For several days I've not been able to connect to Windows Update ('Server Not Found'), nor to Microsoft Support nor download any security-related software from Microsoft. Also, Windows Firewall is turned off and cannot be turned on. At the same time this happened a "Your Computer is Infected" box began to pop up. Ran Ad-Aware, CCleaner, AVG 8, and Spybot. All of them removed some infected files and Spybot got rid of the pop-ups. I finally installed Sygate Firewall. Still cannot connect to Update or turn on Windows Firewall. Any suggestions?
Cannot connect to Windows Update (16 posts)
You caught yourself a nice virus/trojan with some scamware. You obviously were not able to totally remove it. Try running SuperAntiSpyware. That is a pretty good malware remover. If that does not help, you should reset to a restore point from before the trouble started - if you still have a restore point from that time.
I'm going to take a pure GUESS that you have encountered Antivirus 2008 XP Rogue Malware.
Some of the program will not be detected as a virus.
Check link below for manual removal instructions.
This is a tough malware program to deal with (IF) you have it on your machine.
(whs) probably has the best idea.
Rick P.♦ :)
Thanks for the suggestions. I did run Super AntiSpyWare but had to stop it 3/4 way through. It removed 18 infected files but not the problem. Will run it again tonight all the way through.
It would also help if you had more information from when you get the message "Your Computer is Infected". If there is any name associated with it, we could look whether there is a specific procedure to remove this bugger.
Well, I ran SuperAntiSpyware all the way through. It quarantined 40 some tracking cookies and one file named Trojan.Dluca-I in C:\WINDOWS\SYSTEM32\SNCNTR.EXE and one unclassified file in SYSTEM32\PSOF1.EXE. Problems still exist. Still can't turn Windows Firewall on or update any security related programs. Whenever I try to update AVG, Spybot, SuperAntiSpyware, or AdAware I get "SSL download failed" or "Server not Found". As far as info on the pop-up boxes, the first time I ran Spybot, it took care of them and I can't remember exactly what they said. I looked up the xp-vista spyware site on an uninfected computer but not sure I understand the instructions well enough not to make mistakes. I guess I'll just have to try to find a restore point and hope this thing won't follow it.
Copy of Manual Removal Instructions since your computer is blocking my posted link.
Manual Antivirus XP 2008 Removal Instructions:
Unregister XP Antivirus 2008 DLL Files:
(Use command Mode)(regsvr32 /u filename.dll)
Stop Antivirus XP 2008 Processes:
(Use Task Manager STOP Process)
Find and Delete these Antivirus XP 2008:
(Use Search in Windows)
XPAntivirus on the Web.lnk
XP Antivirus 2008.lnk
Uninstall XP Antivirus 2008.lnk
%common_desktopdirectory%\antivirus xp 2008.lnk
%common_programs%\antivirus xp 2008.lnk
%common_programs%\antivirus xp 2008\antivirus xp 2008.lnk
%common_programs%\antivirus xp 2008\how to register antivirus xp 2008.lnk
%common_programs%\antivirus xp 2008\license agreement.lnk
%common_programs%\antivirus xp 2008\register antivirus xp 2008.lnk
%common_programs%\antivirus xp 2008\uninstall.lnk
%profile%\application data\microsoft\internet explorer\quick launch\antivirus xp 2008.lnk
Remove Antivirus XP 2008 Registry Values:
Told you this is a "Bear" Rogue Ware Program to deal with.
Rick P.♦ :)
OK. Spybot ran an automatic scan this morning and came up with two registry entries called "Microsoft.WindowsSecurityCenter.FirewallBypass". They're called (SBI $D80580B5)Settings and (SBI $B067B5B7)Settings. The paths are "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe" and "ControlSet002". They were removed but update and firewall issues still there.
If the site I gave you is blocked along with others, believe your machine is infected with (Antivirus XP 2008) or a variation.
You can see from the manual clean up instructions I posted that your Files and Registry will be a complete "MESS" even if you succeed in getting the infection stopped.
Strongly Suggest you Clean Install the machine O/S from scratch as you will (NEVER) get the machine back to its original state. Too many changes have been made.
Sorry to be the "Bearer of Bad News" but tis my lot on HTG.
When first run, Troj/Dluca-I copies itself to the Windows system folder as sncntr.exe and creates the following registry entry, so that sncntr.exe is run automatically on startup:
sncntr = %SYSTEM%\sncntr.exe /nocomm
Registry entries are also created under:
Troj/Dluca-I can be uninstalled via the Add or Remove Programs dialog in the Windows Control Panel (Start - Settings - Control Panel - Add/Remove Programs) by selecting "sncntr" from the list.
The Fact is that your machine has been infected by (SOMETHING) which has made many, many changes to your system.
I always advocate a System Clean Install in such cases as you have NO way of knowing what has been changed in the thousands of files and registry keys.
The odds of finding and fixing all the "bad" items and entries are in the millions because of the complexity and the dependencies in the O/S.
I can only speak for myself as to how I would solve the issue quickly and move on.
Rick P.♦ :)
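The two traces named in this thread (an autostart value that launches sncntr.exe, and an explorer.exe entry in the firewall AuthorizedApplications list under each control set) can be checked from a clean machine against a registry export taken from the affected one. The script below is an added example, not part of the original posts: the function names are hypothetical, the sample export is constructed, and the Run key used in the sample is an assumption because the post leaves out the key name.

```python
import re

# Constructed sample .reg export. The Run key is an assumption (the post omits
# the key name); the firewall list path is the one Spybot reported.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sncntr"="C:\\WINDOWS\\system32\\sncntr.exe /nocomm"
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Firewall exception list for the standard profile, in any control set.
FW_LIST_RE = re.compile(
    r'\\(?:ControlSet\d{3}|CurrentControlSet)\\Services\\SharedAccess\\Parameters'
    r'\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List$', re.I)

def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if KEY_RE.match(line):
            key = KEY_RE.match(line).group(1)
        elif key and VAL_RE.match(line):
            name, data = VAL_RE.match(line).groups()
            # .reg files escape backslashes and quotes with a backslash
            yield key, re.sub(r'\\(.)', r'\1', name), re.sub(r'\\(.)', r'\1', data)

def audit(text):
    """Return (finding, key, value_name) tuples for the two traces in the thread."""
    findings = []
    for key, name, data in parse_reg(text):
        if 'sncntr.exe' in data.lower():
            findings.append(('autostart', key, name))
        elif (FW_LIST_RE.search(key) and name.lower().endswith('\\explorer.exe')
              and ':enabled' in data.lower()):
            findings.append(('firewall-bypass', key, name))
    return findings

if __name__ == '__main__':
    for finding in audit(SAMPLE_REG):
        print(*finding, sep=' | ')
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so read a real file with `open(path, encoding='utf-16')` before passing its text to `audit`.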