Virus preventing me from doing an update

Thread starter: Gary Burton

Gary Burton

My computer has apparently been infected with a virus that is not caught by the latest versions of Norton Antivirus or AdAware. It may be that one of the recent security updates would fix this problem. However the virus interferes with some websites -- most notably it prevents me from logging on to the Windows Update website via IE6. I can log on to it with my other networked computer over the same internet connection. I just performed an update on the second computer, but I am at a loss as to what to do on my main computer.

I downloaded Firefox, but I think the same virus may be preventing me from using it. The installation seemed to go OK, but as soon as I try to open it, I get "The connection was refused when attempting to log on to Mozilla.com". FireFox initializes to the extent that I can type in other URLs, but I get the same message for any URL I try to connect to.

I don't often get this stumped. I need some expert help.
 
Gary Burton said:
My computer has apparently been infected with a virus that is not
caught by the latest versions of Norton Antivirus or AdAware. It may
be that one of the recent security updates would fix this problem.
However the virus interferes with some websites -- most notably it
prevents me from logging on to the Windows Update website via IE6. I
can log on to it with my other networked computer over the same
internet connection. I just performed an update on the second
computer, but I am at a loss as to what to do on my main computer.

I downloaded Firefox, but I think the same virus may be
preventing me from using it. The installation seemed to go OK, but
as soon as I try to open it, I get "The connection was refused when
attempting to log on to Mozilla.com". FireFox initializes to the
extent that I can type in other URLs, but I get the same message for
any URL I try to connect to.

I don't often get this stumped. I need some expert help.

First eliminate any scumware.
See
Dealing with Unwanted Malware, Parasites, Toolbars and Search Engines
http://mvps.org/winhelp2002/unwanted.htm

Note that AdAware and SpyBot S & D will each catch some things the other
won't. Also, each needs to be updated with the program's update function
before every use, even when just downloaded. There's also a lot more to do
than just those two programs. CWShredder is also available here:
http://www.kellys-korner-xp.com/regs_edits/cwshredder.zip
**Post your HijackThis log to
http://forums.spywareinfo.com/ or the Spyware forum at
http://forum.aumha.org/ for expert analysis, not here.**
Alternative download pages for Ad-Aware, Spybot, HijackThis and CWShredder
may be found on this page:
http://aumha.org/a/parasite.htm.
CAUTION!!!!! Before you try to remove spyware using any of the programs
below, download a copy of LSPFIX from any of the following sites:
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html
(if your OS is Win2k or XP) The process of removing certain malware may kill
your internet connection. If this should occur, this program, LSPFIX, will
enable you to regain your connection.

Windows Update Fails:
Disable your anti-virus when obtaining the updates.
Make sure that your firewall is allowing the connection to Windows Update .
This would be on ports 80 and 443.
http://v4.windowsupdate.microsoft.com/en/default.asp
If no joy - http://v4.windowsupdate.microsoft.com/troubleshoot/
Windows Update Checklist
http://www3.telus.net/dandemar/updtcl.htm
This newsgroup is read by MS staff:
news://msnews.microsoft.com/microsoft.public.windowsupdate

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/
 
I still have the problem. Please stick with me a little longer. I
really appreciate your help. I got good suggestions from 3 people, of which
you were one. The information in this combined response will be relevant to
all three of you, if you are still willing to help me.

Here is what I have tried:
I have run all of the following scumware scanners. I have updated the
definitions unless otherwise stated. In the cases when I didn't update, it
was because I got a "Can't find server" error when I tried to update.
AdAware
SpyBot S&D
Pest Patrol. (Couldn't update). This was very encouraging because it
found several problems the other programs didn't find a problem with
references to Windowsupd2, but removing all of them did not allow me to log
on to the Windows Update site. A second scan with Pest Patrol found
nothing.
BHO Demon 2.0 (Couldn't update)
CW Shredder (Couldn't update)
HijackThis: I could only muster the courage to attempt to fix the O10
items (Hijacks of Winsock). I had 6 entries, and they were all the same:
"O10-Unknown file in Winsock LSP: c:\Windows\system32\jdmmbc.dll". My
courage was wasted because HijackThis never really deleted the entries. The
first time I tried, I was told that HijackThis could not delete the entries.
I tried it again several times anyway. On the repeat tries I wasn't
told anything, but a re-scan showed them to still be there. I also had
hits in the R0, R1, R3, O2, O4, O8, and O16 entries, but I did nothing about
them because the type descriptions did not seem to relate to my problem.

It seems like HijackThis could have been on the right track, but I was
not able to make it work.

I'm stumped again. Can you take me to another step?
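Added example, not code from anyone in this thread: a small Python script that parses the output of `netsh winsock show catalog` (available on XP SP2 and later) and flags any Winsock LSP whose provider DLL is not one of the providers Windows ships with, which is what a HijackThis O10 entry is pointing at. The catalog text below is constructed in that format, with one entry modelled on the O10 path quoted above, and the allow-list is an assumption to extend with your own baseline.

```python
import re
import subprocess
import sys

# Assumption: Winsock providers that ship with Windows (XP through 10).
# Extend with anything legitimately installed on your own machines.
KNOWN_PROVIDER_DLLS = {
    "mswsock.dll", "rsvpsp.dll", "winrnr.dll", "nlaapi.dll",
    "napinsp.dll", "pnrpnsp.dll", "wshbth.dll",
}

# CONSTRUCTED sample in the layout of `netsh winsock show catalog`.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Hypothetical LSP (constructed)
Provider Path:                      c:\Windows\system32\jdmmbc.dll
Catalog Entry ID:                   1010
"""


def parse_catalog(text):
    """Return one dict of 'Field: value' pairs per catalog entry block."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            current = {}
            entries.append(current)
            continue
        m = re.match(r"^([A-Za-z ]+):\s+(.*)$", line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return entries


def suspicious_lsps(text, known=KNOWN_PROVIDER_DLLS):
    """(description, provider path) for every DLL outside the allow-list."""
    bad = []
    for e in parse_catalog(text):
        path = e.get("Provider Path", "")
        dll = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if dll and dll not in known:
            bad.append((e.get("Description", "?"), path))
    return bad


if __name__ == "__main__":
    # On Windows, read the live catalog; elsewhere fall back to the sample.
    if sys.platform == "win32":
        text = subprocess.run(["netsh", "winsock", "show", "catalog"],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_CATALOG
    for desc, path in suspicious_lsps(text):
        print(f"unknown Winsock provider: {desc}: {path}")
```

A flagged entry is a lead to investigate, not proof of infection; on XP SP2 and later, `netsh winsock reset` rebuilds the catalog from scratch and serves the same purpose as the LSPFix tool recommended earlier in the thread.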
 
I just noticed that if I enter the url www.windowsupdate.microsoft.com into my address bar, it gets converted to
http:///? www.windowsupdate.microsoft.com. Note the gibberish between "///" and "www". That must be an important clue, but I'm not smart enough to figure it out. I'm hoping that one of you is.

Here are the things I have tried since my original posting:

I have run all of the following scumware scanners. I have updated the definitions unless otherwise stated. In the cases when I didn't update, it was because I got a "Can't find server" error when I tried to update.
AdAware
SpyBot S&D
Pest Patrol. (Couldn't update). This was very encouraging because it found several problems the other programs didn't find a problem with references to Windowsupd2, but removing all of them did not allow me to log on to the Windows Update site. A second scan with Pest Patrol found nothing.
BHO Demon 2.0 (Couldn't update)
CW Shredder (Couldn't update)
HijackThis: I could only muster the courage to attempt to fix the O10 items (Hijacks of Winsock). I had 6 entries, and they were all the same: "O10-Unknown file in Winsock LSP: c:\Windows\system32\jdmmbc.dll". My courage was wasted because HijackThis never really deleted the entries. The first time I tried, I was told that HijackThis could not delete the entries. I tried it again several times anyway. On the repeat tries I wasn't told anything, but a re-scan showed them to still be there. I also had hits in the R0, R1, R3, O2, O4, O8, and O16 entries, but I did nothing about them because the type descriptions did not seem to relate to my problem.

It seems like HijackThis could have been on the right track, but I was not able to make it work.

I'm stumped again. Please take me to another step?
 

The %20 is HTML-speak for a space, but the /? is certainly allowed in
HTML; so, I would try searching the registry for /? as well as for
windowsupdate, there may be some string in there that appends that
garbage to the URL *only* when you try to visit that page.
 
Gary Burton said:
I still have the problem. Please stick with me a little longer. I
really appreciate your help. I got good suggestions from 3 people,
of which you were one. The information in this combined response
will be relevant to all three of you, if you are still willing to
help me.

Here is what I have tried:
I have run all of the following scumware scanners. I have updated
the definitions unless otherwise stated. In the cases when I didn't
update, it was because I got a "Can't find server" error when I tried
to update. AdAware
SpyBot S&D
Pest Patrol. (Couldn't update). This was very encouraging because
it found several problems the other programs didn't find a problem
with references to Windowsupd2, but removing all of them did not
allow me to log on to the Windows Update site. A second scan with
Pest Patrol found nothing.
BHO Demon 2.0 (Couldn't update)
CW Shredder (Couldn't update)
HijackThis: I could only muster the courage to attempt to fix the
O10 items (Hijacks of Winsock). I had 6 entries, and they were all
the same: "O10-Unknown file in Winsock LSP:
c:\Windows\system32\jdmmbc.dll". My courage was wasted because
HijackThis never really deleted the entries. The first time I tried,
I was told that HijackThis could not delete the entries. I tried it
again several times anyway. On the repeat tries I wasn't told
anything, but a re-scan showed them to still be there. I also had
hits in the R0, R1, R3, O2, O4, O8, and O16 entries, but I did
nothing about them because the type descriptions did not seem to
relate to my problem.

It seems like HijackThis could have been on the right track, but I
was not able to make it work.

I'm stumped again. Can you take me to another step?

Did you post your Hijack This log as instructed?

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/
 
The "/?" entries are all buried in large binary data sections, and I
can't really figure out what they do. There are no references to
windowsupdate. Thanks anyway for the suggestion.

"///" and "www". That must be an important clue, but I'm not smart enough
to figure it out. I'm hoping that one of you is.
 
Just peeking at this thread.. have you logged in under safe mode? If
you have broadband and use safe mode with networking.. you should be
able to update these programs

What is in the registry when under local users.. software..
Microsoft.. windows.. current version.. run

usually the culprits are there.. save a copy of the registry before ya
do anything there

also a sfc /scannow may restore some of your corrupted system files

I would try most in safe mode
Good luck

Jim
 
1. All browser (IE), OE, Word and OL windows should be closed before running
HijackThis (HT). Better yet, run HT in Safe Mode (with 'Show Hidden Files'
enabled).

2. Have HT "fix" this entry:

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} -
http://toolbar.isearch.com/general/initial.cab

It's iSearch toolbar hijacker.
http://computercops.biz/clsid-134.html
http://www.kephyr.com/spywarescanner/library/isearch/index.phtml

Properly updated and run, just about all of the anti-malware apps you have
installed (Ad-aware SE, NAV), as well as the free online scans you ran,
/should/ have been able to nail this sucker. Make sure Ad-aware is
configured per this post http://aumha.org/forum/viewtopic.php?t=5877 and
that you *always* seek updated reference files before running it. (There
have been two reference file updates in the past 3 days alone, one of 'em
today.)

3. Run a full system scan with NAV per this post:
http://aumha.org/forum/viewtopic.php?t=5878 (Steps 1-3).

4. Use the form on this page to contact Aumha.org about your account log-on
problems: http://aumha.org/feedback.htm

5. Due to DDoS attacks, the Spywareinfo forums are indeed not available
currently.
 
I have LspFix. Winsock XP fix looks like it functions very similar. Is
that correct? If so, is there some reason to prefer Winsock XP Fix?
 
Thanks!

I removed the toolbar hijacker, and got online with aumha.org. I need
to do more homework, then get back to you on some of the other things.
 
Gary Burton said:
I just noticed that if I enter the url
www.windowsupdate.microsoft.com into my address bar, it gets
converted to
http:///? www.windowsupdate.microsoft.com. Note the gibberish
between "///" and "www". That must be an important clue, but I'm not
smart enough to figure it out. I'm hoping that one of you is.

Here are the things I have tried since my original posting:

I have run all of the following scumware scanners. I have updated
the definitions unless otherwise stated. In the cases when I didn't
update, it was because I got a "Can't find server" error when I tried
to update.
AdAware
SpyBot S&D
Pest Patrol. (Couldn't update). This was very encouraging
because it found several problems the other programs didn't find a
problem with references to Windowsupd2, but removing all of them did
not allow me to log on to the Windows Update site. A second scan
with Pest Patrol found nothing.
BHO Demon 2.0 (Couldn't update)
CW Shredder (Couldn't update)
HijackThis: I could only muster the courage to attempt to fix
the O10 items (Hijacks of Winsock). I had 6 entries, and they were
all the same: "O10-Unknown file in Winsock LSP:
c:\Windows\system32\jdmmbc.dll". My courage was wasted because
HijackThis never really deleted the entries. The first time I tried,
I was told that HijackThis could not delete the entries. I tried it
again several times anyway. On the repeat tries I wasn't told
anything, but a re-scan showed them to still be there. I also had
hits in the R0, R1, R3, O2, O4, O8, and O16 entries, but I did
nothing about them because the type descriptions did not seem to
relate to my problem.

It seems like HijackThis could have been on the right track, but
I was not able to make it work.

I'm stumped again. Please take me to another step?

http:///?20 definitely indicates a hijacker, but I can't find my notes about
it.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/
 
Can you provide a URL for your thread at Aumha.org?
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE)

Gary said:
I think I've now done everything you suggested, and I still have the
problem. If you can still hang in there with me, please do.
<snip>
 
If you need or are instructed to post back with another HT log about the
same problem/machine, don't begin a new thread but post back to the original
thread, just like you do here.

I, for one, haven't looked at either of your threads cos I assumed they were
about two separate problems/machines. I'll see if I can drop in on the
threads later.
 
Thanks!

PA Bear said:
If you need or are instructed to post back with another HT log about the
same problem/machine, don't begin a new thread but post back to the
original thread, just like you do here.

I, for one, haven't looked at either of your threads cos I assumed they
were about two separate problems/machines. I'll see if I can drop in on
the threads later.
 