Corrupt File Alert by Firewall; File has Bogus Date [Solved]


  • This topic is locked

#91
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
My apologies, I somehow missed the notification for your reply.

Could you let me know what stage you are at now, and we will see if we can resolve them step by step.
  • 0


#92
blueblue

blueblue

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 270 posts
Hi Essexboy. Here's my status: About a week ago, I did a complete reformat of the HD. Win 7 has a built-in program to reformat and restore back to factory settings, which made it easier to rebuild. I lost my product key for the upgrade from Win 7 Starter to the Home Premium I purchased, so I'm stuck with the basics, but that's OK, it's the least of my worries.

For security, I downloaded Security Essentials, and turned on Windows Firewall, got Firefox and Sandboxie, NoScript, and a few other add-ons, tried to DL Adobe Flash Player and Java, but for some reason I'm having some trouble with them, though I disabled a few other add-ons I thought might've interfered. I didn't get Online Armor again yet.

I hope whatever prevented my updates from working properly is gone but a friend who has the same problem said Service Pack 1 is infected, he got that from some tech news source he knows about, so he said not to update anything connected with SP1. He had to reformat his computer twice. Although he has Vista, his situation is the same, that he couldn't install certain security updates, since about the same time I started having trouble with that.

My friend also said he thinks the personal files I backed up are OK. Remember I was afraid to use any of my backups? While waiting for you to reply again, I tried getting hold of my friend but due to each of us having some offline problems to deal with, we were unable to work on this together.

I hope I listed everything that's important; if I remember something else, I'll edit this message. I want to be sure my computer is clean. Maybe a way to test it is to get Online Armor again and see if that message about the corrupt file comes up again, but for now I'll wait to hear from you.

Thank you for all your help.
  • 0

#93
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
The SP1 infection is a fallacy... if you get it from MS Windows updates... I have it installed with no problem.

Let's check the services to ensure that they are OK.



Run Farbar Service Scanner.


Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.


What problem are you having with Java? More to the point, do you actually need it?
  • 0

#94
blueblue

blueblue

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 270 posts
Hi, about Java, I think I need it for some sites I visit, same with Flash. Here's the log you requested.

Farbar Service Scanner Version: 06-08-2012
Ran by Nobody (ATTENTION: The logged in user is not administrator) on 25-08-2012 at 14:45:18
Running from "C:\Users\Nobody\Desktop"
Windows 7 Starter (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Nsi Service is not running. Checking service configuration:
The start type of Nsi service is OK.
The ImagePath of Nsi service is OK.
Checking ServiceDll: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.

nsiproxy Service is not running. Checking service configuration:
The start type of nsiproxy service is OK.
The ImagePath of nsiproxy service is OK.

tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
The ImagePath of winmgmt: "%systemroot%\system32\svchost.exe -k netsvcs".
The ServiceDll of winmgmt service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.

cryptsvc Service is not running. Checking service configuration:
The start type of cryptsvc service is OK.
The ImagePath of cryptsvc service is OK.
The ServiceDll of cryptsvc service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

PlugPlay Service is not running. Checking service configuration:
The start type of PlugPlay service is OK.
The ImagePath of PlugPlay service is OK.


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2012-08-14 01:07] - [2012-03-30 03:29] - 1287024 ____A (Microsoft Corporation) 55E9965552741F3850CB22CBBA9671ED

C:\Windows\system32\dnsrslvr.dll
[2012-08-14 01:07] - [2011-03-02 22:29] - 0132608 ____A (Microsoft Corporation) B15BE77A2BACF9C3177D27518AFE26A9

C:\Windows\system32\mpssvc.dll
[2009-07-13 16:53] - [2009-07-13 18:15] - 0565760 ____A (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\Windows\system32\bfe.dll
[2009-07-13 16:54] - [2009-07-13 18:14] - 0493568 ____A (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll
[2009-07-13 16:23] - [2009-07-13 18:16] - 0125952 ____A (Microsoft Corporation) 5FD90ABDBFAEE85986802622CBB03446

C:\Windows\system32\vssvc.exe
[2009-07-13 16:24] - [2009-07-13 18:14] - 1025536 ____A (Microsoft Corporation) 7EA2BCD94D9CFAF4C556F5CC94532A6C

C:\Windows\system32\wscsvc.dll
[2012-08-14 01:08] - [2010-12-20 22:38] - 0073728 ____A (Microsoft Corporation) A661A76333057B383A06E65F0073222F

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2009-07-13 16:30] - [2009-07-13 18:16] - 0589312 ____A (Microsoft Corporation) 53F476476F55A27F580661BDE09C4EC4

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2012-08-14 00:56] - [2012-04-23 21:47] - 0139264 ____A (Microsoft Corporation) 520A108A2657F4BCA7FCED9CA7D885DE

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
  • 0

#95
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you log in as administrator please

Download the attached reg file to your desktop
[attachment=60039:nsi.reg]
Double click the file and accept the warning
Reboot and then re-run FSS please
  • 0

#96
blueblue

blueblue

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 270 posts
Hi, here's the log you requested from the admin account.

Farbar Service Scanner Version: 06-08-2012
Ran by Someone (administrator) on 25-08-2012 at 16:06:49
Running from "C:\Users\Nobody\Desktop"
Microsoft Windows 7 Starter (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Attempt to access Google.com returned error: Other errors
Yahoo IP is accessible.
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2012-08-14 01:07] - [2012-03-30 03:29] - 1287024 ____A (Microsoft Corporation) 55E9965552741F3850CB22CBBA9671ED

C:\Windows\system32\dnsrslvr.dll
[2012-08-14 01:07] - [2011-03-02 22:29] - 0132608 ____A (Microsoft Corporation) B15BE77A2BACF9C3177D27518AFE26A9

C:\Windows\system32\mpssvc.dll
[2009-07-13 16:53] - [2009-07-13 18:15] - 0565760 ____A (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\Windows\system32\bfe.dll
[2009-07-13 16:54] - [2009-07-13 18:14] - 0493568 ____A (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll
[2009-07-13 16:23] - [2009-07-13 18:16] - 0125952 ____A (Microsoft Corporation) 5FD90ABDBFAEE85986802622CBB03446

C:\Windows\system32\vssvc.exe
[2009-07-13 16:24] - [2009-07-13 18:14] - 1025536 ____A (Microsoft Corporation) 7EA2BCD94D9CFAF4C556F5CC94532A6C

C:\Windows\system32\wscsvc.dll
[2012-08-14 01:08] - [2010-12-20 22:38] - 0073728 ____A (Microsoft Corporation) A661A76333057B383A06E65F0073222F

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2009-07-13 16:30] - [2009-07-13 18:16] - 0589312 ____A (Microsoft Corporation) 53F476476F55A27F580661BDE09C4EC4

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2012-08-14 00:56] - [2012-04-23 21:47] - 0139264 ____A (Microsoft Corporation) 520A108A2657F4BCA7FCED9CA7D885DE

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
  • 0
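
The two FSS logs above differ mainly in which services are reported as not running and in the `ATTENTION` line for the Nsi key. The following is an added example, not part of the thread and not Farbar's own code: a small triage script that pulls the non-OK lines out of a log in this layout. The function name `triage_fss` and the embedded excerpt are constructed for illustration.

```python
import re

# Constructed excerpt in the layout of the FSS logs quoted in this thread.
SAMPLE_LOG = r'''Farbar Service Scanner Version: 06-08-2012
Ran by Nobody (ATTENTION: The logged in user is not administrator) on 25-08-2012 at 14:45:18
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
Nsi Service is not running. Checking service configuration:
Checking ServiceDll: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
'''

STOPPED = re.compile(r"^(\S+) Service is not running\.")
START = re.compile(r"^The start type of (\S+) service is set to (\w+)\. "
                   r"The default start type is (\w+)\.")
POLICY = re.compile(r'^"([^"]+)"=DWORD:(\d+)')

def triage_fss(text):
    """Group the non-OK lines of an FSS log by kind, tagged with their section."""
    out = {"admin": True, "stopped": [], "attention": [], "start_type": [], "policy": []}
    lines = [ln.strip() for ln in text.splitlines()]
    section = key = None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.endswith(":") and re.fullmatch(r"={4,}", nxt):
            section = line[:-1]          # title sits directly above a row of '='
        elif line.startswith("Ran by"):
            # The tool itself flags a scan run without administrator rights.
            out["admin"] = "not administrator" not in line
        elif "ATTENTION!" in line:
            out["attention"].append((section, line.split("=====>", 1)[-1].strip()))
        elif m := STOPPED.match(line):
            out["stopped"].append((section, m.group(1)))
        elif m := START.match(line):
            out["start_type"].append((section, m.group(1), m.group(2), m.group(3)))
        elif line.startswith("[HK"):
            key = line.strip("[]")       # registry key the following values belong to
        elif m := POLICY.match(line):
            out["policy"].append((section, key, m.group(1), int(m.group(2))))
    return out

if __name__ == "__main__":
    for kind, items in triage_fss(SAMPLE_LOG).items():
        print(kind, items)
```

When `admin` comes back `False`, re-run the scan from an administrator account before acting on the other findings, as was done in this thread.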

#97
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, that looks better. Are you having any problems?
  • 0

#98
blueblue

blueblue

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 270 posts
I was having trouble with Flash Player and figured out it was an add-on that was interfering.

I just hope my computer is clean.

I'll tell my friend what you said about SP1; been thinking about that. It's interesting that we had the same problem, but I thought, if SP1 were infected, wouldn't everyone have the same problem? I know what I have to do now, and hope all will go well.

Thank you Very Much for all your help. :thumbsup:

Edited by blueblue, 25 August 2012 - 09:46 PM.

  • 0

#99
blueblue

blueblue

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 270 posts
Something may be wrong, just noticed today: My clock got way off time somehow, I am suspicious. I don't recall doing anything to it but I'm sure it was on time. During the rebuilding process, I don't recall a need to adjust it, and I'm sure I looked at it a few times, it was OK till this afternoon. If I run a full scan it'll take 12 hours, maybe I should get that program I had before that helped fix that, trying to remember what it was, have to read old messages to find it.

I hope you're having a nice day, can't sit at this thing all the time.

  • 0

#100
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Have you reset the time? And does it stay correct after reboot?
  • 0


#101
blueblue

blueblue

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 270 posts
Yes I was able to reset it, and it was OK even after reboot. This is very suspicious to me, I didn't do anything to it that could've caused the change.
  • 0

#102
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
There could be many reasons for this to occur, I have had it happen to me once... But is all well now?
  • 0

#103
blueblue

blueblue

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 270 posts
OK, so far all is well. If it happens again I'll let you know.

Well I have some updates to install, will do one at a time in case something goes wrong. I'll report back here to let you know how it goes. My friend insists the SP1 rumor is true, knows others with the same problems, says he has confirmation on it. I'll be back soon, I hope.
  • 0

#104
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hmm, but where did he get the SP from?
  • 0

#105
blueblue

blueblue

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 270 posts
He got the update from Microsoft.

I got some updates yesterday, tried installing the hidden ones, one went through, it was a big file so I let it go through by itself. When I went to install the other 2, they disappeared! It's happened before, I guess I had them for too long and Microsoft had them expired, or maybe reissued in a new form, who knows, so I got the ones that came in after losing the 2 important ones I wanted, one was for security.

So far all is OK, but that one is the one I wanted to check on to be sure it wasn't the infected file, I have to look in my notes to check. I don't know if my friend keeps track of them and remembers which ones failed, which ones messed up his computer, etc. Since this trouble started for me, I've tried to keep a record of it so I can report the troublesome ones back to MS.
  • 0





