Posted 12 April 2010 - 05:31 PM
I’ve had problems with Windows Update being blocked and websites getting redirected the last few days. I’ve tried a batch of fixes with no luck. Below is a summary of what symptoms appeared when and what I ran to try to get rid of whatever it is. It’s long, but I’m hoping the details might be helpful to someone out there.
Problems started late afternoon, Thursday 4/8. I had a bunch of Word and PowerPoint files open, and eventually the system froze. When I rebooted, the Windows loading screen said that the hardware had changed significantly since Windows was first installed and I had to reactivate it within three days. Thinking this was some fluke resulting from overloading the system, I ignored the message. Everything loaded up fine, but after working for a while, a red shield symbol showed up in the system tray and a batch of messages (in callouts from the shield) appeared saying that there was a “security breach”, “privacy risk”, the system was infected, etc. Soon after, a window popped up, supposedly from Windows (I don’t remember exactly what the title of the window was – something with Windows, security or antivirus, and 2010) saying something along the same lines. I didn’t believe it was actually from Windows, and I didn’t want to click anything, so I did a hard restart.
The messages were gone after the restart, but the system ran incredibly slowly; I couldn’t get folders or Task Manager to open in under a few minutes. I restarted, and got the same activation notice again. I ignored it, and ran a full scan with Symantec (after updating it). It found two files for a Suspicious Vundo 2 (in Local Settings temp files) and was able to delete or partially quarantine them. Reboot, same notification, ignored it, and then I ran Ad-Aware and Spybot (after updating them). Ad-Aware found Win32.Trojan.Agent; Spybot just tracking cookies.
After those files were deleted, I rebooted the system and got the same notification about activation and ignored it again. After trying some files and working online for a while, everything seemed fine – speed was normal, no pop-ups, no security warnings. The activation request was still in the corner (by now it’s the next day), and thinking everything was taken care of, I reactivated the copy of Windows. It looked genuine, but in retrospect I probably should have been more suspicious.
Restarted, everything looked fine, so I thought it would be a good time to clean up my temp files and then defrag. Only got a little way through the defrag when I noticed Windows Update kept loading in the corner, but seemed to stall at 1% and then go away for a while, only to come back and stall at 1% again. So I stopped the defrag, and tried to run Windows Update separately through the Start menu. It wouldn’t load and I got a “server was reset” message for the Windows Update website through both Firefox (my default browser) and Internet Explorer.
I rebooted to try again, and that’s when things got worse. Update still wouldn’t run, the website was blocked, and when I tried to open an antivirus program, the computer asked what program to use to open the files. Symantec, Ad-Aware, Spybot, and Windows Security Center were all locked out. I couldn’t open anything from the Start menu or desktop shortcuts, but I was able to open non-antivirus programs (Word, PPT) in other ways.
After some research online I was able to restore access to the programs through regedit. (Under HKEY_CLASSES_ROOT\.exe, the Data column for the first value, (Default), was secfile. Changed that to exefile and that seemed to fix the problem.) Then I downloaded Malwarebytes and ran a quick scan. It found infections in 2 registry keys, 2 registry values, and 6 registry data items. Ran a quick scan again after the problems were removed and it came back clean.
Windows Update was still unavailable. Prior to this, I hadn’t had any problems. No redirects, no pop-ups, no increase in spam, no decrease in system performance that I noticed. However, something must have been blocking the Windows updates from loading for a while, since I didn’t have Service Pack 3. So I cleared all my Firefox cookies and downloaded SP3, hoping that something in there would fix the problem. It installed fine, but the Windows Update website was still unavailable. I downloaded Windows Defender but it was useless. I was eventually able to get updates using AutoPatcher. Downloaded and ran SUPERAntiSpyware. It only found more cookies (presumably from IE). Rebooted, but then Windows wouldn’t load normally. Loaded in Safe Mode, rebooted, same thing. Ended up having to go back to the previously working settings – which led back to the fake antivirus pop-ups and the Start menu problems. Repeated the regedit fix and then ran Symantec (after updating again; this time it found and deleted Trojan Fake AV) and Malwarebytes (after updating again; found 1 registry data infection). This got me back to where I was before SUPERAntiSpyware, only now, in addition to the old problems, I get pop-ups and am redirected when I click on Google or Yahoo search results. Since then I’ve also run ComboFix and BitDefender. They both found problems (mostly in years-old files or programs I haven’t used in months), but none of them seem to be the root cause, because I still can’t get Windows Update to run, security-related Windows pages are blocked, and almost every website gets redirected.
And now I’m stuck; I don’t know what else to try. It’s so frustrating and at this point I’d just reformat my hard drive, but whatever this thing is seems so damn tricky, I’m not sure even that would get rid of it. Please help if you can. I’ve got the ComboFix and BitDefender logs if you want them.
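The regedit fix in the post above (HKEY_CLASSES_ROOT\.exe default value changed from secfile back to exefile) can be scripted so it can be re-checked after every reboot, which matters here because the hijack came back after the rollback. The script below is an added example, not part of the original post and not the poster's own steps. It assumes the stock Windows values for the .exe association chain, takes the rogue ProgID name "secfile" from the post as the thing to report on, and adds one extra check the post does not mention: a look at the hosts file for entries that could explain Windows Update and security sites being unreachable. One caveat the regedit view hides: HKEY_CLASSES_ROOT is a merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes, and the per-user key wins, so both hives are checked. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): audit, and optionally repair, the
# .exe file-association hijack described above, then list hosts-file entries
# that could block update/security sites. Run as Administrator.

# HKCR is a merge of these two; HKCU takes precedence, so a fix applied only
# in HKLM can be silently overridden by a per-user key.
$Hives = 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes'

# Stock Windows values for a healthy association chain (assumed defaults,
# not values taken from the post).
$Expected = @{
    '.exe'                       = 'exefile'
    'exefile\shell\open\command' = '"%1" %*'
}

function Get-DefaultValue([string]$Path) {
    # Returns the (Default) value of a registry key, or $null if the key is absent.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { return $key.GetValue('') }   # '' names the (Default) value
    return $null
}

function Repair-ExeAssociation([switch]$Fix) {
    foreach ($hive in $Hives) {
        foreach ($sub in $Expected.Keys) {
            $path   = Join-Path $hive $sub
            $actual = Get-DefaultValue $path
            if ($null -eq $actual)            { continue }   # key not present in this hive
            if ($actual -eq $Expected[$sub])  { continue }   # already the stock value

            Write-Warning "$path (Default) = '$actual' (expected '$($Expected[$sub])')"

            # If .exe points at a rogue ProgID (the post saw 'secfile'), show what
            # that ProgID launches: that command is where the dropper lives.
            if ($sub -eq '.exe') {
                $rogueCmd = Get-DefaultValue (Join-Path $hive "$actual\shell\open\command")
                if ($rogueCmd) { Write-Warning "  ProgID '$actual' launches: $rogueCmd" }
            }

            if ($Fix) {
                Set-ItemProperty -LiteralPath $path -Name '(default)' -Value $Expected[$sub]
                Write-Host "  restored $path to '$($Expected[$sub])'"
            }
        }
    }
}

function Get-SuspiciousHostsEntries {
    # Extra triage check (not in the post): any active IPv4 mapping other than
    # the stock localhost line is worth reading; redirected or blocked update
    # and vendor sites are a common reason for this file to have been edited.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' }
}

Repair-ExeAssociation          # report only; nothing is changed
# Repair-ExeAssociation -Fix   # uncomment to write the stock values back
Get-SuspiciousHostsEntries
```

The report-only run is the one to do first: the command string behind the rogue ProgID tells you which file the fake antivirus is running from, and that path is what you want to hand to the scanner (or quarantine by hand) before restoring the association, otherwise the dropper simply rewrites the key on the next launch, which is consistent with the fix not sticking across the rollback described above.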