TechSpot

Microsoft Update Error - 0x80072EFF & IP attacks from 213.163.89.xxx

By Kalishnakov
Jun 19, 2010
  1. My problem consists of mainly the Windows Update website. When I try to access http://update.microsoft.com, IE or Firefox says it cannot display the page. However, I've managed to access http://www.update.microsoft.com/microsoftu...v6/default.aspx and upon checking my computer, it gives me the error number: 0x80072EFF. I had thought the problem lay within the ActiveX component of my browser (since Windows Update requires an ActiveX installation), but I have managed to get www.pcpitstop.com/testax.asp working whereas previously I was unable to even see the site because IE 8 would close the tab, recover it multiple times and then state that I was unable to access the site.

    My system runs on Windows XP PRO 32bit version with service pack 3. I'm not sure as to when this has started happening, but it must have been within the last couple months? I noticed that some of my auto updates were not being installed so I tried to go to the Windows Update website to do so. I run plenty of programs on my system and have Norton Internet Security 2010 (all features turned on including firewall, antivirus, various browser protections, etc), MBAM, Spybot (w/ SDHelper). I recently ran the TFC.exe application I found here to get rid of temp files and have begun scanning some more in safe mode as I write this.

    I have seen some of the responses from your technicians and I am highly impressed. Please let me know how I should proceed to fix this dilemma. I have found this on the web: http://social.answers.microsoft.com/Forums...c6-fee774ca52b5 which seems very similar to my problem. I hope to not resort to formatting my computer, 'cause I have too many files that need to be backed up.

    UPDATE: I have noticed this IP 213.163.89.xxx, xxx ranging from 105 to 107, keeps trying to access my computer and is triggered by IE activity. It attacks consistently for a couple minutes and gives up. I believe it redirects me to sites such as: http://corporationinformation.com/search.php. Also, I'm unable to click on any picture links on IE, but that's probably associated with my IE settings? For example, the only way to post a new reply or post is to click on the icon before it finishes loading. If it's already loaded, then there appears to be no link, but I can still see the reply button. This has just started happening.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    The IP range 213.163.89.xxx is for a site in the Netherlands. Your browser has been hijacked. I can help you deal with that when I see the logs.

    As for the Windows Update site: the problem can be because of the malware or it can be due to heavy traffic on the site. Many have problems accessing it; once we get the malware out, you can see if it's accessible then.
     
  3. Kalishnakov

    Kalishnakov TS Rookie Topic Starter

    I failed to mention that not too long ago I had removed ANTIMALWARE DOCTOR which somehow got into my system.
     
  4. Kalishnakov

    Kalishnakov TS Rookie Topic Starter

    All logs have now been attached.
     

  5. Kalishnakov

    Kalishnakov TS Rookie Topic Starter

    Let me know if I should include any other logs (hijackthis, OTL, etc)

    Thanks.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm working on it now. I took the weekend off to play.
     
  7. Kalishnakov

    Kalishnakov TS Rookie Topic Starter

    1. I did not install recovery console, because my system was unable to get an internet connection. Although I am unfamiliar with it, should I install the console?
    2. While running DDS and GMER, I had killed many startup processes like MSN, Skype, ATI Tool Tray, MBAM, deactivated Norton, etc. so DDS may not have seen all running processes in my typical bootup.
    3. I do not recall having System Restore enabled, but I believe ComboFix enabled it.
    4. I was previously infected with ANTIMALWARE DOCTOR, but I think I got rid of it.
    5. Is there a big security difference between Firefox and IE8?
    6. When I access msconfig, I get the following message: "An Access Denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified changes."
    7. Microsoft Update works now.
    8. No more IP attacks so far.

    Interestingly enough, after running TDSSKiller and ComboFix, I just scanned with Malwarebytes' and there appears to be a trojan:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4222

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    21/06/2010 7:50:24 PM
    mbam-log-2010-06-21 (19-50-24).txt

    Scan type: Full scan (C:\|F:\|)
    Objects scanned: 322912
    Time elapsed: 1 hour(s), 25 minute(s), 47 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{19987cee-dee8-49dc-98ec-f21380aa9e68} (Trojan.Dropper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{19987cee-dee8-49dc-98ec-f21380aa9e6a} (Trojan.Dropper) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{19987cee-dee8-49dc-98ec-f21380aa9e6b} (Trojan.Dropper) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Program Files\DivX\DivX Plus DirectShow Filters\daac.ax (Trojan.Dropper) -> Quarantined and deleted successfully.



    Okay, so a couple new things I've noticed:
    My start menu icons display as links instead of menus (menu was my standard).
     
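The Malwarebytes log posted above follows a fixed text layout: a header block, a summary block with one count per category, then one section per category listing each detection as `<item> (<threat name>) -> <action taken>`. When a helper reviews a posted log, the first checks are whether the detailed sections agree with the summary counts and whether every detection was actually quarantined. The parser below is an added example, not code from the thread or from Malwarebytes; it embeds the log from the post above as constructed sample input (trimmed of a few empty sections), and the function names `parse_mbam_log`, `check_summary` and `threat_counts` are this example's own.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample input: the MBAM 1.46 log posted in the thread, with a few
# of the empty "(No malicious items detected)" sections dropped to keep it short.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46

Database version: 4222

Scan type: Full scan (C:\|F:\|)
Objects scanned: 322912

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{19987cee-dee8-49dc-98ec-f21380aa9e68} (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{19987cee-dee8-49dc-98ec-f21380aa9e6a} (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{19987cee-dee8-49dc-98ec-f21380aa9e6b} (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\DivX\DivX Plus DirectShow Filters\daac.ax (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

# Summary line ("Files Infected: 1"), section header ("Files Infected:") and
# one detection line ("<item> (<threat>) -> <action taken>").
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
DETECT_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")


@dataclass(frozen=True)
class Detection:
    category: str
    item: str
    threat: str
    action: str


def parse_mbam_log(text):
    """Split an MBAM 1.x log into header metadata, the summary counts and the
    detection lines of each section."""
    summary, detections, meta, current = {}, defaultdict(list), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SUMMARY_RE.match(line):
            summary[m["cat"]] = int(m["n"])
        elif m := SECTION_RE.match(line):
            current = m["cat"]
            detections.setdefault(current, [])
        elif current is not None:
            # Inside a section: keep real detections, skip "(No malicious items detected)".
            if m := DETECT_RE.match(line):
                detections[current].append(Detection(current, m["item"], m["threat"], m["action"]))
        elif ": " in line:
            # Header lines such as "Database version: 4222" before the summary block.
            key, _, value = line.partition(": ")
            meta[key] = value
    return {"summary": summary, "detections": dict(detections), "meta": meta}


def check_summary(parsed):
    """Return (category, summary_count, counted) for every section whose
    detection lines do not match the summary block; [] means the log is consistent."""
    return [(cat, n, len(parsed["detections"].get(cat, [])))
            for cat, n in parsed["summary"].items()
            if len(parsed["detections"].get(cat, [])) != n]


def threat_counts(parsed):
    """Count detections per threat name across all sections."""
    return Counter(d.threat for items in parsed["detections"].values() for d in items)


if __name__ == "__main__":
    result = parse_mbam_log(SAMPLE_LOG)
    print(result["summary"], dict(threat_counts(result)), check_summary(result))
```

Run against the posted log, `check_summary` returns an empty list (three registry keys and one file, matching the summary) and `threat_counts` reports four `Trojan.Dropper` hits; a log whose summary and sections disagree, or whose actions are not "Quarantined ...", is the kind a helper would ask to have re-run before drawing conclusions.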

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you go out and download every program you could find, thinking that would make a problem better? It is puzzling why you would get >>2010-06-18 08:11> c:\program files\muBlinder
    The purpose of this program is to allow you to put Microsoft Updates (mu) on a system that can't pass validation.
    I guess it would be prudent to ask if you have a legitimate copy of the Windows operating system?

    I recommend that you reformat and reinstall. When you do that, don't put back the driver programs you recently installed. You have so many bad entries that cleaning the system is not an option.
     
Topic Status:
Not open for further replies.
