
keep getting Windows Defender error 0x800106ba at startup


This topic is locked
18 replies to this topic

#1 nl18612
  • Members
  • 11 posts

Posted 21 June 2012 - 03:24 PM

Hello

On a Windows Vista Home Edition computer we receive a message that Windows Defender cannot start, with error code 0x800106ba.

Other programs like msconfig, services.msc and Manage Computer cannot be started.

I ran the required diagnostic tools in Safe Mode.

Please assist on the next step to get this resolved.

.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 7.0.6001.18000
Run by Beheerder at 22:08:46 on 2012-06-21
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.31.1043.18.1919.1535 [GMT 2:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3176986
uURLSearchHooks: Ashampoo NL Toolbar: {0734d757-fea6-4637-a7e4-2bd40a7fd8da} - c:\program files\ashampoo_nl\prxtbAsha.dll
uURLSearchHooks: Game Master 2.2 Toolbar: {d8215d9c-81ed-4e53-b420-bfcdbac4734d} - c:\program files\game_master_2.2\prxtbGame.dll
mURLSearchHooks: Ashampoo NL Toolbar: {0734d757-fea6-4637-a7e4-2bd40a7fd8da} - c:\program files\ashampoo_nl\prxtbAsha.dll
mURLSearchHooks: Game Master 2.2 Toolbar: {d8215d9c-81ed-4e53-b420-bfcdbac4734d} - c:\program files\game_master_2.2\prxtbGame.dll
BHO: Adobe PDF Reader Help bij koppelingen: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Ashampoo NL Toolbar: {0734d757-fea6-4637-a7e4-2bd40a7fd8da} - c:\program files\ashampoo_nl\prxtbAsha.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Game Master 2.2 Toolbar: {d8215d9c-81ed-4e53-b420-bfcdbac4734d} - c:\program files\game_master_2.2\prxtbGame.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ashampoo NL Toolbar: {0734d757-fea6-4637-a7e4-2bd40a7fd8da} - c:\program files\ashampoo_nl\prxtbAsha.dll
TB: Game Master 2.2 Toolbar: {d8215d9c-81ed-4e53-b420-bfcdbac4734d} - c:\program files\game_master_2.2\prxtbGame.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NPCTray] c:\program files\norman\npc\bin\npc_tray.exe /LOAD
mRun: [Ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe
mRun: [DataLayer] c:\progra~1\common~1\pcsuite\datala~1\DATALA~1.EXE
mRun: [PCSuiteTrayApplication] c:\progra~1\nokia\nokiap~1\TRAYAP~1.EXE
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe
mRun: [Olympus ib] "c:\program files\olympus\ib\olycamdetect.exe" /Startup
mRun: [MDS_Menu] "c:\program files\olympus\ib\muitransfer\muistartmenu.exe" "c:\program files\olympus\ib" updatewithcreateonce "software\olympus\ib\1.0"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [fsc-reg] c:\fsc-reg\fscreg.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {888078C6-70B2-4F88-8EE7-1F50DDEA6120} - hxxps://as.photoprintit.de/ips-opdata/activex/ImageUploader6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} - hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://oce.webex.com/client/T26L/support/ieatgpc1.cab
TCP: DhcpNameServer = 212.54.40.25 212.54.35.25
TCP: Interfaces\{B005CF7E-C0A0-4397-B138-61BC20A8953D} : DhcpNameServer = 212.54.40.25 212.54.35.25
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-7-11 104000]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2009-6-8 144704]
S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2009-6-8 54608]
S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2009-10-24 360224]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-7-11 73512]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-7-11 34408]
S3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-7-11 177864]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-06-21 19:51:39 -------- d-----w- c:\programdata\Malwarebytes
2012-06-21 19:51:38 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-21 19:51:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-21 19:19:26 -------- d-----w- c:\users\beheerder\appdata\roaming\SUPERAntiSpyware.com
2012-06-21 19:19:19 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-06-21 19:19:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-06-21 19:16:37 98816 ----a-w- c:\windows\sed.exe
2012-06-21 19:16:37 518144 ----a-w- c:\windows\SWREG.exe
2012-06-21 19:16:37 256000 ----a-w- c:\windows\PEV.exe
2012-06-21 19:16:37 208896 ----a-w- c:\windows\MBR.exe
2012-06-21 19:16:32 -------- d-s---w- C:\ComboFix
2012-06-19 15:39:19 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{177f72be-6234-4416-9812-32155eb38903}\mpengine.dll
.
==================== Find3M ====================
.
.
============= FINISH: 22:09:22,19 ===============
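The Pseudo HJT Report above is the part of a DDS log a helper reads first: the SP: line shows Windows Defender registered with Security Center as disabled, the start page points at search.conduit.com, and two toolbars register themselves as URL search hooks as well as BHOs and toolbars. The following Python script is an added example for triaging such a report; it is not part of this thread and not code from the DDS author. Its sample input is a trimmed copy of the lines posted above; the start-page allowlist and the AV product markers are assumptions of the example, not anything the page states.

```python
"""Triage of a DDS 'Pseudo HJT Report' for the indicators discussed in this thread:
a disabled security provider, a hijacked start page, toolbar CLSIDs that hook
URL searches, and several real-time AV products registered at once."""
import re

# Constructed sample: a trimmed copy of the DDS lines posted above (DDS defangs
# URLs as hxxp). Backslashes are literal, hence the raw string.
SAMPLE_DDS = r"""SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3176986
uURLSearchHooks: Ashampoo NL Toolbar: {0734d757-fea6-4637-a7e4-2bd40a7fd8da} - c:\program files\ashampoo_nl\prxtbAsha.dll
uURLSearchHooks: Game Master 2.2 Toolbar: {d8215d9c-81ed-4e53-b420-bfcdbac4734d} - c:\program files\game_master_2.2\prxtbGame.dll
mURLSearchHooks: Ashampoo NL Toolbar: {0734d757-fea6-4637-a7e4-2bd40a7fd8da} - c:\program files\ashampoo_nl\prxtbAsha.dll
BHO: Adobe PDF Reader Help bij koppelingen: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Ashampoo NL Toolbar: {0734d757-fea6-4637-a7e4-2bd40a7fd8da} - c:\program files\ashampoo_nl\prxtbAsha.dll
BHO: Game Master 2.2 Toolbar: {d8215d9c-81ed-4e53-b420-bfcdbac4734d} - c:\program files\game_master_2.2\prxtbGame.dll
TB: Ashampoo NL Toolbar: {0734d757-fea6-4637-a7e4-2bd40a7fd8da} - c:\program files\ashampoo_nl\prxtbAsha.dll
TB: Game Master 2.2 Toolbar: {d8215d9c-81ed-4e53-b420-bfcdbac4734d} - c:\program files\game_master_2.2\prxtbGame.dll
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NPCTray] c:\program files\norman\npc\bin\npc_tray.exe /LOAD
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
dRun: [fsc-reg] c:\fsc-reg\fscreg.exe
"""

# Assumption (not from the page): hosts an OEM or vendor commonly ships as the
# IE start page. Anything else is reported for a human to look at.
DEFAULT_START_HOSTS = {"www.msn.com", "go.microsoft.com", "www.google.com", "www.live.com"}

# Assumption (not from the page): substrings identifying real-time AV products
# in Run-key entries. Two or more resident scanners is a configuration smell.
AV_MARKERS = {"windows defender": "Windows Defender", "mcafee": "McAfee",
              "norman": "Norman"}

_SP = re.compile(r"^SP: (?P<name>.+?) \*(?P<state>[^*]+)\*", re.M)
_START = re.compile(r"^uStart Page = hxxps?://(?P<host>[^/?#\s]+)", re.M)
_HOOK = re.compile(r"^[um]?(?P<kind>URLSearchHooks|BHO|TB): (?P<name>.*?): "
                   r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$", re.M)
_RUN = re.compile(r"^(?P<hive>[umd])Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$", re.M)


def security_providers(text):
    """Map each 'SP:' provider to its reported state, e.g. 'Disabled/Updated'."""
    return {m["name"]: m["state"] for m in _SP.finditer(text)}


def start_page_host(text):
    """Return the start-page host, or None if DDS did not report one."""
    m = _START.search(text)
    return m["host"] if m else None


def toolbar_hooks(text):
    """Group IE extension registrations by CLSID: {clsid: (name, path, {kinds})}.
    A CLSID present in URLSearchHooks as well as BHO/TB is a toolbar that also
    rewrites typed address-bar searches, which is how a search-affiliate host
    ends up as the start page."""
    out = {}
    for m in _HOOK.finditer(text):
        name, path, kinds = out.setdefault(m["clsid"].lower(), (m["name"], m["path"], set()))
        kinds.add(m["kind"])
    return out


def resident_av_products(text):
    """Distinct AV products whose tray/UI component autostarts from a Run key."""
    found = set()
    for m in _RUN.finditer(text):
        line = (m["name"] + " " + m["cmd"]).lower()
        found.update(label for marker, label in AV_MARKERS.items() if marker in line)
    return found


def triage(text):
    """Collect the findings a helper would want to see first."""
    findings = {}
    disabled = {n: s for n, s in security_providers(text).items() if "Disabled" in s}
    if disabled:
        findings["disabled_providers"] = disabled
    host = start_page_host(text)
    if host and host not in DEFAULT_START_HOSTS:
        findings["start_page"] = host
    hooks = {c: v for c, v in toolbar_hooks(text).items() if "URLSearchHooks" in v[2]}
    if hooks:
        findings["search_hooking_toolbars"] = hooks
    av = resident_av_products(text)
    if len(av) > 1:
        findings["multiple_av"] = sorted(av)
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

Run against the posted report this yields four findings: Windows Defender disabled, a start page on search.conduit.com, two toolbar CLSIDs that are registered as search hooks in both the user and machine hive, and three resident AV products (McAfee VirusScan Enterprise, Norman, Windows Defender) autostarting at once. None of that is the Zbot infection found later in the thread, but it is the hygiene a helper would clean up anyway.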

#2 nl18612
  • Topic Starter
  • Members
  • 11 posts

Posted 25 June 2012 - 02:07 PM

Addition: the GMER scan did not find any issues, so the log file is empty.

#3 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 25 June 2012 - 07:29 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic, and if you do not reply by the following day after that, I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#4 nl18612
  • Topic Starter
  • Members
  • 11 posts

Posted 28 June 2012 - 07:01 AM

Hi m0le,

I am still stuck; can you help me with this issue?

Best regards, nl18612

#5 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 28 June 2012 - 05:51 PM

Let's try a few scans to see if we can pinpoint the issue.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


Then aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Finally FSS


Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#6 nl18612
  • Topic Starter
  • Members
  • 11 posts

Posted 29 June 2012 - 02:26 AM

I ran these scans in Windows Safe Mode.
In normal mode every program gives the error "De opgegeven service is geen geinstalleerde service", which is Dutch.
Translated, it means "The started service is not an installed service".
I am not able to start any program in normal mode.

I have attached the collected scan files.


#7 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 29 June 2012 - 06:50 PM

There's nothing showing in these logs, so we had better see if you can fix this problem with Microsoft's troubleshooting for this error message. Try the instructions here (please make sure you back up your registry if you try the second fix).

#8 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 July 2012 - 06:19 PM

How is that going?

#9 nl18612
  • Topic Starter
  • Members
  • 11 posts

Posted 05 July 2012 - 04:14 AM

Hi M0le,

Sorry that I did not update you. My holiday started today and I had a lot of work to do.

But the good news is that your suggestion of the website answers.microsoft.com helped.

I managed to get enough access to the computer to disable UAC.
I used Mbam to scan the computer. It removed 5 viruses and also
PWS-Zbot.gen.ma!2F988E1C1A1F
and
Generic PWS.xw

After that (July 2nd, late in the evening) the computer behaved "normally" and I enabled UAC again.

Thanks for your support.

Best regards, nl18612

#10 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 July 2012 - 05:45 PM

Good news. Can you run ESET to do a clean-up?

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply.
If no log is generated, that means nothing was found. Please let me know if this happens.

If you think a log should have been generated, then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.

#11 nl18612
  • Topic Starter
  • Members
  • 11 posts

Posted 06 July 2012 - 01:34 AM

I am not at home for the coming 2 weeks.

I will run the scan after I am back.

Thanks for the advice.

#12 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 July 2012 - 06:21 PM

Thanks for letting me know.

I will bump the topic in 16 days time. :thumbup2:

#13 nl18612
  • Topic Starter
  • Members
  • 11 posts

Posted 21 July 2012 - 09:05 AM

The ESET scan has been performed.

It found the following things and put them in quarantine:

C:\Program Files\Zbani\zbani.exe Win32/Agent.TGD trojan cleaned by deleting - quarantined
C:\Users\Beheerder\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\953LSHES\zbango[1].exe Win32/Agent.TGD trojan cleaned by deleting - quarantined
C:\Users\Buggenum\AppData\Local\Temp\ICReinstall_PDFConverterSetup.exe Win32/InstallCore.P application cleaned by deleting - quarantined
C:\Users\Buggenum\AppData\Local\Temp\ICReinstall_PDFCreatorSetup.exe a variant of Win32/InstallCore.P application cleaned by deleting - quarantined
C:\Users\Buggenum\AppData\Local\Temp\is1590112554\MyBabylonTB.exe Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\Users\Buggenum\Documents\PDFConverterSetup.exe Win32/InstallCore.P application cleaned by deleting - quarantined
C:\Users\Buggenum\Documents\PDFCreatorSetup.exe a variant of Win32/InstallCore.P application cleaned by deleting - quarantined

I chose to delete the quarantined files.
Additionally, I deleted the C:\Program Files\Zbani folder and files.
I also checked whether C:\Users\Beheerder\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\953LSHES\zbango[1].exe was deleted, and it is.

#14 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 21 July 2012 - 07:04 PM

Good to have you back. Please rerun FSS and post the log (no attachment here please)

#15 nl18612
  • Topic Starter
  • Members
  • 11 posts

Posted 25 July 2012 - 03:18 AM

The FSS log.

Farbar Service Scanner Version: 22-07-2012
Ran by Beheerder (administrator) on 25-07-2012 at 10:03:21
Running from "G:\"
Microsoft® Windows Vista™ Home Basic Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Demand
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2012-07-03 01:18] - [2012-03-30 14:39] - 0905600 ____A (Microsoft Corporation) 27D470DABC77BC60D0A3B0E4DEB6CB91

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
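An added example of reading an FSS log like the one above in a structured way (not part of this thread and not Farbar's code): it pulls out the services FSS found stopped together with its verdict on their registry configuration, and separates File Check entries that FSS matched against its hash list from entries it could not match. The reading that FSS prints a file's details instead of "MD5 is legit" when the hash is not in its list is an assumption of the example; the sample text is a trimmed copy of the log posted above.

```python
"""Structured reading of a Farbar Service Scanner (FSS) log: which stopped
services FSS examined and what it concluded about their registry configuration,
and which File Check entries it could not match against its hash list."""
import re

# Constructed sample: the 'Other Services' and 'File Check' parts of the FSS log
# posted above (raw string: the backslashes are literal).
SAMPLE_FSS = r"""Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Demand
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2012-07-03 01:18] - [2012-03-30 14:39] - 0905600 ____A (Microsoft Corporation) 27D470DABC77BC60D0A3B0E4DEB6CB91

C:\Windows\system32\svchost.exe => MD5 is legit


**** End of log ****
"""

_NOT_RUNNING = re.compile(r"^(?P<svc>\S+) Service is not running\.", re.M)
_START_TYPE = re.compile(r"^The start type of (?P<svc>\S+) service is set to (?P<st>\w+)", re.M)
_CONF = re.compile(r"^The (?P<key>ImagePath|ServiceDll) of (?P<svc>\S+) service is (?P<res>[^.]+)\.", re.M)
_LEGIT = re.compile(r"^(?P<path>.+?) => MD5 is legit$")
# Assumed detail-line layout: [modified] - [created] - size attrs (company) MD5
_DETAIL = re.compile(r"^\[(?P<mtime>[^\]]+)\] - \[(?P<ctime>[^\]]+)\] - (?P<size>\d+) "
                     r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")


def stopped_services(text):
    """{service: {'start_type': ..., 'ImagePath': ..., 'ServiceDll': ...}} for every
    service FSS reported as not running."""
    out = {}
    for m in _NOT_RUNNING.finditer(text):
        out.setdefault(m["svc"], {})
    for m in _START_TYPE.finditer(text):
        out.setdefault(m["svc"], {})["start_type"] = m["st"]
    for m in _CONF.finditer(text):
        out.setdefault(m["svc"], {})[m["key"]] = m["res"]
    return out


def file_checks(text):
    """One dict per File Check entry. Entries FSS matched against its list carry
    verdict 'legit'; a bare path followed by a detail line (timestamps, size,
    attributes, company, MD5) is one FSS could not match and carries
    verdict 'unknown_md5' plus the parsed details."""
    entries = []
    lines = [ln.strip() for ln in text.splitlines()]
    if "File Check:" not in lines:
        return entries
    i = lines.index("File Check:") + 1
    while i < len(lines):
        line = lines[i]
        i += 1
        if line.startswith("**** End of log"):
            break
        if not line or set(line) == {"="}:
            continue
        m = _LEGIT.match(line)
        if m:
            entries.append({"path": m["path"], "verdict": "legit"})
            continue
        entry = {"path": line, "verdict": "unknown_md5"}
        detail = _DETAIL.match(lines[i]) if i < len(lines) else None
        if detail:
            entry.update(company=detail["company"], size=int(detail["size"]),
                         md5=detail["md5"].upper(), modified=detail["mtime"])
            i += 1
        entries.append(entry)
    return entries


def needs_review(text):
    """What a helper should look at by hand: services whose start type FSS shows
    as Disabled or whose ImagePath/ServiceDll it did not call OK, and files whose
    hash FSS did not recognise. An unrecognised hash is not a verdict; the next
    step is an Authenticode signature check of that file, not deletion."""
    services = {}
    for svc, conf in stopped_services(text).items():
        bad = conf.get("start_type") == "Disabled" or any(
            conf.get(k, "OK") != "OK" for k in ("ImagePath", "ServiceDll"))
        if bad:
            services[svc] = conf
    files = [e for e in file_checks(text) if e["verdict"] != "legit"]
    return {"services": services, "files": files}


if __name__ == "__main__":
    for section, items in needs_review(SAMPLE_FSS).items():
        print(section, items)
```

On the posted log this reports nothing for services (sharedaccess, the Internet Connection Sharing service, is stopped with a Demand start type and an intact ImagePath and ServiceDll, which is normal) and exactly one file, tcpip.sys, whose hash FSS did not know. That is a prompt to check the file's signature and compare it with the installed update history, not evidence that the file is infected.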