7 Replies Latest reply on Mar 4, 2010 9:50 AM by rmetzger

    certain sites blocked including windowsupdate

      hi, my laptop was recently infected by fakealert-ma.gen and since mcafee could not remove it i used another anti-malware.  it removed a number of infected objects. the fakealert pop ups stopped. also reinstalled my mcafee since it had stopped working and was giving update errors.

       

      i am not sure whether my laptop is fully cured and when i contacted online technical support they told me to run the free scan which i did but nothing came up. i was asked to go for the virus removal which is a fee based service.

       

      a number of sites are blocked saying "server not found" and i am unable to install windows update.  even the microsoftupdate website seems to be blocked and i get the error message "connection timed out".  any help on this is much appreciated.

       

      thx

      kaps

        • 1. Re: certain sites blocked including windowsupdate

          You might want to check the host file to see if it's been modified via the typical location of C:\windows\system32\drivers\etc\ then file 'hosts'.  Typically malware will try to block users from accessing certain sites by changing this host file to block access.

           

          Edit the "hosts" file with the Notepad application to see if there are any additional entries beyond the standard template like below:

          # Copyright (c) 1993-1999 Microsoft Corp.
          #
          # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
          #
          # This file contains the mappings of IP addresses to host names. Each
          # entry should be kept on an individual line. The IP address should
          # be placed in the first column followed by the corresponding host name.
          # The IP address and the host name should be separated by at least one
          # space.
          #
          # Additionally, comments (such as these) may be inserted on individual
          # lines or following the machine name denoted by a '#' symbol.
          #
          # For example:
          #
          #      102.54.94.97     rhino.acme.com          # source server
          #       38.25.63.10     x.acme.com              # x client host

           

          If you see entries related to microsoft update website, delete the lines and save the file.

           

          Hope that helps,

          Irene
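The hosts-file check described in reply 1, as an added PowerShell example that is not part of the original post. It lists every active mapping and marks names matching a watch list; the watch list and the function name `Get-HostsEntry` are assumptions made for this example.

```powershell
# Added example: audit active (non-comment) entries in the Windows hosts file.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# Assumed watch list: vendors and update sites named in this thread.
$watch = 'microsoft', 'windowsupdate', 'mcafee', 'malwarebytes'

function Get-HostsEntry {
    param([string[]]$Lines, [string[]]$Watch)
    $n = 0
    foreach ($line in $Lines) {
        $n++
        # Strip anything after '#', then skip blank and comment-only lines.
        $text = ($line -split '#', 2)[0].Trim()
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }   # address with no host name
        # One address may be followed by several host names on the same line.
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            New-Object psobject -Property @{
                Line     = $n
                Address  = $fields[0]
                Name     = $name
                Loopback = ($fields[0] -like '127.*') -or ($fields[0] -eq '::1')
                Watched  = [bool]($Watch | Where-Object { $name -like "*$_*" })
            }
        }
    }
}

# Watched names first; each one needs a human decision, not automatic deletion.
Get-HostsEntry -Lines (Get-Content -LiteralPath $hostsPath) -Watch $watch |
    Sort-Object -Property Watched -Descending |
    Format-Table Line, Address, Name, Loopback, Watched -AutoSize
```

A stock hosts file produces no rows or only `localhost` mappings. A watched name is not proof of tampering, since later in this thread one such entry turns out to have been added on purpose.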

          • 2. Re: certain sites blocked including windowsupdate

            Thanks Irene,

             

            I checked the host file and it does not have any entries relating to microsoft update.  i am attaching the screen shot of the same.

             

            what do i do next?

             

            kaps

            • 3. Re: certain sites blocked including windowsupdate

              Mcafee line looks like a redirection!

               

              Try deleting it. Then after a restart update Mcafee DATs and do a full scan.

               

              That does not explain microsoft redirection, though. I'll look for other ideas.

               

              Irene

              • 4. Re: certain sites blocked including windowsupdate

                Mcafee line looks like a redirection!

                 

                77.67.85.58 - Akamai Technologies, so it's probably a legacy entry where someone has manually put it in previously. Agree it shouldn't be there though!

                 

                 

                That does not explain microsoft  redirection, though. I'll look for other ideas.

                 

                I was thinking a Winsock layer issue, but it's not something I want to help diagnose (eg if a VPN is installed or anything else that links into the network stack).

                • 5. Re: certain sites blocked including windowsupdate

                   

                  I'm not qualified to deal with Winsock either.

                   

                  Kaps, I'd like to check whether it's something simpler, on a browser level:

                   

                  in command line window, type > ping windowsupdate.microsoft.com

                  If that works, it's a good sign. Using another browser may help you to reach the updates.

                  Irene

                  • 6. Re: certain sites blocked including windowsupdate

                    Hi,

                     

                    the mcafee entry in the host file was made by me as directed by the online chat technician.  due to the trojan attack my mcafee got disabled and had to reinstall. along with a number of other sites the mcafee was also blocked. so during the online chat the technician gave me the entry and after that i was able to reinstall mcafee.

                     

                    i had tried the ping for microsoftupdate but got the error that it can't find.

                     

                    anyways, after hours of searching and reading various posts on different forums i was just now able to solve my problem.

                     

                    As my mcafee was not detecting anything, i downloaded malwarebytes.  it also came up with an error message and could not be updated since along with all other security websites this one also was blocked. so using an unrelated computer i ping'd, got the ip address of malwarebytes, added the same to my host file and it worked !!! it updated the malwarebytes and all my infections were removed.  after that my windows update worked perfectly and now i can open all the other websites..... i am so relieved now that my comp is back to normal. i believe this fakealert trojan was interfering with my DNS and redirecting some ip addresses that are a threat to it.  i saw the following registry data items in the log file.

                    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.100,93.188.166.47 -> Quarantined and deleted successfully.
                    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bc0da059-edf8-4042-8fd6-d10e2073854b}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.100,93.188.166.47 -> Quarantined and deleted successfully."

                     

                    for those who may be visiting this post...... mcafee neither blocked this trojan nor detected it.  it was unable to remove the same and the scanning comes up clean even though the other malwarebytes' antimalware i used came up with at least 100 infected objects. the mcafee online help was not useful and the online free scan also could not find any problem with my comp. they wanted me to pay another $89 so that their technician can remove this trojan from my system.  if that is the case why do we pay for the mcafee subscription at all which is supposed to include malware/spyware protection ???? my problem was solved by an antimalware programme which i downloaded for free !!!  i am not an expert and maybe a number of experts visiting this post may disagree with me but from this experience of mine one thing i realised, you can have your antivirus protection from mcafee but it would also be wise to have another anti-spyware/malware programme which can detect what mcafee fails to do.

                     

                    thanks to both of irene and Mal09 for their assistance.

                     

                    br

                     

                    kaps

                    • 7. Re: certain sites blocked including windowsupdate
                      rmetzger

                      kaps2003 wrote:

                      ...

                      I saw the following registry data items in the log file.

                      "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.100,93.188.166.47 -> Quarantined and deleted successfully.
                      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bc0da059-edf8-4042-8fd6-d10e2073854b}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.100,93.188.166.47 -> Quarantined and deleted successfully."

                       

                      for those who may be visiting this post...... mcafee neither blocked this trojan nor detected it.  it was unable to remove the same and the scanning comes up clean even though the other malwarebytes' antimalware i used came up with at least 100 infected objects. the mcafee online help was not useful and the online free scan also could not find any problem with my comp. they wanted me to pay another $89 so that their technician can remove this trojan from my system.  if that is the case why do we pay for the mcafee subscription at all which is supposed to include malware/spyware protection ???? my problem was solved by an antimalware programme which i downloaded for free !!!  i am not an expert and maybe a number of experts visiting this post may disagree with me but from this experience of mine one thing i realised, you can have your antivirus protection from mcafee but it would also be wise to have another anti-spyware/malware programme which can detect what mcafee fails to do.

                       

                      thanks to both of irene and Mal09 for their assistance.

                       

                      br

                       

                      kaps

                       

                       

                      Hi Kaps,

                       

                      I have seen this malware Trojan.DNSChanger before.

                       

                      Something else you may want to check. DNSChanger has the capability of attacking your router and changing the DNS server entries that the router doles out from the DHCP server within. So, cleaning up the PC is good, but re-infection can take place again, because every DNS query may be redirecting you back to an infected site instead of the correct site.

                       

                      Check your router and ensure that the DNS entries it has are correct as what your ISP wants you to use. Alternatively, you could use OpenDNS DNS entries. (See OpenDNS.com).

                       

                      To ensure that DNSChanger will not change your router's DNS settings, make sure to change the router's initial login screen password to something other than the default. This should block DNSChanger's ability to hack your router. Choose a reasonably secure password.

                       

                      If your router's initial ID and password were already changed, then it is very likely that DNSChanger has not and probably cannot attack your router.

                       

                      As for having multiple levels of anti-malware in place: This is always a good idea. Good Security is having multiple levels of protection where each level must be bypassed before the unfortunate infection can take place. No one level is perfect and no one product does it all. Products such as McAfee focus on a large array of malware. As such they must also balance protection against performance and reliability. Products like Malwarebytes Anti-Malware (MBAM) are highly focused on a much smaller list of malware that is currently prevalent in the wild. Having both products scanning your system can find things the other misses.

                       

                      McAfee is more like a General Practitioner and MBAM is a Specialist (you pick the field). Choosing a specialist (MBAM or a McAfee technician) is your choice. In this case MBAM helped, without the need of the McAfee technician. However, it is also possible that MBAM (or any other clean up program) could have caused subsequent damage that the McAfee technician might have not allowed to take place. So, is $89 worth it? To some, it is. Others? You? It is a choice.

                       

                      Good luck and Safe Computing

                      Ron Metzger
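A follow-up check for the registry values quoted in reply 6 and the router advice in reply 7, as an added PowerShell example that is not part of the original thread. It reads both the static `NameServer` value and the DHCP-supplied `DhcpNameServer` value under the `Tcpip\Parameters` key and flags any server outside an expected list; the expected list (OpenDNS resolvers here) and the function name `Get-DnsRegistrySetting` are assumptions to replace with your own.

```powershell
# Added example: list DNS servers configured in the registry keys named in the
# scan log, including the ones handed out by the router over DHCP.
# Assumption: the resolvers you intend to use (OpenDNS here; use your ISP's if not).
$expected = '208.67.222.222', '208.67.220.220'
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-DnsRegistrySetting {
    param([string]$Base, [string[]]$Expected)
    # The global Parameters key plus one subkey per network interface.
    $keys = @(Get-Item -LiteralPath $Base) +
            @(Get-ChildItem -LiteralPath "$Base\Interfaces")
    foreach ($key in $keys) {
        # NameServer = set statically on the PC; DhcpNameServer = received via DHCP.
        foreach ($valueName in 'NameServer', 'DhcpNameServer') {
            $raw = $key.GetValue($valueName)
            if (-not $raw) { continue }
            # Address lists are separated by commas or spaces.
            foreach ($addr in ($raw -split '[,\s]+' | Where-Object { $_ })) {
                New-Object psobject -Property @{
                    Key      = $key.PSChildName
                    Value    = $valueName
                    Server   = $addr
                    Expected = $Expected -contains $addr
                }
            }
        }
    }
}

# Unexpected servers sort to the top of the report.
Get-DnsRegistrySetting -Base $base -Expected $expected |
    Sort-Object -Property Expected |
    Format-Table Key, Value, Server, Expected -AutoSize
```

If `DhcpNameServer` shows only the router's own LAN address, the PC is forwarding queries to the router, so the upstream DNS servers still have to be checked on the router's admin page as reply 7 describes.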