Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: MSE error stops all downloading and cannot be turned off.


17 Sep 2013   #1

Windows 7 Prof
 
 
MSE error stops all downloading and cannot be turned off.

I was hit by a virus which has now been removed using Kaspersky virus removal.
The scan now shows clean both with that software and with malwarebytes.
Unfortunately the cleanup seems to have done something to my system and I am not able to access MSE in any way. The icon looks like a sheet of paper. I tried deleting through control panel programs and features but get an error
"You do not have sufficient access to uninstall Microsoft security essentials. Please contact your system administrator."

I am the administrator on this computer the only other user is guest.
Also, I cannot download any software or pdf files. When I try it deletes the file telling me Failed, Virus scan failed.

Can anyone help please???

My System SpecsSystem Spec
.

17 Sep 2013   #2

Windows 7 Home Premium
 
 

mgadams,

Welcome to the forum!

Can you tell us the name of the virus removed, and the exact name of the Kaspersky program used for removal? If you have a report, that will help.

On the damage, also download Farbar Service Scanner

Save to the Desktop
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press: Scan
  • FSS creates a log, FSS.txt, on the Desktop.
Please provide the FSS.txt in your reply.
My System SpecsSystem Spec
18 Sep 2013   #3

Windows 7 Prof
 
 

I do not know the name of the virus. I had a computer guy help me with it. I do know it came from an email one of our people received that was labled xerox scan. It changed all the files to applications.

It was the Kaspersky virus removal tool.

As far as running the farbar service scanner I downloaded it to a usb then moved to my computer and ran it? I am not able to download anything to this computer. When I try it deletes the file telling me
"Failed, Virus scan failed"
My System SpecsSystem Spec
.


18 Sep 2013   #4

Windows 7 Prof
 
 

Farbar Service Scanner Version: 13-09-2013
Ran by Tina Adams (administrator) on 18-09-2013 at 08:37:33
Running from "C:\Users\Tina Adams\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" registry key does not exist.


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Action Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} key. The key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.

Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
Checking FirewallRules of SharedAccess: ATTENTION!=====> Unable to open "SharedAccess\Defaults\FirewallPolicy\FirewallRules" registry key. The key does not exist.
Checking Start type of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
Checking ImagePath of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
Checking ServiceDll of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.

Checking Start type of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
Checking ImagePath of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
Checking ServiceDll of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.



File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-08-14 08:06] - [2013-07-06 01:05] - 1293760 ____A (Microsoft Corporation) 4E8B9BE71B807B3BAEDB7F4243F85E3C

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2013-08-14 08:06] - [2013-07-09 00:46] - 0140288 ____A (Microsoft Corporation) 7CA1BECEA5DE2643ADDAD32670E7A4C9


ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll Reparse point on file detected.

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
My System SpecsSystem Spec
18 Sep 2013   #5

Windows 7 Home Premium
 
 

You can attach the reports, if you like.

The above report shows several services in need of repair.

To make sure the virus is really gone, please do the following:

Please go to the Farbar Recovery Scan Tool Download
Select the version that applies to your system.

Save it to your Desktop.

Double-click the downloaded file to run it.

When the tool opens click Yes to the disclaimer.
Press the Scan button.

FRST64 makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).

Please provide the FRST.txt in your reply. <<---

The first time the tool is run, it also makes another log: Addition.txt
Also post the: Addition.txtin your reply.<<---
My System SpecsSystem Spec
18 Sep 2013   #6

Windows 7 Prof
 
 

I have downloaded frst.exe in the email I received it said use 64 bit version. but here it says select the version that applies. I believe it is the 32bit but I am not positive. How can I confirm this?
My System SpecsSystem Spec
18 Sep 2013   #7

Windows 7 Home Premium
 
 

The previous FSS report says it is 32 bit (x86)

To be sure...

Please go to Start > All Programs > Accessories > Command Prompt
At the Command prompt, type (or copy/paste with the mouse}:

echo %PROCESSOR_ARCHITECTURE%

Press: Enter

It provides the info as to whether the system is 32 bit (x86), or 64 bit.
My System SpecsSystem Spec
18 Sep 2013   #8

Windows 7 Prof
 
 

Hear you go. Thank you for all your help.


Attached Files
File Type: txt Addition.txt (48.1 KB, 2 views)
File Type: txt FRST.txt (45.9 KB, 3 views)
My System SpecsSystem Spec
19 Sep 2013   #9

Windows 7 Home Premium
 
 

mgadams,

Pressing on with FRST...

Please open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below
Save it on the Desktop, and name it: fixlist.txt

Code:
start
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
MountPoints2: {0abd8d5c-5e46-11e2-8c56-e89a8f68d47a} - F:\setup.exe -a
MountPoints2: {b0fdca7b-f97f-11e0-a201-e89a8f68d47a} - F:\setup.exe -a
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL = 
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKCU - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = 
SearchScopes: HKCU - {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL = 
Toolbar: HKLM - Upromise RewardU Toolbar - {BCB2559D-DE26-E8F4-D552-AE05CE2BAC69} - C:\Program Files\Upromise RewardU Toolbar\Toolbar.dll ()
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU -Upromise RewardU Toolbar - {BCB2559D-DE26-E8F4-D552-AE05CE2BAC69} - C:\Program Files\Upromise RewardU Toolbar\Toolbar.dll ()
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (AmazonMP3DownloaderPlugin) - C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (BrowserPlus (from Yahoo!) v2.9.8) - C:\Users\Tina Adams\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
C:\Users\Tina Adams\AppData\Local\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
end
Note: This script is written specifically for use only on this computer.
Running this on another computer may cause damage to the Operating System!!

Run FRST, and press the Fix button, just once, and wait.
The tool creates a report on the pen drive called: Fixlog.txt
Please post the Fixlog.txt in your reply.


Please go to the TDSSKiller Download, and select the .exe version
Double-click on TDSSKiller.exe to run the program.
When the TDSSKiller console opens, click on: Change Parameters
Under Additional Options, place a check in the box next to: Detect TDLFS File System
Click: OK

Press: Start Scan

•If a suspicious object is detected by this program, the default action is Skip. Leave this action as is, and click on: Continue
•If malicious objects are found, they show in the Scan results.
•Ensure Cure (the default action) is selected, then click: Continue > Reboot now, to finish the cleaning process.

(Note: If Cure is not available, select Skip, >>Do not select: Delete<<)

When done, the tool creates a log on the disk with the Windows Operating System, normally C:\
Logs have a name like:
C:\TDSSKiller.X.X.X_08.30.2013_15.31.43_log.txt
Please attach the TDSSKiller log in your reply.

Let's get the results from these programs, and take it from there. There are still more repairs to be done.
My System SpecsSystem Spec
19 Sep 2013   #10

Windows 7 Prof
 
 

Here is the fixlog.txt file.
I am rebooting the computer then I will run the tdsskiller as instructed.


Attached Files
File Type: txt Fixlog.txt (10.6 KB, 0 views)
My System SpecsSystem Spec
Reply

 MSE error stops all downloading and cannot be turned off.




Thread Tools




Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 05:40 AM.
Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App
  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33