Cannot Access Windows Update, Symantec; Search Engine Results Redirect

[madmatt]

Okay, I'm stuck.

A computer was brought in with all sorts of problems, the biggest problem appeared to be Anti Virus XP 2008 (which was removed).

However, after removing the virus I noticed I could not get to Windows Update or Microsoft Update. I checked the hosts file, nothing. I also noticed all of the usernames missing from task manager.

I started working on diagnosing this problem and noticed I could not get to anything security related (Symantec, McAfee, CA, Microsoft Support, etc.).

Search engines are redirecting to unknown sites. Again, I checked the hosts file.

I reset all settings in IE 7, uninstalled IE 7, scrubbed the registry, cleaned up all temp files, etc. Nothing worked.

I found oembios.exe and removed it (after removing this file all of the usernames returned to task manager).

So yeah, I'm stuck. Any help? Serious posts only. Thanks.

 

[bmclaughlin807]

Check the hosts file... it may have been hijacked... Fairly common trick for malware to put malicious entries into the hosts file to redirect commonly used sites.

Spybot S&D and HijackThis! if you haven't already.

 

[madmatt]

Did you read my post before responding? I said I checked hosts file (I actually said it twice). Spybot is worthless and HiJackThis revealed oembios.exe and nothing else.

 

[Dark Atheist]

matt check here http://carpo.osnn.net/cleaners - a few tools i have collected over the years that help from time to time in situations like this.

I would suggest running LSPFix.exe as this will fix any winsock issues that might have been cause with the nasties installing themselves and the tools not removing them properly.

But if any of those things dont help you can always refer back to the pc repairers mantra

"fresh install cures all"

 

[madmatt]

Problem is, the computer belongs to a CPA and he has every version of accounting and tax software known to man. It would take hours to reinstall all of those.

I will give those two suggestions a go. Thanks Carp.

 

[Dark Atheist]

some things still uploading almost done

edit: now they are all there

 

[bush dogg]

Hey Matt;
I know you said that IE was reinstalled but I wonder if this problem has to do with cookies that are blocked and/or maybe Proxy settings? That are for some reason not getting reset when you Reset defaults within the browser?

I would Head to internet options under security tab/restricted sites then privacy tab check for blocked cookies and also the connections tab Lan settings and take a look at the Proxy settings there. Pretty much just a see for yourself thing.

One other thing what about similar settings within firewall software if any firewall is used also you said that the temp files were dealt with but what about deleting cookies have you done that?

I would also be curious to know if another browser was installed (for testing only) would you then be able to reach security related sites? I tend to believe after all you’ve done the problem may be browser related.

 

[bmclaughlin]

Did you read my post before responding? I said I checked hosts file (I actually said it twice). Spybot is worthless and HiJackThis revealed oembios.exe and nothing else.

Doh. Evidently didn't read it carefully enough. I'll be quiet now. :crosseyed:

 

[bush dogg]

Just thought of something else that may have happened?

The malware might have been smart enough to change the path to the host file in the registry to a different file of a different name so the system may not be using the original Host file?

To find out open the registry and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Click on Parameters folder,look to right at “DataBasePath” see if it leads the system to look where the host file should be
“system drive letter here/system32/drivers/etc” OR someplace else on the system where a bogus host file has been placed.

It would be easy to overlook this if it’s what has happened.

 

[madmatt]

bush dogg, I deleted all temp files inluding IE's. I checked all settings, including proxy settings. Everything is correct.

iexplore.exe is starting with Windows, but I've gone through the registry and looked at the run keys and policy keys. Nothing.

Firefox was installed and tested. Same thing happens. Can't get to WU, MU, Symantec, McAfee, etc. Search results are redirected.

 

[madmatt]

bush dogg,

Just checked, everything is normal. Good idea, too bad.

 

[Dark Atheist]

did adaware or spybot find anything, i know you dont like them but some times they do find things, and could you run hijackthis and give a log just in case

 

[madmatt]

I ran them all. Trust me, there is nothing in the HJT log besides the obvious stuff.

 

[bush dogg]

I guess the system could be checking old cashed DNS entries have you tried the “ipconfig /flushdns” command without the quotes.

If I remember right the system will check Cashed DNS entries before it checks the Host file.

 

[Dark Atheist]

sounds like something is using ie to either check for something (update to a program maybe) i would check the add/remove section for anything that may look suspect (which i believe you have already done) and check the services under admin tools just in case.

New nasties are coming out all the time so might be something new that all the scanners are missing.

Did lspfix find anything? I know with bonjour it doesnt pick it up as an issue till after you uninstall it

 

[Admiral Michael]

A shot in the dark but maybe a DNS server is specified and that server is setup to block those sites by providing either no or false IPs.

 

[Dark Atheist]

stupid question but im guessing you have tried using the direct ip to windows update ?

65.55.25.93

 

[LordOfLA]

I let curiosity get the better of me a few months back and bumped into the same issue. Turned out that DLL's had been hacked directly to prevent certain sites/actions.

I had to do a full reload -non of the utils I use, AV suites I ran over my pc or repair installs did any good.

In the end I had no choice but flormat and reload.

 

[Johnny]

What I would do is reinstall the antivirus and reset everything to default settings, then uninstall it again. I had to that numerous times with older Zone Alarms.

Also when you uninstalled it; did you take it completely out? the registry, temp files, app data folder, etc. ?

 

[Dark Atheist]

is he using avg 8? i know that has a little quirk with its dns checking, did while i was doing my placement at pc world.

kept saying that it couldnt find dns server, and the customer was trying to say it was the laptop he bought, disabled avg 8 completly and showed him it was working so it wasnt the laptop