 November 2008 - 03:34 PM

Preparation guide for production of HJT log followed and log posted to HJT forum.

#15 garmanma


Posted 03 November 2008 - 03:56 PM

This thread is closed
Mark