Malware Problems Redirects to fake Microsoft Site

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by oldwhiz, Nov 20, 2006.

  1. oldwhiz

    oldwhiz Private E-2

    Here are the SPECIFIC things that are happening with my computer.

    ***When I connect to the internet, sometimes when I just turn on my computer, I have a yellow update shield waiting. Installs or downloads are waiting in the task bar. Sometimes it disappears quickly. There is no way to shut it down that I can figure. I finally disabled Windows automatic updates for now so I don't have that problem.

    ***A few weeks ago, after I got a new hard drive installed on my computer, I thought I had to re-download the Windows updates for XP SP2. I think I may have been redirected to a bogus site and received SPYWARE downloads instead, tagged as Windows updates. The Windows Update function from the toolbar gets directed to the following: url:http://update.microsoft.com/microso...update.microsoft.com/microsoftupdate&ln=en-us
    When I try to go to http://windowsupdate.microsoft.com/ to download updates, my browser freezes or is redirected to the same link I get from the toolbar. I have tried to backdoor into the updates through Microsoft but am always redirected to the ???IMPOSTER/BOGUS??? address above.

    ****Some programs are marked with UNKNOWN user profiles that cannot be removed even after you edit the inherited details.

    *** MY connection, dial up ;o( , sometimes goes off with no warnings...

    **** I have noticed a lot of duplicate dll files when I did a search for dll. Some of my file names are in blue.

    ****I have lost my favorites menu. I have a backup file but I really don't know how to install it.

    ****I can no longer create folders in favorites/organize favorites. The create button has blue around it and I get this error message: "error 306 Object does not support this property or method". THIS IS RECENT. As of today this began to happen.

    *****When I log into hotmail I am redirected to account services. That also just began happening today.

    *****The calculator is gone from my accessories menu. I did a search for it. It's gone. That just started happening today as well.


    HERE IS WHAT I DID before I read the READ THIS FIRST post.

    ****I have disabled automatic updates.


    ***I have done a lot of scans and followed removal instructions without much luck. Things keep reappearing. I have used them in safe mode and in normal mode.

    ****I have uninstalled all Windows updates now, uninstalled both AVG Spy and Virus programs, Registry Mechanic, Spybot Search and Destroy (I have since downloaded that again and installed in safe mode), ZONE ALARM, ATF Cleaner, and Registry Mechanic. I have downloaded the suggested installs from your site's "Read and Run Me First" lists.

    HERE IS WHAT I HAVE DONE SINCE READING THE POST.

    1) Checked MSCONFIG. It was already on the normal mode.
    A. Used Add/Remove Programs to look for programs you suggested. None found.
    B. Used Windows Explorer to check that all file extensions and hidden files were viewable. It was already correct.
    2) Used Cleanup and CCleaner to remove temp, recycle, and log files.
    3) Found this file while looking for logs:
    C:\Program Files\Common Files\InstallShield\engine\6\Intel 32
    Is that a valid file and path?
    4) Found several files that are in blue in view lists. Including this one: C:\WINDOWS\SoftwareDistribution\DataStore\Logs What is that for?
    5) Downloaded: CCleaner, GetRunKey & ShowNewKey, Spybot S&D, Windows Malicious Software Removal Tool and HijackThis.
    6) Couldn't download Windows Defender (error message said I didn't have Windows Installer, although I do run WIN XP Home w/SP2), so I did download CounterSpy.
    7) After MSCONFIG, I did a CCleaner (safe mode), ran Windows Malicious tool (regular mode). WIN MALICIOUS found no infected files.
    8) Installed CounterSpy, installed updates, and ran CounterSpy. I attempted to get updates. Not sure if I did. Said it was updating but never finished and screen didn't change. Ran it as it was. Nothing found. BUT the active CounterSpy does seem to be curbing some redirects when I am on the net. Although it still couldn't stop the Windows Update redirect to the site: url:http://update.microsoft.com/microso...update.microsoft.com/microsoftupdate&ln=en-us
    9) Smit was downloaded/ran and I have a couple of logs from that attached. I think it found a couple of infections.
    10) Ran/updated BitDefender scan. I have attached the log but it said it found no virus or spyware.
    11) Ran Panda ActiveScan. Log attached.
    12) Run/Show keys installed and ran. I got a log from ShowKey but not from RunKey. RunKey command box said: "ltime is not recognized as an internal or external command, operable program, or batch file." Repeats that for the following commands: LOCATE, grep.
    13) Downloaded/installed/renamed HJT. Scan attached.


    I tried to follow all instructions exactly. I think I did.
    GOOD LUCK and thank you!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like it may just be for Windows Update!

    The site you list is the correct site for Windows Updates! It has changed from what it used to be. This change is not new. It has been like this for quite some time. And to get many Windows Updates (especially for Win XP) your license needs to be authenticated or you will not be able to get various updates.

    Both are valid folders used for updating your software.

    You need to follow the directions in the READ & RUN ME and attach all logs that are requested; however I'm not sure you are having malware problems.
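The question the thread turns on is whether a Windows Update redirect lands on a genuine Microsoft host or on a look-alike. The check below is an added example, not code from the thread or from MajorGeeks: it parses each URL and compares the exact host name against the two Windows Update hosts named in the posts (assumed to be the full trusted set; extend it for your own environment). The sample URLs are constructed for the demonstration; the only real ones are the two hosts from the thread.

```python
from urllib.parse import urlsplit

# Assumption: the only Windows Update hosts we trust are the two named in the
# thread. Exact host match, not substring match, so that look-alike names
# containing "update.microsoft.com" do not pass.
TRUSTED_UPDATE_HOSTS = {
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
}


def host_of(url):
    """Return the lower-cased host of an http(s) URL, or None if it is not one.

    urlsplit() separates user-info ("user@host") and the port from the host,
    so a URL written as http://update.microsoft.com@other.test/ yields
    "other.test", which is what we want to compare against.
    """
    url = url.strip()
    # Forum posts in the thread paste links with a "url:" label in front of
    # the scheme; drop that label before parsing.
    if url.lower().startswith("url:"):
        url = url[4:]
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return None
    return parts.hostname


def is_trusted_update_url(url):
    """True only when the URL's host is exactly one of the trusted hosts."""
    host = host_of(url)
    return host is not None and host in TRUSTED_UPDATE_HOSTS


def audit(urls):
    """Map each URL to its verdict, for a quick review of a list of redirects."""
    return {u: is_trusted_update_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample redirects: the first two use the hosts from the thread,
    # the rest are look-alike shapes that an exact-host check must reject.
    samples = [
        "url:http://update.microsoft.com/CONSTRUCTED-PATH/?ln=en-us",
        "http://windowsupdate.microsoft.com/",
        "http://update.microsoft.com.example.test/",
        "http://example.test/update.microsoft.com/",
        "http://update.microsoft.com@example.test/",
    ]
    for url, ok in audit(samples).items():
        print("trusted " if ok else "SUSPECT ", url)
```

Three of the constructed samples carry the genuine host name somewhere in the URL yet are rejected, because the comparison is on the parsed host alone, not on whether the string contains "microsoft.com". That is the check to apply to any unexpected redirect before deciding it is an imposter.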
     
  3. oldwhiz

    oldwhiz Private E-2

    Chaslang:

    Thank you for your help. The reason I thought the Windows Update was a redirect was that when my computer came back with a new hard drive it had all the most current updates. Glad to hear that is the correct URL. I did attach 3 logs last post (PANDA, SMIT, HIJACK). This post has the additional ones requested. You are the expert, so hope you are correct and I do not have a malware issue.

    Please note: the GetRunKey scan is blank. I didn't attach it because of the issues I told you about earlier.
    Also, CounterSpy has found no malware, so there is no report from that either.



    Thank you :)
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not following the directions for running GetRunKey and ShowNew. That is why you are getting that message. You did not extract ALL the files from the ZIP file and then run the .bat files from a Windows Explorer prompt. You are running them from inside the ZIP file.

    I still don't expect to see any malware problems.
     
