jostafew asked:
Windows XP Pro machine can't access Microsoft Update website after virus cleanup

Hello all! I've got an XP Pro machine that picked up an infection (bogus software scanner). After a relatively painless cleanup, things are mostly back to normal. The virus had removed the ability to run executables (which other postings on E-E helped me to resolve), but the last remaining issue that I'm seeing is not being able to access the website update.microsoft.com. Every attempt simply yields "Internet Explorer Cannot Display the Web Page". The machine can browse other sites, and I've confirmed that the MS update site is up on neighboring machines. I've restored all IE settings to defaults, and reloaded SP3 in an attempt to repair the damage. No luck though.

Thanks in advance for the help!
ASKER CERTIFIED SOLUTION
optoma:
Run Winsock XP Fix; you can get it here:
http://www.snapfiles.com/get/winsockxpfix.html
jostafew (ASKER):
Ran the winsock repair, but no improvement. Running the scans now.
Make sure the proxy setting isn't selected, unless it is supposed to be.
Tools>Internet options>Connections>Lan settings.
SOLUTION
Bryon H:
Have you checked to make sure the hosts file was not modified? If a bogus entry exists for the MS update site it could block access.

Check the c:\windows\drivers\etc\hosts file with Notepad to see if any erroneous entries exist. Delete anything related to MS update. Or for that matter, it is unlikely you need any hosts file entries, but make a backup if you are unsure before deleting stuff.

take care.
Run Malwarebytes as well if you have not done that yet.
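Bryon H's hosts-file check, written out as an added example (not code from this thread): the script parses a hosts file and flags entries that override Windows Update domains or sinkhole any non-localhost name to a loopback/null address. On XP the real file is %SystemRoot%\System32\drivers\etc\hosts; the sample content and the domain watchlist below are constructed assumptions.

```python
"""Flag hosts-file entries that block or redirect Windows Update.
Added example for this thread, not code from the original posts.
SAMPLE_HOSTS is constructed; WATCHLIST is an assumed list of update
domains, not an official one."""
import sys
from typing import List, Tuple

WATCHLIST = (  # update-related domains to protect (assumed list)
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
    "windowsupdate.com",
)
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 update.microsoft.com windowsupdate.microsoft.com   # injected
0.0.0.0 download.windowsupdate.com
192.168.1.10    intranet.example.local   # legitimate local entry
"""


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every active mapping; one
    line may map several hostnames to a single address."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comment, tokenize
        for host in fields[1:]:
            entries.append((n, fields[0], host.lower()))
    return entries


def on_watchlist(host: str) -> bool:
    """True for a watchlisted domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def suspicious_entries(text: str) -> List[str]:
    """One finding per entry that overrides an update domain or
    sinkholes a non-localhost name to a loopback/null address."""
    findings = []
    for n, ip, host in parse_hosts(text):
        if on_watchlist(host):
            findings.append(f"line {n}: {host} -> {ip} (update domain overridden)")
        elif host != "localhost" and ip in SINKHOLE_IPS:
            findings.append(f"line {n}: {host} -> {ip} (sinkholed)")
    return findings


if __name__ == "__main__":  # pass a hosts path, or scan the built-in sample
    data = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    print("\n".join(suspicious_entries(data) or ["no suspicious entries"]))
```

Legitimate local entries (a LAN name mapped to a private address) are not flagged, so review the findings rather than deleting them blindly.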
Ok, back at it this morning. Before I left I ran the scans requested by optoma (Hitman & Tdsskiller), I've attached the results as screenshots. The four ECCO375... files that were found in Hitman were canceled by me as I know that those files are legit installation files.

I am carrying on with other experts' comments, will report as I go. Thanks everyone!
hitman-report.bmp
tdsskiller.bmp
Tdsskiller shows atapi.sys as infected. Did you select "yes" and let Tdsskiller restart the machine?
I ran Malwarebytes early on during the cleaning. It detected and removed a few objects. I also checked for any proxy configuration, which was nil. I also had a look for any strange DNS settings for both network adapters (copper & wireless), but all are default settings w/DHCP.
Yes exactly optoma, continued with the cleaning and restarted the machine. I will run the utility again to confirm that it was cleaned.
Best to run it now. If you get the same infected result, run Gmer as suggested >>

Make sure antivirus and any other security programs' shields/real-time scanners are disabled before running Gmer.
Have no other programs open
http://www.gmer.net/download.php

If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then uncheck the following:
    >  IAT/EAT
    > Drives/Partitions other than OS Systemdrive (typically C:\)
    > Show All (don't miss this one)

Then hit scan and leave machine idle to run Gmer scan
When completed, hit save button and attach its logfile
Ok, confirmed that the only security software on the machine is AVG and its resident shield (real-time protection) has been disabled. I re-ran Tdsskiller, which showed that the cleaning was not successful. I am now running Gmer, which seems to SERIOUSLY bog down the machine. It has been running for at least an hour now. The first couple of attempts caused system instability, one of which resulted in me restarting the machine after it locked up, and the other ended with the machine restarting itself. After disabling the screen-saver to keep a better eye on the process it continues to run, but attempting to do anything else with the machine at the same time is impossible. I will post the log file once the scan completes.
Yes, as I mentioned above :)

"leave machine idle to run Gmer scan"
Ok, not the answer we're all after, but the problem was due to patched/corrupted atapi.sys & serial.sys files. Copied new files from another XP Pro machine and all is well. Well actually, one of them (serial.sys I believe) had to be copied in safe mode as it was being loaded into memory during normal startup and would simply overwrite the newly copied file under normal operation. Indicators of corrupted files were the HDD not showing up in the device manager, and not being able to access advanced settings for the network adapters (to set binding priority etc.). Also, AVG identified one of them as being patched and indicated possible tampering with the others. Never did get a complete scan from Gmer (was running for about 2.5 hrs) so I can't post a full report from that for reference.

Anyway, thank you all for your assistance in troubleshooting. Have a good one!
A 3rd-party administrator for the company joined the battle and discovered the corrupted files.
Serial.sys was the culprit > TDSS rootkit.

No harm in running Gmer when the machine is idle for a few hours > along with the above-mentioned "sections" to uncheck, also uncheck "files". May speed it up :)