Microsoft Update Error - 0x80072EFF & IP attacks from 213.163.89.xxx

My problem consists mainly of the Windows Update website. When I try to access http://update.microsoft.com, IE or Firefox says it cannot display the page. However, I've managed to access http://www.update.microsoft.com/microsoftu...v6/default.aspx, and upon checking my computer it gives me the error number 0x80072EFF. I had thought the problem lay within the ActiveX component of my browser (since Windows Update requires an ActiveX installation), but I have managed to get www.pcpitstop.com/testax.asp working, whereas previously I was unable to even see the site because IE 8 would close the tab, recover it multiple times and then state that I was unable to access the site.

My system runs Windows XP Pro 32-bit with Service Pack 3. I'm not sure when this started happening, but it must have been within the last couple of months. I noticed that some of my auto updates were not being installed, so I tried to go to the Windows Update website to do so. I run plenty of programs on my system and have Norton Internet Security 2010 (all features turned on, including firewall, antivirus, various browser protections, etc.), MBAM, and Spybot (w/ SDHelper). I recently ran the TFC.exe application I found here to get rid of temp files and have begun scanning some more in safe mode as I write this.

I have seen some of the responses from your technicians and I am highly impressed. Please let me know how I should proceed with fixing this dilemma. I have found this on the web: http://social.answers.microsoft.com/Forums...c6-fee774ca52b5, which seems very similar to my problem. I hope not to resort to formatting my computer, 'cause I have too many files that need to be backed up.

UPDATE: I have noticed that the IP 213.163.89.xxx, with xxx ranging from 105 to 107, keeps trying to access my computer, triggered by IE activity. It attacks consistently for a couple of minutes and then gives up. I believe it redirects me to sites such as http://corporationinformation.com/search.php. Also, I'm unable to click on any picture links in IE, but that's probably associated with my IE settings? For example, the only way to post a new reply or post is to click on the icon before it finishes loading. If it's already loaded, then there appears to be no link, but I can still see the reply button. This has just started happening.

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

The IP range 213.163.89.xxx is for a site in the Netherlands. Your browser has been hijacked. I can help you deal with that when I see the logs.

As for the Windows Update site: the problem can be because of the malware, or it can be due to heavy traffic on the site. Many have problems accessing it. Once we get the malware out, you can see if it's accessible then.

All logs have now been attached.

Attachments

  • mbam-log-2010-06-19 (22-58-13).txt (896 bytes)
  • gmer.log (26.2 KB)
  • DDS.txt (14.5 KB)
  • Attach.txt (2.1 KB)

1. I did not install recovery console, because my system was unable to get an internet connection. Although I am unfamiliar with it, should I install the console?
2. While running DDS and GMER, I had killed many startup processes like MSN, Skype, ATI Tool Tray, MBAM, deactivated Norton, etc. so DDS may not have seen all running processes in my typical bootup.
3. I do not recall having System Restore enabled, but I believe ComboFix enabled it.
4. I was previously infected with ANTIMALWARE DOCTOR, but I think I got rid of it.
5. Is there a big security difference between Firefox and IE8?
6. When I access msconfig, I get the following message: "An Access Denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified changes."
7. Microsoft Update works now.
8. No more IP attacks so far.

Interestingly enough, after running TDSSKiller and ComboFix, I just scanned with Malwarebytes' and there appears to be a trojan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4222

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

21/06/2010 7:50:24 PM
mbam-log-2010-06-21 (19-50-24).txt

Scan type: Full scan (C:\|F:\|)
Objects scanned: 322912
Time elapsed: 1 hour(s), 25 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{19987cee-dee8-49dc-98ec-f21380aa9e68} (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{19987cee-dee8-49dc-98ec-f21380aa9e6a} (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{19987cee-dee8-49dc-98ec-f21380aa9e6b} (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\DivX\DivX Plus DirectShow Filters\daac.ax (Trojan.Dropper) -> Quarantined and deleted successfully.

Okay, so a couple new things I've noticed:
My start menu icons display as links instead of menus (menu was my standard).

Attachments

  • mbam-log-2010-06-21 (19-50-24).txt (1.3 KB)
  • TDSSKiller.2.3.2.0_21.06.2010_14.22.53_log.txt (44.9 KB)
  • combofix.txt (28.6 KB)
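The MBAM log pasted above is a fixed-layout text report: a header block with per-category counts, followed by one section per category listing each item as `location (threat) -> action`. The following parser is an added example, not code from this thread, from Malwarebytes, or from the forum's helpers. It turns such a log into structured records, cross-checks the header counts against the detail lines actually listed (a quick way to spot a truncated or hand-edited log), and pulls out the CLSIDs named in the registry detections so they can be searched for in the other logs (DDS, GMER, ComboFix). The sample input is the poster's own log, abridged to the lines the parser uses; the regular expressions assume the MBAM 1.x layout shown there.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the MBAM 1.46 log from the post above, abridged to the
# lines the parser consumes (banner, version and timing lines dropped).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46

Database version: 4222

Scan type: Full scan (C:\|F:\|)
Objects scanned: 322912

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{19987cee-dee8-49dc-98ec-f21380aa9e68} (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{19987cee-dee8-49dc-98ec-f21380aa9e6a} (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{19987cee-dee8-49dc-98ec-f21380aa9e6b} (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\DivX\DivX Plus DirectShow Filters\daac.ax (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 3"  -> header count for a category
SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Registry Keys Infected:"    -> start of that category's detail section
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
# "<path> (<threat>) -> <action>"  -> one detected item
DETECTION_RE = re.compile(r"^(?P<location>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
GUID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")


@dataclass
class Detection:
    category: str   # e.g. "Registry Keys Infected"
    location: str   # registry path or file path as MBAM printed it
    threat: str     # MBAM family label, e.g. "Trojan.Dropper"
    action: str     # what MBAM did with the item


@dataclass
class MbamReport:
    database_version: str = ""
    objects_scanned: int = 0
    summary: dict = field(default_factory=dict)     # category -> count claimed in the header
    detections: list = field(default_factory=list)  # Detection objects in log order


def parse_mbam_log(text: str) -> MbamReport:
    """Parse an MBAM 1.x text log into header counts plus per-item detections."""
    report = MbamReport()
    section = None  # category of the detail section currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line.startswith("Database version: "):
            report.database_version = line.split(": ", 1)[1]
            continue
        if line.startswith("Objects scanned: "):
            report.objects_scanned = int(line.split(": ", 1)[1])
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary[m["category"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["category"]
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            report.detections.append(Detection(section, m["location"], m["threat"], m["action"]))
    return report


def count_mismatches(report: MbamReport) -> dict:
    """Categories whose header count differs from the detail lines listed: {category: (claimed, listed)}."""
    listed = {}
    for d in report.detections:
        listed[d.category] = listed.get(d.category, 0) + 1
    return {c: (n, listed.get(c, 0)) for c, n in report.summary.items() if n != listed.get(c, 0)}


def registry_clsids(report: MbamReport) -> list:
    """Lower-case GUIDs from registry detections, for searching other logs for the same components."""
    found = set()
    for d in report.detections:
        m = GUID_RE.search(d.location)
        if d.category.startswith("Registry") and m:
            found.add(m.group(0).strip("{}").lower())
    return sorted(found)


if __name__ == "__main__":
    r = parse_mbam_log(SAMPLE_LOG)
    print(f"DB {r.database_version}, {r.objects_scanned} objects, {len(r.detections)} detections")
    print("count mismatches:", count_mismatches(r) or "none")
    print("CLSIDs:", registry_clsids(r))
```

On the poster's log the header counts agree with the detail lines (3 registry keys, 1 file), and the three CLSIDs differ only in their last hex digit, which is the kind of pattern worth carrying over to the ComboFix and DDS logs when deciding whether the component is fully gone.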
Did you go out and download every program you could find, thinking that would make a problem better? It is puzzling why you would get this:

>>2010-06-18 08:11> c:\program files\muBlinder

The purpose of this program is to allow you to put Microsoft Updates (MU) on a system that can't pass validation.
muBlinder (Microsoft Update Blinder) is a program that enables you to download Microsoft updates even if your copy of Windows does not pass Microsoft Update's Genuine Windows Validation test. Though at times this utility may have legitimate uses, the fact that it is typically used to bypass copyrighted material restrictions forces me to designate this as an unwanted program.
I guess it would be prudent to ask if you have a legitimate copy of the Windows operating system?

I recommend that you reformat and reinstall. When you do that, don't put back the driver programs you recently installed. You have so many bad entries that cleaning the system is not an option.