Windows Update and Windows Defender not working

rengler · 08 Nov 2013

Hi everyone,

I am having a problem with my Windows 7 system on my Toshiba laptop. I discovered the problem while trying to download some software that requires the .NET framework 4.0. The framework software would not download.

While researching the error code that resulted from the .NET framework installation failure, I discovered that both Windows Update and Windows Defender are not working on my machine.

I have attempted to work through the instructions in the Windows Update Posting Instructions thread.

1) I have downloaded the System Update Readiness Tool for Windows 7 64 bit, but when I attempt to run it, I get the following error message:

2) I have performed the SFC scan and get a message saying no integrity errors were found, as per the screen shot below:

3)When I attempt to check for updates with Windows Update, I get the following error message saying the service is not running. I have tried restarting the computer as suggested but get the same result:

4) CBS log file is attached.

As a side note (I`m not sure if this is related, maybe it should be in its own thread) when I try to start Windows Defender, I get the following error message:

I have installed the latest Microsoft Security Essentials and I have update all of the device drivers on my computer using the Uniblue DriverScanner application so I should have the latest Intel drivers.

What should I do next to help solve this problem

Thanks
Randy

NoelDP · 09 Nov 2013

Please downloadthe Farbar Service Scanner from

http://www.bleepingcomputer.com/download/farbar-service-scanner/

Right-click onthe saved file and select 'Run as Administrator', and tick all the options,then click on the Scan button - copy and paste the report to your response.

It appears that at least one service has been affected - Have you had any malware infections lately? If so, which one?

rengler · 09 Nov 2013

Hi Noel,

Thanks for your help. My computer did have a malware infection recently, I believe it was called "zero access" or something like that.

I have performed the scan that you requested, it appears that most of these services are not running on my computer:

Farbar Service Scanner Version: 09-01-2013
Ran by Randy (administrator) on 09-11-2013 at 07:05:36
Running from "C:\Users\Randy\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

Firewall Disabled Policy:
==================
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" registry key does not exist.

System Restore:
============
System Restore Disabled Policy:
========================

Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Other Services:
==============
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
Checking FirewallRules of SharedAccess: ATTENTION!=====> Unable to open "SharedAccess\Defaults\FirewallPolicy\FirewallRules" registry key. The key does not exist.

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

Thanks again for your assistance.

NoelDP · 09 Nov 2013

ZeroAccess is a particularly nasty beast - and can cause a LOT of problems even after 'removal'.
Please first run Anti-rootkit utility TDSSKiller and see what it has to say. Post the results.

There's no point in me repairing the currently known problems if you still have active malware present.

rengler · 09 Nov 2013

Hi Noel,

I ran the TDSS Killer program as requested, no threats were found:

NoelDP · 10 Nov 2013

That's good, at least :)
Please follow the instructions here http://kb.eset.com/esetkb/index?page...nt&id=SOLN2895+ then run another FarBar scan and post the new log.

rengler · 10 Nov 2013

Hi Noel,

I followed the above instructions and ran the ESET cleaner tool. It said that it did find Win64/Sirefef on my system and removed it.

Windows Update is now running. It must have been out of service for quite some time because there were 51 updates to install on my system.

I ran the FARBAR scan tool again and this is the log, it appears that all of the services are running except for Windows Defender.

FARBAR log:
Farbar Service Scanner Version: 09-01-2013
Ran by Randy (administrator) on 10-11-2013 at 14:06:18
Running from "C:\Users\Randy\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============
Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2013-11-10 10:05] - [2013-09-13 18:10] - 0497152 ____A (Microsoft Corporation) 314C17917AC8523EC77A710215012A65
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2013-11-10 10:05] - [2013-09-07 19:30] - 1903552 ____A (Microsoft Corporation) 40AF23633D197905F03AB5628C558C51
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

NoelDP · 10 Nov 2013

That does look a lot better :)
What Anti Virus app do you have installed? - most will disable Windows Defender to prevent conflicts, so the setting is to be expected.

rengler · 10 Nov 2013

For anti-virus I am running the free version of avast, as well as malwarebytes. Everything seems to be working normally on my system now, thanks so much for your help.

NoelDP · 12 Nov 2013

Great!
Just for reference, I had a Vista system the other day that hadn't been updated for 254 days - it had a total of 51/52 updates :)

Good luck.