Sign in with
Sign up | Sign in
Your question

Windows update

Last response: in Windows XP
Share
July 7, 2009 10:00:23 AM

When I try to go to windows update page, I am sent to Google.com, whether I go through a link, or type in an address myself. I also cannot download anything from download.windows.com, always get "page not found", no matter what I am trying to download from windows. I'm running xp pro v5.1 sp2 All this happens whether I use IE, or Firefox, whether my win xp firewall is enabled or disabled, ditto for my router's firewall.

More about : windows update

July 7, 2009 3:01:34 PM

A couple of things to try,

1st - Flush your DNS resolver cache.

Click Start button then Run, copy and paste the bolded text below and hit enter:

cmd /c ipconfig /flushdns > "%userprofile%\desktop\flushdns.txt

A text document named flushdns should appear on your desktop. Open it and the contents should read:

"Windows IP Configuration

Successfully flushed the DNS Resolver Cache."



2nd - Check your hosts file.

If your hosts file has been altered, it can redirect any webpage / link requested to anywehere on the internet. If redirects are happening when you are trying to perform security updates, the most common cause is malware infection.

There are a few applications that will alter the hosts file to protect you. For example Spybot search and destroy. If you have an application that alters or guards the hosts file you may need to uninstall it, reset your hosts file then reinstall the application.

I have provided a link below to help you examine the hosts file for evidence of "bad redirects". What you need to look for is anything related to security e.g. example microsoftupdate.com and a random ip address or one that google owns.

http://support.microsoft.com/kb/972034

If you find suspicious entries it is adviseable that you run an antimalware application.
A very good free one is Malwarebytes' Anti-Malware linked below:

http://www.malwarebytes.org/mbam.php

If you are still unsure, run HiJackThis and post a logfile back here so it can be determined if your pc has been hijacked or not:

http://www.trendsecure.com/portal/en-US/tools/security_...

Perform the scan and save the logfile.

IMPORTANT!!! DO NOT have HiJackThis fix anything as it will list alot of legitimate running processes.
a b 8 Security
July 7, 2009 9:03:42 PM

Sounds like malware for sure.

+1 for malwarebytes. Very good/free program.
Related resources
July 8, 2009 12:58:44 AM

First of all, thank you very much for your help.
I was able to flush dns, then did as http://support.microsoft.com/kb/972034 instructed, but instructions seemed unclear as to specifics of what I enter into the hosts file. Didn't work. I cannot get to the Malwarebytes malware download sites, always get the "page not found. I ran Hijack This, here's the log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:56 AM, on 7/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\System32\MAFWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct...
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\MAFWTray.exe
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F33DA93-4046-4EA3-9521-0F909D8A413B}: NameServer = 85.255.116.94,85.255.112.88
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.94,85.255.112.88
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.94,85.255.112.88
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.94,85.255.112.88
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files\Marvell\61xx\svc\mvraidsvc.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\Program Files\Marvell\61xx\Apache2\bin\Apache.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6173 bytes



btk1w1 said:
A couple of things to try,

1st - Flush your DNS resolver cache.

Click Start button then Run, copy and paste the bolded text below and hit enter:

cmd /c ipconfig /flushdns > "%userprofile%\desktop\flushdns.txt

A text document named flushdns should appear on your desktop. Open it and the contents should read:

"Windows IP Configuration

Successfully flushed the DNS Resolver Cache."



2nd - Check your hosts file.

If your hosts file has been altered, it can redirect any webpage / link requested to anywehere on the internet. If redirects are happening when you are trying to perform security updates, the most common cause is malware infection.

There are a few applications that will alter the hosts file to protect you. For example Spybot search and destroy. If you have an application that alters or guards the hosts file you may need to uninstall it, reset your hosts file then reinstall the application.

I have provided a link below to help you examine the hosts file for evidence of "bad redirects". What you need to look for is anything related to security e.g. example microsoftupdate.com and a random ip address or one that google owns.

http://support.microsoft.com/kb/972034

If you find suspicious entries it is adviseable that you run an antimalware application.
A very good free one is Malwarebytes' Anti-Malware linked below:

http://www.malwarebytes.org/mbam.php

If you are still unsure, run HiJackThis and post a logfile back here so it can be determined if your pc has been hijacked or not:

http://www.trendsecure.com/portal/en-US/tools/security_...

Perform the scan and save the logfile.

IMPORTANT!!! DO NOT have HiJackThis fix anything as it will list alot of legitimate running processes.

a b 8 Security
July 8, 2009 1:15:24 AM

Looks like you got some redirects in there. It's trying to send you to a toolbar, which appears to be causing the timeout.
July 8, 2009 1:26:58 AM

I found a link to the Malwarebytes program, have dloaded and run it. It found 8 reg files, and 25 other files, that were all infected. I had it quarantine them first, everything seemed fine, so then I had it delete them all, rebooted, and VOILA- windows started updating for the first time in a long time. Thank you all again for your help, you're shining lights in a dark, selfish world. Aloha
July 8, 2009 1:28:59 AM

That's great news.

Well done!
!