Malware prevents Windows and other security updates


16 replies to this topic

#1 Frustrated Updater (Members, 10 posts)

Posted 27 December 2012 - 08:30 AM

Hi,

I have been unable to use Windows Update for a while (it keeps checking for updates and then eventually fails with error code 8024402F). I first thought that it was a Windows Update issue and tried a bunch of fixes but to no avail. However, I figured something was amiss when I couldn't download security tools like Trend House Call or Microsoft Malicious Tool Remover. To cut a long story short, Malwarebytes detected three items (Malware.Packer.Gen, Trojan.Downloader, and Trojan.Bancos) and removed them. These items were found in keygen installer files that were put on our computer without authorization (ours is a public computer in a non-profit organization). Luckily the programs that these files were for were not installed. We do not use or condone the use of pirated software and I deleted these installer files immediately. However, I still could not get Windows Updates. I then tried to reset the hosts file but this didn't help either and I am not sure if it worked. I tried to create a HiJack This log but got an error message stating that "the system denied write access to the Hosts file" and it was unable to create a logfile. I am attaching the logs that I have run below and would really appreciate help in resolving the issue. Thanks!

DDS Logs

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16448
Run by Sangeet Kendra at 18:25:43 on 2012-12-27
Microsoft Windows 7 Professional 6.1.7601.1.1252.91.1033.18.4011.2447 [GMT 5.5:30]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\IProsetMonitor.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Windows\SysWOW64\CtHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\taskhost.exe
C:\Users\Sangeet Kendra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Sangeet Kendra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Sangeet Kendra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Sangeet Kendra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Sangeet Kendra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Sangeet Kendra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Sangeet Kendra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
uRun: [RemoteControl] <no file>
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL
mRun: [CTHelper] CTHELPER.EXE
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
dRun: [DevconDefaultDB] C:\Windows\System32\READREG /SILENT /FAIL=1
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
TCP: Interfaces\{0DE5166A-5969-42FC-B8F6-0E0E77FD58AA} : NameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2011-4-18 189440]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;C:\Windows\System32\IPROSetMonitor.exe [2011-8-23 133800]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-26 399432]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-8-23 2655768]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-8-23 317440]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-12-26 25928]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\System32\drivers\MpNWMon.sys [2011-4-18 40832]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2011-4-27 84864]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2011-2-10 83080]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2011-2-10 184968]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-26 676936]
S3 COMMONFX.SYS;COMMONFX.SYS;C:\Windows\System32\drivers\COMMONFX.sys [2009-6-23 158744]
S3 COMMONFX;COMMONFX;C:\Windows\System32\drivers\COMMONFX.sys [2009-6-23 158744]
S3 CTAUDFX.SYS;CTAUDFX.SYS;C:\Windows\System32\drivers\CTAUDFX.sys [2009-6-23 706584]
S3 CTAUDFX;CTAUDFX;C:\Windows\System32\drivers\CTAUDFX.sys [2009-6-23 706584]
S3 CTERFXFX.SYS;CTERFXFX.SYS;C:\Windows\System32\drivers\CTERFXFX.sys [2009-6-23 141848]
S3 CTERFXFX;CTERFXFX;C:\Windows\System32\drivers\CTERFXFX.sys [2009-6-23 141848]
S3 CTSBLFX.SYS;CTSBLFX.SYS;C:\Windows\System32\drivers\CTSBLFX.sys [2009-6-23 680984]
S3 CTSBLFX;CTSBLFX;C:\Windows\System32\drivers\CTSBLFX.sys [2009-6-23 680984]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-11-21 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-8-24 1255736]
.
=============== Created Last 30 ================
.
2012-12-27 10:19:50 9125352 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D7A7FFC4-1CE9-4E5D-9659-D51CB52F0A00}\mpengine.dll
2012-12-27 09:52:36 388096 ----a-r- C:\Users\Sangeet Kendra\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-12-27 09:52:35 -------- d-----w- C:\Program Files (x86)\Trend Micro
2012-12-26 17:32:02 -------- d-----w- C:\Windows\CheckSur
2012-12-26 15:28:42 -------- d-----w- C:\Windows\SoftwareDistribution.older
2012-12-26 15:27:46 -------- d-----w- C:\Windows\softwaredistribution.bak6
2012-12-26 15:26:48 -------- d-----w- C:\Windows\softwaredistribution.bak5
2012-12-26 13:22:17 -------- d-----w- C:\Windows\softwaredistribution.bak4
2012-12-26 10:20:15 -------- d-----w- C:\Windows\softwaredistribution.bak3
2012-12-26 10:14:00 -------- d-----w- C:\Windows\softwaredistribution.bak2
2012-12-26 08:05:59 -------- d-----w- C:\Windows\softwaredistribution.bak1
2012-12-26 07:54:11 -------- d-----w- C:\Windows\softwaredistribution.bak
2012-12-26 06:21:28 -------- d-----w- C:\Users\Sangeet Kendra\AppData\Roaming\Malwarebytes
2012-12-26 06:21:16 -------- d-----w- C:\ProgramData\Malwarebytes
2012-12-26 06:21:15 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-12-26 06:21:15 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-12-04 11:52:28 972264 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{943700CC-1B3B-4C44-A18B-54C5A2222CBD}\gapaengine.dll
.
==================== Find3M ====================
.
.
============= FINISH: 18:25:54.92 ===============


Malwarebytes Logs

Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.26.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Sangeet Kendra :: SANGEETKENDRA [administrator]

Protection: Enabled

26-12-2012 11:57:17 AM
mbam-log-2012-12-26 (11-57-17).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 326960
Time elapsed: 31 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
D:\Sangeet Kendra\Documents\Software\Software 2\Software\plug in\vremover.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
D:\Sangeet Kendra\Documents\Software\Software 2\un-scf22\keygen\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Sangeet Kendra\Documents\Software\Tally7.2\working patch\Patch.exe (Trojan.Bancos) -> Quarantined and deleted successfully.

(end)



Roguekiller Logs

RogueKiller V8.4.1 _x64_ [Dec 24 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Sangeet Kendra [Admin rights]
Mode : Scan -- Date : 12/27/2012 15:45:04

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST2000DL003-9VT166 ATA Device +++++
--- User ---
[MBR] 899155a74f9e935886b3b09b9692c877
[BSP] 41cef29871781a1f7533e3e8809344de : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 99899 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 204800000 | Size: 1807728 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_12272012_02d1545.txt >>
RKreport[1]_S_12272012_02d1545.txt
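The symptom described in this post (Windows Update failing with 8024402F while security-vendor downloads also fail, and a hosts file that cannot be written) is one that a tampered hosts file produces, so a quick way to triage it is to parse the hosts file and look for update or security hostnames mapped anywhere at all. The following is an added example written for this thread; it is not code from BleepingComputer, RogueKiller, DDS or any other tool mentioned here. The list of protected hostname suffixes and the sample hosts content are constructed for the example.

```python
"""Hosts-file triage for the 'cannot reach Windows Update / AV vendors' symptom.

Added example, not part of the BleepingComputer thread or of any tool it names.
Parses a hosts file in the format of C:\\Windows\\System32\\drivers\\etc\\hosts
and flags mappings that redirect update or security-vendor hostnames, which is
one way malware blocks Windows Update and AV downloads.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Hostnames (and their subdomains) a clean hosts file should never map.
# Constructed list for this example; extend it for your environment.
PROTECTED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "microsoft.com",
    "malwarebytes.org",
    "trendmicro.com",
)

# Addresses that merely sinkhole a name rather than redirecting it elsewhere.
SINKHOLE_ADDRS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1", "0.0.0.0")}


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, ip, [hostnames]) for every mapping line.

    Lines starting with '#' are comments; an inline '#' starts a trailing comment.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        if not names:
            continue  # malformed line: an address with nothing mapped to it
        entries.append((line_no, ip, [n.lower() for n in names]))
    return entries


def _is_protected(hostname: str) -> bool:
    return any(hostname == s or hostname.endswith("." + s) for s in PROTECTED_SUFFIXES)


def _is_sinkhole(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip) in SINKHOLE_ADDRS
    except ValueError:
        return False  # not a valid address at all; treated as non-sinkhole


def find_hijacks(text: str) -> List[Dict[str, object]]:
    """Flag (a) any mapping of a protected hostname, which blocks or redirects
    updates and AV downloads, and (b) any other non-localhost name mapped to a
    routable address, which may redirect the user to an attacker-chosen host.
    Case (b) is a heuristic: legitimate intranet entries also trigger it."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name == "localhost" or name.endswith(".localdomain"):
                continue
            if _is_protected(name):
                findings.append({"line": line_no, "host": name, "ip": ip,
                                 "reason": "update/security host redirected"})
            elif not _is_sinkhole(ip):
                findings.append({"line": line_no, "host": name, "ip": ip,
                                 "reason": "non-loopback mapping"})
    return findings


# Constructed sample: the default localhost entry, a harmless user ad-block
# entry, and three entries of the kind that break Windows Update and AV downloads.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
127.0.0.1   localhost
127.0.0.1   ads.example.net          # user-added ad block, harmless
127.0.0.1   www.update.microsoft.com
0.0.0.0     download.windowsupdate.com
10.0.0.99   www.malwarebytes.org     # redirected off-box
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
```

On the constructed sample this reports lines 5, 6 and 7 and stays silent on the ad-block entry, because a loopback mapping of a non-protected name is the normal shape of a user-maintained hosts file. To use it on a real machine, read the hosts file into a string and pass it to `find_hijacks`; an empty result together with "write access denied" on the file, as the poster saw, points at something other than the file's contents (permissions or a filter driver) and is worth mentioning to the helper.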


#2 nasdaq (Malware Response Team, 37,297 posts, Montreal, QC, Canada)

Posted 29 December 2012 - 09:22 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Let's start with this.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs for my review.

#3 Frustrated Updater (Topic Starter, Members, 10 posts)

Posted 29 December 2012 - 02:55 PM

Hi nasdaq,

Great to hear from you! Here are the logs that you asked for. Thanks a ton for your help.

ComboFix

ComboFix 12-12-29.02 - Sangeet Kendra 30-12-2012 1:10.1.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.91.1033.18.4011.2989 [GMT 5.5:30]
Running from: c:\users\Sangeet Kendra\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Sangeet Kendra\AppData\Local\Microsoft\Windows\Temporary Internet Files\{850BBC27-34A5-4CD6-839F-106C39AAEBD1}.xps
c:\users\Sangeet Kendra\AppData\Local\Microsoft\Windows\Temporary Internet Files\{8D938753-C305-4389-B290-A782E7422969}.xps
c:\users\Sangeet Kendra\AppData\Local\Microsoft\Windows\Temporary Internet Files\{D103F1AD-35A1-4FE2-BB55-B64BDD7CC8FC}.xps
.
.
((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-29 )))))))))))))))))))))))))))))))
.
.
2012-12-29 19:43 . 2012-12-29 19:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-27 10:19 . 2012-11-08 03:54 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D7A7FFC4-1CE9-4E5D-9659-D51CB52F0A00}\mpengine.dll
2012-12-27 09:52 . 2012-12-27 09:52 388096 ----a-r- c:\users\Sangeet Kendra\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-12-27 09:52 . 2012-12-27 09:52 -------- d-----w- c:\program files (x86)\Trend Micro
2012-12-26 17:32 . 2012-12-26 17:32 -------- d-----w- c:\windows\CheckSur
2012-12-26 15:28 . 2012-12-26 17:31 -------- d-----w- c:\windows\SoftwareDistribution.older
2012-12-26 07:54 . 2012-12-26 07:54 -------- d-----w- c:\windows\softwaredistribution.bak
2012-12-26 06:21 . 2012-12-26 06:21 -------- d-----w- c:\users\Sangeet Kendra\AppData\Roaming\Malwarebytes
2012-12-26 06:21 . 2012-12-26 06:21 -------- d-----w- c:\programdata\Malwarebytes
2012-12-26 06:21 . 2012-12-26 06:21 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-12-26 06:21 . 2012-09-29 14:24 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-04 11:52 . 2012-12-04 11:52 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{943700CC-1B3B-4C44-A18B-54C5A2222CBD}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-28 10:28 . 2011-08-24 11:38 67413224 ----a-w- c:\windows\system32\MRT.exe
2012-11-08 03:54 . 2011-08-31 10:25 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-02-10 113288]
"AsioThk32Reg"="CTASIO.DLL" [2009-06-23 47104]
"CTHelper"="CTHELPER.EXE" [2009-06-23 19456]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\system32\READREG" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-29 676936]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2009-06-23 158744]
R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2009-06-23 158744]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2009-06-23 706584]
R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2009-06-23 706584]
R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2009-06-23 141848]
R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2009-06-23 141848]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2009-06-23 680984]
R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2009-06-23 680984]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 40832]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 84864]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-08-24 1255736]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-08-12 133800]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-29 399432]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-02-10 2655768]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-02-10 317440]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-29 25928]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2011-02-10 83080]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2011-02-10 184968]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2346707946-2888811190-2265011833-1000Core.job
- c:\users\Sangeet Kendra\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-09 12:07]
.
2012-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2346707946-2888811190-2265011833-1000UA.job
- c:\users\Sangeet Kendra\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-09 12:07]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-02-10 11474024]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-03-19 170264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-03-19 398616]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-03-19 439064]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
TCP: Interfaces\{0DE5166A-5969-42FC-B8F6-0E0E77FD58AA}: NameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-RemoteControl - (no file)
SafeBoot-47551408.sys
HKLM-Run-AsioReg - CTASIO.DLL
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-12-30 01:14:35
ComboFix-quarantined-files.txt 2012-12-29 19:44
.
Pre-Run: 72,270,041,088 bytes free
Post-Run: 72,654,528,512 bytes free
.
- - End Of File - - 79002154CDE9F6922CB728AAD47081C4


Security Check

Results of screen317's Security Check version 0.99.56
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Windows Firewall Disabled!
Microsoft Security Essentials
(On Access scanning disabled!)
Error obtaining update status for antivirus!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
Adobe Reader 9 Adobe Reader out of Date!
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
Google Chrome 22.0.1229.79
Google Chrome 23.0.1271.97
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials msseces.exe
Windows Defender MSMpEng.exe
Microsoft Security Client Antimalware MsMpEng.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
Microsoft Security Client Antimalware MpCmdRun.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````


AdwCleaner

# AdwCleaner v2.104 - Logfile created 12/30/2012 at 01:17:57
# Updated 29/12/2012 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : Sangeet Kendra - SANGEETKENDRA
# Boot Mode : Normal
# Running from : C:\Users\Sangeet Kendra\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16448

[OK] Registry is clean.

-\\ Google Chrome v23.0.1271.97

File : C:\Users\Sangeet Kendra\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [688 octets] - [30/12/2012 01:17:57]

########## EOF - C:\AdwCleaner[R1].txt - [747 octets] ##########
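The Security Check output above is the kind of log a helper reads for action items: protection that is switched off, software that is out of date, and checks the tool could not complete. It also shows two quirks worth knowing: the firewall is reported both enabled and disabled, and on-access scanning shows as disabled because Microsoft Security Essentials was turned off for the ComboFix run. The following is an added example, not part of this thread and not code from Security Check itself; it parses the checkup.txt layout shown above (section titles wrapped in runs of backticks, flagged items ending in "!") into action items. The sample log is constructed to mirror the posted one.

```python
"""Triage helper for a screen317 Security Check log (checkup.txt).

Added example; not part of the BleepingComputer thread and not code from
Security Check. Parses the log layout shown in the thread and turns the
lines the tool flags into action items a helper would follow up on.
"""
import re
from typing import Dict, List

# A section header is a run of backticks, the title, an optional colon, backticks.
SECTION_RE = re.compile(r"^`+(.+?):?`+$")
VERSION_RE = re.compile(r"^Google Chrome (\d+(?:\.\d+)*)$")


def parse_checkup(text: str) -> Dict[str, List[str]]:
    """Map each section title to the non-blank lines under it, in order.
    Lines before the first header go under 'Header'."""
    sections: Dict[str, List[str]] = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def action_items(text: str) -> List[str]:
    """Classify flagged lines: protection that is off, software that is out of
    date, and checks the tool could not complete (its 'Error ...' lines)."""
    items: List[str] = []
    for section, lines in parse_checkup(text).items():
        for line in lines:
            low = line.lower()
            if "out of date!" in low:
                items.append(f"[{section}] outdated: {line}")
            elif "disabled!" in low:
                items.append(f"[{section}] protection off: {line}")
            elif low.startswith("error "):
                items.append(f"[{section}] check failed: {line}")
    return items


def firewall_state(text: str) -> str:
    """'enabled', 'disabled', 'conflicting' (both lines present, as in the posted
    log, so the firewall state should be re-checked by hand) or 'unknown'."""
    lines = parse_checkup(text).get("Antivirus/Firewall Check", [])
    on = any(l.startswith("Windows Firewall Enabled") for l in lines)
    off = any(l.startswith("Windows Firewall Disabled") for l in lines)
    if on and off:
        return "conflicting"
    if on:
        return "enabled"
    if off:
        return "disabled"
    return "unknown"


def stale_chrome_versions(text: str) -> List[str]:
    """Security Check lists every Chrome build it finds; return all but the
    newest so the helper can confirm only the current build remains."""
    versions: List[str] = []
    for lines in parse_checkup(text).values():
        for line in lines:
            m = VERSION_RE.match(line)
            if m:
                versions.append(m.group(1))
    if len(versions) < 2:
        return []
    newest = max(versions, key=lambda v: tuple(int(p) for p in v.split(".")))
    return [v for v in versions if v != newest]


# Constructed sample mirroring the posted log. The backtick runs are built
# here rather than typed literally so the sample stays valid inside a fence.
T = "`" * 8
SAMPLE_LOG = "\n".join([
    "Results of screen317's Security Check version 0.99.56",
    "Windows 7 Service Pack 1 x64 (UAC is enabled)",
    f"{T}Antivirus/Firewall Check:{T}",
    "Windows Firewall Enabled!",
    "Windows Firewall Disabled!",
    "Microsoft Security Essentials",
    "(On Access scanning disabled!)",
    "Error obtaining update status for antivirus!",
    f"{T}Anti-malware/Other Utilities Check:{T}",
    "Malwarebytes Anti-Malware version 1.65.1.1000",
    "Adobe Reader 9 Adobe Reader out of Date!",
    "Google Chrome 21.0.1180.83",
    "Google Chrome 23.0.1271.97",
    f"{T}Process Check: objlist.exe by Laurent{T}",
    "Microsoft Security Essentials msseces.exe",
    f"{T}System Health check{T}",
    "Total Fragmentation on Drive C: 0%",
    f"{T}End of Log{T}",
])

if __name__ == "__main__":
    print("firewall:", firewall_state(SAMPLE_LOG))
    for item in action_items(SAMPLE_LOG):
        print(item)
    print("stale Chrome builds:", stale_chrome_versions(SAMPLE_LOG))
```

On the constructed sample this yields four action items (firewall disabled, on-access scanning disabled, the antivirus update-status error, and the out-of-date Adobe Reader, which is exactly what the helper's next reply addresses) and reports the firewall state as conflicting. Replace `SAMPLE_LOG` with the contents of checkup.txt to use it on a real log.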

#4 nasdaq (Malware Response Team, 37,297 posts, Montreal, QC, Canada)

Posted 30 December 2012 - 08:28 AM

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===

If still having a problem with your updates please run this tool.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#5 Frustrated Updater

Frustrated Updater
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:13 PM

Posted 04 January 2013 - 02:11 PM

Hi nasdaq,

Sorry for taking so long to respond but I was away on vacation and just got back! I tried to download the latest version of Adobe Reader but the update stalled (as many other updates have been) and so I went ahead and uninstalled the old version of Reader. This doesn't seem to have fixed anything as Windows Update and various installers still won't download. I then got the Farbar Service Scanner from another computer as it wouldn't download either and ran it. The scan log is attached below. Just as a side note, both Google Drive and Chrome flagged FSS as virus infected but I guessed this was in error and so ran it anyways. Thanks for your help!

Farbar Service Scanner Log

Farbar Service Scanner Version: 23-12-2012
Ran by Sangeet Kendra (administrator) on 05-01-2013 at 00:30:33
Running from "C:\Users\Sangeet Kendra\Desktop"
Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#6 nasdaq

nasdaq

  • Malware Response Team
  • 37,297 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:43 AM

Posted 05 January 2013 - 08:12 AM

Execute the instructions on this page.
Open the Windows Update troubleshooter
http://windows.microsoft.com/en-US/windows7/Open-the-Windows-Update-troubleshooter

If that fails to restore your Windows Updates

Continue.


Check the settings for the BITS (Background Intelligent Transfer Service).

Click the start button then click RUN...
Type in services.msc then ok

Scroll down the list to Background Intelligent Transfer Service and double click it to open the properties box.
On the general tab, the start up type should be set to manual or automatic.
Click the Log On tab, "log on as:" should be Local system account.
Below that in the hardware profile box under service, it should say enabled, if not click the enable button.
Apply and ok, then exit services.


Try a Download now.

Keep me posted.
Post any error message that may help identify the problem.
=*=
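As an added example (not code from the thread, from Farbar's tool, or from nasdaq), here is a PowerShell audit that checks what the FSS log in post #5 reported and what post #6 asks to verify by hand: the start type and logon account of the update-related services, and the registry values that switch Windows Defender or automatic updates off. The `HKLM:\SOFTWARE\Policies` paths are standard Windows policy locations that the thread itself does not show.

```powershell
# Added example, not from the thread: audit the services and policy values that
# Farbar Service Scanner reported, the way a defender would after cleanup.
# Run from an elevated PowerShell prompt on Windows 7 or later.

# Expected configuration. StartMode is compared as WMI reports it (Auto/Manual/
# Disabled); FSS flagged WinDefend at Demand (Manual) where the default is Auto.
$expected = @(
    @{ Name = 'wuauserv';  Start = @('Auto', 'Manual'); Logon = 'LocalSystem' },                 # Windows Update
    @{ Name = 'BITS';      Start = @('Auto', 'Manual'); Logon = 'LocalSystem' },                 # Background Intelligent Transfer Service
    @{ Name = 'cryptsvc';  Start = @('Auto');           Logon = 'NT AUTHORITY\NetworkService' }, # Cryptographic Services
    @{ Name = 'WinDefend'; Start = @('Auto');           Logon = 'LocalSystem' }                  # Windows Defender
)

Write-Output '--- Service configuration ---'
foreach ($e in $expected) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($e.Name)'"
    if (-not $svc) { Write-Output ('{0,-10} service not found' -f $e.Name); continue }
    $flags = @()
    if ($e.Start -notcontains $svc.StartMode) { $flags += 'UNEXPECTED-STARTMODE' }
    if ($svc.StartName -ne $e.Logon)          { $flags += 'UNEXPECTED-LOGON' }
    Write-Output ('{0,-10} state={1,-8} start={2,-8} logon={3,-28} {4}' -f `
        $svc.Name, $svc.State, $svc.StartMode, $svc.StartName, ($flags -join ' '))
}

# Values that disable Defender or automatic updates. The first entry is the one
# FSS printed in the thread; installing Microsoft Security Essentials sets it to
# 1 itself, so a 1 there alone is not evidence of tampering.
$policies = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                  Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';         Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';    Name = 'DisableWindowsUpdateAccess' }
)

Write-Output '--- Disabling policies ---'
foreach ($p in $policies) {
    $item  = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($p.Name) } else { $null }
    $verdict = if ($null -eq $value) { 'not set' }
               elseif ($value -eq 1) { 'SET - feature disabled by this value' }
               else { "value $value" }
    Write-Output ('{0}\{1}: {2}' -f $p.Path, $p.Name, $verdict)
}
```

Any UNEXPECTED flag or SET verdict is a lead to investigate, not a diagnosis by itself; compare it against what the machine's own security software is known to configure.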

#7 Frustrated Updater

Frustrated Updater
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:13 PM

Posted 05 January 2013 - 10:56 AM

I tried using the Windows Update troubleshooter but it does not go past the "Checking for updates online" phase. As for BITS, the Startup type was set to "Automatic (Delayed Start)" which I changed to "Automatic". The "log on as:" under the Log On tab was already set to "Local System account" but I see no option for a hardware profile box under service below that as you mentioned.

In addition to these steps I have already tried a bunch of Windows Update troubleshooting methods such as the ones outlined here but to no avail.

What is curious is that the list of things I am not able to download is selective. Windows Update won't run nor can I download most security software installers. ComboFix, Farbar, Adwcleaner etc would not download. I also cannot download Adobe Reader. Many other downloads seem to work and Microsoft Security Essentials and Malwarebytes seem to be able to successfully update their definitions too. Am wondering if my router may have been infected. What do you suggest next? Thanks and looking forward to solving this!

#8 nasdaq

nasdaq

  • Malware Response Team
  • 37,297 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:43 AM

Posted 05 January 2013 - 11:40 AM

Did you create these backup folders?
What do they contain?

2012-12-26 15:28:42 -------- d-----w- C:\Windows\SoftwareDistribution.older
2012-12-26 15:27:46 -------- d-----w- C:\Windows\softwaredistribution.bak6
2012-12-26 15:26:48 -------- d-----w- C:\Windows\softwaredistribution.bak5
2012-12-26 13:22:17 -------- d-----w- C:\Windows\softwaredistribution.bak4
2012-12-26 10:20:15 -------- d-----w- C:\Windows\softwaredistribution.bak3
2012-12-26 10:14:00 -------- d-----w- C:\Windows\softwaredistribution.bak2
2012-12-26 08:05:59 -------- d-----w- C:\Windows\softwaredistribution.bak1
2012-12-26 07:54:11 -------- d-----w- C:\Windows\softwaredistribution.bak



Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x80004005

You have many such errors in your extra.log file.

Have a look at this article.

http://eventid.net/display.asp?eventid=3002&eventno=10785&source=Microsoft%20Antimalware&phase=1

I would remove Windows defender using the Add/Remove Programs list.

http://answers.microsoft.com/en-us/protect/forum/mse-protect_start/windows-defender-and-microsoft-security-essentials/5309cb8d-02e1-40e8-974f-0dcedb9ab9fd

Try the updates.

Keep me posted.

#9 Frustrated Updater

Frustrated Updater
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:13 PM

Posted 05 January 2013 - 12:15 PM

I created the backup folders in question before consulting you after reading the following tip:

It is possible that the contents of the SoftwareDistribution folder have become corrupted,
so try Renaming the SoftwareDistribution folder

Click Start, Choose Run.
In the Run box, type services.msc.
Click OK.
Right-click the Automatic Updates service.
Click Stop.
Stopping the service will take a moment.

Rename the “SoftwareDistribution” folder:
a. Click Start, click Run, type: %systemroot%
Click OK.
b. Right-click the SoftwareDistribution folder, and then click Rename.
c. Type SoftwareDistribution.old, and then press ENTER to rename this folder.

Click Start. Choose Run.
In the Run box, type services.msc.
Click OK.
Right-click the Automatic Updates service.
Click Start.
Starting the service will take a moment.

Please note that your update history is contained in the “datastore” folder and when you rename the Software Distribution folder, the history is lost but it’s not important. You can if need be, copy the contents back from the renamed softwareDistribution.old folder. Losing the history of Windows Updates is not important.


I tried to remove Windows Defender using the Add/Remove programs list but it does not show up there. When I search for and then click on Windows Defender in the start menu I get a message stating that it is turned off and asking me if I want to turn it on.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 37,297 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:43 AM

Posted 05 January 2013 - 02:08 PM

Windows Defender cannot be uninstalled. Make sure you have disabled it as shown here.
http://www.howtogeek.com/howto/15788/how-to-uninstall-disable-and-remove-windows-defender.-also-how-turn-it-off/

Execute this. Ignore any message, just continue until all are complete.

When Windows Update is a problem, I use the following to re-register the files.
Start, Run, type in cmd, press enter
At the DOS prompt execute the following commands, one by one.
Press the enter key after each entry
regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wucltui.dll
regsvr32 wups.dll
regsvr32 msxml3.dll
regsvr32 jscript.dll
regsvr32 atl.dll
regsvr32 Mshtml.dll
regsvr32 Shdocvw.dll
regsvr32 Oleaut32.dll
regsvr32 Actxprxy.dll
regsvr32 initpki.dll

Type Exit and press enter to return to the operating mode.

If that fails then I would disable Microsoft Security Essentials

Then I would enable Windows defender and try the updates.

Keep me posted.

#11 Frustrated Updater

Frustrated Updater
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:13 PM

Posted 06 January 2013 - 10:31 AM

I disabled Windows Defender from the Services menu and then re-registered the files that you mentioned. The following ones showed error messages:

regsvr32 wuaueng.dll
regsvr32 wucltui.dll
regsvr32 wups.dll
regsvr32 jscript.dll
regsvr32 Mshtml.dll
regsvr32 Shdocvw.dll
regsvr32 Oleaut32.dll
regsvr32 Actxprxy.dll
regsvr32 initpki.dll

Windows Update still does not work. I then disabled Microsoft Security Essentials and turned on Windows Defender. This didn't help either. When I try certain downloads (for example, Adobe Reader) it always gets stuck at a certain point. In the case of Reader, it will not progress beyond 189 KB of the 977 KB total and my download speed will slow down to zero. Am at a loss as to what to do.

#12 nasdaq

nasdaq

  • Malware Response Team
  • 37,297 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:43 AM

Posted 06 January 2013 - 11:34 AM

Try this solution.
Uninstall MSE and reinstall.

http://answers.microsoft.com/en-us/protect/forum/mse-protect_updating/cant-download-definitions-error-code-0x80240022/2c1f970d-cc30-45a8-8a7c-0e7677137771

#13 Frustrated Updater

Frustrated Updater
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:13 PM

Posted 06 January 2013 - 11:44 AM

Sure, but how do I go about this? The link doesn't specify. Thanks.

#14 nasdaq

nasdaq

  • Malware Response Team
  • 37,297 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:43 AM

Posted 06 January 2013 - 11:48 AM

Use the Add/Remove Programs list to remove MSE.

Reinstall the application.
http://www.microsoft.com/security/pc-security/mse.aspx

#15 Frustrated Updater

Frustrated Updater
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:13 PM

Posted 06 January 2013 - 11:49 AM

Will do this right away and get back to you.
