Possible malware causing IE and automatic updates to not connect to internet. Network connection is fine, however, other programs and browsers are just fine.
<Edit> Whew, things sure got confusing since the last time I've been here, ;)...
Anyway...Some new and interesting info...
Been having probs with gmer, and is running at this moment...
Had IE opened for some time, so don't know if this is related or whatnot, but a Norton Security Scan download window had popped up after about 30 minutes. Closed it and "end task" on IE. Ran an error report just to test to see if the error report might return any errors, it did not.
I had left for about an hour and when I returned, gmer was still running (this is now), no apps will load now. Still gmer and firefox, which were left running, are just fine.
Got a balloon popup, second popup just now,
The file or directory C:\$Mft is corrupt and unreadable. Please run the Chkdsk utility.
Don't know how long this balloon has been coming up. The owners don't know if it's popped up before either.
(Note, just popped up a third time).
Once gmer is finished I'll reboot (to be able to load cmd) and check ipconfig /all (if there might be anything in there).
OS crashed after gmer finished so couldn't add the info. Did a chkdsk though, since I had to hard boot, and got several errors, don't think it has anything to do with this issue, though.
After running ipconfig, nothing out of the ordinary...Don't see how this could be problematic, but here's two lines from ipconfig.
WINS Proxy Enabled. . . . . . . . : No
Ok, went the road less traveled and created a new user account, this time "limited", and voila IE works. So the problem is definitely a user problem and not a system wide problem.
So if anyone is willing to help figure this out, at least point to the configuration files that are loaded from user startup and I could start disabling from there to test certain things...Or better yet, just delete that user...Either way, since this user does not have administrative privileges, could there be any problem that could arise if I ran autoupdates from this user while entering password for the administrator from this user? Could the infection attack this user as well?
Logged back into the affected user, now have a Resident Shield alert that pops up, overlaps all windows, can be moved back only with task manager. Task manager does not show any application for it, though.
Threat name: Trojan horse Agent2.BCCZ
Process name C:\WINDOWS\system32\rundll32.exe
Process ID: 2556
Searches turn up 0 for wuscofe.dll.
HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run\Osoxec rundll32.exe "C:\WINDOWS\wuscofe.dll",Startup
HKEY_USERS as well.
Now to check this against the other user.
Edited by Mol_Bolom, 30 July 2010 - 06:04 PM.
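A triage check for the kind of autostart entry reported above, as an added example that is not part of the original post: it parses Run-key values in `reg query` output layout and lists those that launch a DLL through rundll32, with reasons to look closer. Assumptions: the sample text is constructed (only the Osoxec value comes from the post, shown under the standard per-user Run key path), `ExampleTray` is hypothetical, System32 is at its default location, and the two flags are triage heuristics, not verdicts.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in `reg query` output layout. Only the Osoxec value comes
# from the post; ExampleTray is a hypothetical benign entry for contrast.
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    ExampleTray    REG_SZ    rundll32.exe C:\WINDOWS\system32\exampletray.dll,Init
    Osoxec    REG_SZ    rundll32.exe "C:\WINDOWS\wuscofe.dll",Startup
'''

VALUE = re.compile(r'^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$')
# rundll32 [optionally quoted DLL path],<export>
RUNDLL = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>[^\s,]+)', re.I)
SYSTEM32 = r'c:\windows\system32'  # assumption: default install path


def triage_run_entries(reg_text, exists=None):
    """Return every Run value that launches a DLL through rundll32.

    exists: optional callable(path) -> bool, e.g. os.path.exists on the
    affected machine; omitted when analysing an export offline.
    """
    findings, key = [], None
    for line in reg_text.splitlines():
        if line.startswith('HKEY_'):
            key = line.strip()
            continue
        value = VALUE.match(line)
        cmd = RUNDLL.search(value['data']) if value and key else None
        if not cmd:
            continue
        dll = PureWindowsPath(cmd['dll'].strip())
        reasons = []
        if dll.is_absolute() and str(dll.parent).lower() != SYSTEM32:
            reasons.append('DLL loaded from outside System32')
        if exists is not None and not exists(str(dll)):
            reasons.append('DLL not found on disk (removed or hidden)')
        findings.append({'key': key, 'name': value['name'], 'dll': str(dll),
                         'export': cmd['export'], 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage_run_entries(SAMPLE):
        print(f['name'], f['dll'], f['export'], f['reasons'] or 'no flags')
```

Running the same function over each user's Run key export shows whether the entry is present for one account only or for several.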