Solved Windows 7 weird Microsoft update valid

Geeky123

I have Windows 7 32bit. I have Windows Update set to notify only. I have great AV real protection software running but something weird just happened.

I was on Ebay using Firefox and suddenly the browser froze with a message that a script was trying to run, click yes or no. I clicked no, as I have NoScript installed along with a host of other protective browser software. Then my computer started cranking away and in Process Explorer TrustedInstaller was active. It was installing something to my hard drive.

I found out that whatever it was wrote to Licenses C:\program data; state data C:\ProgramData\Microsoft\RAC; and to RacMetaData.dat, RacWmiDatabase, RacWmiDataBookmarks.dat

2013/08/03 12:48:50 -0700 MESSAGE Starting database refresh
2013/08/03 12:48:50 -0700 MESSAGE Stopping IP protection
2013/08/03 12:48:51 -0700 MESSAGE IP Protection stopped successfully
2013/08/03 12:49:08 -0700 MESSAGE Database refreshed successfully
2013/08/03 12:49:08 -0700 MESSAGE Starting IP protection
2013/08/03 12:49:11 -0700 MESSAGE IP Protection started successfully

What was so annoying is that my desktop is on ethernet. It then went out to my router via wireless and installed software on there as well and shut down my laptop.

It pisses me off as it didn't give me a choice and UAC is set at the highest level, ALWAYS notify when installing software. I assume that would key off of TrustedInstaller.

The same thing happened when Microsoft installed 9 api-ms-win-downlevel-*dll's without my permission. Even WinPatrol didn't alert.

Now with all this stuff about MS and the NSA, I am spooked what is in this database and are they collecting information? What made them look at other devices networked to my router and pushed it out to other devices as well?

I thought I activated some malicious script in my browser because this sequence occurred at the same time as the non-responsive script error message. Running Malwarebytes and Avira came up with no detections.

Any ideas or suggestions?
 

My Computer

Computer type
PC/Desktop
OS
Windows7 32bit
Run Farbar Recovery Scan Tool


32-bit Version OS Farbar Recovery Scan Tool <==== Download Link

Drag the FRST.exe from the Downloads folder to your Desktop

Right click on FRST.exe and choose (image: mawket.jpg)


When the tool opens click Yes on the disclaimer window.
Press Scan button.


Please upload both logs in your reply (FRST.txt and Addition.txt).

Note: FRST.txt and Addition.txt will be on the Desktop.

Upload a File
Click on the Go Advanced button under the Message box. Scroll down to Additional Options then click on Manage Attachments in the Attach Files sections. Click the Browse button, locate the file, then click on the Open button. In the Upload File from your Computer section click on the Upload button. Wait until it finishes uploading then close the window. Then click Submit Reply.
 

My Computer

Computer Manufacturer/Model Number
Custom Built
OS
Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
CPU
Intel Core i7 CPU 950 @ 3.07GHz
Motherboard
ASUS P6T DELUXE V2
Memory
OCZ 6GB (3 x 2GB) 240-Pin DDR3 SDRAM DDR3 1600 OCZ3X1600R2
Graphics Card(s)
ATI Radeon HD 5700 Series
Sound Card
OnBoard
Hard Drives
WD6400AACS-00M3B0 (640GB SATA )
PSU
CORSAIR 850w
Case
NZXT LEXA
Cooling
Intel Stock Heatsink Fan
Keyboard
Microsoft Wireless Laser Keyboard 7000
Mouse
Microsoft Wireless Laser Mouse 7000
Sounds like it might possibly be WAT (antipiracy update) took place. Did you recently add new hardware?
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Sounds like it might possibly be WAT (antipiracy update) took place. Did you recently add new hardware?

NO, no hardware or software installed

There was this scripting error in my browser which NoScript didn't pick up and then something started getting installed on my hard drive as TrustedInstaller became activated and at 11:23AM something got installed in my system32 directory. Of course, it might be easier just to do a restore. But if MS is pushing something out then it wouldn't be detected by AV software. Time to start using a sandbox.

OK, here are the files. At 11:23 or thereabouts something was installed in my system32 directory. After that SearchIndexer and SearchProtocolHost ramped up big time.

THX
 

<==== Download Link


<==== Download Link

• Click on one of the links above that goes with your Windows 7 bit version

• Save to the Desktop.

• Close all windows and browsers

• Right click on (image: 2lneiqv.png) and choose (image: mawket.jpg)

• Press: SCAN

• Provide the RKreport.txt (Mode: Scan) in your reply.
 

Code:
C:\ProgramData\Microsoft\RAC

Is the Reliability Monitor folder. Sounds like the data store was updated. Is your Windows 7 installation updated?
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Golden Mk. I.4
OS
Windows 10 Pro x64 ; Xubuntu x64
CPU
Intel i7 860 @ 2.80 GHz O/C'ed to 4.0GHz
Motherboard
Gigabyte P55A-UD3R Rev.1. Award BIOS F13
Memory
16GB Corsair Vengance DDR3 @ 661 MHz Dual Channel (9-9-9-24)
Graphics Card(s)
EVGA NVidia GTX 560 1024MB
Sound Card
Realtek Integrated
Monitor(s) Displays
Dual Samsung SyncMaster 2494HS
Screen Resolution
1920*1080 and 1920*1080
Hard Drives
1*Samsung 840 EVO 120GB SSD;
1*OCZ Vertex 2 60GB SSD;
2*Samsung F3 SpinPoint 1TB in RAID0;
1*Samsung F1 SpinPoint 1TB;
2*Western Digital 1TB External USB 3.0
1*Western Digital 500GB External USB 3.0
1*Seagate 500GB External USB 2.0
PSU
Thermaltake ToughPower QFan 750W
Case
Thermaltake Element S VK60001W2Z
Cooling
Corsair H60 Water Cooling, 2*230mm and 2*80mm case fans
Keyboard
Logitech G110
Mouse
Logitech MX518
Well, it went over to my laptop and did something over there at the same time. The Windows Update window on my laptop shows the last successful update was on 7/23, yet the event log on my laptop shows Windows was successfully updated 8/03, but then it rebooted my laptop and was receiving "HomeGroup Provider Service not found", which it would, as you have to log into my laptop.

My Windows updates are set to notify only!!

What makes me angry is the fact that I don't know if this is MS and, if so, why it is done in such a silent manner? Where is the explanation? What's the purpose between MS Security Updates and these silent updates? Why would TrustedInstaller then go out and search my other computers on the network? Why didn't WinPatrol pick it up, or even how could it install, bypassing my UAC set to always notify if software is being installed on my computer without my interaction? What's the purpose of setting to Notify Only but not download? How could it get past my firewall set to always block incoming unless authorized by me?
 

Farbar Service Scanner

Click here: Farbar Service Scanner to DOWNLOAD

Place the file onto your desktop

Right click on FSS.exe and select (image: mawket.jpg)


Place a check mark next to the following options

  • ⬜ Internet Services
  • ⬜ Windows Firewall
  • ⬜ System Restore
  • ⬜ Security Center
  • ⬜ Windows Update
  • ⬜ Windows Defender

Press the Scan button

Farbar Service Scanner will create a log, called FSS.txt, on the Desktop. Upload the FSS.txt with your reply
 

Okay, I see "SearchScopes" .... not good. Web Search Bar Search Scope Monitor -->Adware.

Download AdWareCleaner AdwCleaner Download
or from here Téléchargements - Outils de Xplode - AdwCleaner
to your desktop
1. Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
2. Click on Delete button.
3. Confirm each time with OK.
4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.
Note: You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
 

Ok, these are the two reports. In Rogue, I have policies set in WinPatrol to prevent changes to registry tools and that is the reason for showing up there. I don't see anything suspicious.

Does anyone know if MS pushes silent updates for changes to Windows7 code outside of automatic updates?

These reports are from my desktop. My laptop is so messed up, I'm just going to reimage the system partition.

I appreciate all your help and suggestions! The fact that it was able to bypass the router firewall and the other one on my laptop, it's got to be MS.
 

Ok, I was trying to track down whether the problem came from the laptop to the desktop or vice versa. Apparently, from looking at all the logs, Skype... acquired from MS... was making an automatic update at the time and was attempting to synchronize software apps between both computers. I no longer use Skype for security reasons and that may explain the reason it was making updates to the audio. But then again I don't have updates with Skype set to auto either.

But I think that is where the problem lies, and since the installer couldn't log back into Windows after reboot on the laptop and couldn't synchronize the contacts lists etc. between both computers, everything just got messed up and the install failed. The logs stated an audit policy was changed and a special logon occurred at the time. But then the log error said it was from a Windows automatic update?

Does this make sense?
 

Are you having issues with the laptop or desktop or both? I'm kinda confused.
 

I was on my laptop for a bit this morning and then I went into my office and was working on my desktop when the problem began with script issue in my browser and Firefox froze. I then noticed TrustedInstaller, SearchIndexer and searchProtocolHost starting to crank away on the desktop and I could hear files being written to the hard drive.

I then started troubleshooting what happened on the desktop when I wrote my first post because I couldn't figure out how an update could get past all the security checkpoints. I then went back into the other room and realized that my laptop had attempted to reboot while I was in the other room. Then I realized that the problem I had experienced on my desktop had migrated to my laptop, which gets its stream from my wireless router.

So all of the diagnostics have been for the desktop, trying to solve what went wrong on it. I decided not to mess with the laptop as I can re-image the laptop drive since the system partition is small. But while I was thinking about how both computers could get messed up at the same time, the thought occurred to me to start with the logs on my laptop. In my laptop logs, there was a WindowsUpdateClient error on an auto update for Skype that was posted as a Windows update. So you can ignore everything that I was saying about the laptop as I was typing out loud to myself.

So the troubleshooting has always been for the desktop computer. If this makes any sense to you. :-)

The bottom line is that I believe that an auto update from Skype tried to auto update both computers at the same time and failed when it tried to synchronize.

So I was asking if this makes sense to you and if it does then this explains it and solves the problem. As I couldn't understand how MS could suddenly do an auto update with control panel settings in windows update set to notify only.
 

If you don't use Skype, uninstall it. Then you could hide the Skype update.
 

Thanks to those that helped, much appreciated!
 

Windows doesn't much care what you set Update to do. If you set it to download automatically but ask you to install, it'll still auto-install when you restart the PC regardless of your choice. I recently set up a Dell PC with Windows XP, set updates to notify only, and it still auto-installed several updates without asking or even notifying me it'd done so. There are also minor updates that run without notice such as MSE definition updates, though occasionally you will get something updated stealthily.

Though in your case I suspect something odd happened beyond the usual Microsoft updates.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Gateway DX4822-01
OS
Windows 7 Home Premium x64
CPU
Intel Pentium Dual Core 2.6 GHz
Motherboard
stock factory for this model
Memory
6 GB
Graphics Card(s)
stock factory for this model
Sound Card
stock factory for this model
Monitor(s) Displays
Dell P2010Ht
Screen Resolution
1600 x 900
Hard Drives
1 TB Western Digital
PSU
300 watt
Cooling
80mm case fan, CPU fan, 60mm front intake
Keyboard
Logitech
Mouse
HP 3-button optical wheel mouse
Internet Speed
fiber optic
Antivirus
MSE, SuperAntiSpyware, Malwarebytes Free
Re-run AdwCleaner again, but this time, click on the "delete" button!


# AdwCleaner v2.306 - Logfile created 08/03/2013 at 20:31:26
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : June - DELTAJ
# Boot Mode : Normal
# Running from : C:\Users\June\Desktop\AdwCleaner.exe
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****
File Infected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SOFTWARE PROGRAMS\Microsoft Developer Network\MSDN Library for Visual Studio 2008 - ENU.lnk ( arg. : /helpcol ms-help://MS.MSDNQTR.v90.en /LaunchNamedUrlTopic DefaultPage)
File Infected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SOFTWARE PROGRAMS\Microsoft Visual Studio 2008\Microsoft Visual Studio 2008 Documentation.lnk ( arg. : /helpcol ms-help://ms.vscc.v90 /LaunchNamedUrlTopic DefaultPage /usehelpsettings VisualStudio.9.0)
Folder Found : C:\Users\June\AppData\Roaming\Mozilla\Firefox\Profiles\xz4icms6.BASIC\jetpack
***** [Registry] *****
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\YahooPartnerToolbar
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16496
[OK] Registry is clean.
-\\ Mozilla Firefox v22.0 (en-US)
File : C:\Users\June\AppData\Roaming\Mozilla\Firefox\Profiles\ogjehw9r.default\prefs.js
Found : user_pref("extensions.linkextend.searchYahoo", false);
File : C:\Users\June\AppData\Roaming\Mozilla\Firefox\Profiles\xz4icms6.BASIC\prefs.js
Found : user_pref("extensions.ghostery.bugs", "{\"copyright\":\"This proprietary database is protected by co[...]
Found : user_pref("extensions.ghostery.lsos", "{\"copyright\":\"This proprietary database is protected by co[...]
File : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\hytre5ki.default\prefs.js
[OK] File is clean.
*************************
AdwCleaner[R1].txt - [2200 octets] - [03/08/2013 20:08:33]
AdwCleaner[R2].txt - [2131 octets] - [03/08/2013 20:31:26]
########## EOF - C:\AdwCleaner[R2].txt - [2191 octets] ##########
 

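For the question the thread keeps returning to (what was installed in that window, and which component requested it), the following PowerShell is an added example, not something posted by any participant. It assumes an elevated prompt on the affected Windows 7 machine with English service display names; the default time window is an assumption based on the timestamps quoted in the thread.

```powershell
# Added example: reconstruct what Windows Update / TrustedInstaller did in a time window.
# The default window is an assumption based on the times quoted in the thread; adjust it.
param(
    [datetime]$From = '2013-08-03 11:00',
    [datetime]$To   = '2013-08-03 13:00'
)

# 1) Effective Automatic Updates setting as the update agent itself reports it.
#    NotificationLevel: 1 = disabled, 2 = notify before download,
#    3 = notify before install, 4 = scheduled install.
#    Group Policy can override what the Control Panel page shows.
$au = New-Object -ComObject Microsoft.Update.AutoUpdate
"AU NotificationLevel: {0}" -f $au.Settings.NotificationLevel

# 2) Windows Update Agent history. Dates are stored as UTC.
#    ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted.
#    ClientApplicationID names the caller that requested the operation.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$total = $searcher.GetTotalHistoryCount()
if ($total -gt 0) {
    $searcher.QueryHistory(0, $total) |
        Where-Object { $t = $_.Date.ToLocalTime(); $t -ge $From -and $t -le $To } |
        Sort-Object Date |
        Select-Object @{n='LocalTime'; e={ $_.Date.ToLocalTime() }},
                      @{n='Operation'; e={ if ($_.Operation -eq 1) {'Install'} else {'Uninstall'} }},
                      ResultCode, ClientApplicationID, Title |
        Format-List
}

# 3) WindowsUpdateClient events in the System log for the same window
#    (for example 19 = install succeeded, 20 = install failed).
Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
        StartTime = $From; EndTime = $To
    } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-List TimeCreated, Id, Message

# 4) When the Windows Modules Installer service (TrustedInstaller) started and stopped.
#    The display-name match assumes an English-language installation.
Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036
        StartTime = $From; EndTime = $To
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Windows Modules Installer*' } |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Message -AutoSize -Wrap
```

Lining up the TrustedInstaller start times from step 4 against the history entries from step 2 shows whether the disk activity corresponds to a logged update, and the ClientApplicationID column shows which client asked for it.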