

Am I still infected by Win 7 Internet Security 2012 virus?


  • This topic is locked
11 replies to this topic

#1 arturdux

arturdux

  • Members
  • 31 posts
  • Gender:Male
  • Location:Germany

Posted 25 January 2012 - 07:24 AM

I hope that someone can help me with my PC problem.

My PC runs Windows 7 Home Premium 64-Bit Service Pack 1 (pre-installed when purchased); and I have the following security and clean-up programs: Norton 360 Online Version 5.1.0.29; Malwarebytes Anti-Malware (free version); Spybot; CCleaner; and Duplicate Cleaner.

At the end of December 2011, at start-up, a message appeared from Norton - "Error: "5013,3" appears on Norton 360 Version 5.0" - with instructions to turn off Norton Tamper Protection temporarily and enable the Base Filtering Engine (by opening the Services window). I tried to follow the instructions, but could not find the "Base Filtering Engine" under "Services".

Next I tried to do a system restore to the only restore point available, but there seemed to be something wrong - the font on my PC had changed, several folders would not open, - so I decided to "re-restore" to the end-December 2011 settings and deal with the issue from there - this seemed to work without a problem.

Next I searched the net for "Error 5013,3" and found users on several forums - including Norton's forum - having the same problem with the Norton fix. Several threads suggested that the problem was caused by a “Win 7 Internet Security 2012" virus - which might also have affected other Windows features. I checked some of my Windows features: I found that Windows Firewall was disabled, and could not be activated; Windows Update "froze" when I tried to run it; my browser (IE9) was running slowly and unreliably; and as I had already found, System Restore had worked strangely.

Perhaps unwisely, I decided to try to fix the problem on my own, following the fixes suggested in a Bleeping Computer thread dealing with a problem where the virus had taken out the Base Filtering Engine, Windows Firewall, Windows Security Center and System Restore. Specifically, I:

- created a system restore point and backed up the registry.
- downloaded and ran the files mentioned in the thread – i.e.: Base Filtering Engine (bfe.reg), Windows Firewall (mpssvc.reg), Windows Security Center (wscsvc.reg) and System Restore (sdrsvc.reg).
- restarted the PC.
- changed the registry permissions for the files bfe.reg and mpssvc.reg only to "Full Control" for "Everyone".
- ran the file start_services.bat "As Administrator" to run the fixes.

I have since run all my security programs - finding nothing; and I have also run programs suggested in the BC thread or in the BC guide to removing the "Win 7 Internet Security 2012" virus:

- ESET Online Scanner: a couple of weeks ago, it found a few java-based trojan files; yesterday, nothing found.
- Avast: a couple of weeks ago, it found a few trojan files; yesterday, nothing found.
- RKill: a couple of weeks ago, it found and killed a process called svchost.exe; yesterday, nothing found.
- TDSS Killer: nothing found.

I have also run some programs for diagnostic purposes as suggested in the BC thread or guide - namely Farbar Service Scanner (FSS) and Security Check - see next paragraph.

As at today:

- my PC seems to start up without a problem, and all my software and files seem to be opening and working fine.
- my usual security programs seem to update and run scans fine.
- FSS indicates no problem with Windows Firewall - the Control Panel says this service is controlled by Norton 360.

However, I am still concerned, especially by:

- the internet: FSS indicates no problem under Internet Services, but it seems to work slower and less reliably.
- System Restore: FSS says that the SDRSVC and VSS services are not running. I am not sure what this means and wonder whether this Windows Service is also controlled by Norton 360?
- Windows Update: FSS indicates no problem, but when I click on this, the PC just hangs and does nothing. Again, I am not sure if this Windows service is taken over by Norton 360, but I am concerned that I might be missing out on updates - the last Windows update to my PC was on 16.12.2011.
- Java: Security Check says that my version of Java is out-of-date: but when I tried installing the latest version of Java and de-installing the old version, the installation broke down before it had finished.

I would be very grateful if someone could take a look at what I have done (and maybe should not have done...) and advise me of how to identify and fix any remaining problems, so I can get my PC back to "normal" and secure working.

Thanks!
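The recovery steps arturdux describes re-import the service keys for BFE, MpsSvc, wscsvc and SDRSVC and then give "Everyone" Full Control on two of those keys. The script below is an added example for this page, not code from the thread or from the BC guide: it reads each service's Start value and live status (adding VSS and wuauserv, the two he still reports trouble with) and flags any service key on which Everyone holds write rights. That grant is not a Windows default and is a local privilege-escalation path, because any user could then change the service's ImagePath and have SYSTEM launch their binary at the next start; it should be tightened back to the defaults once the services run. The service short names and key path are the standard Windows ones; the script changes nothing and needs an elevated prompt.

```powershell
# Added example for this page (not from the thread or the BC guide).
# Read-only audit of the services the rogue is reported to disable and of the
# registry ACLs the fix widened. Run from an elevated PowerShell prompt.
$services   = 'BFE', 'MpsSvc', 'wscsvc', 'SDRSVC', 'VSS', 'wuauserv'
$startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$everyoneSid = 'S-1-1-0'   # well-known SID for Everyone ("Jeder" on a German system)

foreach ($name in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) {
        # Key deleted outright: only re-importing it (the .reg files) brings it back
        Write-Output ("{0,-9} service key MISSING" -f $name)
        continue
    }

    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    $startText = $startNames[[int]$start]
    if (-not $startText) { $startText = "raw=$start" }

    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status } else { 'not registered' }

    # Any Allow entry for Everyone with write rights on the key lets an
    # unprivileged user rewrite ImagePath; not a default grant on Windows 7.
    $everyoneWrite = (Get-Acl -Path $key).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $everyoneSid -and
        $_.RegistryRights -match 'FullControl|WriteKey|SetValue|CreateSubKey|ChangePermissions'
    }
    $flag = if ($everyoneWrite) { 'EVERYONE has write access - tighten this' } else { '' }

    Write-Output ("{0,-9} start={1,-9} status={2,-15} {3}" -f $name, $startText, $status, $flag)
}
```

A line such as `SDRSVC    start=Manual    status=Stopped` is normal for System Restore and VSS, which start on demand; `Disabled`, a missing key, or the `EVERYONE` flag are the findings to act on.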



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,072 posts
  • Gender:Male
  • Location:NJ USA

Posted 25 January 2012 - 10:08 PM

Hello, we may move you, but first.

Ran RKill: a couple of weeks ago, it found and killed a process called svchost.exe; yesterday, nothing found


RKill only stops its list of malwares from running so other tools like MBAM and TDSSKiller can be run to remove them. Once you reboot it releases them again if not removed. So you ran Malwarebytes and TDSSKiller before you rebooted? If not, rerun all three.



Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start scan:

On completion of the scan click "Save log", save it to your desktop and post in your next reply:

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
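boopme's checklist asks for the IE and Firefox proxy settings, the hosts file, the Winsock catalog and the latest event log errors because those are the places where a browser or update hijack leaves traces. The script below is an added example for this page, not part of the thread and not MiniToolBox's own code: it splits a Result.txt into its sections and flags a proxy that is set, hosts entries beyond the localhost defaults, Winsock providers that are not the stock Microsoft DLLs, and event-log errors carrying Win32 error 5 (access denied), which against the Windows Update datastore under SoftwareDistribution is what makes the update client hang. Both reports embedded in it are constructed in the tool's layout; the proxy, the hosts redirect and `evil_lsp.dll` are invented, and the exact wording of the clean proxy lines is assumed.

```python
"""Triage helper for a MiniToolBox Result.txt (added example for this page: not from
the thread and not MiniToolBox's own code). Sample data below is constructed."""
import re

# Stock Winsock catalog DLLs of a default Windows 7 install (assumption; add any LSP
# you installed on purpose, e.g. from a firewall product).
KNOWN_WINSOCK_DLLS = {"nlaapi.dll", "napinsp.dll", "pnrpnsp.dll", "mswsock.dll", "winrnr.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SECTION_RE = re.compile(r"^=+\s*([A-Za-z][^=]*?):?\s*=+$")        # '===== Title: ====='
WINSOCK_RE = re.compile(r"^(?:x64-)?Catalog[59]\s+\d+\s+(.+?)\s+\[\d+\]\s*(\(.*\))?$")

def split_sections(text):
    """Map each section title to the lines that follow its header."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).strip(" :")
            sections[current] = []
        elif current is not None:
            sections[current].append(line.rstrip())
    return sections

def check_proxy(lines):
    """Clean wording (assumed): 'Proxy is not enabled.' / 'No Proxy Server is set.'"""
    text = "\n".join(lines)
    if "Proxy is not enabled" in text and "No Proxy Server is set" in text:
        return []
    return ["proxy: " + " | ".join(l.strip() for l in lines if l.strip())]

def check_hosts(lines):
    """Flag every active hosts entry except the localhost defaults."""
    findings = []
    for s in (l.strip() for l in lines):
        if not s or s.startswith("#"):
            continue
        parts = s.split()
        if len(parts) >= 2 and parts[0] in ("127.0.0.1", "::1") and parts[1].lower() == "localhost":
            continue
        findings.append("hosts: " + s)
    return findings

def check_winsock(lines):
    """Flag providers outside the system directories, outside the stock list, or not Microsoft's."""
    findings = []
    for s in (l.strip() for l in lines):
        m = WINSOCK_RE.match(s)
        if not m:
            continue
        path, vendor = m.group(1), m.group(2) or ""
        dll = path.rsplit("\\", 1)[-1].lower()
        if (dll not in KNOWN_WINSOCK_DLLS or not path.lower().startswith(SYSTEM_DIRS)
                or "Microsoft Corporation" not in vendor):
            findings.append("winsock: " + s)
    return findings

def check_event_log(lines):
    """Pair 'Error:' headers with their 'Description:' and flag Win32 error 5 (0x00000005,
    access denied): on the SoftwareDistribution datastore that is why Windows Update hangs."""
    findings, header = [], None
    for s in (l.strip() for l in lines):
        if s.startswith("Error:"):
            header = s
        elif s.startswith("Description:") and header is not None:
            if "(0x00000005)" in s:
                findings.append("access denied: %s -> %s" % (header, s[len("Description:"):].strip()))
            header = None
    return findings

def triage(report_text):
    """Run every check; an empty list means nothing stood out."""
    sec = split_sections(report_text)
    return (check_proxy(sec.get("IE Proxy Settings", [])) + check_hosts(sec.get("Hosts content", []))
            + check_winsock(sec.get("Winsock entries", [])) + check_event_log(sec.get("Event log errors", [])))

# Constructed excerpts in MiniToolBox's layout; the tampered proxy, redirect and DLL are invented.
CLEAN_REPORT = r"""
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
========================= Winsock entries =====================================
Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
"""
TAMPERED_REPORT = r"""
========================= IE Proxy Settings: ==============================
Proxy is enabled.
Proxy Server: http=127.0.0.1:8080
========================= Hosts content: =================================
127.0.0.1 localhost
127.0.0.1 www.bleepingcomputer.com
========================= Winsock entries =====================================
Catalog9 02 C:\Users\User\AppData\Local\evil_lsp.dll [20480] ()
========================= Event log errors: ===============================
Error: (01/26/2012 11:44:48 AM) (Source: ESENT) (User: )
Description: wuaueng.dll (988) SUS20ClientDataStore: An attempt to open the file "C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log" for read only access failed with system error 5 (0x00000005): "Access is denied.".
"""

if __name__ == "__main__":
    for name, report in (("clean", CLEAN_REPORT), ("tampered", TAMPERED_REPORT)):
        print(name, "->", triage(report) or "no findings")
```

Run it on a real Result.txt with `triage(open("Result.txt", encoding="cp1252", errors="replace").read())`; the report is written in the console code page, which is why umlauts in the log posted below appear mangled. A Winsock hit is worth cross-checking against the installed-programs list before removing anything, since some firewall products register their own provider legitimately.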

#3 arturdux

arturdux
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:Germany

Posted 26 January 2012 - 09:59 AM


Hello and thanks for your reply - I really would be grateful for your help.

I may have been unwise to attempt my own solution first, but I did run the fixes and other programs in the order given by the BC thread or the BC guide – so I am sure I ran rKill and then (without rebooting) MBAM and TDSSkiller - but I have run all three again anyway, and no threats or malicious items were detected.

I have also run MiniToolBox and aswMBR. Some of the text in the MiniToolBox log is in German (PC is in Germany) - I hope the log is still understandable, but if you tell me any areas where you are interested and do not understand the text, I can translate.

Here are the logs you requested:

Log for MiniToolBox:

MiniToolBox by Farbar Version: 18-01-2012
Ran by User (administrator) on 26-01-2012 at 12:05:15
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================



========================= IP Configuration: ================================

Speedport W 102 Stick-IEEE 802.11n-USB-2.0-Adapter = Wireless Network Connection 10 (Connected)
NVIDIA nForce Networking Controller = Local Area Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 11 (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : User-PC
Primary Dns Suffix  . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection 11:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
Physical Address. . . . . . . . . : 00-23-08-6C-AB-FE
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection 10:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Speedport W 102 Stick-IEEE 802.11n-USB-2.0-Adapter #10
Physical Address. . . . . . . . . : 00-23-08-6C-AB-FF
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d5ea:12db:2b9a:f21a%21(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.106(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, 26 January 2012 11:37:19
Lease Expires . . . . . . . . . . : Thursday, 16 February 2012 11:37:24
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 587211528
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-BE-B5-CF-00-30-67-3B-5D-40
DNS Servers . . . . . . . . . . . : 192.168.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-30-67-34-65-82
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{A8A542C0-4138-4FDD-B7D0-BC102ABFAF4D}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 20:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{E500829D-A0F4-4E92-9FFB-6B48C7D71BBE}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{CF550C76-C6D2-4C01-AD31-970DFE844194}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: speedport.ip
Address: 192.168.2.1

Name: google.com
Addresses: 173.194.69.104
173.194.69.106
173.194.69.105
173.194.69.147
173.194.69.103
173.194.69.99


Pinging google.com [173.194.69.104] with 32 bytes of data:
Reply from 173.194.69.104: bytes=32 time=44ms TTL=50
Reply from 173.194.69.104: bytes=32 time=47ms TTL=50

Ping statistics for 173.194.69.104:
Packets: Sent = 2, Received = 2, Lost = 0
(0% loss),
Approximate round trip times in milli-seconds:
Minimum = 44ms, Maximum = 47ms, Average = 45ms
Server: speedport.ip
Address: 192.168.2.1

Name: yahoo.com
Addresses: 98.137.149.56
72.30.2.43
209.191.122.70
98.139.180.149


Pinging yahoo.com [98.137.149.56] with 32 bytes of data:
Reply from 98.137.149.56: bytes=32 time=236ms TTL=55
Reply from 98.137.149.56: bytes=32 time=302ms TTL=55

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0
(0% loss),
Approximate round trip times in milli-seconds:
Minimum = 236ms, Maximum = 302ms, Average = 269ms
Server: speedport.ip
Address: 192.168.2.1

Name: bleepingcomputer.com
Address: 208.43.87.2


Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0
(0% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0
(0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
22...00 23 08 6c ab fe ......Microsoft Virtual WiFi Miniport Adapter
21...00 23 08 6c ab ff ......Speedport W 102 Stick-IEEE 802.11n-USB-2.0-Adapter #10
10...00 30 67 34 65 82 ......NVIDIA nForce Networking Controller
1...........................Software Loopback Interface 1
36...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
33...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
37...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
35...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.106     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.2.0    255.255.255.0         On-link     192.168.2.106    276
    192.168.2.106  255.255.255.255         On-link     192.168.2.106    276
    192.168.2.255  255.255.255.255         On-link     192.168.2.106    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.2.106    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.2.106    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 21    276 fe80::/64                On-link
 21    276 fe80::d5ea:12db:2b9a:f21a/128
                                    On-link
  1    306 ff00::/8                 On-link
 21    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/26/2012 11:44:48 AM) (Source: ESENT) (User: )
Description: wuaueng.dll (988) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening log file C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log.

Error: (01/26/2012 11:44:48 AM) (Source: ESENT) (User: )
Description: wuaueng.dll (988) SUS20ClientDataStore: An attempt to open the file "C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log" for read only access failed with system error 5 (0x00000005): "Access denied". The open file operation will fail with error -1032 (0xfffffbf8).

Error: (01/26/2012 11:44:38 AM) (Source: ESENT) (User: )
Description: wuaueng.dll (988) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening log file C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log.

Error: (01/26/2012 11:44:38 AM) (Source: ESENT) (User: )
Description: wuaueng.dll (988) SUS20ClientDataStore: An attempt to open the file "C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log" for read only access failed with system error 5 (0x00000005): "Access denied". The open file operation will fail with error -1032 (0xfffffbf8).

Error: (01/26/2012 11:44:28 AM) (Source: ESENT) (User: )
Description: wuaueng.dll (988) SUS20ClientDataStore: An attempt to open the file "C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk" for read / write access failed with system error 5 (0x00000005): "Access denied". The open file operation will fail with error -1032 (0xfffffbf8).

Error: (01/26/2012 11:44:18 AM) (Source: ESENT) (User: )
Description: wuaueng.dll (988) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening log file C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log.

Error: (01/26/2012 11:44:18 AM) (Source: ESENT) (User: )
Description: wuaueng.dll (988) SUS20ClientDataStore: An attempt to open the file "C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log" for read only access failed with system error 5 (0x00000005): "Access denied". The open file operation will fail with error -1032 (0xfffffbf8).

Error: (01/26/2012 11:44:08 AM) (Source: ESENT) (User: )
Description: wuaueng.dll (988) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening log file C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log.

Error: (01/26/2012 11:44:08 AM) (Source: ESENT) (User: )
Description: wuaueng.dll (988) SUS20ClientDataStore: An attempt to open the file "C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log" for read only access failed with system error 5 (0x00000005): "Access denied". The open file operation will fail with error -1032 (0xfffffbf8).

Error: (01/26/2012 11:43:58 AM) (Source: ESENT) (User: )
Description: wuaueng.dll (988) SUS20ClientDataStore: An attempt to open the file "C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk" for read / write access failed with system error 5 (0x00000005): "Access denied". The open file operation will fail with error -1032 (0xfffffbf8).


System errors:
=============
Error: (01/26/2012 11:37:11 AM) (Source: Microsoft-Windows-Kernel-General) (User: SYSTEM)
Description: 0x8000002a56\??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT

Error: (01/26/2012 11:37:07 AM) (Source: NetBT) (User: )
Description: Initialization failed because the driver device could not be created.
Use the string "003067346582" to identify the interface for which initialization failed.
It represents the MAC address of the failed interface or the Globally Unique Interface
Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the
MAC address nor the GUID were available, the string represents a cluster device name.

Error: (01/26/2012 11:37:07 AM) (Source: NetBT) (User: )
Description: Initialization failed because the driver device could not be created.
Use the string "003067346582" to identify the interface for which initialization failed.
It represents the MAC address of the failed interface or the Globally Unique Interface
Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the
MAC address nor the GUID were available, the string represents a cluster device name.

Error: (01/26/2012 11:36:20 AM) (Source: Service Control Manager) (User: )
Description: The "NVIDIA Display Driver Service" service has reported an invalid current state: 32

Error: (01/26/2012 09:06:17 AM) (Source: Microsoft-Windows-Kernel-General) (User: SYSTEM)
Description: 0x8000002a56\??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT

Error: (01/26/2012 09:06:14 AM) (Source: NetBT) (User: )
Description: Initialization failed because the driver device could not be created.
Use the string "003067346582" to identify the interface for which initialization failed.
It represents the MAC address of the failed interface or the Globally Unique Interface
Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the
MAC address nor the GUID were available, the string represents a cluster device name.

Error: (01/26/2012 09:06:14 AM) (Source: NetBT) (User: )
Description: Initialization failed because the driver device could not be created.
Use the string "003067346582" to identify the interface for which initialization failed.
It represents the MAC address of the failed interface or the Globally Unique Interface
Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the
MAC address nor the GUID were available, the string represents a cluster device name.

Error: (01/26/2012 09:05:29 AM) (Source: Service Control Manager) (User: )
Description: The "NVIDIA Display Driver Service" service has reported an invalid current state: 32

Error: (01/26/2012 07:48:21 AM) (Source: Microsoft-Windows-Kernel-General) (User: SYSTEM)
Description: 0x8000002a56\??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT

Error: (01/26/2012 07:48:18 AM) (Source: NetBT) (User: )
Description: Initialization failed because the driver device could not be created.
Use the string "003067346582" to identify the interface for which initialization failed.
It represents the MAC address of the failed interface or the Globally Unique Interface
Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the
MAC address nor the GUID were available, the string represents a cluster device name.


Microsoft Office Sessions:
=========================
Error: (01/26/2012 11:44:48 AM) (Source: ESENT)(User: )
Description: wuaueng.dll988SUS20ClientDataStore: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log-1032 (0xfffffbf8)

Error: (01/26/2012 11:44:48 AM) (Source: ESENT)(User: )
Description: wuaueng.dll988SUS20ClientDataStore: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log-1032 (0xfffffbf8)5 (0x00000005)Access denied

Error: (01/26/2012 11:44:38 AM) (Source: ESENT)(User: )
Description: wuaueng.dll988SUS20ClientDataStore: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log-1032 (0xfffffbf8)

Error: (01/26/2012 11:44:38 AM) (Source: ESENT)(User: )
Description: wuaueng.dll988SUS20ClientDataStore: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log-1032 (0xfffffbf8)5 (0x00000005)Access denied

Error: (01/26/2012 11:44:28 AM) (Source: ESENT)(User: )
Description: wuaueng.dll988SUS20ClientDataStore: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk-1032 (0xfffffbf8)5 (0x00000005)Access denied

Error: (01/26/2012 11:44:18 AM) (Source: ESENT)(User: )
Description: wuaueng.dll988SUS20ClientDataStore: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log-1032 (0xfffffbf8)

Error: (01/26/2012 11:44:18 AM) (Source: ESENT)(User: )
Description: wuaueng.dll988SUS20ClientDataStore: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log-1032 (0xfffffbf8)5 (0x00000005)Access denied

Error: (01/26/2012 11:44:08 AM) (Source: ESENT)(User: )
Description: wuaueng.dll988SUS20ClientDataStore: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log-1032 (0xfffffbf8)

Error: (01/26/2012 11:44:08 AM) (Source: ESENT)(User: )
Description: wuaueng.dll988SUS20ClientDataStore: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log-1032 (0xfffffbf8)5 (0x00000005)Access denied

Error: (01/26/2012 11:43:58 AM) (Source: ESENT)(User: )
Description: wuaueng.dll988SUS20ClientDataStore: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk-1032 (0xfffffbf8)5 (0x00000005)Access denied


=========================== Installed Programs ============================

64 Bit HP CIO Components Installer (Version: 6.2.1)
AbiWord 2.8.6 (Version: 2.8.6)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.55)
Adobe Reader 7.0.5 (Version: 7.0.5)
Adobe Shockwave Player 11.5 (Version: 11.5.9.620)
Any Video Converter 3.2.1
Avidemux 2.5 (Version: 2.5.0.4944)
Avidemux 2.5 (Version: 2.5.6.7716)
BufferChm (Version: 130.0.331.000)
CCleaner (Version: 3.01)
Copy (Version: 130.0.366.000)
Destinations (Version: 140.0.77.000)
DeviceDiscovery (Version: 130.0.372.000)
DJ_AIO_06_F2400_SW_Min (Version: 130.0.373.000)
Duplicate Cleaner 2.1b (Version: 2.1b)
F2400 (Version: 130.0.373.000)
FormatFactory 2.40 (Version: 2.40)
FreePDF (Remove only)
FreeRIP v3.61 (Version: 3.61)
GEAR driver installer for x86 and x64 (Version: 4.008.5)
Google Advertising Cookie Opt-out (Version: 1.0.0.2)
Google Update Helper (Version: 1.3.21.79)
GPBaseService2 (Version: 130.0.371.000)
GPL Ghostscript 8.71
HP Customer Participation Program 13.0 (Version: 13.0)
HP Deskjet F2400 All-In-One Driver Software 13.0 Rel .6 (Version: 13.0)
HP Imaging Device Functions 13.0 (Version: 13.0)
HP Print Projects 1.0 (Version: 1.0)
HP Smart Web Printing 4.60 (Version: 4.60)
HP Solution Center 13.0 (Version: 13.0)
HP Update (Version: 4.000.011.006)
HPPhotoGadget (Version: 130.0.282.000)
hpPrintProjects (Version: 130.0.303.000)
HPProductAssistant (Version: 130.0.371.000)
hpWLPGInstaller (Version: 130.0.303.000)
Java Auto Updater (Version: 2.0.3.1)
Java™ 6 Update 24 (Version: 6.0.240)
Junk Mail filter update (Version: 14.0.8089.726)
Malwarebytes Anti-Malware version 1.60.0.1800 (Version: 1.60.0.1800)
MarketResearch (Version: 130.0.374.000)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Search Enhancement Pack (Version: 3.0.127.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Sync Framework Runtime Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Sync Framework Services Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218 (Version: 9.0.21022.218)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Norton 360 (Version: 5.1.0.29)
NVIDIA Drivers (Version: 1.3)
OpenOffice.org 3.3 (Version: 3.3.9567)
Orbit Downloader
Paint.NET v3.5.10 (Version: 3.60.0)
PVSonyDll (Version: 1.00.0001)
RedMon - Redirection Port Monitor
Scan (Version: 140.0.80.000)
SmartWebPrinting (Version: 140.0.186.000)
SolutionCenter (Version: 130.0.373.000)
Some PDF to Txt Converter 1.5
Speedport W 102 Stick (Version: 1.0.0.18)
Spybot - Search & Destroy (Version: 1.6.2)
Status (Version: 130.0.373.000)
T-Home Dialerschutz-Software
Toolbox (Version: 130.0.648.000)
TrayApp (Version: 130.0.376.000)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
WebReg (Version: 130.0.132.017)
Windows Live-Uploadtool (Version: 14.0.8014.1029)
Windows Live Anmelde-Assistent (Version: 5.000.818.5)
Windows Live Communications Platform (Version: 14.0.8098.930)
Windows Live Essentials (Version: 14.0.8089.0726)
Windows Live Essentials (Version: 14.0.8089.726)
Windows Live Fotogalerie (Version: 14.0.8081.709)
Windows Live Mail (Version: 14.0.8089.0726)
Windows Live Movie Maker (Version: 14.0.8091.0730)
Windows Live Sync (Version: 14.0.8089.726)
Windows Live Toolbar (Version: 14.0.8064.206)
WinRAR archiver

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 45%
Total physical RAM: 3839.24 MB
Available physical RAM: 2099.05 MB
Total Pagefile: 7676.67 MB
Available Pagefile: 5827.01 MB
Total Virtual: 4095.88 MB
Available Virtual: 3954.14 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:465.66 GB) (Free:376.11 GB) NTFS

========================= Users: ========================================

Benutzerkonten fr \\USER-PC

Administrator Gast User
Der Befehl wurde erfolgreich ausgefhrt.

========================= Minidump Files ==================================

No minidump file found

**** End of log ****

Log for aswMBR:

aswMBR version 0.9.9.1509 Copyright© 2011 AVAST Software
Run date: 2012-01-26 10:25:03
-----------------------------
10:25:03.645 OS Version: Windows x64 6.1.7601 Service Pack 1
10:25:03.645 Number of processors: 2 586 0x602
10:25:03.646 ComputerName: USER-PC UserName: User
10:25:05.369 Initialize success
10:26:33.525 AVAST engine defs: 12012600
10:26:46.104 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
10:26:46.109 Disk 0 Vendor: WDC_WD5000AAJS-55A8B2 01.03B01 Size: 476940MB BusType: 11
10:26:46.119 Disk 0 MBR read successfully
10:26:46.125 Disk 0 MBR scan
10:26:46.138 Disk 0 Windows 7 default MBR code
10:26:46.145 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
10:26:46.159 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
10:26:46.171 Service scanning
10:26:47.859 Modules scanning
10:26:47.868 Disk 0 trace - called modules:
10:26:47.885 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
10:26:47.894 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004268060]
10:26:47.904 3 CLASSPNP.SYS[fffff8800185143f] -> nt!IofCallDriver -> [0xfffffa80040fc520]
10:26:48.239 5 ACPI.sys[fffff88000ecf7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80040ef680]
10:26:49.941 AVAST engine scan C:\Windows
10:26:52.926 AVAST engine scan C:\Windows\system32
10:29:16.129 AVAST engine scan C:\Windows\system32\drivers
10:29:36.311 AVAST engine scan C:\Users\User
10:36:10.344 AVAST engine scan C:\ProgramData
10:38:45.095 Scan finished successfully
10:58:57.678 Disk 0 MBR has been saved successfully to "C:\Users\User\Desktop\MBR.dat"
10:58:57.683 The log file has been saved successfully to "C:\Users\User\Desktop\aswMBR.txt"


I hope this is OK - look forward to hearing from you!

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,072 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:07:05 PM

Posted 26 January 2012 - 11:50 AM

Hi, that's OK with the German. I've seen enough of these logs to know what they are saying now in all languages.. LOL

I see no malware other than a possible hosts file, so we'll reset the HOSTS file.
As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system.
Some types of malware will alter the HOSTS file as part of its infection. Please follow the instructions provided in How do I reset the hosts file back to the default?

To reset the hosts file automatically, go HERE and click the Fix it button. Then just follow the prompts in the Fix it wizard.



These are old and have to go...
Java™ 6 Update 24 (Version: 6.0.240)
Adobe Reader 7.0.5 (Version: 7.0.5)

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u2-windows-i586.exe (or jre-7u2-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.



Similarly Update to Adobe Reader X (10.1.0)
Note: Uncheck the box so you do not install the toolbar, unless you really want it.

Free! Google Toolbar search Google from any web page, block pop-ups

Yes, install Google Toolbar - optional




Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
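The hosts-file step above replaces the file wholesale. The PowerShell below is an added example, not code from this thread or from Microsoft's Fix it, showing what a defender would look at first: which active entries differ from the Windows default (only localhost), since malware of this family typically points security-vendor or update hostnames at a bogus address or blocks them with 127.0.0.1/0.0.0.0. It assumes PowerShell 2.0 or later on Windows 7 and an elevated prompt for the backup copy; the function names are my own.

```powershell
# Added example (not from the BleepingComputer thread or Microsoft's Fix it):
# list active hosts-file entries that are not the Windows defaults and back the
# file up before any reset. Assumes PowerShell 2.0+ on Windows 7; writing the
# backup next to the original needs an elevated prompt.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsEntries {
    param([string]$Path = $HostsPath)
    # Parse active lines into (Line, IP, Host) objects; comments and blanks are skipped.
    $lineNo = 0
    foreach ($line in Get-Content -Path $Path) {
        $lineNo++
        $text = ($line -split '#')[0].Trim()      # drop trailing comments
        if ($text -eq '') { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        # One line may map several names to the same address; emit one object per name.
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            New-Object PSObject -Property @{ Line = $lineNo; IP = $fields[0]; Host = $name }
        }
    }
}

function Get-SuspiciousHostsEntries {
    param([string]$Path = $HostsPath)
    # A default Windows 7 hosts file has every line commented out; the only entries
    # considered benign here are the loopback mappings of "localhost". Anything else
    # either redirects a name (e.g. an AV or update site sent to a fake IP) or blocks it.
    Get-HostsEntries -Path $Path | Where-Object {
        -not ($_.Host -eq 'localhost' -and ($_.IP -eq '127.0.0.1' -or $_.IP -eq '::1'))
    }
}

function Backup-HostsFile {
    param([string]$Path = $HostsPath)
    # Keep a timestamped copy so the original can be examined later (IoCs, timeline).
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = "$Path.$stamp.bak"
    Copy-Item -Path $Path -Destination $backup
    return $backup
}

$hits = @(Get-SuspiciousHostsEntries)
if ($hits.Count -eq 0) {
    Write-Host "hosts file contains only default entries"
} else {
    Write-Host "$($hits.Count) non-default hosts entries found:"
    $hits | Format-Table Line, IP, Host -AutoSize
    Write-Host "Backup written to: $(Backup-HostsFile)"
}
```

Review the listed entries before resetting: legitimate ad-blocking lists also fill the hosts file with 127.0.0.1 entries, so the red flag is not the count but names belonging to security vendors, Windows Update or the machine's own AV being redirected.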

#5 arturdux

arturdux
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:Germany
  • Local time:11:05 PM

Posted 27 January 2012 - 11:02 AM


Hello again,

Thanks for these instructions. Here's what I did:

Ran Fixit. At the end of running, I was prompted to re-boot the PC. After re-start, the IE browser opened automatically and a box appeared (my translation - original in German): "Windows Security Alert. Windows Firewall has blocked some features of this program". It specified Internet Explorer, and the path C:\program files (x86)\internet explorer\iexplore.exe. There were 2 options to allow Internet Explorer to communicate on the following networks: private networks and public networks. It said that the Firewall was already configured for private networks; the tick box next to public networks was pre-ticked, and I left the tick there and clicked "Allow access" - if I was wrong to do so, presumably I can go back and do it again, or does it make any difference?

De-installed old versions and installed latest versions of Java and Adobe. This went without a problem. (During installation of Java, I was not asked about a toolbar or McAfee; and the JQS was not enabled).

Created New Restore Point. This went without a problem.

Disk Cleanup: This went without a problem, leaving the one restore point (the one created before Disk Cleanup).

Is there anything more I must or should do? I will see how the browser performs over the next few days, and it seems I can create restore points (I just hope I don't need to use one...); but I am still bothered by Windows Update, where I am concerned that I might be missing out on updates. Do you suggest any further diagnostic tests and remedial work?

Thanks again - looking forward to hearing from you.


You can safely run MINI..

Edited by boopme, 27 January 2012 - 04:36 PM.


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,072 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:07:05 PM

Posted 27 January 2012 - 09:08 PM

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#7 arturdux

arturdux
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:Germany
  • Local time:11:05 PM

Posted 28 January 2012 - 06:56 AM


Hello once more,

I have run Farbar Service Scanner and here is the log:

Farbar Service Scanner Version: 18-01-2012 01
Ran by User (administrator) on 28-01-2012 at 12:01:46
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
===========

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****


I don't know if this helps, but after doing the last set of fixes, I checked whether Windows Update was running again. I went to the Control Panel and clicked to search for updates, and as before the PC just seemed to hang for a couple of minutes, but then to my surprise a screen appeared which said (I translate from the original German):

"Windows Update
Check for updates for the computer"

...and next to that a button labelled "Check for updates".

To the left of this text was a red shield and a white cross, and under this message there was more text: "More information about free software from (null) Click here to receive details."

Anyway, I clicked the "Check for updates" button, and a message box appeared which said:

"Windows Update Cannot Currently Check For Updates, Because The Service Is Not Running. You May Need To Restart Your Computer".

I restarted the PC and nothing had changed - still no updates...

Anyway, maybe this is useful to further diagnosing the problem - and I look forward to hearing your views and further advice!
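Farbar Service Scanner (requested in post #6, log above) reports on a fixed set of services and on the policy keys that switch Windows Update, the Firewall and System Restore off. The PowerShell below is an added example of the same checks, not FSS's or BleepingComputer's code: it reads each service's Start type, ImagePath and ServiceDll from the registry, compares them with what I expect on a default Windows 7 install (the Start values in the table are my assumption, not something the thread states), flags the policy values that disable the features, and hashes the service binaries so they can be compared with a known-clean machine. It assumes PowerShell 2.0 or later and an elevated prompt.

```powershell
# Added example (not Farbar Service Scanner's or BleepingComputer's code): reproduce
# the configuration checks FSS makes for the services behind Windows Update, the
# Firewall and System Restore. Assumes PowerShell 2.0+ on Windows 7, run elevated.

# Services FSS reports on, with the Start type I expect on a default Windows 7 install
# (assumption: 2 = Automatic, 3 = Manual, 4 = Disabled) and the binary each should load.
$Expected = @(
    @{ Name = 'wuauserv';    Start = 2; File = 'wuaueng.dll'  }  # Windows Update
    @{ Name = 'BITS';        Start = 2; File = 'qmgr.dll'     }  # transfers the updates
    @{ Name = 'CryptSvc';    Start = 2; File = 'cryptsvc.dll' }  # verifies update signatures
    @{ Name = 'EventSystem'; Start = 2; File = 'es.dll'       }  # COM+ Event System
    @{ Name = 'MpsSvc';      Start = 2; File = 'mpssvc.dll'   }  # Windows Firewall
    @{ Name = 'BFE';         Start = 2; File = 'bfe.dll'      }  # Base Filtering Engine
    @{ Name = 'wscsvc';      Start = 2; File = 'wscsvc.dll'   }  # Security Center
    @{ Name = 'SDRSVC';      Start = 3; File = 'SDRSVC.dll'   }  # Windows Backup
    @{ Name = 'VSS';         Start = 3; File = 'vssvc.exe'    }  # Volume Shadow Copy
)

function Get-ServiceConfig {
    param([string]$Name)
    # Read the service's registry configuration directly, like FSS does.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $cfg = New-Object PSObject -Property @{
        Name = $Name; Present = (Test-Path $key); Status = 'Missing'
        Start = $null; ImagePath = $null; ServiceDll = $null
    }
    if (-not $cfg.Present) { return $cfg }
    $props = Get-ItemProperty -Path $key
    $cfg.Start     = $props.Start
    $cfg.ImagePath = $props.ImagePath
    if (Test-Path "$key\Parameters") {          # svchost-hosted services name their DLL here
        $cfg.ServiceDll = (Get-ItemProperty -Path "$key\Parameters").ServiceDll
    }
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) { $cfg.Status = [string]$svc.Status }
    return $cfg
}

function Get-FileSha256 {
    param([string]$Path)
    # Hash of the service binary for comparison with a clean machine at the same patch
    # level. Get-AuthenticodeSignature is deliberately not used: Windows 7 system files
    # are mostly catalog-signed, which the stock Windows 7 PowerShell does not verify.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path $expanded)) { return 'FILE MISSING' }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($expanded)
    try { $hash = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([BitConverter]::ToString($hash) -replace '-', '')
}

function Get-DisablePolicies {
    # Policy values that switch a feature off no matter how its service is configured.
    $checks = @(
        @{ Feature = 'Windows Firewall (domain)';   Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Value = 'EnableFirewall'; Bad = 0 }
        @{ Feature = 'Windows Firewall (standard)'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Value = 'EnableFirewall'; Bad = 0 }
        @{ Feature = 'System Restore';              Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Value = 'DisableSR';      Bad = 1 }
        @{ Feature = 'Windows Update';              Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';        Value = 'NoAutoUpdate';   Bad = 1 }
    )
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Key)) { continue }   # no policy key at all is the normal case
        $v = (Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue).($c.Value)
        if ($v -ne $null -and $v -eq $c.Bad) {
            New-Object PSObject -Property @{ Feature = $c.Feature; Policy = "$($c.Key)\$($c.Value) = $v" }
        }
    }
}

$report = foreach ($e in $Expected) {
    $cfg = Get-ServiceConfig -Name $e.Name
    $issues = @()
    $binary = $null
    if (-not $cfg.Present) {
        $issues += 'service key missing'
    } else {
        if ($cfg.Start -ne $e.Start) { $issues += "start type $($cfg.Start), expected $($e.Start)" }
        $binary = if ($cfg.ServiceDll) { $cfg.ServiceDll } else { $cfg.ImagePath }
        if ($binary -notmatch [regex]::Escape($e.File)) { $issues += "loads '$binary', expected $($e.File)" }
    }
    New-Object PSObject -Property @{
        Service = $e.Name; Status = $cfg.Status; Start = $cfg.Start
        Issues  = if ($issues.Count -eq 0) { 'OK' } else { $issues -join '; ' }
        SHA256  = if ($binary) { Get-FileSha256 -Path $binary } else { '' }
    }
}

$report | Format-Table Service, Status, Start, Issues -AutoSize -Wrap
$report | Format-Table Service, SHA256 -AutoSize
Get-DisablePolicies | Format-Table Feature, Policy -AutoSize -Wrap
```

The output corresponds to the FSS sections: a service that is "not running" with an OK Start type and paths (SDRSVC and VSS in the log above) is normal for Manual services, whereas wuauserv or BITS showing Stopped with Start = 4, or a ServiceDll outside System32, is the kind of change that produces the "service is not running" message from Windows Update. Hash mismatches need care: service binaries change with every cumulative update, so compare only against a machine at the same patch level, and treat FSS's own "MD5 is legit" list as the authoritative reference.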

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,072 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:07:05 PM

Posted 28 January 2012 - 09:49 PM

Looks like we need to run SFC System File Checker

#9 arturdux

arturdux
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:Germany
  • Local time:11:05 PM

Posted 29 January 2012 - 05:46 AM


Hello,

I have now run SFC System File Checker (as Administrator) and the result was "Windows Resource Protection did not find any integrity violations." I suppose that is a good result, but it does not seem to be the solution to the Windows Update problem... Looking forward to hearing your further views and suggestions!

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,072 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:07:05 PM

Posted 29 January 2012 - 09:03 PM

Rats!! We need a deeper look to see what is preventing the update.

Please go here: Preparation Guide, and do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Name it Cannot run Windows Update
If GMER won't run skip it and move on.

Let me know if that went well.

#11 arturdux

arturdux
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:Germany
  • Local time:11:05 PM

Posted 30 January 2012 - 09:05 AM

Hello again Boopme,

I haven't seen any rats around here, so we can probably rule them out as the cause... :unsure:

I have opened a new topic Cannot run Windows Update - I wasn't sure what I should include as a description or text, so it is just a response to your last post.

Thanks again - and see you over there...

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,072 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:07:05 PM

Posted 30 January 2012 - 08:23 PM

Thank you!
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

The current wait time is 1 - 5 days and ALL logs are answered.

To avoid confusion, I am closing this topic.