MSE will not complete full scan & other help programs don't seem to work


  • This topic is locked
230 replies to this topic

#46 sleepyjeen

sleepyjeen
  • Topic Starter

  • Members
  • 154 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:44 AM

Posted 28 February 2013 - 04:05 PM

Farbar Service Scanner Version: 20-02-2013
Ran by jeen (administrator) on 28-02-2013 at 15:03:32
Running from "C:\Users\jeen\Desktop"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****





#47 whoabuddy

whoabuddy

    Bleepin' Verbose


  • Malware Response Instructor
  • 2,053 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:07:44 AM

Posted 01 March 2013 - 12:50 PM

Hi sleepyjeen,

I can see from the FSS log that we still have the same issue - what happened when you ran the netsh advfirewall reset command? Did you receive any message on the command prompt after you ran it?

Best Regards,
whoabuddy
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE

#48 sleepyjeen

sleepyjeen
  • Topic Starter

  • Members
  • 154 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:44 AM

Posted 01 March 2013 - 01:10 PM

If there was a message it flew by so fast I didn't catch it.  Would you like me to do it again?



#49 sleepyjeen

sleepyjeen
  • Topic Starter

  • Members
  • 154 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:44 AM

Posted 03 March 2013 - 02:43 PM

An update:  Thought I would update the database MSE and do a full scan.  Once again it is not working and is stopped at  windows\system32\codeintegrity\driver.stl.  I knew I had a problem so I did a fresh reboot to see if that would help and no such luck.  Feels like square 1 all over again. 



#50 whoabuddy

whoabuddy

    Bleepin' Verbose


  • Malware Response Instructor
  • 2,053 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:07:44 AM

Posted 04 March 2013 - 08:25 AM

Hi sleepyjeen,

Not to worry, we are making progress, and I have some more steps for you to follow. Now that we have run the Combofix program and removed the infected services.exe file, we need to remove then reinstall Microsoft Security Essentials to make sure all of the components are working correctly. We still have to review and update your applications as well.

We need to reset your Firewall settings:
  • Click on the Start Orb
  • Click on Control Panel
  • In the search box, type firewall
  • Click on Windows Firewall
  • In the left pane, click Restore Defaults
  • A box will appear, click Restore Defaults then Yes to confirm
For more information: http://windows.microsoft.com/en-us/windows7/restore-windows-firewall-settings

We need to reinstall Microsoft Security Essentials:
  • Download Microsoft Security Essentials from Microsoft below and save the file to your desktop:
    http://windows.microsoft.com/en-us/windows/security-essentials-download
    Note: if asked, you need to download the Windows 7 x64 or 64-bit version
  • Click on the Start Orb
  • Click on Control Panel
  • Click on Programs, then Programs and Features
    Note: a list of applications will load with a progress bar at the top
  • Scroll down and click on Microsoft Security Essentials, then click Uninstall
  • Follow the on-screen prompts until it is uninstalled
  • Reboot the computer
    Note: this step is important as it makes sure any running or in-use files are deleted as well before we install the latest version
  • Once the computer loads again, install Microsoft Security Essentials from the file you downloaded to your desktop
  • Follow the on-screen prompts, and be sure to check the box If no firewall is turned on, turn on Windows Firewall during the installation
  • Reboot the computer
  • Open Microsoft Security Essentials, click on the Update tab, download the latest definitions
  • Run a new full scan
We need a new scan from Farbar Service Scanner:

Same procedure as before, please check all boxes when running the tool.

In your next post I need the following:
  • Confirmation of firewall reset
  • New Farbar Service Scan log (FSS.txt)
  • Results of Microsoft Security Essentials full scan after reinstall
One fortunate thing about computers is they give us a hundred different ways to complete one task - and in my opinion it's never a bad thing until we run out of ideas to try :)

Best Regards,
whoabuddy
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE

#51 sleepyjeen

sleepyjeen
  • Topic Starter

  • Members
  • 154 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:44 AM

Posted 04 March 2013 - 11:21 AM

I am now running without any antivirus program.  MSE will not install at all.  Had a terrible time uninstalling it; however, it does show it uninstalled.  Rebooted and Akamai Netsession Client, EEventmanager App, RunUpd, and GPTUpd.exe all needed to be allowed with the Firewall.  Choice was Private Networks or Public and the Private was already checked so I went with that.

I tried installing MSE several times and tried in safe mode none of which worked.

I did the defaults on the firewall and I did run the Farbar program.  The scan is below:

Farbar Service Scanner Version: 20-02-2013
Ran by jeen (administrator) on 04-03-2013 at 10:16:01
Running from "C:\Users\jeen\Desktop"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****



#52 sleepyjeen

sleepyjeen
  • Topic Starter

  • Members
  • 154 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:44 AM

Posted 04 March 2013 - 11:26 AM

Just in case you need the error code number, it is 0x80070643.  This is what comes up when trying to install MSE.



#53 sleepyjeen

sleepyjeen
  • Topic Starter

  • Members
  • 154 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:44 AM

Posted 04 March 2013 - 01:03 PM

I am wondering if I should try to install a different antivirus program.  With not having any protection I am nervous about doing any work on my computer.



#54 sleepyjeen

sleepyjeen
  • Topic Starter

  • Members
  • 154 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:44 AM

Posted 04 March 2013 - 04:32 PM

Okay after I quit being stressed I restored my system to an earlier day and then uninstalled and reinstalled MSE.  It updated ok and does the quick scan but when doing a full scan still gets hung up in that same place.  I once again set the windows firewall to defaults and this time I just cancelled the windows firewall notices that came up instead of allowing them.  So now at least I have an antivirus program back on even though I am not sure how well it is protecting when it isn't all working correctly. 



#55 whoabuddy

whoabuddy

    Bleepin' Verbose


  • Malware Response Instructor
  • 2,053 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:07:44 AM

Posted 07 March 2013 - 12:15 PM

Hi sleepyjeen,

We are still looking better, there is only one setting that needs to be updated as opposed to three, and the prompts you saw were to be expected as well. Windows Firewall controls what applications on your computer can communicate with the Internet, and we reset the list so it was asking you on behalf of everything that would like to access the Internet.

Now the reference number that you gave me references issues with a product called Microsoft .NET, which is used by a lot of Microsoft applications. I want to try running a fix then removing and reinstalling MSE again, except this time we will download AVG AntiVirus Free as an alternative in case Microsoft Security Essentials does not install. We are chasing down a very small issue, and at this point I do not see any malware in your logs. Sometimes infections can cause more issues than we expect, but we still have some steps to take to try and correct them.

Note: from this point forward please do not use your machine until all of the steps below are completed.

We need to download a few programs to your desktop:

To make it a little easier, I have provided direct links to everything except AVG. Please save all of the files to your desktop so we will have easy access to them later, and if the file already exists please replace it with the newer version you are downloading.

We need to run a custom fix with OTL:
  • Please open OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=1
    
  • Push the Run Fix button.
  • When the fix is complete, a log file will be displayed, please copy and paste the contents in your next reply.
We need to remove Microsoft Security Essentials:
  • Click on the Start Orb
  • Click on Control Panel
  • Click on Programs, then Programs and Features
    Note: a list of applications will load with a progress bar at the top
  • Scroll down and click on Microsoft Security Essentials, then click Uninstall
  • Follow the on-screen prompts until it is uninstalled
  • Reboot the computer
    Note: this step is important as it makes sure any running or in-use files are deleted before we run repairs
We need to repair Microsoft .NET and reinstall Microsoft Security Essentials:
  • Close any open applications/windows
  • On your desktop, double-click on NetFxRepairTool.exe that we downloaded earlier
  • Accept any security prompts and allow it to extract the required files
  • Check that you agree to the terms and click Next
  • The tool will run automated tests and show recommended changes, click Next
  • The tool will apply the recommended changes, click Next to continue troubleshooting
  • The tool will show versions of .NET to be repaired, click Next to begin repairs
    Note: the repair time varies depending on how many versions of .NET are installed and what actions need to be performed
  • The tool will display that the repair is complete. Do not press any of the buttons on this tool at this point
  • Minimize the tool by pressing the _ button in the top right
  • On your desktop, double-click on mseinstall.exe that we downloaded earlier
  • Follow the on-screen prompts, and be sure to check the box If no firewall is turned on, turn on Windows Firewall during the installation
  • When the installation is complete, minimize Microsoft Security Essentials by pressing the _ button in the top right
  • At the bottom of your screen, click on the Microsoft .NET Framework Repair Tool to bring the window back up
  • Click Finish to close the tool, re-open Microsoft Security Essentials, click on the Update tab, download the latest definitions
  • Reboot the computer
  • Open Microsoft Security Essentials, try running a Full Scan
Note: If you are unable to install Microsoft Security Essentials during this process, please click Finish to close the .NET repair tool, then run avg_free_stb_all_2013_2899_cnet.exe to install AVG anti-virus. This will give you something to use until we figure out the issue from that point forward.

In your next post I need the following:
  • log file from OTL fix
  • results of Microsoft Security Essentials reinstall
  • results of Microsoft Security Essentials full scan
  • Status Update - any other issues at this point?
Best Regards,
whoabuddy
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE
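
Progress in this thread is judged by comparing one Farbar Service Scanner (FSS) log against the next. The following is an added example, not part of any post and not the tool author's or the helper's own code: a small Python parser that pulls the non-healthy lines out of two FSS logs and reports which ones cleared, persisted or newly appeared. The two log excerpts are trimmed from posts #46 and #51; the function names and the rule for what counts as a healthy line are assumptions of this example.

```python
import re

# Excerpts trimmed from the FSS logs in posts #46 and #51 of this thread
# (the sections that changed, plus a few healthy lines for contrast).
LOG_28_FEB = r'''
Connection Status:
==============
Localhost is accessible.

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\System32\mpssvc.dll => MD5 is legit
'''

LOG_04_MAR = r'''
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

Windows Defender:
==============

File Check:
========
C:\Windows\System32\mpssvc.dll => MD5 is legit
'''

UNDERLINE = re.compile(r"^=+$")   # FSS underlines every section heading with '='
# Assumption of this example: lines ending like this report a healthy state.
HEALTHY = re.compile(r"(is accessible\.|connected\.|is OK\.|=> MD5 is legit)$")
VALUE = re.compile(r'"([^"]+)"=(.+)$')   # registry value line: "Name"=DWORD:n

def parse_findings(log):
    """Return {(section, text)} for each line that is not a healthy-status line."""
    lines = [ln.strip() for ln in log.splitlines()]
    findings, section, reg_key = set(), None, None
    for i, line in enumerate(lines):
        if not line or UNDERLINE.match(line) or line.startswith("****"):
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if UNDERLINE.match(nxt):                  # heading: next line is its underline
            section, reg_key = line.rstrip(":"), None
        elif line.startswith("[") and line.endswith("]"):
            reg_key = line[1:-1]                  # registry key; its values follow
        elif section and not HEALTHY.search(line):
            m = VALUE.match(line)
            text = f"{reg_key}\\{m.group(1)} = {m.group(2)}" if m and reg_key else line
            findings.add((section, text))
    return findings

def compare(before, after):
    """Diff two FSS logs by their findings."""
    old, new = parse_findings(before), parse_findings(after)
    return {"cleared": sorted(old - new), "persisting": sorted(old & new),
            "new": sorted(new - old)}

if __name__ == "__main__":
    for status, items in compare(LOG_28_FEB, LOG_04_MAR).items():
        print(status, items)
```

A line dropping out of the log only means FSS no longer reports it; in post #51 the Windows Defender section is empty, so the service and policy state still needs to be read in context.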

#56 sleepyjeen

sleepyjeen
  • Topic Starter

  • Members
  • 154 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:44 AM

Posted 07 March 2013 - 03:08 PM

First here is the log:

========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\"EnableFirewall"|1 /E : value set successfully!
 
OTL by OldTimer - Version 3.2.69.0 log created on 03072013_114425

 

Next:

Had trouble uninstalling MSE, an error came up that said error with uninstall wizard, reboot and try again.  I rebooted and it did finally uninstall.

The NetFXRepair seemed to go through its process and it said it was finished with the repair.

When I rebooted to run the full scan with MSE I received a message that said windows firewall is still turned off for some unknown error, turn on manually.  I did not do this because I was not sure if you wanted me to do that.

I tried to run the full scan with MSE and again it stopped at C:\Windows\System32\CodeIntegrity\driver.stl

I then went to look at the windows firewall and it says:

Update your firewall settings.  Windows firewall is not using the recommended settings to protect your computer.  Then there is a button to click on that says Use recommended settings.  I did not click on that because I saw that the fix you did was about the firewall so was not sure you wanted me to do anything with it.  So I now have no firewall protection.

Should I go ahead and click on the button to use recommended settings so that I will have a firewall again?

 

I got really nervous with no firewall because of all the financial things on my computer so I tried to click on the recommended setting to turn it on and the firewall will not turn on at all.  Just wanted you to be aware that it won't turn on.
 


Edited by sleepyjeen, 07 March 2013 - 03:19 PM.


#57 whoabuddy

whoabuddy

    Bleepin' Verbose


  • Malware Response Instructor
  • 2,053 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:07:44 AM

Posted 07 March 2013 - 03:24 PM

Hi sleepyjeen,

 

Thank you for the log, it looks like the fix worked and the setting is now set correctly.

 

As for Windows Firewall, you can choose to "Use recommended settings", and if you could provide a new FSS scan after, I'm interested to see what comes up at this point.

 

Let's back up to some basics as well:

 

 - how long does the full scan stop on that file?

 - how far along (estimated) in the scan is MSE when this happens?

 

I have a few more ideas and will let you know as soon as I work up the instructions.

 

Best Regards,

whoabuddy

 

 


Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE

#58 whoabuddy

whoabuddy

    Bleepin' Verbose


  • Malware Response Instructor
  • 2,053 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:07:44 AM

Posted 07 March 2013 - 03:27 PM

Hi sleepyjeen,

 

I just saw your edit regarding the firewall, have you rebooted?  If so, can you try resetting the firewall per my instructions a few posts back again (#50)?  Then please answer the questions in my last post, run the FSS scan, and we will get it fixed up.

 

Best Regards,

whoabuddy


Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE

#59 sleepyjeen

sleepyjeen
  • Topic Starter

  • Members
  • 154 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:44 AM

Posted 07 March 2013 - 04:32 PM

I tried to do what you said in message 50 regarding the firewall.  It will not work.  When I click on restore defaults or recommended settings it will not work and goes to the box that says to update your firewall settings.  Windows firewall is not using the recommended setting to protect your computer.  At one point I tried advanced settings and got an error code 0x6D9. 

 

 

Farbar Service Scanner Version: 20-02-2013
Ran by jeen (administrator) on 07-03-2013 at 15:28:32
Running from "C:\Users\jeen\Desktop"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****



#60 sleepyjeen

sleepyjeen
  • Topic Starter

  • Members
  • 154 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:10:44 AM

Posted 07 March 2013 - 04:34 PM

Also you had asked about how long the scan runs before stopping.  It varies.  Today it was running 40 some minutes before stopping at the same point, other times it is around 17 minutes.  It is almost like it scans in a different order or something because it always seems to stop with the same file.





