Unable to view certain bank sites?

Tremulant

Diamond Member
Jul 2, 2004
4,890
1
0
Hey everyone... I hope this is in the right forum, I'm not really sure.

Anywho, a friend of mine asked me to take a look at her laptop because she couldn't access bankofamerica.com.

I am able to ping the website just fine, but attempting to open a page gives me a lovely "The page cannot be displayed" error.

Here's what I've tried:

ipconfig /flushdns & /registerdns
Reset web settings in IE
netsh int ip reset c:\resetlog.txt
Ran Spybot & AVG (though, the AVG definitions are OLD, as I'm unable to update them)
Turned Windows Firewall OFF and did all of the above again.

I also noticed that I'm able to PING bankofamerica.com without problem and that I can get to bankofamerica.com/help without a problem. It's just the homepage and sign in pages that're FUBAR'd.

On a whim, I also attempted to get to americanexpress.com and that didn't work either.

I can't run Windows Update... it returns error number: 0x80072EFD. I followed the instructions given by Microsoft (which were to add the windows update site to trusted sites and then run proxycfg -d).

I was unable to run the Spybot updates through the program and had to manually download them.
I'm also unable to update AVG. It immediately says "The update server connection failed; no additional information is available"

I also created another profile on the machine and the same thing happens.

The machine is a Dell Inspiron 1150 w/ XP SP2 & IE6 SP2. The last install date for a Windows update was 7/11/07.

Any advice/ideas/fixes?

Let me know if anything else needs to be answered. (I'm a little woozy and tired right now, so some of the post may be fuzzy)

Thanks..


EDIT: Firefox doesn't work either, I've tried...
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
To start with, is the system's time, date, and year correct?
 

Tremulant

Diamond Member
Jul 2, 2004
4,890
1
0
Yes.

Also, just tried logging in to newegg, and that instantly gave the page cannot be displayed page.

I'm so lost... I mean, I do tech support/help desk and this thing has me stumped. (though I could just be tired)

Edit: the main newegg page loaded fine, but clicking login or my account is where it failed.

Could it be something to do with .asp files?
 

Rottie

Diamond Member
Feb 10, 2002
4,795
2
81
Can you give me her bank of america account number so I can look at it if it works or not? :p
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
If it were me, and there were a suspicion of infection targeting banking sites, I'd verify that I had my Windows CD and license, back up important stuff to an external location, then DBAN the hard drive and reinstall Windows securely. Sorry if that isn't much help. If you want to try some additional scanning, try rootkit scanners and online antivirus scanners: http://www.mechbgon.com/build/resources.html and a couple rootkit scanners are listed down the page a ways, as well as a few online antivirus scanners.
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
27,370
240
106
Sounds to me like an Internet connection problem. I use BAC regularly - and the only time I get such a failure is when I need to disconnect my cable modem power - let it sit for a while, then reconnect so it finds the new IP address (Comcast changes them periodically.)
 

Tremulant

Diamond Member
Jul 2, 2004
4,890
1
0
Thanks for all the replies.

Secunia's scanner didn't work, kept giving an error (forgot what it said exactly)
F-Secure scan found some stuff and got rid of it. (1 virus, some spyware)
The Panda scan found a ton of cookies and two rootkits, but they want $$ to repair. I'll see if I can remove it another way before paying though.
I'm running the Trend Micro scanner now.


corkyg: the problem is occurring at both my house and hers, so I don't think it's that.

I have noticed that I get the page cannot be displayed error whenever it seems to need encryption. IE: bank login pages, newegg login page.
Myspace, facebook, etc are all fine.

There's also an extra security group in internet explorer named "This zone contains all Web sites." However, I can't make any changes to it (all buttons are greyed out).

I wish I had her Windows CD so I could rebuild this thing (and I won't see her until next week, she's out of town for a few days) /sigh.
 

bruceb

Diamond Member
Aug 20, 2004
8,874
111
106
Some programs like SPYBOT or SPYWARE BLASTER can be used to lock the IE settings.
I would suggest first, you check the browser is set to SSL 3.0
What browser are you running ? ? ... IE6 ? ?

Did you try with Firefox or Opera and see if they work ok ? ?

Did you run the WINSOCK FIX ? ? ? (google it)

Do you know how to use REGEDIT ? ?

Check this key:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

If it's found, select (highlight) the key then look in the right pane: Is there a DWORD value of "Security_Zones_Map_Edit" or "Security_HKLM_only"?

If it is there delete the key and reboot

You can also get some utilities here: http://www.malwarehelp.org/usi...cy.html#uninstallation

That can reset the IE6 security zones back to the defaults

It sure sounds like a spyware or hijack .. you may want to run Hijack This and post the log
at the Hijack This forums for analysis

Also, clear out all the Temp Files for all Users, including Cookies and Prefetch folders.

You can also try the following:

Try this in a dos box

regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 cryptdlg.dll

Good luck and keep us posted
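
A read-only way to run the registry check described in the post above, plus a listing of any zone keys beyond the standard 0-4 (relevant to the extra zone reported earlier in the thread). This is an added PowerShell example, not part of the original post; the function names are hypothetical, and looking in HKCU as well as HKLM is an assumption.

```powershell
# Read-only audit: reports what it finds and changes nothing in the registry.
$ieSettings    = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$lockValues    = 'Security_HKLM_only', 'Security_Zones_Map_Edit'   # the two values named in the post
$standardZones = '0', '1', '2', '3', '4'   # My Computer, Local intranet, Trusted, Internet, Restricted

# Hypothetical helper: returns one object per lock value that is actually set.
function Get-ZoneLockValue {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path = "$hive\Software\Policies\$ieSettings"
        if (-not (Test-Path -Path $path)) { continue }   # key absent: nothing set in this hive
        $key = Get-Item -Path $path
        foreach ($name in $lockValues) {
            $data = $key.GetValue($name)
            if ($null -ne $data) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = $name
                    Kind  = $key.GetValueKind($name)
                    Data  = $data
                }
            }
        }
    }
}

# Hypothetical helper: returns zone subkeys whose name is not one of the standard 0-4.
function Get-NonStandardZone {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path = "$hive\Software\$ieSettings\Zones"
        if (-not (Test-Path -Path $path)) { continue }
        Get-ChildItem -Path $path |
            Where-Object { $standardZones -notcontains $_.PSChildName } |
            ForEach-Object {
                [pscustomobject]@{
                    Key         = $_.Name
                    DisplayName = $_.GetValue('DisplayName')
                    Description = $_.GetValue('Description')
                }
            }
    }
}

$locks = @(Get-ZoneLockValue)
$zones = @(Get-NonStandardZone)
if ($locks.Count -eq 0) { 'No zone lock policy values found.' } else { $locks | Format-List }
if ($zones.Count -eq 0) { 'Only the standard zones 0-4 are defined.' } else { $zones | Format-List }
```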

 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Tremulant
Thanks for all the replies.

Secunia's scanner didn't work, kept giving an error (forgot what it said exactly)
F-Secure scan found some stuff and got rid of it. (1 virus, some spyware)
The Panda scan found a ton of cookies and two rootkits, but they want $$ to repair. I'll see if I can remove it another way before paying though.
I'm running the Trend Micro scanner now.

Try the standalone Panda AntiRootkit or F-Secure Blacklight (links are on this page, a few boxes down the page). They can remove/rename rootkits for free. There are various trains of thought about what to do (clean it, or just nuke from high orbit) and I favor the "nuke it" approach so you don't have to wonder. Assuming she has the necessary restoration discs and stuff, that is.

There's also an extra security group in internet explorer named "This zone contains all Web sites." However, I can't make any changes to it (all buttons are greyed out).

Freaky :confused: What is the name of the malwares that the scanners have detected, did you note them down?
 

bruceb

Diamond Member
Aug 20, 2004
8,874
111
106
It would be good to know the names of the Virus and Rootkits the programs thought they found.
And to remove any of them properly you need to be in SAFE MODE

Did you try any of the steps I listed above to see if it will help ? ?

Failing to remove the virus or rootkits properly, then indeed, the best method is to do a full clean install
of the OS .. time consuming and you will need to reinstall all your apps and keep a copy of Personal Data
Files and License Codes as you will need them. Same for all the Drivers installed on the system.

Everest Home Edition or Belarc Advisor will give you the License Codes & Product Keys

Driver Genius Pro can make a backup copy of all the software drivers currently installed.
Or you can do it the hard way and download them from the pc makers or accessory makers website.

 

lxskllr

No Lifer
Nov 30, 2004
60,039
10,526
126
If it were me, I'd do a reinstall. I don't like playing around with viruses and crap because it's hard to be sure everything is definitely ok. I wouldn't feel good about submitting financial information into a computer that had been compromised. A fresh start is always nice too. Get rid of the unused crap, and modify future computing practices to prevent another infection.
 

Tremulant

Diamond Member
Jul 2, 2004
4,890
1
0
Originally posted by: bruceb
Some programs like SPYBOT or SPYWARE BLASTER can be used to lock the IE settings.
I would suggest first, you check the browser is set to SSL 3.0
What browser are you running ? ? ... IE6 ? ?

Did you try with Firefox or Opera and see if they work ok ? ?

Firefox is broken as well, didn't try with Opera since it's not already installed

Did you run the WINSOCK FIX ? ? ? (google it)

I ran winsockxpfix, problem still occurs

Do you know how to use REGEDIT ? ?

Check this key:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

If it's found, select (highlight) the key then look in the right pane: Is there a DWORD value of "Security_Zones_Map_Edit" or "Security_HKLM_only"?

If it is there delete the key and reboot

There's no CurrentVersion\Internet Settings\ key under HKLM\Software\Policies

You can also get some utilities here: http://www.malwarehelp.org/usi...cy.html#uninstallation

That can reset the IE6 security zones back to the defaults

I'll try that next... (was busy yesterday and at a party last night and busy all day today, so I haven't really had a chance to work on it)

It sure sounds like a spyware or hijack .. you may want to run Hijack This and post the log
at the Hijack This forums for analysis

Also, clear out all the Temp Files for all Users, including Cookies and Prefetch folders.

I hadn't tried clearing out all the normal temp folders, I did clear the temp internet files though, but that didn't help. I'll try that after I try the suggestion above.

You can also try the following:

Try this in a dos box

regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 cryptdlg.dll

Good luck and keep us posted

I'll try that as well.

Thanks.
 

Tremulant

Diamond Member
Jul 2, 2004
4,890
1
0
Originally posted by: mechBgon
Try the standalone Panda AntiRootkit or F-Secure Blacklight (links are on this page, a few boxes down the page). They can remove/rename rootkits for free. There are various trains of thought about what to do (clean it, or just nuke from high orbit) and I favor the "nuke it" approach so you don't have to wonder. Assuming she has the necessary restoration discs and stuff, that is.

I did try the standalone Panda AntiRootkit and it didn't find anything. The F-Secure blacklight I couldn't download, so I'll have to download it on my computer and transfer it over. I'll have to talk to her and see if she has the resto discs. I wouldn't mind blowing it all away, and I don't think she'd have too much trouble with it either.

Freaky :confused: What is the name of the malwares that the scanners have detected, did you note them down?

I didn't write it down, but I did save the activescan log..
Hacktool:Hacktool/KillProcwin.A
Hacktool:Hacktool/KillProcwin.A

I'll see if I can find a way to get rid of it.

Thanks again..


EDIT:
Here's something amazing. I loaded up safe mode w/ networking, and I'm able to download the update from AVG. It doesn't let me install it (can't start the update service in safe mode), but it's something.

BofA main page loads also.. in safe mode.

I'm following the instructions at the swi forums now (running avg antispyware)