Cannot connect to Windows Update

(16 posts)
  • Started 5 years ago by grounger
  • Latest reply from raphoenix
  • Topic Viewed 54189 times

grounger
Posts: 8

For several days I've not been able to connect to Windows Update ('Server Not Found'), nor to Microsoft Support nor download any security-related software from Microsoft. Also, Windows Firewall is turned off and cannot be turned on. At the same time this happened a "Your Computer is Infected" box began to pop up. Ran Ad-Aware, CCleaner, AVG 8, and Spybot. All of them removed some infected files and Spybot got rid of the pop-ups. I finally installed Sygate Firewall. Still cannot connect to Update or turn on Windows Firewall. Any suggestions?

Posted 5 years ago
 
grounger
Posts: 8

I'm running XP.

Posted 5 years ago
 
whs
Posts: 17584

You caught yourself a nice virus/trojan with some scamware. You obviously were not able to totally remove it. Try running SuperAntiSpyware. That is a pretty good malware remover. If that does not help, you should reset to a restore point from before the trouble started - if you still have a restore point from that time.

Posted 5 years ago
 
raphoenix
Posts: 14920

grounger,

I'm going to take a pure GUESS that you have encountered Antivirus 2008 XP Rogue Malware.
Some of the program will not be detected as a virus.
Check link below for manual removal instructions.
This is a tough malware program to deal with (IF) you have it on your machine.
http://www.xp-vista.com/spywar.....virus-2008
(whs) probably has the best idea.
Kindest Regards,
Rick P.♦ :)

Posted 5 years ago
 
grounger
Posts: 8

Thanks for the suggestions. I did run Super AntiSpyWare but had to stop it 3/4 way through. It removed 18 infected files but not the problem. Will run it again tonight all the way through.

Posted 5 years ago
 
grounger
Posts: 8

ps. The xp-vista link from raphoenix is also blocked. No problems with the internet except for any site that may have a solution. I think it knows what I'm trying to do.

Posted 5 years ago
 
whs
Posts: 17584

It would also help if you had more information from when you get the message "Your Computer is Infected". If there is any name associated with it, we could look whether there is a specific procedure to remove this bugger.

Posted 5 years ago
 
grounger
Posts: 8

Well, I ran SuperAntiSpyware all the way through. It quarantined 40 some tracking cookies and one file named Trojan.Dluca-I in C:\WINDOWS\SYSTEM32\SNCNTR.EXE and one unclassified file in SYSTEM32\PSOF1.EXE. Problems still exist. Still can't turn Windows Firewall on or update any security related programs. Whenever I try to update AVG, Spybot, SuperAntiSpyware, or AdAware I get "SSL download failed" or "Server not Found". As far as info on the pop-up boxes, the first time I ran Spybot, it took care of them and I can't remember exactly what they said. I looked up the xp-vista spyware site on an uninfected computer but not sure I understand the instructions well enough not to make mistakes. I guess I'll just have to try to find a restore point and hope this thing won't follow it.

Posted 5 years ago
 
whs
Posts: 17584

The name helped. I found the removal procedure http://www.sophos.com/security.....lucai.html

Posted 5 years ago
 
grounger
Posts: 8

Thanks. Can't connect to the site on this computer, but will try later at home and keep you informed.

Posted 5 years ago
 
raphoenix
Posts: 14920

grounger,

Copy of Manual Removal Instructions since your computer is blocking my posted link.
================================================
Manual Antivirus XP 2008 Removal Instructions:

Unregister XP Antivirus 2008 DLL Files:
(Use command Mode)(regsvr32 /u filename.dll)
%ProgramFiles%\[RANDOM NAME]\MFC71.dll
%ProgramFiles%\[RANDOM NAME]\MFC71ENU.DLL
%ProgramFiles%\[RANDOM NAME]\msvcp71.dll
%ProgramFiles%\[RANDOM NAME]\msvcr71.dll
%ProgramFiles%\[RANDOM NAME]\shlwapi.dll
%ProgramFiles%\[RANDOM NAME]\wininet.dll

Stop Antivirus XP 2008 Processes:
(Use Task Manager STOP Process)
vav.exe
XPAntivirus.exe
XPAntivirusUpdate.exe
xpa.exe
xpa2008.exe
braviax.exe

Find and Delete these Antivirus XP 2008:
(Use Search in Windows)
xpa.exe
vav.exe
xpa2008.exe
xpa_2008.exe
XPAntivirus.exe
braviax.exe
XPAntivirusUpdate.exe
XPAntivirus.lnk
Uninstall XPAntivirus.lnk
XPAntivirus on the Web.lnk
XP Antivirus 2008.lnk
Uninstall XP Antivirus 2008.lnk
%ProgramFiles%\[RANDOM NAME]\MFC71.dll
%ProgramFiles%\[RANDOM NAME]\MFC71ENU.DLL
%ProgramFiles%\[RANDOM NAME]\msvcp71.dll
%ProgramFiles%\[RANDOM NAME]\msvcr71.dll
%ProgramFiles%\[RANDOM NAME]\shlwapi.dll
%ProgramFiles%\[RANDOM NAME]\wininet.dll
%program_files%\rhc7nsj0e57c\mfc71.dll
%program_files%\rhc7nsj0e57c\mfc71enu.dll
%program_files%\rhc7nsj0e57c\msvcp71.dll
antivirusxp2008installer.exe
rhc7nsj0e57c.exe
%common_desktopdirectory%\antivirus xp 2008.lnk
%common_programs%\antivirus xp 2008.lnk
%common_programs%\antivirus xp 2008\antivirus xp 2008.lnk
%common_programs%\antivirus xp 2008\how to register antivirus xp 2008.lnk
%common_programs%\antivirus xp 2008\license agreement.lnk
%common_programs%\antivirus xp 2008\register antivirus xp 2008.lnk
%common_programs%\antivirus xp 2008\uninstall.lnk
%profile%\application data\microsoft\internet explorer\quick launch\antivirus xp 2008.lnk
%program_files%\rhc7nsj0e57c\database.dat
%program_files%\rhc7nsj0e57c\license.txt
%program_files%\rhc7nsj0e57c\uninstall.exe
%program_files%\rhc7nsj0e57c\msvcr71.dll
%program_files%\rhc7nsj0e57c\rhc7nsj0e57c.exe
%program_files%\rhc7nsj0e57c\rhc7nsj0e57c.exe.local

Remove Antivirus XP 2008 Registry Values:
(Use Regedit)
HKEY_USERS\Software\XP antivirus
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run smrhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c displayname
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c uninstallstring
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c advid
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c automaticallyupdates
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c backgroundscan
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c backgroundscantimeout
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c databaseversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c daysinterval
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c domain
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c engineversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c guiversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c installdir
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c minimizeonstart
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c programversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c proxyname
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c proxyport
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c registrationdiscurl
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c registrationurl
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scandepth
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scanpriority
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scansystemonstartup
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c softid
==============
Told you this is a "Bear" Rogue Ware Program to deal with.
Kindest Regards,
Rick P.♦ :)

Posted 5 years ago
 
grounger
Posts: 8

OK. Spybot ran an automatic scan this morning and came up with two registry entries called "Microsoft.WindowsSecurityCenter.FirewallBypass". They're called (SBI $D80580B5)Settings and (SBI $B067B5B7)Settings. The paths are "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe" and "ControlSet002". They were removed but update and firewall issues still there.

Posted 5 years ago
 
raphoenix
Posts: 14920

grounger,

If the site I gave you is blocked along with others, believe your machine is infected with (Antivirus XP 2008) or a variation.
You can see from the manual clean up instructions I posted that your Files and Registry will be a complete "MESS" even if you succeed in getting the infection stopped.
Strongly Suggest you Clean Install the machine O/S from scratch as you will (NEVER) get the machine back to its original state. Too many changes have been made.
Sorry to be the "Bearer of Bad News" but tis my lot on HTG.
Kindest Regards,
Rick P.♦

Posted 5 years ago
 
grounger
Posts: 8

Raphoenix,

I don't know. I tried to run down the files in the manual instructions you gave me and can't find any of them in search, task manager, or Regedit.

Posted 5 years ago
 
whs
Posts: 17584

When first run, Troj/Dluca-I copies itself to the Windows system folder as sncntr.exe and creates the following registry entry, so that sncntr.exe is run automatically on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
sncntr = %SYSTEM%\sncntr.exe /nocomm

Registry entries are also created under:

HKCU\Software\sncntr\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sncntr\

Troj/Dluca-I can be uninstalled via the Add or Remove Programs dialog in the Windows Control Panel (Start - Settings - Control Panel - Add/Remove Programs) by selecting "sncntr" from the list.

Posted 5 years ago
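
Added example (not part of any post in this thread, and not code from Sophos or any tool named here): a small Python check that scans the text of a `regedit` export for the autostart values and registry keys listed in the two removal write-ups above. The function names and the sample export are constructed for illustration; the indicator names are the ones quoted in the posts.

```python
import re

# Indicators copied from the posts above, lower-cased for comparison.
# rhc7nsj0e57c is the folder name in the quoted instructions; the thread
# notes the real name is random, so treat it as one known instance.
BAD_KEYS = (
    r"hkey_local_machine\software\rhc7nsj0e57c",
    r"hkey_local_machine\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c",
    r"hkey_local_machine\software\microsoft\windows\currentversion\uninstall\sncntr",
    r"hkey_current_user\software\sncntr",
)
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
BAD_RUN_VALUES = {"sncntr", "smrhc7nsj0e57c"}

# Constructed sample of .reg export text (real regedit exports are UTF-16).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"sncntr"="C:\\WINDOWS\\system32\\sncntr.exe /nocomm"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sncntr]
"DisplayName"="sncntr"
'''

def parse_reg(text):
    """Yield (key, value_name, data); value_name is None for the key line itself."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)):
            yield key, m.group(1), m.group(2)

def find_indicators(text):
    """Return hits: ("run", name, data) for autostart values, ("key", path) for keys."""
    hits = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if name is None:
            if any(k == b or k.startswith(b + "\\") for b in BAD_KEYS):
                hits.append(("key", key))
        elif k == RUN_KEY and name.lower() in BAD_RUN_VALUES:
            hits.append(("run", name, data))
    return hits

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE):
        print(hit)
```

An empty result only means these specific names are absent; it says nothing about a variant that installed under a different random name.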
 
raphoenix
Posts: 14920

grounger,

The Fact is that your machine has been infected by (SOMETHING) which has made many, many changes to your system.
I always advocate a System Clean Install in such cases as you have NO way of knowing what has been changed in the thousands of files and registry keys.
The odds of finding and fixing all the "bad" items and entries are in the millions because of the complexity and the dependencies in the O/S.
I can only speak for myself as to how I would solve the issue quickly and move on.
Kindest Regards,
Rick P.♦ :)

Posted 5 years ago