
windowsupdate in url blocked


4 replies to this topic

#1 PuzzleScot (Members, 8 posts)

Posted 11 June 2010 - 03:22 PM

Hi,

I've been the primary IT person at my company for 15+ years, so I'm a 'jack of all trades', but I have a problem that won't go away on my home pc.

It may be more than one problem - can't be sure, but in order of importance (I think)

I have Windows XP Professional (Version 2002) SP3 running on a Dell Vostro 200 2.33GHz with 2GB RAM.

Firstly, whenever I have a URL that contains the word 'windowsupdate' (in ANY browser), I get "The connection to the server was reset while the page was loading." (in Firefox 3.6.3, or 'Internet Explorer cannot display the webpage -> Diagnose Problem button' in IE)

Secondly, in Firefox (at least), whenever I click on a Google search result, I get redirected to a couple of sites (not pr0n!) unrelated to the link I clicked.

Thirdly, attempting to reboot to safe mode (never tried before on this PC) results in a nasty blue screen.

I have a 3Com OfficeConnect wireless router that I use as my firewall (Windows firewall disabled)
I have NOD ESET permanently running and up to date as my AV.
SpyBot S&D found a few trojans (can't remember which)
I've recently installed Lavasoft Ad-Aware, that found nothing wrong.
MalwareBytes detected the following:

Scan type: Quick scan
Objects scanned: 187188
Time elapsed: 27 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8a149074-a7a8-47c2-a24d-d6f60724bff1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8a149074-a7a8-47c2-a24d-d6f60724bff1} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\pavuppad.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

... finally, referring to an ms forum post that had a similar problem with windowsupdate (http://social.answers.microsoft.com/Forums/en-US/vistanetworking/thread/41396c41-deb7-4198-9ebb-a9dd098b8c5a), I VERY CAREFULLY ran ComboFix.

ComboFix declared early on that I had a 'RootKit infection' and rebooted my machine, but otherwise ran smoothly. I have the log if it is of any help.

HijackThis lists a ton of items, most of which look ok, but I'm not familiar with the machinations of XP, so can't say for sure.

Any advice much appreciated. Thanks in advance....

..ADDENDUM... My home PC won't let me post this message (possibly because it includes the word 'windowsupdate'), so I'm doing it from my office PC, which I connect to using RDP over VPN.

EDIT: Moved from XP to Am I Infected forum ~ Hamluis.

Edited by hamluis, 11 June 2010 - 03:31 PM.
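The Malwarebytes log above names the persistence and tamper points this infection used: the Winlogon Userinit value (pavuppad.exe appended after userinit.exe), a ShellServiceObjectDelayLoad (SSODL) entry, a Browser Helper Object CLSID, GUID-named keys under the .DEFAULT profile's Explorer key, and the Security Center switch that hides the "updates are off" warning. The script below is an added example, not code from this thread or from any of the tools named in it; it re-reads those locations so you can confirm the cleanup held (re-running it after a reboot shows whether anything re-creates the entries). It assumes Windows with PowerShell 2.0 or later (the 2.0 package installs on XP SP3), an elevated prompt, and that a stock install has Userinit set to exactly `C:\WINDOWS\system32\userinit.exe,`; that expected value and the function names are assumptions for this example.

```powershell
# Added example, not code from this thread. Audits the persistence and tamper
# points the Malwarebytes log reports. Assumes Windows with PowerShell 2.0+,
# run elevated. The "expected" Userinit value is an assumption for a stock install.

function Resolve-ComServer {
    param([string]$Clsid)
    # Map a CLSID to the in-process DLL it loads; that file is what to inspect.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InProcServer32"
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item) { $item.'(default)' } else { '<no InProcServer32 registered>' }
}

function Invoke-PersistenceAudit {
    $findings = @()

    # 1. Winlogon Userinit: the log showed pavuppad.exe appended after userinit.exe.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $winlogon).Userinit
    $expected = "$env:SystemRoot\system32\userinit.exe,"
    if ($userinit -ne $expected) {
        $findings += "Userinit = '$userinit' (expected '$expected')"
    }

    # 2. SSODL: every value here is a CLSID that explorer.exe loads at logon.
    #    All entries are listed for review; resolve the DLL and check it.
    $ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    $props = Get-ItemProperty -Path $ssodl -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            $findings += "SSODL '$($p.Name)' = $($p.Value) -> $(Resolve-ComServer $p.Value)"
        }
    }

    # 3. Browser Helper Objects: one subkey per CLSID, loaded into every IE process.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($k in Get-ChildItem -Path $bho -ErrorAction SilentlyContinue) {
        $findings += "BHO $($k.PSChildName) -> $(Resolve-ComServer $k.PSChildName)"
    }

    # 4. GUID-named subkeys under the .DEFAULT profile's Explorer key (the
    #    Backdoor.Bot entries in the log); a stock profile has none.
    $defExplorer = 'Registry::HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    foreach ($k in Get-ChildItem -Path $defExplorer -ErrorAction SilentlyContinue) {
        if ($k.PSChildName -match '^\{[0-9a-fA-F-]{36}\}$') {
            $findings += "GUID-named key under .DEFAULT Explorer: $($k.PSChildName)"
        }
    }

    # 5. Security Center: a value of 1 suppresses the updates/AV/firewall-off warning.
    $sc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
    foreach ($name in 'UpdatesDisableNotify', 'AntiVirusDisableNotify', 'FirewallDisableNotify') {
        if ($sc -and $sc.$name -eq 1) {
            $findings += "Security Center $name = 1 (warning suppressed)"
        }
    }

    $findings
}

Invoke-PersistenceAudit
```

Only the Userinit mismatch, the GUID-named keys and the Security Center flags are flagged as problems outright; SSODL and BHO entries are printed unconditionally because legitimate ones exist (the point is to see which DLL each CLSID resolves to and inspect that file), and a CLSID with no InProcServer32 left behind is itself worth noting, since a scanner may have removed the DLL but not the reference.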




#2 boopme (Global Moderator, 72,740 posts)

Posted 11 June 2010 - 03:31 PM

Hello. I recommend you run DDS and GMER and start a new topic, as we need a deeper look. Please go here:
Preparation Guide, and do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic. Thanks.
Include the ComboFix and GMER logs.
Let me know if that went well.

EDIT: moved to the Am I Infected forum from XP for now.

Edited by boopme, 11 June 2010 - 03:32 PM.


#3 dittoits (Members, 2 posts)

Posted 13 June 2010 - 05:53 AM

I have been running my own IT business for 14 years and I have never come across anything this frustrating.

It's difficult to even search for this issue, but I found this page. I have a client PC with the same issue.

The machine is one I built several years ago. It has Windows XP Home on it SP3.

I cleaned a bunch of stuff off it - client said he got a pop-up that said he was infected, so he clicked as instructed to scan his machine... it told him he had infections and that he had to pay to clean it. He then paid for this trojan thing I guess. His information was spotty - you know how clients are...

Anyway - this machine won't allow me to access anything that says "windowsupdate" - I can search for "windows update" just fine, but when it's all one word, the browsers won't even try. Firefox doesn't even refresh the page when I attempt to search and IE just displays a "Page not Found" as though it isn't even connected to the internet.

Other issues were that anti-spyware programs weren't able to update because they used IE settings and it was set to use Proxy 127.0.0.1. I resolved that one, so now IE works and so does Spybot and Malwarebytes.

I've scanned using Spybot, Malwarebytes, Panda Cloud, Stinger, and Hijackthis... The machine is clean as far as I can tell. I searched the registry for "windowsupdate" and I searched for all files containing text "windowsupdate" and came up with nothing relevant. Hosts file was clean. There weren't any odd network settings.

I know it's something corrupt in windows because I can search the term just fine when I boot into Windows Safe Mode with Networking. However, I can't update in Safe Mode (thanks Microsoft). I managed to create a new user in safe mode and then boot into it and run SFC /SCANNOW to see if I could fix the issue that way. Didn't work.

Another symptom is that IE 7 behaves as though it's a new install every time I run it - it gives me the runonce.msn page asking me to choose my settings. Chrome crashes every time I run it. Firefox works fine, but still can't search "windowsupdate".

Everything else works just fine and I can't see anything suspicious looking manually in the system32 folder by date or the other usual places. Nothing in services running that looks out of place. It's not a separate program I don't think - it's like some sort of hidden setting somewhere deep. Very clever virus that is driving me nuts. Whoever made it can go ahead and die in a fire.
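Three of the observations in this post narrow the problem down and can each be turned into a check: the IE proxy pointed at 127.0.0.1 (something on the box was sitting between the browser and the network), the hosts file (which can also be moved elsewhere via the Tcpip DataBasePath value, so a "clean" file at the usual path proves little), and the fact that the block is gone in Safe Mode with Networking (so the component responsible is one that Safe Mode does not load). The script below is an added example, not code from this thread; it assumes Windows with PowerShell 2.0 or later, run elevated from the affected user's profile. The two probe URLs are assumptions chosen so that they differ only in whether the string "windowsupdate" appears, which separates a keyword filter in the request path from DNS or server problems; the function names are assumptions as well.

```powershell
# Added example, not code from this thread. Checks for the symptoms described
# above: a loopback proxy, hosts-file tampering, a keyword-triggered reset, and
# the normal-boot-only components that Safe Mode with Networking leaves out.
# Assumes Windows with PowerShell 2.0+, run elevated as the affected user.

function Get-ProxyFindings {
    $ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ($ie.ProxyEnable -eq 1) {
        $note = if ($ie.ProxyServer -match '127\.0\.0\.1|localhost') { ' (loopback: a local process is intercepting)' } else { '' }
        "IE proxy enabled: $($ie.ProxyServer)$note"
    }
    if ($ie.AutoConfigURL) { "Proxy auto-config script: $($ie.AutoConfigURL)" }
}

function Get-HostsFindings {
    # DataBasePath tells the resolver where the hosts file lives; malware can point it elsewhere.
    $tcpip = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $dir = [Environment]::ExpandEnvironmentVariables($tcpip.DataBasePath)
    if ($dir -ne "$env:SystemRoot\system32\drivers\etc") { "DataBasePath redirected to: $dir" }
    Get-Content -Path (Join-Path $dir 'hosts') |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match 'microsoft|windowsupdate|update' } |
        ForEach-Object { "hosts entry: $_" }
}

function Test-KeywordFilter {
    # Two requests to the same host that differ only in whether the query string
    # contains "windowsupdate" (probe URLs are assumptions). A failure on the second
    # but not the first points at an in-path filter on the keyword, not at DNS.
    $urls = 'http://www.microsoft.com/?probe=windows-update',
            'http://www.microsoft.com/?probe=windowsupdate'
    $wc = New-Object System.Net.WebClient
    foreach ($u in $urls) {
        try   { $null = $wc.DownloadString($u); "OK      $u" }
        catch [System.Net.WebException] { "FAILED  $u : $($_.Exception.Message)" }
    }
}

function Get-NotInSafeModeNetworking {
    # Boot/system/auto-start services and drivers that are not on the SafeBoot\Network
    # allow-list, and so do not load in Safe Mode with Networking. If the block only
    # exists in a normal boot, the culprit is somewhere in this list.
    $allowed = @{}
    foreach ($k in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network') {
        $allowed[$k.PSChildName.ToLower()] = $true
    }
    foreach ($svc in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $p = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        if (-not $p -or $p.Start -eq $null -or $p.Start -gt 2) { continue }   # 3 = manual, 4 = disabled
        # SafeBoot lists entries by service name, by driver group, or by image file name.
        $names = @($svc.PSChildName)
        if ($p.Group) { $names += [string]$p.Group }
        if ([string]$p.ImagePath -match '([^\\/"]+\.(sys|exe|dll))') { $names += $Matches[1] }
        $listed = $false
        foreach ($n in $names) { if ($allowed.ContainsKey($n.ToLower())) { $listed = $true } }
        if (-not $listed) {
            New-Object PSObject -Property @{
                Service = $svc.PSChildName; Start = $p.Start; Group = $p.Group; ImagePath = $p.ImagePath
            }
        }
    }
}

Get-ProxyFindings
Get-HostsFindings
Test-KeywordFilter
Get-NotInSafeModeNetworking | Sort-Object Service | Format-Table Service, Start, Group, ImagePath -AutoSize
```

The last table is deliberately broad: on a real machine it includes legitimate OEM and security-product services and drivers, so read it as a shortlist to inspect (image path, file date, whether the file exists) rather than a verdict. Run `Test-KeywordFilter` once in a normal boot and once in Safe Mode with Networking; if the "windowsupdate" probe fails only in the normal boot, the responsible component is one of the rows in that table.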

#4 dittoits (Members, 2 posts)

Posted 13 June 2010 - 03:36 PM

Okay, well I spent many hours on this one, but I finally was able to get it. It was dug in - no scanners were picking up all the infections - I kept having to manually delete stuff by searching the usual places and cleaning the startup log. I got pretty much all of it, but then it was still not letting me go to windowsupdate - I ended up then using Combo-Fix (instructions available everywhere), and it cleaned the rest of it and restored update functionality. A file called serial.sys was infected and removed. Machine is humming along now and I'm updating as we speak.

I'm not supposed to post here or whatever because the internet is serious business and all, but I found this thread by searching "windowsupdate blocked" and I imagine someone else will too and I thought I would share my story even though I didn't go through the proper procedures as outlined by this forum. I think this particular AV Security Suite virus was another variant as none of the manual removal instructions I found yielded the things I was supposed to remove. I'm glad this forum exists... anti-malware vigilance has been getting more and more sophisticated. Keep it up.

#5 tgreer (Members, 1 post)

Posted 23 June 2010 - 11:18 AM

Same problem... weird - can't even search for the string "windowsupdate" (one word), in any browser. Used MSSE, Malwarebytes, and trojan remover, so far with no luck. Will try ComboFix and report back.



