Cannot Access Windows Update, Symantec; Search Engine Results Redirect


Okay, I'm stuck.

A computer was brought in with all sorts of problems, the biggest problem appeared to be Anti Virus XP 2008 (which was removed).

However, after removing the virus I noticed I could not get to Windows Update or Microsoft Update. I checked the hosts file, nothing. I also noticed all of the usernames missing from task manager.

I started working on diagnosing this problem and noticed I could not get to anything security related (Symantec, McAfee, CA, Microsoft Support, etc.).

Search engines are redirecting to unknown sites. Again, I checked the hosts file.

I reset all settings in IE 7, uninstalled IE 7, scrubbed the registry, cleaned up all temp files, etc. Nothing worked.

I found oembios.exe and removed it (after removing this file all of the usernames returned to task manager).

So yeah, I'm stuck. Any help? Serious posts only. Thanks.
Check the hosts file... it may have been hijacked... Fairly common trick for malware to put malicious entries into the hosts file to redirect commonly used sites.

Spybot S&D and HijackThis! if you haven't already.
Did you read my post before responding? I said I checked hosts file (I actually said it twice). Spybot is worthless and HiJackThis revealed oembios.exe and nothing else.
Matt, check here - a few tools I have collected over the years that help from time to time in situations like this.

I would suggest running LSPFix.exe as this will fix any Winsock issues that might have been caused by the nasties installing themselves and the tools not removing them properly.

But if any of those things don't help you can always refer back to the PC repairer's mantra

"fresh install cures all" :p
Problem is, the computer belongs to a CPA and he has every version of accounting and tax software known to man. It would take hours to reinstall all of those.

I will give those two suggestions a go. Thanks Carp.
some things still uploading ;) almost done

edit: now they are all there
Hey Matt;
I know you said that IE was reinstalled but I wonder if this problem has to do with cookies that are blocked and/or maybe Proxy settings? That are for some reason not getting reset when you Reset defaults within the browser?

I would head to Internet Options, under the Security tab/Restricted sites, then the Privacy tab to check for blocked cookies, and also the Connections tab, LAN settings, and take a look at the proxy settings there. Pretty much just a see-for-yourself thing.

One other thing what about similar settings within firewall software if any firewall is used also you said that the temp files were dealt with but what about deleting cookies have you done that?

I would also be curious to know if another browser was installed (for testing only) would you then be able to reach security related sites? I tend to believe after all you’ve done the problem may be browser related.
Did you read my post before responding? I said I checked hosts file (I actually said it twice). Spybot is worthless and HiJackThis revealed oembios.exe and nothing else.

Doh. Evidently didn't read it carefully enough. I'll be quiet now. :crosseyed:
Just thought of something else that may have happened?

The malware might have been smart enough to change the path to the host file in the registry to a different file of a different name so the system may not be using the original Host file?

To find out, open the registry and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\. Click on the Parameters folder, look to the right at “DataBasePath” and see if it leads the system to look where the host file should be
“system drive letter here/system32/drivers/etc” OR someplace else on the system where a bogus host file has been placed.

It would be easy to overlook this if it’s what has happened.
bush dogg, I deleted all temp files including IE's. I checked all settings, including proxy settings. Everything is correct.

iexplore.exe is starting with Windows, but I've gone through the registry and looked at the run keys and policy keys. Nothing.

Firefox was installed and tested. Same thing happens. Can't get to WU, MU, Symantec, McAfee, etc. Search results are redirected.
bush dogg,

Just checked, everything is normal. Good idea, too bad.
Did Ad-Aware or Spybot find anything? I know you don't like them but sometimes they do find things, and could you run HijackThis and give a log just in case :)
I ran them all. Trust me, there is nothing in the HJT log besides the obvious stuff.
I guess the system could be checking old cached DNS entries. Have you tried the “ipconfig /flushdns” command, without the quotes?

If I remember right the system will check cached DNS entries before it checks the hosts file.
Sounds like something is using IE to either check for something (update to a program maybe). I would check the add/remove section for anything that may look suspect (which I believe you have already done) and check the services under admin tools just in case.

New nasties are coming out all the time so might be something new that all the scanners are missing.

Did LSPFix find anything? I know with Bonjour it doesn't pick it up as an issue till after you uninstall it.
A shot in the dark but maybe a DNS server is specified and that server is setup to block those sites by providing either no or false IPs.
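The name-resolution checks suggested in this thread (hosts file, the DataBasePath registry value, configured DNS servers, proxy settings) can be collected in one read-only pass. The PowerShell below is an added example, not something posted by anyone in the thread; the expected default path, the per-interface NameServer/DhcpNameServer values and the Internet Settings proxy values are assumptions about a stock Windows install.

```powershell
# Added triage sketch: read-only, changes nothing on the machine.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# 1. Where does the resolver look for the hosts file?
#    Assumed default: %SystemRoot%\System32\drivers\etc
$expected = Join-Path $env:SystemRoot 'System32\drivers\etc'
$dbPath   = (Get-ItemProperty -Path $tcpip).DataBasePath
if (-not $dbPath) {
    Write-Warning 'DataBasePath value is missing'
    $dbPath = $expected
} else {
    $dbPath = [Environment]::ExpandEnvironmentVariables($dbPath)
    if ($dbPath.TrimEnd('\') -ine $expected) {
        Write-Warning "DataBasePath points to '$dbPath' (expected '$expected')"
    }
}

# 2. Active (non-comment) entries in the hosts file actually in use,
#    ignoring the stock localhost lines.
$hosts = Join-Path $dbPath 'hosts'
if (Test-Path $hosts) {
    Get-Content $hosts |
        Where-Object { $_ -match '^\s*[^#\s]' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*(#.*)?$' } |
        ForEach-Object { Write-Warning "hosts entry: $_" }
} else {
    Write-Warning "No hosts file found in $dbPath"
}

# 3. DNS servers per interface: static (NameServer) and DHCP-assigned.
#    Compare these against what the router or ISP is supposed to hand out.
Get-ChildItem "$tcpip\Interfaces" | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($p.NameServer -or $p.DhcpNameServer) {
        New-Object PSObject -Property @{
            Interface = $_.PSChildName
            Static    = $p.NameServer
            Dhcp      = $p.DhcpNameServer
        }
    }
} | Format-Table Interface, Static, Dhcp -AutoSize

# 4. Per-user proxy settings for the account running the script.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Get-ItemProperty -Path $inet |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List
```

A clean result here only rules out these four places; it does not cover the modified-DLL case described later in the thread.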
Stupid question, but I'm guessing you have tried using the direct IP to Windows Update?
I let curiosity get the better of me a few months back and bumped into the same issue. Turned out that DLLs had been hacked directly to prevent certain sites/actions.

I had to do a full reload - none of the utils I use, AV suites I ran over my PC or repair installs did any good.

In the end I had no choice but format and reload.
What I would do is reinstall the antivirus and reset everything to default settings, then uninstall it again. I had to do that numerous times with older Zone Alarms.

Also, when you uninstalled it, did you take it completely out? The registry, temp files, app data folder, etc.?
Is he using AVG 8? I know that has a little quirk with its DNS checking; did while I was doing my placement at PC World.

Kept saying that it couldn't find DNS server, and the customer was trying to say it was the laptop he bought. Disabled AVG 8 completely and showed him it was working, so it wasn't the laptop.
