Re: 80072EFD after Download Box shows up and executes. AOL 9 & wi

From: Noel Paton (NoelDPspamless_at_btopenworld.com)
Date: 12/03/04


Date: Fri, 3 Dec 2004 06:22:47 -0000

Kurt
dak has already posted a detailed 'critique' - so I'll confine myself to a
couple of points....

1) Aluria Spyware Eliminator - Aluria have recently formed a partnership
with WhenU (purveyors of spyware to the masses) - make of that what you
will. (http://www.spywareinfo.com/articles/aluria/delisted.php)

2) Ad-Aware is free for personal use, so you have nothing to lose by trying
it. No one spyware killer removes @everything@ - and the beauty of Ad-aware
is that you can pretty much remove absolutely everything it finds, with very
rare exceptions (unlike SpyBot S&D, which can cripple your PC if you don't
know what you're doing).

-- 
Noel Paton (MS-MVP 2002-2005, Windows)
Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm
http://tinyurl.com/6oztj
Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
"Kurt" <Kurt@discussions.microsoft.com> wrote in message 
news:AB0E42BF-6215-4EF4-86C9-EF0DBEFC68F8@microsoft.com...
> Thanks for the message.  See my responses below.  Sorry for the untimely
> response as I can only work on this a little each night.
>
> "Noel Paton" wrote:
>
>> The key here seems to be that you mention a proxy server - AOL doesn't 
>> need
>> one, AFAIK.
>> What is the proxy configuration?
>> It could be the remains of a malware infestation....
>> You may have a virus/spyware hijack
>
> Kurt Says: When I open IE>Tools>Options>Connections>AOL dialer 
> Settings>Use
> Proxy server & Bypass for local are both selected>Advanced>HTTP:=localhost 
> &
> port=8082.
>  When I do the same thing for my Earthlink connection, it is the same
> HTTP:=localhost & port=8082.
>  What does AFAIK mean?
>
>>
>> download the Stinger from here and run it to make sure that A-V-disabling
>> viruses are not present on your PC
>> http://download.nai.com/products/mcafee-avert/stinger.exe
>
> Kurt Says: McAfee's AVERT Stinger found the following.
>     "c:\Windows\system32\cmd.ftp
>           Found the W32/Sasser.worm!ftp virus !!!"
> I guess this gives McAfee a touchdown against my Norton Anti-Virus.
>
>
>>
>> - update your virus scanner and run a full system scan of all files.
>
> Kurt Says: Updated my Norton Anti-virus (which I do weekly) and nothing 
> found.
>
>
>>
>> download AdAware from www.lavasoftusa.com, install, update it, then 
>> reboot
>> to Safe Mode, enable viewing of Hidden and System files in Windows
>> Explorer|Folder options, then run Ad-Aware to remove spyware, adware, and
>> other such nasties from your system.
>
> Kurt Says: Interesting request to run this in safe mode.  What is the
> benefit of doing this??  I have Aluria's Spyware Eliminator which I paid $$ 
> for
> and was rated higher than AdAware in internet reviews I read (if one is to
> believe what they read).  I ran it in both full mode and safe mode with 
> the
> same result, nothing found.  In what I read, Spyware Eliminator does not
> identify tracking cookies.
>  I also have Spybot.  I ran it in both modes and found the same things.
>     "HITSLINK"    "AVENUE A, INC."    "DOUBLECLICK"    "HITBOX"
> "MEDIAPLEX"  which were all tracking cookies.  It also found "DSO Exploit"
> (Data Source Object Exploit) which Spybot said that what it found was
> something which had taken advantage of a security hole in Internet 
> Explorer.
> The location of the "something" pointed to IE's trusted sites.
>  Unless there is something more special about AdAware than Spyware
> Eliminator, I am not quick to buy it, but I am open minded and am willing 
> to
> change my mind.
>
>
>>
>> Check for a HOSTS file - if found, then rename it to HOSTS.OLD, reboot 
>> and
>> try again.
>
> Kurt Says: In my Task Manager Window I see several svchost.exe processes
> open.  System = 3; Local Service = 1; Network Service = 2.  I do not 
> recall
> seeing the Network Service svchost.exe before.
>  Doing a search of files I find Hosts files in the following locations
> which I change as directed.
> C:\I386
> C:\WINDOWS\I386
> C:\WINDOWS\system32\drivers\etc
>
> When testing all of this, the following update showed up from Microsoft
> which I loaded.  It appears NOT to have affected my situation.
> Cumulative Security Update for Internet Explorer for Windows XP Service 
> Pack
> 2 (KB834707)
> Date last published: 11/29/2004
> Download size: 2.9 MB
> A security issue has been identified that could allow an attacker to
> compromise a computer running Internet Explorer and gain control over it. 
> You
> can help protect your computer by installing this update from Microsoft.
> After you install this item, you may have to restart your computer.
>
>>
>> See if that helps
>
> Kurt Says: Just on a hunch, before I went to post this response, and after 
> I
> did my testing to see if there had been a net result; I ran Spybot again.
> This time it again came up with the same DSO Exploit problems.  I went to
> www.greymagic.com as spybot suggested and they linked me to a free 
> download
> of NoAdAware.exe v3.0 which I ran both in full mode and safe mode.
>    * In full mode NoAdAware found 34 non-critical tracking cookies which I
> did not pay to remove.
>    * In safe mode NoAdAware found 22 non-critical tracking cookies which I
> did not pay to remove.
>  I ran Spybot again and "fixed" the DSO Exploit problems (5).  Then I
> exited Spybot and then ran Spybot again.  This time I found the same DSO
> Exploit problems as before.  At this point I figured it was time to post 
> my
> results for more expert input.
>
> The end result of all of the above actions is;
> [No Change]: IE will not work through AOL.
> [No Change]: AOL browser will not download updates from Microsoft Windows
> update.
> [No Change]: To use IE through Earthlink; I have to first turn-off Proxy
> server setting.
> [No Change]: IE through Earthlink; Can not download from Windows update 
> site.
>
>>
>>
>> -- 
>> Noel Paton (MS-MVP 2002-2005, Windows)
>>
>> Nil Carborundum Illegitemi
>> http://www.btinternet.com/~winnoel/millsrpch.htm
>> http://tinyurl.com/6oztj
>>
>> Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
>>
>> "Kurt" <Kurt@discussions.microsoft.com> wrote in message
>> news:682AB056-CB67-4F1C-995C-09BDFBA9A442@microsoft.com...
>> > Here is my Story.  I have two problems which I suspect are related to 
>> > each
>> > other as they seemed to have started to appear at the same time. 
>> > Problem
>> > #1:
>> > Internet Explorer comes back with a "The page cannot be displayed ...
>> > Cannot
>> > find server or DNS Error" when I am logged into AOL. My AOL Browser 
>> > works
>> > ok.
>> > Problem #2: Using my AOL browser, I am able to log into the Windows 
>> > Update
>> > site and get through everything until it comes to download the update.
>> > The
>> > download status box appears and the progress bar zips across in a split
>> > second and I get an error message stating that the "updates were unable 
>> > to
>> > be
>> > successfully installed" when I look at the installation log I have an
>> > error
>> > which turns out to be 80072EFD.
>> > I have:
>> > - HP m300Y Media Center PC 2004 version 2002 (build 2600) with Service
>> > Pack
>> > 2.  (These problems started happening before I added SP2.)
>> > - Microsoft IE Build 6.0.2900.2180
>> > - AOL 9.0 version 16.4156.5001 US (a)
>> >
>> > This all started to happen around late August 2004.  The last two 
>> > updates
>> > from the Windows update site were "Cumulative Security Update for 
>> > Internet
>> > Explorer 6 Service Pack 1 (KB867801)" and one for Agere Win Modem. 
>> > Since I
>> > was on vacation, I also did some other updates.  Unfortunately I did 
>> > not
>> > see
>> > a black and white "now it works and now it doesn't".  I was hoping that
>> > SP2
>> > would take care of it and since I had days off for Thanksgiving, I was
>> > able
>> > to install SP2.  There has been no change in behavior after SP2.
>> > Update: Now that I think about it more, I remember thinking that this
>> > update
>> > might have been the source of my problems "Update for Background
>> > Intelligent
>> > Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773)", but it was not 
>> > a
>> > black and white observation on my part as to when this problem started 
>> > to
>> > happen.  I had made the decision that if this update had screwed up the
>> > Windows update site, that Microsoft would be on it fast and furious so 
>> > I
>> > decided to let time pass.
>> >
>> > I started to study the community help and try things and here is a 
>> > summary
>> > of where I am.
>> >
>> > - I do not have Norton Firewall.
>> > - I completed all of the tasks in
>> > http://support.microsoft.com/?kbid=836941
>> > - When I am unsuccessful at downloading from the Windows update site, I 
>> > can
>> > get the Windows service bulletin number from the error message and 
>> > track
>> > down
>> > the download from another microsoft web page and I am able to 
>> > successfully
>> > download my update in that manner using my AOL Browser.
>> > - I am able to telnet into a web site using port 80 from the start/run
>> > screen as one person asked in another thread.
>> > - I am able to ping an IP address from the start/run screen but not
>> > connect
>> > with IE.
>> > - From IE, I can log into websites by changing the http: to an https: 
>> > if
>> > they have an https:.This is also true if I do the same thing from the
>> > Windows
>> > Explorer screen.
>> > - From the Windows Explorer screen I was able to get into 
>> > ftp.windows.com,
>> > but I can not from IE.  From IE, I do not get the "cannot find server"
>> > error,
>> > I get a permission denied.
>> > - I have Norton Anti-virus software.  I have Spybot & Spy Eliminator & 
>> > AOL
>> > Spy search software.
>> > - Internet Explorer worked briefly when I had just completed the scan
>> > using
>> > Spy Eliminator, but before I had actually "cleaned" the WildTangent
>> > spyware
>> > it had found.  When I clicked on Spy eliminator's online help link, IE
>> > launched and worked until I rebooted the next time.  I could not 
>> > recreate
>> > this.
>> > - In addition to AOL, I have Earthlink total Access 2004.  When I am 
>> > using
>> > Earthlink, Internet explorer works just fine after I have to change the 
>> > IE
>> > connections setting to no proxy server.  I have to do this every time,
>> > even
>> > after launching earthlink twice in a row.  I originally thought I was
>> > having
>> > to do this because I was using Earthlink after using AOL.
>> >     * I am also able to use IE through Earthlink to successfully access
>> > the
>> > Windows Update web site and download and install an update.  I usually 
>> > use
>> > my
>> > AOL 9 browser, but just to put my IE through Earthlink a workout, I am
>> > using
>> > it to make this update.
>> > - When I try to use Internet Explorer through AOL, and I put in
>> > http://www.java.com and I watch the status bar at the bottom of the IE
>> > window, I see;
>> >     * "Connecting to http://www.java.com/
>> >     * 127.0.0.1
>> >     * "DONE" (with the cannot find server error).
>> >  # If I turn this into an https://www.java.com address, IE goes right 
>> > to
>> > it.
>> >  # If I type in http://symantec.com/, I get 127.0.0.1 and then the 
>> > cannot
>> > find server.
>> >  # If I click the refresh button, I see;
>> >     * Connecting to http://symantec.com/
>> >     * 127.0.0.1
>> >     * DONE, but no "Cannot find Server" error.  It is like it is locked 
>> > up
>> > with the windows flag waving and my cursor turns into an hour glass 
>> > when
>> > over
>> > the toolbars.
>> >     * I get it unlocked by clicking the home page (about:blank).  Then 
>> > I
>> > can do all of the above again.
>> > -  Thinking of the Agere Win Modem update I did.  I rolled back my 
>> > driver
>> > and
>> > no change.  Then I downloaded the latest driver from the Agere website 
>> > and
>> > still no change in behavior.
>> >     * Since I used the OEM driver 8.30; The Windows update site 
>> > recognized
>> > that I did not have the xp approved 8.31 version.  This is the update 
>> > that
>> > I
>> > successfully downloaded using IE through Earthlink.
>> >
>> > Update2: Using IE through Earthlink, I just went back to the Windows
>> > Update
>> > page to get another update.  Now IE through Earthlink is acting the 
>> > same
>> > way
>> > as AOL in that I get all of the way through everything until it comes 
>> > to
>> > download the update.  The download status box appears and the progress 
>> > bar
>> > zips across in a split second and I get an error message stating that 
>> > the
>> > "updates were unable to be successfully installed" when I look at the
>> > installation log I have an error which turns out to be 80072EFD.  This 
>> > is
>> > most likely the first time I have used IE through Earthlink at the 
>> > Windows
>> > Update Site since the problem started.  It sounds as if the Windows 
>> > update
>> > site is the common denominator??
>> >     * After rebooting and launching Earthlink, I again have to change 
>> > the
>> > Tools> Options> Connections setting for no proxy server.  (I delete my
>> > Earthlink connection from the control panel all of the time and let
>> > earthlink
>> > rebuild it when I launch the TotalAccess.)
>> >     * Using IE Through Earthlink; I am able to access a random web 
>> > site.
>> >     * Using IE through Earthlink; I am now having the same problem with
>> > the
>> > Windows Update site.  IE. Get all the way through to the download box 
>> > and
>> > no
>> > success.
>> >
>> > - On all of the above, I have been using the original Administrator's
>> > account or my personal computer administrator's account.  Just on a 
>> > hunch,
>> > I
>> > created a new computer administrator's account.  In this user account I
>> > had
>> > to let Earthlink rebuild a dialin account.  With this new XP Computer
>> > Administrator account, I did the following;
>> >     * Launched IE through Earthlink, accessed websites OK.
>> >     * Went to the Windows Update site and experienced same problem. IE.
>> > Get
>> > all the way through to the download box and no success.
>> >     * Launched AOL and then Internet Explorer.  IE works like it should
>> > !!!!!!
>> >     * Used IE through AOL to go to the windows update site and 
>> > experienced
>> > the same problem.
>> >  # After Rebooting, I tried to recreate the above using my new XP 
>> > Computer
>> > Administrator Account.
>> >     * Launched AOL and then Internet Explorer.  IE works like it should
>> > !!!!!!
>> >     * Used IE through AOL to go to the windows update site and 
>> > experienced
>> > the same problem.
>> >  # After rebooting again; I logged onto the original Administrator
>> > account.
>> >     * Launched AOL and then Internet Explorer.  IE gets "Cannot find
>> > Server." error.
>> >  # I logged onto my personal Computer Administrator account.
>> >     * Launched AOL and then Internet Explorer.  IE gets "Cannot find
>> > Server." error.
>> >
>> > -- 
>> > Wishing Us All A Better Tomorrow - Kurt
>>
>>
>>
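
The two checks discussed in this thread (a proxy setting pointing at localhost, and a HOSTS file that may have been tampered with) can be automated; the following is an added example, not code from any poster in the thread. It assumes the WinINet `ProxyServer` string format (`host:port` for all protocols, or `scheme=host:port` pairs separated by semicolons), and the sample proxy value and HOSTS contents are constructed for illustration.

```python
import ipaddress

# Constructed sample values modelled on the thread: the HTTP-only proxy Kurt
# reports (localhost:8082) and a hypothetical tampered HOSTS file.
SAMPLE_PROXY = "http=localhost:8082"
SAMPLE_HOSTS = """\
# constructed sample, not taken from Kurt's machine
127.0.0.1   localhost
127.0.0.1   windowsupdate.example   # update site forced to loopback
0.0.0.0     av-vendor.example
192.0.2.10  intranet.example
"""

def is_local(host):
    """True for localhost names and loopback/unspecified addresses."""
    if host.lower() in ("localhost", "localhost.localdomain"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def parse_proxy(value):
    """Split a ProxyServer string into {scheme: (host, port)}.
    A bare 'host:port' applies to every scheme and is stored under '*'."""
    proxies = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        scheme, _, addr = part.rpartition("=")
        host, _, port = addr.partition(":")
        proxies[scheme.lower() or "*"] = (host, int(port) if port else None)
    return proxies

def loopback_proxies(value):
    """Schemes whose traffic is handed to a proxy on this same machine."""
    return {s: hp for s, hp in parse_proxy(value).items() if is_local(hp[0])}

def suspicious_hosts(text):
    """HOSTS entries that pin a non-local name to a local address."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and is_local(fields[0]):
            hits += [(fields[0], n) for n in fields[1:] if not is_local(n)]
    return hits
```

A scheme missing from the `loopback_proxies` result is not sent to the local proxy, so an HTTP-only entry leaves https: requests unaffected. Any hit from either function identifies a local listener or HOSTS entry to investigate before trusting the connection again.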