Automatic updates problem after virus removal.



#1 jbcollins57

jbcollins57

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:14 AM

Posted 15 June 2012 - 03:04 PM

Hello,

I was trying to remove a virus from my nephew's computer. When I thought I had finished, I noticed that the automatic update service was not started. If I try to start the service manually, I get errors. I tried a number of help articles from Microsoft's website. Their fixit utility doesn't correct the problem either. The error I get is:

Posted Image

Posted Image

Also, I noticed some weird services showing up. I am wondering if I am still infected or if my OS is damaged beyond repair.

Posted Image

Posted Image

Posted Image

My operating system is Windows XP Professional Service Pack 3.

Thanks in advance for any help with this.



#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:10:14 AM

Posted 15 June 2012 - 03:12 PM

I was trying to remove a virus from my nephew's computer.

How did you remove it? Did you run ComboFix?

http://www.bleepingcomputer.com/forums/topic457009.html

Edited by narenxp, 15 June 2012 - 03:14 PM.


#3 jbcollins57


Posted 15 June 2012 - 03:22 PM

Yes, I used ComboFix.

#4 narenxp


Posted 15 June 2012 - 03:26 PM

There was a bug in combofix which has now been fixed

Download and run the fixit

http://support.microsoft.com/kb/971058

good luck

#5 jbcollins57


Posted 15 June 2012 - 03:36 PM

The fixit tool doesn't seem to work. It gives me this:


Posted Image

Next it wants to connect to Microsoft's help but never authenticates the captcha code and has me in a retry loop.

#6 narenxp


Posted 15 June 2012 - 03:38 PM

Download FSS

Checkmark all the boxes

Click on "Scan".
Please copy and paste the log to your reply.

#7 jbcollins57


Posted 15 June 2012 - 03:41 PM

Here you go:





Farbar Service Scanner Version: 09-06-2012
Ran by Administrator (administrator) on 15-06-2012 at 15:40:52
Running from "C:\Documents and Settings\Administrator\My Documents\Downloads"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINXP\system32\wuauserv.dll".

cryptsvc Service is not running. Checking service configuration:
The start type of cryptsvc service is OK.
The ImagePath of cryptsvc: "%SystemRoot%\system32\svchost.exe -k NetworkService".
The ServiceDll of cryptsvc service is OK.


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINXP\system32\dhcpcsvc.dll => MD5 is legit
C:\WINXP\system32\Drivers\afd.sys
[2010-09-16 11:11] - [2008-10-16 10:07] - 0138496 ____A (Microsoft Corporation) 38D7B715504DA4741DF35E3594FE2099

C:\WINXP\system32\Drivers\netbt.sys => MD5 is legit
C:\WINXP\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINXP\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINXP\system32\dnsrslvr.dll => MD5 is legit
C:\WINXP\system32\ipnathlp.dll => MD5 is legit
C:\WINXP\system32\netman.dll => MD5 is legit
C:\WINXP\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINXP\system32\srsvc.dll => MD5 is legit
C:\WINXP\system32\Drivers\sr.sys => MD5 is legit
C:\WINXP\system32\wscsvc.dll => MD5 is legit
C:\WINXP\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINXP\system32\wuauserv.dll => MD5 is legit
C:\WINXP\system32\qmgr.dll => MD5 is legit
C:\WINXP\system32\es.dll
[2010-09-16 11:10] - [2010-09-16 11:10] - 0253952 ____A (Microsoft Corporation) F17F6226BDC0CD5F0BEF0DAF84D29BEC

C:\WINXP\system32\cryptsvc.dll => MD5 is legit
C:\WINXP\system32\svchost.exe => MD5 is legit
C:\WINXP\system32\rpcss.dll
[2010-09-16 11:11] - [2010-09-16 11:11] - 0401408 ____A (Microsoft Corporation) 9222562D44021B988B9F9F62207FB6F2

C:\WINXP\system32\services.exe
[2010-09-16 11:11] - [2010-09-16 11:11] - 0110592 ____A (Microsoft Corporation) 020CEAAEDC8EB655B6506B8C70D53BB6



**** End of log ****

#8 narenxp


Posted 15 June 2012 - 04:04 PM

Press the Windows+R keys, type

notepad and click OK

Copy the following script into Notepad


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6D,00,\
72,00,6F,00,6F,00,74,00,25,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,\
33,00,32,00,5C,00,77,00,75,00,61,00,75,00,73,00,65,00,72,00,76,00,2E,00,\
64,00,6C,00,6C,00,00,00

Click on File >> Save As

Filename: update.reg
Save as type: All types


Similarly, open Notepad and copy this script

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00


Click on File >> Save As

Filename: crypt.reg
Save as type: All types

Launch both registry files, restart the PC and post the new FSS log

Edited by narenxp, 15 June 2012 - 04:12 PM.


#9 jbcollins57


Posted 15 June 2012 - 04:22 PM

Farbar Service Scanner Version: 09-06-2012
Ran by Administrator (administrator) on 15-06-2012 at 16:21:40
Running from "C:\Documents and Settings\Administrator\My Documents\Downloads"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error: Yahoo IP is unreachable
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc: "%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted".
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

cryptsvc Service is not running. Checking service configuration:
The start type of cryptsvc service is OK.
The ImagePath of cryptsvc service is OK.
The ServiceDll of cryptsvc service is OK.


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINXP\system32\dhcpcsvc.dll => MD5 is legit
C:\WINXP\system32\Drivers\afd.sys
[2010-09-16 11:11] - [2008-10-16 10:07] - 0138496 ____A (Microsoft Corporation) 38D7B715504DA4741DF35E3594FE2099

C:\WINXP\system32\Drivers\netbt.sys => MD5 is legit
C:\WINXP\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINXP\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINXP\system32\dnsrslvr.dll => MD5 is legit
C:\WINXP\system32\ipnathlp.dll => MD5 is legit
C:\WINXP\system32\netman.dll => MD5 is legit
C:\WINXP\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINXP\system32\srsvc.dll => MD5 is legit
C:\WINXP\system32\Drivers\sr.sys => MD5 is legit
C:\WINXP\system32\wscsvc.dll => MD5 is legit
C:\WINXP\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINXP\system32\wuauserv.dll => MD5 is legit
C:\WINXP\system32\qmgr.dll => MD5 is legit
C:\WINXP\system32\es.dll
[2010-09-16 11:10] - [2010-09-16 11:10] - 0253952 ____A (Microsoft Corporation) F17F6226BDC0CD5F0BEF0DAF84D29BEC

C:\WINXP\system32\cryptsvc.dll => MD5 is legit
C:\WINXP\system32\svchost.exe => MD5 is legit
C:\WINXP\system32\rpcss.dll
[2010-09-16 11:11] - [2010-09-16 11:11] - 0401408 ____A (Microsoft Corporation) 9222562D44021B988B9F9F62207FB6F2

C:\WINXP\system32\services.exe
[2010-09-16 11:11] - [2010-09-16 11:11] - 0110592 ____A (Microsoft Corporation) 020CEAAEDC8EB655B6506B8C70D53BB6



**** End of log ****
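
Added example (not part of the original thread): a Python sketch that compares the two Farbar Service Scanner logs posted in this thread (posts #7 and #9) and reports which services newly stopped and which settings changed status between the scans. It assumes that a setting printed with its value instead of "is OK" is one the scanner flagged, which is how the thread itself treats those lines; the function names and the shortened log excerpts are choices of this example.

```python
import re

# Excerpts from the two Farbar Service Scanner logs posted in this thread
# (15:40:52 and 16:21:40 runs); only service-status lines are kept.
LOG_1540 = r'''
wuauserv Service is not running. Checking service configuration:
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINXP\system32\wuauserv.dll".
cryptsvc Service is not running. Checking service configuration:
The ImagePath of cryptsvc: "%SystemRoot%\system32\svchost.exe -k NetworkService".
The ServiceDll of cryptsvc service is OK.
'''
LOG_1621 = r'''
Dhcp Service is not running. Checking service configuration:
The ImagePath of Dhcp service is OK.
wscsvc Service is not running. Checking service configuration:
The ImagePath of wscsvc: "%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted".
wuauserv Service is not running. Checking service configuration:
The ServiceDll of wuauserv service is OK.
cryptsvc Service is not running. Checking service configuration:
The ImagePath of cryptsvc service is OK.
'''

STOPPED = re.compile(r"^(\w+) Service is not running")
# Assumption: a setting printed with its value (not "is OK") is flagged.
VALUE = re.compile(r'^The (start type|ImagePath|ServiceDll) of (\w+): "?(.*?)"?\.$')

def findings(log):
    """Return (stopped service names, {(service, setting): reported value})."""
    stopped, flagged = set(), {}
    for line in log.splitlines():
        if m := STOPPED.match(line):
            stopped.add(m.group(1).lower())
        elif m := VALUE.match(line):
            flagged[(m.group(2).lower(), m.group(1))] = m.group(3)
    return stopped, flagged

def compare(before, after):
    """Summarise what changed between two scans of the same machine."""
    (s0, f0), (s1, f1) = findings(before), findings(after)
    return {
        "newly_stopped": sorted(s1 - s0),
        "cleared_flags": sorted(f0.keys() - f1.keys()),
        "new_flags": sorted(f1.keys() - f0.keys()),
    }

if __name__ == "__main__":
    print(compare(LOG_1540, LOG_1621))
```

On these excerpts the comparison shows the wuauserv and cryptsvc settings cleared, while Dhcp and wscsvc appear as newly stopped and the wscsvc ImagePath is newly flagged.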

#10 narenxp


Posted 15 June 2012 - 04:24 PM

Press the Windows+R keys, type

cmd, click OK and run these commands

net start cryptsvc
net start wuauserv


Can you check if your update works now?

Looks like your security center doesn't work either.

Edited by narenxp, 15 June 2012 - 04:25 PM.


#11 jbcollins57


Posted 15 June 2012 - 04:30 PM

I get errors from running those commands:

Posted Image

Edit: Also the computer can't seem to get an IP address now.

Edited by jbcollins57, 15 June 2012 - 04:31 PM.


#12 narenxp


Posted 15 June 2012 - 06:03 PM

Can you try a system restore to a point before you ran combofix?

#13 jbcollins57


Posted 15 June 2012 - 07:01 PM

Successfully restored to June 09 2012

#14 narenxp


Posted 15 June 2012 - 07:03 PM

Do not run ComboFix without expert guidance.

NOTE: The ComboFix bug has been fixed.

#15 jbcollins57


Posted 15 June 2012 - 07:24 PM

The Automatic Updates service seems to be missing altogether now. Tried the SFC /scannow command but that didn't work.



