Virus has blocked access To Windows Update! Please help!



Hi, I have been infected (due to the activity of a young guest in my home) with a very unpleasant and persistent virus.

Among other things it has done the following:

1) It has prevented access to the Windows Update service by blocking access to all Microsoft Update servers.

The update service still reports itself to be fully functioning - but it can not download any updates.

2) It has blocked access to a large array of virus and spyware protection vendors' signature update sites, so that no signature updates for the majority of the most popular virus and spyware protection software can be downloaded. So no updates for Windows Defender, McAfee Total Protection 2009, AVG Free, Norton AV, Trend Micro, HijackThis, Ad-Aware, Spyware Doctor etc...

3) It has removed access to System Restore, so that the option is no longer available to enable/disable this feature via Control Panel\System\System Protection. (The tab for this simply no longer exists. It is not greyed out, there are no checkboxes to check or uncheck, it simply does not exist.)

4) It has hijacked my browser (Firefox) so that now perhaps 50% of the web pages I visit are misdirected to advertisement sites.

While it seems evident - although hugely (hugely) frustrating - that my only viable option may be a reinstall of Vista, and while I am aware of all of the standard advice about running a virus scan/spyware clean-up in safe mode, etc., what I'm most interested in is how this virus has achieved this feat.

I looked at my hosts file in C:\Windows\System32\Drivers\etc and I can't see anything there at all that would block access to microsoft update and also to virus protection update vendor's servers.

My impression is however that my entire internet connection may have been compromised, so that all of my activity is now being routed through some kind of proxy. (This is just a suspicion though, as there is now a distinct delay of a few seconds between each web page I visit).

To be clear, there is no point simply saying 'install the latest spyware removal software (such as Ad-Aware, Spybot Search and Destroy, Spyware Doctor, HijackThis and so on) and then run a scan', as access to the update servers for all of these applications has been completely blocked, so no new signatures/definitions can be obtained. I would prefer to defeat this virus if I can and save what has been months of work in configuring my system just the way I want it, which is why I would like first to work out how it is blocking access to these update servers.

When I figure that out and fix it, then maybe I can run a bunch of scans.

Can anyone help?

Edited by jebus197

Dear oh dear, with a virus this severe your only option is to reinstall really; even if we were able to seemingly remove it for you, there's no way of telling if it's still there, just hidden and waiting, or if it will just materialise again.

As for your settings etc... my only advice can be to do a backup in future of critical settings/work etc. and when you have kids come around make them use a guest account!


If that virus were a real person (and a she) I would rape her, burn her and leave her to die in a hole

:devil:

Only option would be reinstall mate

or find a way to remove through antivirus somehow


I have a couple questions:

1. How could it be that you were infected with a virus if you have anti-virus software and anti-spyware software running in the background? Has your guest given you any indication as to what he was doing that would result in such a virus/trojan running on your PC?

2. Have you tried to go into Vista's Local Group Policy Editor (gpedit.msc) and see if some of the things you described have been turned off there? I can understand web pages opening to redirected sites, but removing a tab from a Windows component sounds like quite a big thing for a virus or trojan to do without some major hacking into the OS. But such things could possibly be disabled from the Group Policy Editor. I would check that out. For example, in the Local Group Policy Management Editor under User Configuration > Administrative Templates > Windows Components > Windows Update, there is an option to 'Remove access to all Windows Update Features'. It says this regarding this setting:

If you enable this setting, all Windows Update features are removed. This includes blocking access to the Windows Update Web site at http://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This setting also prevents Device Manager from automatically installing driver updates from the Windows Update Web site.

I would check in there and see if any of those services/features have been disabled before reformatting and reinstalling. However, in the end, that might be the only way to guarantee that whatever damage was done is removed.


I agree it looks bad. But I would like to at least take a crack at beating the miserable SOBs who did this. The one and only way I can think to do this is to first figure out how they are blocking access to Windows Update and also to the virus and spyware protection update servers.

I'm (almost) pretty sure my internet traffic is being routed somehow through some kind of external proxy, as (for example) Google searches now take the format:

http://www.google.co.uk/click?sa=T&ct=...amp;u=&xr=0

In this case I have simply searched for the word 'test', and copied the first link in the list.

I don't recall Google searches ever taking this format before - as all returned search results now have a similar format - and this looks like a browser redirect to me.

I don't want to get too sidetracked by this; suffice to say that it looks like my browser and my internet connection in general have been seriously compromised.

If I can figure out how the virus is blocking updates, I might have half the battle won.

Oh, and BTW my young guest didn't have permission to access the system - and has had a very severe telling off by his dad for doing so. It doesn't compensate me much for my inconvenience, but there we are...


http://www.malwarebytes.org/mbam.php will get rid of it.

The virus you have is probably W32/Cryptor - it spoofs DNS so you can't do anything; even if you get your anti-virus to identify the virus name, the DNS spoofing will block all attempts to find out any further information about it.

Once you've run MBAM you'll want to open a command prompt and run

ipconfig /flushdns

to get your internet connection working again, good luck.


> I have a couple questions:
>
> 1. How could it be that you were infected with a virus if you have anti-virus software and anti-spyware software running in the background? Has your guest given you any indication as to what he was doing that would result in such a virus/trojan running on your PC?
>
> 2. Have you tried to go into Vista's Local Group Policy Editor (gpedit.msc) and see if some of the things you described have been turned off there? I can understand web pages opening to redirected sites, but removing a tab from a Windows component sounds like quite a big thing for a virus or trojan to do without some major hacking into the OS. But such things could possibly be disabled from the Group Policy Editor. I would check that out. For example, in the Local Group Policy Management Editor under User Configuration > Administrative Templates > Windows Components > Windows Update, there is an option to 'Remove access to all Windows Update Features'. It says this regarding this setting:
>
> I would check in there and see if any of those services/features have been disabled before reformatting and reinstalling. However, in the end, that might be the only way to guarantee that whatever damage was done is removed.

I don't have access to gpedit.msc on Vista Home Premium (which is a crime in my point of view, since it might help a lot in situations like this)

Yes, whatever it did, it did bypass an actively running and valid McAfee Total Protection 2009 install - which didn't detect it. I didn't run an additional spyware app as, one, too many active scanning processes can be a real resource hog - and two, McAfee claims to have its own spyware protection component. So both the virus scan and the spyware protection appear to be a POS in this case.

Let me figure out how to get some updates, though, then I can fight with the stupid darn thing (those aren't the words I would normally use - but Neowin's swear filter is rather strict).

Edited by jebus197

> http://www.malwarebytes.org/mbam.php will get rid of it.
>
> The virus you have is probably W32/Cryptor - it spoofs DNS so you can't do anything; even if you get your anti-virus to identify the virus name, the DNS spoofing will block all attempts to find out any further information about it.
>
> Once you've run MBAM you'll want to open a command prompt and run
>
> ipconfig /flushdns
>
> to get your internet connection working again, good luck.

I think you might be right. The reason that makes me think this is that the virus author has blocked access to this site too in his list of blocked sites.

He sure as hell doesn't want anyone accessing that site at all - as not even the web page can be viewed, let alone download anything from it.


Yeah, it's a bugger - DNS spoofing is evil. Another way around it is to /flushdns and disable the DNS service (if your router handles the DNS there's no need to have it running on your machine), but that won't get rid of the infection; AFAIK only MBAM can get rid of it (even the trial version will get rid of it).

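A defender-side triage check for the DNS spoofing and proxy suspicion raised in the MBAM/flushdns post and the one above, added here as an example; it is not code from any poster or from MBAM. It assumes Windows 8 or later (for the Resolve-DnsName and Get-DnsClientServerAddress cmdlets), an elevated prompt, a constructed sample domain list, and a trusted resolver address you supply.

```powershell
# Added triage script for the symptoms in this thread; it is not from any poster or tool.
# Assumptions: Windows 8+/PowerShell 3+ (Resolve-DnsName, Get-DnsClientServerAddress),
# an elevated prompt, a constructed sample domain list. Findings are indicators, not proof.
$Domains = @('windowsupdate.microsoft.com', 'update.microsoft.com', 'www.malwarebytes.org')
$TrustedResolver = '1.1.1.1'   # assumption: a resolver you trust, queried directly by IP
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Where does Windows think the hosts file is? A clean-looking hosts file means little
#    if DataBasePath has been repointed somewhere else.
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$dbPath = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $tcpip).DataBasePath)
if ($dbPath -ne "$env:SystemRoot\System32\drivers\etc") {
    $Findings.Add("hosts DataBasePath moved to '$dbPath'")
}
# 2. Entries in the hosts file actually in use that name an update or vendor domain.
foreach ($line in Get-Content (Join-Path $dbPath 'hosts')) {
    $fields = (($line -split '#')[0].Trim()) -split '\s+'   # drop comments, split columns
    if ($fields.Count -lt 2) { continue }
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        if ($Domains -contains $name.ToLower()) { $Findings.Add("hosts maps $name to $($fields[0])") }
    }
}
# 3. Resolver addresses handed to each adapter; an unexpected public IP here is the classic
#    DNS-changer footprint (your router or ISP resolver is what you normally expect to see).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { "INFO: DNS servers on $($_.InterfaceAlias): $($_.ServerAddresses -join ', ')" }

# 4. Does the system resolver (hosts + cache + configured servers) agree with a trusted one?
#    CDN-backed names legitimately differ by region, so treat a mismatch as a lead to verify;
#    a name that fails locally but resolves via the trusted server is the stronger signal.
foreach ($d in $Domains) {
    $local   = @(Resolve-DnsName $d -Type A -ErrorAction SilentlyContinue |
                 Where-Object Type -eq 'A' | ForEach-Object IPAddress)
    $trusted = @(Resolve-DnsName $d -Type A -Server $TrustedResolver -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object Type -eq 'A' | ForEach-Object IPAddress)
    if ($trusted.Count -gt 0 -and $local.Count -eq 0) {
        $Findings.Add("$d fails locally but resolves via ${TrustedResolver}: $($trusted -join ', ')")
    } elseif ($local.Count -gt 0 -and -not ($local | Where-Object { $trusted -contains $_ })) {
        $Findings.Add("$d resolves to $($local -join ', ') locally, $($trusted -join ', ') via trusted")
    }
}
# 5. WinINET proxy settings: a silently configured proxy or PAC URL routes browsing elsewhere.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { $Findings.Add("proxy enabled: $($inet.ProxyServer)") }
if ($inet.AutoConfigURL)     { $Findings.Add("PAC script configured: $($inet.AutoConfigURL)") }

if ($Findings.Count) { $Findings | ForEach-Object { "FINDING: $_" } } else { 'no indicators found' }
```

Firefox keeps its own proxy configuration, so a clean WinINET result does not clear a browser-only redirect; the DNS comparison in step 4 still applies to it because Firefox uses the system resolver.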

I had something like this before; I was able to clean it out with SuperAntiSpyware. You could also try running it in safe mode.


I don't have access to another PC - and it's a laptop. Short of running it in a virtual machine (which is a bit of an obscure option I suppose), I think I might be stuffed. I have a few options left maybe. He hasn't been completely thorough in his list of blocked AV applications. Panda Online Scan and Avast still seem to be working... but they are my last hope.

I guess Windows reinstalls are just a simple fact of life.

Edited by jebus197

Backups are the new fact of life! You should do a weekly backup of any important data and settings that you don't want to lose, onto a DVD or an external hard drive or whatever, and then if you do ever have to reinstall again you can just pop the disc in and get all your important stuff back. It's a win-win situation.
