Windows XP Pro machine can't access Microsoft Update website after virus cleanup

Hello all! I've got an XP Pro machine that picked up an infection (bogus software scanner). After a relatively painless cleanup, things are mostly back to normal. The virus had removed the ability to run executables (which other postings on E-E helped me to resolve), but the last remaining issue that I'm seeing is not being able to access the website update.microsoft.com. Every attempt simply yields "Internet Explorer Cannot Display the Web Page". The machine can browse other sites, and I've confirmed that the MS update site is up on neighboring machines. I've restored all IE settings to defaults, and reloaded SP3 in an attempt to repair the damage. No luck though.

Thanks in advance for the help!
LVL 3
jostafew (Systems Administrator) asked:
optoma commented:
Run Hitman Pro http://www.surfright.nl/en/hitmanpro
Run Tdsskiller.exe http://support.kaspersky.com/viruses/solutions?qid=208280684

Post logfiles afterwards if anything detected :)
0

edbedb commented:
Run Winsock Xp Fix, you can get it here.
http://www.snapfiles.com/get/winsockxpfix.html 
0
jostafew (Systems Administrator, Author) commented:
Ran the winsock repair, but no improvement. Running the scans now.
0
edbedb commented:
Make sure the proxy setting isn't selected, unless it is supposed to be.
Tools>Internet options>Connections>Lan settings.
0
B H commented:
You still have a rootkit you need to get rid of... that, and check your DNS settings, make sure they're not hardcoded to some foreign country.

fix the rootkit: www.gmer.net
fix the dns:  control panel > network > local area connection > properties > tcpip > get automatically
0
mrcannon commented:
Have you checked to make sure the hosts file was not modified?  If a bogus entry exists for ms update site it could block access.

Check the c:\windows\drivers\etc\hosts file with Notepad to see if any erroneous entries exist. Delete anything related to MS update. Or for that matter, it is unlikely you need any hosts file entries, but make a backup if you are unsure before deleting stuff.

take care.
0
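The hosts-file check suggested above, written out as a small added example (not code from the thread): it parses hosts-file text and lists every entry that overrides a Microsoft Update name, whether it points at loopback, 0.0.0.0 or a remote address. The sample hosts content is constructed; the default path is the standard Windows location, which differs from the path quoted in the comment.

```python
import ipaddress

# Constructed sample hosts file content (not from the thread); the last
# two lines are the kind of overrides a hijacked machine might carry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.microsoft.com
0.0.0.0         windowsupdate.microsoft.com  # bogus sinkhole
"""

# Domains Windows Update depends on; a hosts entry for any name under
# them bypasses DNS and is suspect on a box that cannot reach the site.
UPDATE_DOMAINS = ("microsoft.com", "windowsupdate.com")


def _under(name, domain):
    """True when name is domain itself or a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and junk lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # not an address: malformed line, ignore it
        for name in parts[1:]:
            yield ip, name.lower()


def suspicious_entries(text):
    """Hosts entries that override a Windows Update domain, in file order."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if any(_under(name, d) for d in UPDATE_DOMAINS)]


def check_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the check against the live hosts file (default: standard XP path)."""
    with open(path, encoding="utf-8", errors="ignore") as f:
        return suspicious_entries(f.read())
```

An empty result means the hosts file is not what blocks the site and the next suspects are the proxy setting, DNS, and the rootkit itself.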
mrcannon commented:
Run malwarebytes as well if you have not done that yet....
0
jostafew (Systems Administrator, Author) commented:
Ok, back at it this morning. Before I left I ran the scans requested by optoma (Hitman & Tdsskiller), I've attached the results as screenshots. The four ECCO375... files that were found in Hitman were canceled by me as I know that those files are legit installation files.

I am carrying on with other experts' comments, will report as I go. Thanks everyone!
hitman-report.bmp
tdsskiller.bmp
0
optoma commented:
Tdsskiller shows atapi.sys as infected. Did you select "yes" and let Tdsskiller restart the machine?
0
jostafew (Systems Administrator, Author) commented:
I ran Malwarebytes early on during the cleaning. Detected and removed a few objects. I also checked for any proxy configuration, which was nil. I also had a look for any strange DNS settings for both network adapters (copper & wireless), but all are default settings w/DHCP.
0
jostafew (Systems Administrator, Author) commented:
Yes exactly optoma, continued with the cleaning and restarted the machine. I will run the utility again to confirm that it was cleaned.
0
optoma commented:
Best to run it now. If you get the same infected result run gmer as suggested>>

Make sure antivirus and any other security programs' shields/real-time scanners are disabled before running Gmer.
Have no other programs open
http://www.gmer.net/download.php

If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then uncheck the following:
    >  IAT/EAT
    > Drives/Partitions other than OS Systemdrive (typically C:\)
    > Show All (don't miss this one)

Then hit scan and leave machine idle to run Gmer scan
When completed, hit save button and attach its logfile
0
jostafew (Systems Administrator, Author) commented:
Ok, confirmed that the only security software on the machine is AVG and its resident shield (realtime protection) has been disabled. I re-ran Tdsskiller which showed that the cleaning was not successful. I am now running Gmer which seems to SERIOUSLY bog down the machine. Has been running for at least an hour now. First couple of attempts caused system instability, one of which resulted in me restarting the machine after it locked up, and the other ended with the machine restarting itself. After disabling the screen-saver to keep a better eye on the process it continues to run, but attempting to do anything else with the machine at the same time is impossible. I will post the log file once the scan completes.
0
optoma commented:
Yes, as I mentioned above :)

"leave machine idle to run Gmer scan"
0
jostafew (Systems Administrator, Author) commented:
Ok, not the answer we're all after, but the problem was due to patched/corrupted atapi.sys & serial.sys files. Copied new files from another XP Pro machine and all is well. Well actually, one of them (serial.sys I believe) had to be copied in safe mode as it was being loaded into memory during normal startup and would simply overwrite the newly copied file under normal operation. Indicators of corrupted files were the HDD not showing up in the device manager, and not being able to access advanced settings for the network adapters (to set binding priority etc.). Also, AVG identified one of them as being patched and indicated possible tampering with the others. Never did get a complete scan from Gmer (was running for about 2.5hrs) so I can't post a full report from that for reference.

Anyway, thank you all for your assistance in troubleshooting. Have a good one!
0
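The resolution above came down to spotting that two system drivers no longer matched a clean XP Pro machine. As an added example (not code from the thread), this compares hashes of the drivers named in the post against a manifest taken from a known-good box; it assumes both machines run the same XP build and service pack, since legitimate driver hashes differ between builds. The demo scenario uses constructed temporary files, not real drivers.

```python
import hashlib
import os
import tempfile

# The two drivers the thread found patched; extend the tuple as needed.
WATCHED_DRIVERS = ("atapi.sys", "serial.sys")


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large drivers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(driver_dir, names=WATCHED_DRIVERS):
    """Map each watched driver name to its hash, or None when absent."""
    manifest = {}
    for name in names:
        path = os.path.join(driver_dir, name)
        manifest[name] = sha256_file(path) if os.path.isfile(path) else None
    return manifest


def compare_manifests(reference, observed):
    """Return {name: 'missing' | 'modified'} for drivers that differ.

    Drivers identical to the clean machine are omitted, so an empty
    result means every watched driver matches the reference.
    """
    findings = {}
    for name, ref_hash in reference.items():
        obs = observed.get(name)
        if obs is None:
            findings[name] = "missing"
        elif obs != ref_hash:
            findings[name] = "modified"
    return findings


def demo():
    """Constructed scenario: clean tree vs. a tree with a patched atapi.sys."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as bad:
        for d in (clean, bad):
            with open(os.path.join(d, "serial.sys"), "wb") as f:
                f.write(b"MZ-serial-driver-bytes")  # unchanged on both
        with open(os.path.join(clean, "atapi.sys"), "wb") as f:
            f.write(b"MZ-atapi-driver-bytes")
        with open(os.path.join(bad, "atapi.sys"), "wb") as f:
            f.write(b"MZ-atapi-driver-bytes-PATCHED")  # simulated tampering
        return compare_manifests(build_manifest(clean), build_manifest(bad))
```

Run build_manifest against the infected machine from safe mode or an offline boot, as the post describes, so a loaded rootkit driver cannot hide or rewrite the file while it is being read.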
jostafew (Systems Administrator, Author) commented:
3rd party administrator for the company joined the battle and discovered the corrupted files.
0
optoma commented:
Serial.sys was the culprit > TDSS rootkit.

No harm to run Gmer when machine idle for few hours>along with the above mentioned "sections" to uncheck, also uncheck "files". May speed it up :)
0