MSE error stops all downloading and cannot be turned off.

mgadams

New member
Messages
14
Location
South Florida
I was hit by a virus which has now been removed using Kaspersky virus removal.
The scan now shows clean both with that software and with malwarebytes.
Unfortunately the cleanup seems to have done something to my system and I am not able to access MSE in any way. The icon looks like a sheet of paper. I tried deleting through control panel programs and features but get an error
"You do not have sufficient access to uninstall Microsoft security essentials. Please contact your system administrator."

I am the administrator on this computer; the only other user is guest.
Also, I cannot download any software or pdf files. When I try it deletes the file telling me Failed, Virus scan failed.

Can anyone help please???
 

My Computer My Computer

At a glance

Windows 7 ProfAMD e-350 1600 mhz4bg
Computer type
PC/Desktop
Computer Manufacturer/Model Number
HP100B All in one
OS
Windows 7 Prof
CPU
AMD e-350 1600 mhz
Memory
4bg
Hard Drives
1
Antivirus
MSE
Browser
Chrome or IE
mgadams,

Welcome to the forum!

Can you tell us the name of the virus removed, and the exact name of the Kaspersky program used for removal? If you have a report, that will help.

:info: On the damage, also download Farbar Service Scanner

Save to the Desktop
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press: Scan
  • FSS creates a log, FSS.txt, on the Desktop.
:ar: Please provide the FSS.txt in your reply.
 

My Computer My Computer

At a glance

Windows 7 Home Premium
Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!
I do not know the name of the virus. I had a computer guy help me with it. I do know it came from an email one of our people received that was labeled xerox scan. It changed all the files to applications.

It was the Kaspersky virus removal tool.

As far as running the farbar service scanner I downloaded it to a usb then moved to my computer and ran it? I am not able to download anything to this computer. When I try it deletes the file telling me
"Failed, Virus scan failed"
 
Farbar Service Scanner Version: 13-09-2013
Ran by Tina Adams (administrator) on 18-09-2013 at 08:37:33
Running from "C:\Users\Tina Adams\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" registry key does not exist.


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Action Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} key. The key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.

Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
Checking FirewallRules of SharedAccess: ATTENTION!=====> Unable to open "SharedAccess\Defaults\FirewallPolicy\FirewallRules" registry key. The key does not exist.
Checking Start type of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
Checking ImagePath of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
Checking ServiceDll of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.

Checking Start type of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
Checking ImagePath of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
Checking ServiceDll of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.



File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-08-14 08:06] - [2013-07-06 01:05] - 1293760 ____A (Microsoft Corporation) 4E8B9BE71B807B3BAEDB7F4243F85E3C

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2013-08-14 08:06] - [2013-07-09 00:46] - 0140288 ____A (Microsoft Corporation) 7CA1BECEA5DE2643ADDAD32670E7A4C9


ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll Reparse point on file detected.

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
 

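As an added example (not part of the original posts and not Farbar's code), a small Python parser for the FSS.txt format shown above that collapses the repeated ATTENTION lines into one worklist entry per finding. The function names, the worklist labels and the SECURITY_SERVICES grouping are assumptions made for the illustration; the sample is an abridged copy of the log above.

```python
import re

# Abridged copy of the FSS.txt posted above, embedded so the example runs offline.
SAMPLE_FSS = r'''
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
bfe Service is not running. Checking service configuration:
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
wscsvc Service is not running. Checking service configuration:
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking Start type of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll Reparse point on file detected.
'''

RE_STOPPED = re.compile(r"^(\S+) Service is not running")
RE_KEY = re.compile(r"Unable to open (\S+) registry key\. The service key does not exist")
RE_VALUE = re.compile(r"Unable to retrieve .+? of (\S+)\. The value does not exist")
RE_REPARSE = re.compile(r"ATTENTION!=+> (.+?) Reparse point on file detected")
RE_POLICY = re.compile(r'^"(Disable\w+)"=DWORD:1')

# Services FSS lists under Windows Firewall, Action Center and Windows Defender.
SECURITY_SERVICES = {"MpsSvc", "bfe", "wscsvc", "WinDefend"}


def parse_fss(text):
    """Collect what FSS flagged, de-duplicated per service (FSS repeats each
    missing key once for Start type, ImagePath and ServiceDll)."""
    report = {"stopped": set(), "missing_keys": set(), "missing_values": set(),
              "reparse_points": [], "policies": []}
    for line in map(str.strip, text.splitlines()):
        if m := RE_STOPPED.match(line):
            report["stopped"].add(m.group(1))
        elif m := RE_KEY.search(line):
            report["missing_keys"].add(m.group(1))
        elif m := RE_VALUE.search(line):
            report["missing_values"].add(m.group(1))
        elif m := RE_REPARSE.search(line):
            report["reparse_points"].append(m.group(1))
        elif m := RE_POLICY.match(line):
            report["policies"].append(m.group(1))
    return report


def triage(report):
    """Order the findings into a worklist: deleted security services first."""
    def names(items):
        return ", ".join(sorted(items, key=str.lower))
    keys = report["missing_keys"]
    checks = [
        ("security service keys deleted", keys & SECURITY_SERVICES),
        ("other service keys deleted", keys - SECURITY_SERVICES),
        ("service values missing", report["missing_values"]),
        ("reparse points on files", report["reparse_points"]),
        ("disabling policies set", report["policies"]),
        # Stopped with an intact key: recheck after the repair pass.
        ("stopped, configuration intact", report["stopped"] - keys),
    ]
    return [f"{label}: {names(found)}" for label, found in checks if found]


if __name__ == "__main__":
    for item in triage(parse_fss(SAMPLE_FSS)):
        print(item)
```

Running the same parser over the FSS.txt produced after each repair step gives a quick before/after comparison of which entries have cleared.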
You can attach the reports, if you like.

The above report shows several services in need of repair.

To make sure the virus is really gone, please do the following:

:info: Please go to the Farbar Recovery Scan Tool Download
Select the version that applies to your system.

Save it to your Desktop.

Double-click the downloaded file to run it.

When the tool opens click Yes to the disclaimer.
Press the Scan button.

FRST64 makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).

Please provide the FRST.txt in your reply. <<---

The first time the tool is run, it also makes another log: Addition.txt
Also post the Addition.txt in your reply. <<---
 

I have downloaded frst.exe. In the email I received, it said to use the 64 bit version, but here it says select the version that applies. I believe it is the 32bit but I am not positive. How can I confirm this?
 

The previous FSS report says it is 32 bit (x86)

To be sure...

Please go to Start > All Programs > Accessories > Command Prompt
At the Command prompt, type (or copy/paste with the mouse):

echo %PROCESSOR_ARCHITECTURE%

Press: Enter

It provides the info as to whether the system is 32 bit (x86), or 64 bit.
 

Here you go. Thank you for all your help.
 

mgadams,

Pressing on with FRST...

:info: Please open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below
Save it on the Desktop, and name it: fixlist.txt

Code:
start
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
MountPoints2: {0abd8d5c-5e46-11e2-8c56-e89a8f68d47a} - F:\setup.exe -a
MountPoints2: {b0fdca7b-f97f-11e0-a201-e89a8f68d47a} - F:\setup.exe -a
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL = 
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKCU - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = 
SearchScopes: HKCU - {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL = 
Toolbar: HKLM - Upromise RewardU Toolbar - {BCB2559D-DE26-E8F4-D552-AE05CE2BAC69} - C:\Program Files\Upromise RewardU Toolbar\Toolbar.dll ()
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU -Upromise RewardU Toolbar - {BCB2559D-DE26-E8F4-D552-AE05CE2BAC69} - C:\Program Files\Upromise RewardU Toolbar\Toolbar.dll ()
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (AmazonMP3DownloaderPlugin) - C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (BrowserPlus (from Yahoo!) v2.9.8) - C:\Users\Tina Adams\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
C:\Users\Tina Adams\AppData\Local\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
end

Note: This script is written specifically for use only on this computer.
Running this on another computer may cause damage to the Operating System!!

Run FRST, and press the Fix button, just once, and wait.
The tool creates a report on the pen drive called: Fixlog.txt
:ar: Please post the Fixlog.txt in your reply.


:info: Please go to the TDSSKiller Download, and select the .exe version
Double-click on TDSSKiller.exe to run the program.
When the TDSSKiller console opens, click on: Change Parameters
Under Additional Options, place a check in the box next to: Detect TDLFS File System
Click: OK

Press: Start Scan

• If a suspicious object is detected by this program, the default action is Skip. Leave this action as is, and click on: Continue
• If malicious objects are found, they show in the Scan results.
• Ensure Cure (the default action) is selected, then click: Continue > Reboot now, to finish the cleaning process.

(Note: If Cure is not available, select Skip, >>Do not select: Delete<<)

When done, the tool creates a log on the disk with the Windows Operating System, normally C:\
Logs have a name like:
C:\TDSSKiller.X.X.X_08.30.2013_15.31.43_log.txt
:ar: Please attach the TDSSKiller log in your reply.

Let's get the results from these programs, and take it from there. There are still more repairs to be done.
 

Here is the fixlog.txt file.
I am rebooting the computer then I will run the tdsskiller as instructed.
 

TDSSKiller log file attached.

NOTE: I was able to download on this machine without an error this time.. Yay....
 

Here is the TDSSKiller log file.
Nothing was found
 

Looking good!! :)

Let's do the following and see what it can repair...

:info: Since the following steps involve editing the Registry, please create a new restore point before proceeding.
http://www.sevenforums.com/tutorials/697-system-restore-point-create.html
Select: Option Two

:info: Now, please download the ESET ServiceRepair tool:
http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe
(Direct link only available)
Save to the Desktop.
Double-click to run the downloaded file.

When the program runs, a prompt appears asking if you want to proceed.
Click: Yes
When the Services routine is Completed, you are asked to Reboot.
Click Yes to allow the reboot.

The tool creates a folder named CC Support on the Desktop.
:ar: Please provide the CC Support\Logs\SvcRepair.txt in your reply.


:info: Now, run the Farbar Service Scanner once again.
Select all the options.
Press: Scan

:ar: Please provide the new FSS.txt in your reply.
 

Completed per your instructions. Files attached.
 

Cottonball,
I see you are retired Air Force. Thank You for your service.. My Dad is also retired and worked in Computers in the service.
When I was young he used to take me to work and let me create the punchcards... Yes I know what they are. :-)
I was in 4 years myself and was discharged as disabled due to an injury. Minor really compared to some of our vets.
Anyhow thanks for your service and also thanks for all the help you provide here.
Tina
 

...he used to take me to work and let me create the punchcards...

:roflmao:
Got a good laugh out of that one. I remember those punchcards also, stacked on desks, tables, and all over the place!! That was back in the seventies, early eighties...



My pleasure to help.


Have not forgotten you. Need to get a hold of some Registry keys, and post them for you to use.

The ESET ServicesRepair did a good job, and now there are only 2 Registry keys in need of attention, and another entry that will not be difficult to take care of.

Will get back to you later today, probably this evening. Overloaded with trivia today!! :rolleyes:

Thanks for your patience.
 

Let's roll...

:info: Please download the following files and save them to your Desktop:
(Direct links only available)

PolicyAgent:
http://download.bleepingcomputer.com/win-services/7/PolicyAgent.reg

RemoteAccess:
http://download.bleepingcomputer.com/win-services/7/RemoteAccess.reg

Now double-click on the PolicyAgent.reg file.
A prompt appears asking if you want to merge the information contained in the file into the Registry.
Confirm the prompt to merge to your Registry.
Click: OK

Next, double-click on the RemoteAccess.reg file.
Also confirm the prompt to merge to your Registry.
Click: OK

:info: Last, let's merge a missing Action Center key into the Registry:

Please open Notepad by pressing the Windows key and the R key at the same time.
In the Open area, type: notepad
Copy and paste all the text inside the code box below to Notepad:

Code:
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}]
"AutoStart"=""

In Notepad, go to File > Save As
Save the file to: Desktop
Save the file as: fixac.reg
Save as type needs to be set to: All files

On the Desktop, double-click: fixac.reg
Confirm the prompt to merge to your Registry.
Click: OK

:info: Restart the computer.

:info: On the Desktop, right-click fixac.reg, and select: Delete
Do the same for PolicyAgent.reg and the RemoteAccess.reg

Also empty the Recycle Bin.

:info: Now, once again press the Windows key and the R key at the same time.
In the Open area, type: services.msc

In the Services console, make sure Security Center is there, and:
Startup Type is set to: Automatic (Delayed Start)
Service Status is set to: Started

:ar: When done, please run the Farbar Service Scanner once again, and post its FSS.txt report.
 

OK all done. Here is the file.
 

The FSS report looks good.

In your initial post you mentioned:

I am not able to access MSE in any way. The icon looks like a sheet of paper. I tried deleting through control panel programs and features but get an error
"You do not have sufficient access to uninstall Microsoft security essentials. Please contact your system administrator."

I am the administrator on this computer the only other user is guest.

Also, I cannot download any software or pdf files. When I try, it deletes the file telling me Failed, Virus scan failed.

Do these issues still happen?
 

All these issues are now resolved. Thank you.
One additional question. In the MSE History are two quarantined items.
Can I just select remove all?
The virus it identifies is Sirefef!cfg

Thanks again for all your help. You are amazing..
Tina
 
