Can't run MSE [Solved]


This topic is locked.

#16 Dakeyras, Anti-Malware Mammoth (Expert, 9,714 posts)
Hi. :)
 

MBAM only found one problem. That seems suspicious.


Actually I would deem that a good sign myself.

Next:

Going back to this you posted initially:-
 

I went to Action Center and found that the Windows Security Service was turned off. When I tried to turn it on via the Action Center, it gave me a message that it can't be started. I typed "services" into the run command and security center was indeed, disabled. I set it for automatic, and then turned it on


Set this back to Automatic (Delayed Start) please >> then reboot the machine.

Re-scan with FSS:

Delete FSS.txt from the desktop >> empty the Recycle Bin
  • Then right-click FSS.exe and select Run as Administrator to start the program.
  • Select all available options.
  • Then click on the Scan tab.
  • When the scan is complete, it will produce a log named FSS.txt.
  • Post the contents in your next reply.
Check Hard Disk For Errors:

Download the attached hddcheck.bat below and save to your Desktop:-

Now right-click on hddcheck.bat and select Run as Administrator to run the batch file. A blank command window will open on the desktop, then close in a few minutes. This is normal and the batch file itself will self-delete when completed.

A file icon named checkhd.txt should appear on desktop. Please post the contents of this file in your next reply along with the new Farbar Service Scanner log.
#17 gomyr, Member (Topic Starter, 240 posts)

OK.  Went into Services and set "Security Center" (WSCSVC) to "Automatic-Delayed Start" and reset.  It was still on that setting after reboot.

 

Just out of curiosity, when are we going to get rid of the attrib9.dll file?

 

FSS scan result:

 

Farbar Service Scanner Version: 10-06-2014
Ran by Susan (administrator) on 16-06-2014 at 16:17:59
Running from "C:\Users\Susan\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Disabled. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****

 

HD Check result:

 

The type of the file system is NTFS.
Volume label is TI106424W0F.

WARNING!  F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
  610 large file records processed.
  0 bad file records processed.
  0 EA records processed.
  76 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.
  0 unindexed files scanned.
  0 unindexed files recovered.

CHKDSK is verifying security descriptors (stage 3 of 3)...
Security descriptor verification completed.
  28841 data files processed.

CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
Windows has checked the file system and found no problems.

 106107903 KB total disk space.
  58054720 KB in 231997 files.
    126828 KB in 28842 indexes.
         0 KB in bad sectors.
    367979 KB in use by the system.
     65536 KB occupied by the log file.
  47558376 KB available on disk.

      4096 bytes in each allocation unit.
  26526975 total allocation units on disk.
  11889594 allocation units available on disk.
 


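Added example, not part of the thread and not Farbar's FSS or the hddcheck.bat attachment: the same three things post #16 asks for and post #17 reports, done from an elevated PowerShell prompt so they can be re-run and compared. It reads a service's start type, ImagePath and ServiceDll from the registry and checks the DLL's signature (what the "Checking service configuration" block of the FSS log reports), sets "Automatic (Delayed Start)" the way the Services console does, and runs the read-only CHKDSK whose output appears above. The $expectedStart table and the service names are assumptions taken from the FSS log and the thread; nothing else is from the original page.

```powershell
# Added example, not FSS or the forum's hddcheck.bat: the checks FSS prints for a service
# (start type against an expected default, ImagePath, ServiceDll and whether that DLL is signed),
# the "Automatic (Delayed Start)" change post #16 asks for, and a read-only CHKDSK like the one
# whose output appears in post #17. Run from an elevated PowerShell on Windows 7 or later.
# Assumptions not taken from the thread: the $expectedStart table, and that a NotSigned result
# from Get-AuthenticodeSignature on Windows 7 only means "no embedded signature" (system DLLs
# there are catalog-signed; confirm with "sfc /verifyfile=<path>" before calling a file tampered).

# Registry Start values: 2 = Automatic, 3 = Manual, 4 = Disabled. DelayedAutostart = 1 marks
# "Automatic (Delayed Start)"; it is what the Services console writes alongside Start = 2.
$expectedStart = @{
    wscsvc    = @{ Start = 2; Delayed = 1 }   # Security Center, as set in the thread
    WinDefend = @{ Start = 2; Delayed = 0 }   # Windows Defender, the default the FSS log cites
}

function Get-ServiceConfig {
    param([Parameter(Mandatory = $true)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -Path $key)) { return $null }
    $svc = Get-ItemProperty -Path $key
    $dll = $null
    if (Test-Path -Path "$key\Parameters") { $dll = (Get-ItemProperty -Path "$key\Parameters").ServiceDll }
    $sig = 'n/a'
    if ($dll) {
        $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
        if (Test-Path -LiteralPath $dllPath) { $sig = [string](Get-AuthenticodeSignature -FilePath $dllPath).Status }
    }
    New-Object PSObject -Property @{
        Name       = $Name
        State      = [string](Get-Service -Name $Name -ErrorAction SilentlyContinue).Status
        Start      = [int]$svc.Start
        Delayed    = [int]$svc.DelayedAutostart   # a missing value casts to 0
        ImagePath  = $svc.ImagePath
        ServiceDll = $dll
        DllSig     = $sig
    }
}

function Test-ServiceConfig {
    param([Parameter(Mandatory = $true)][string]$Name)
    $cfg = Get-ServiceConfig -Name $Name
    if (-not $cfg) { return "$Name: no service key, the service is not installed" }
    $want  = $expectedStart[$Name]
    $notes = @()
    if ($want -and ($cfg.Start -ne $want.Start -or $cfg.Delayed -ne $want.Delayed)) {
        $notes += "start type Start=$($cfg.Start)/Delayed=$($cfg.Delayed), expected Start=$($want.Start)/Delayed=$($want.Delayed)"
    }
    if ($cfg.State -ne 'Running') { $notes += "service state is '$($cfg.State)'" }
    if (@('Valid', 'n/a') -notcontains $cfg.DllSig) { $notes += "ServiceDll signature status is $($cfg.DllSig)" }
    # the paths are printed even when everything passes, so they can be eyeballed against a known-good box
    if ($notes.Count -eq 0) { "$Name: OK (ImagePath=$($cfg.ImagePath); ServiceDll=$($cfg.ServiceDll))" }
    else { "$Name: " + ($notes -join '; ') }
}

function Set-AutomaticDelayedStart {
    param([Parameter(Mandatory = $true)][string]$Name)
    # sc.exe "delayed-auto" writes Start=2 and DelayedAutostart=1, the same as the Services console
    & sc.exe config $Name start= delayed-auto | Out-Null
    & sc.exe start $Name | Out-Null
    Get-ServiceConfig -Name $Name | Select-Object Name, State, Start, Delayed
}

function Test-VolumeReadOnly {
    param([string]$Drive = 'C:')
    # CHKDSK without /F is read-only and safe on the live system volume; post #17's output
    # ("F parameter not specified. Running CHKDSK in read-only mode.") is exactly this kind of run
    $out = & chkdsk.exe $Drive 2>&1 | ForEach-Object { [string]$_ }
    New-Object PSObject -Property @{
        Drive      = $Drive
        Clean      = [bool]($out -match 'found no problems')
        BadSectors = ($out | Where-Object { $_ -match 'bad sectors' }) -join ''
    }
}

'wscsvc', 'WinDefend' | ForEach-Object { Test-ServiceConfig -Name $_ }
```

Against the FSS log above this prints wscsvc as OK and WinDefend as "start type Start=4/Delayed=0, expected Start=2/Delayed=0; service state is 'Stopped'", which is the same finding in one line. Set-AutomaticDelayedStart -Name wscsvc is the scripted form of the change gomyr made by hand; re-run Test-ServiceConfig after the reboot, since a persistence mechanism that keeps flipping the service off would show up as the setting not sticking.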

#18 Dakeyras, Anti-Malware Mammoth (Expert, 9,714 posts)
Hi. :)
 

Went into Services and set "Security Center" (WSCSVC) to "Automatic-Delayed Start" and reset. It was still on that setting after reboot.


Good, and I can tell that also from the new FSS log.
 

Just out of curiosity, when are we going to get rid of the attrib9.dll file?


Are you saying it is still present then? As it should not be now.

#19 gomyr, Member (Topic Starter, 240 posts)

It is still there.  Shall I try to manually delete it?

C:\Windows\SysWOW64\attrib9.dll 449kb



#20 Dakeyras, Anti-Malware Mammoth (Expert, 9,714 posts)

It is still there.  Shall I try to manually delete it?
C:\Windows\SysWOW64\attrib9.dll 449kb


Hmmm ok, bear with me please and I will post back the next course of action in due course. :)

#21 gomyr, Member (Topic Starter, 240 posts)

I think I know why we did not get rid of the file.  In the 3rd line from the bottom of the "fixlist.txt" file you sent me, it lists, "C:\windows\SysWOW64\attrib9.dl" instead of "C:\windows\SysWOW64\attrib9.dll".

 

I'm not sure what is the best way to go about taking care of this. 

 

Awaiting your response.



#22 Dakeyras, Anti-Malware Mammoth (Expert, 9,714 posts)
Hi again. :)

Carry out the below for me please, as follows; the correct file path is included this time. My apologies about the inaccurate prior one...

Custom FRST Script:

Please download the attached fixlist.txt(see below) and save to the desktop.

  • Then right-click on FRST.exe and select Run as Administrator to start FRST.
  • Then click on the Fix button/radio tab >> at the Fix completed prompt click on OK
  • Reboot your machine (ensure you do this) when prompted to do so and post the contents of the newly created Fixlog in your next reply.
Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.

#23 gomyr, Member (Topic Starter, 240 posts)

OK,  The file has been removed, and verified via Windows Explorer.

 

FRST report:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-06-2014
Ran by Susan at 2014-06-17 05:42:00 Run:2
Running from C:\Users\Susan\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Unlock: C:\Windows\SysWOW64\attrib9.dll
C:\Windows\SysWOW64\attrib9.dll
Reboot:
*****************

"C:\Windows\SysWOW64\attrib9.dll" => File/Directory unlocked successfully.
C:\Windows\SysWOW64\attrib9.dll => Moved successfully.


The system needed a reboot.

==== End of Fixlog ====


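Added example, not from the thread and not FRST's own code: the first fix in this thread did nothing because of a one-character typo in the fixlist ("attrib9.dl"), and FRST prints nothing for a path that is not there. This script checks every path-like line of a fixlist.txt before the Fix button is pressed, lists near-miss names in the same folder for paths that do not resolve, and records size and signature status for those that do, so the later Fixlog and scanner hits can be matched against them. The only directives it understands are the two that appear in the Fixlog above ("Unlock:" and "Reboot:"); that restriction, and the file name on the Desktop, are assumptions.

```powershell
# Added example, not FRST's code: sanity-check the paths in a fixlist.txt before running FRST's Fix.
# Assumption: only the directives seen in this thread are recognised; "Unlock: <path>" carries a
# path, "Reboot:" does not, and a bare drive-letter path is a delete/move target.

function Test-FixlistPaths {
    param([Parameter(Mandatory = $true)][string]$FixlistPath)
    foreach ($raw in Get-Content -Path $FixlistPath) {
        $line = $raw.Trim()
        if ($line -match '^Unlock:\s*(.+)$')  { $path = $Matches[1] }
        elseif ($line -match '^[A-Za-z]:\\') { $path = $line }
        else                                 { continue }      # "Reboot:", separators, comments
        $path   = $path.Trim('"')
        $exists = Test-Path -LiteralPath $path               # -LiteralPath: no wildcard expansion of [ ] in names
        $row = @{ Line = $raw; Path = $path; Exists = $exists; Bytes = $null; Signature = $null; NearMiss = $null }
        if ($exists) {
            $item = Get-Item -LiteralPath $path -Force
            if (-not $item.PSIsContainer) {
                $row.Bytes = $item.Length
                # Windows 7 only reports embedded signatures here; NotSigned on a system DLL needs sfc /verifyfile
                $row.Signature = [string](Get-AuthenticodeSignature -FilePath $path).Status
            }
        } else {
            $dir  = Split-Path -Path $path -Parent
            $leaf = Split-Path -Path $path -Leaf
            if ($dir -and (Test-Path -LiteralPath $dir)) {
                # typo hunt: names in the same folder that start with the requested name (attrib9.dl -> attrib9.dll)
                $row.NearMiss = @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
                    Where-Object { $_.Name -like "$leaf*" } | ForEach-Object { $_.Name }) -join ', '
            }
        }
        New-Object PSObject -Property $row
    }
}

# Refuse to proceed while any target is missing; print the near misses so the typo is obvious.
function Assert-FixlistResolves {
    param([Parameter(Mandatory = $true)][string]$FixlistPath)
    $rows    = @(Test-FixlistPaths -FixlistPath $FixlistPath)
    $missing = @($rows | Where-Object { -not $_.Exists })
    foreach ($m in $missing) { Write-Warning "not found: $($m.Path)  (near misses: $($m.NearMiss))" }
    $rows | Format-Table Path, Exists, Bytes, Signature, NearMiss -AutoSize
    return ($missing.Count -eq 0)
}

Assert-FixlistResolves -FixlistPath "$env:USERPROFILE\Desktop\fixlist.txt"
```

With the first fixlist this would have warned "not found: C:\windows\SysWOW64\attrib9.dl (near misses: attrib9.dll)" and returned $false, before FRST ran. Note the Fixlog above says "Moved successfully", not deleted: FRST keeps the file under C:\FRST\Quarantine, which is why the ESET scan later in the thread reports it there.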

#24 Dakeyras, Anti-Malware Mammoth (Expert, 9,714 posts)
Hi. :)
 

The file has been removed, and verified via Windows Explorer.


Good, please run TFC (Temp File Cleaner) again as outlined in post #14. Then carry out the below...

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable the currently installed Anti-Virus, how to do so can be read here.

Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Please go here to run the scan...

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then right click on it and select Run as Administrator to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on the button shown: [button image not preserved]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is Not checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
  • Now click on the button shown: [button image not preserved]
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the log file first!
  • Now click on Finish: [button image not preserved]
  • Use notepad to open the log file located at C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable the Anti-Virus application after running the above scan!

Next:

When completed the above, please post back the following in the order asked for:
  • How is the computer performing now, any further symptoms and or problems encountered ?
  • Eset Log.


#25 gomyr, Member (Topic Starter, 240 posts)

OK, this one took quite a while.  On a side note, MSE has come back to life!  Though it did not detect anything that Eset detected, it did detect a keygen program while ESET was running.  I opted to allow MSE to delete the file.

 

Here is the ESET log:

 

C:\FRST\Quarantine\C\windows\system32\rpcss.dll.xBAD    Win64/Patched.I trojan
C:\FRST\Quarantine\C\windows\SysWOW64\attrib9.dll.xBAD    a variant of Win32/Ponmocup.HP trojan
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\co[1].htm    HTML/Iframe.B.Gen virus
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\KB00191163.exe    Win32/Viknok.L trojan
 

 

It is getting late for me, I am going to bed.  I'll be up later this afternoon.

 

I will implement your next instruction at that time.

 

Thank You!


#26 gomyr, Member (Topic Starter, 240 posts)

UMMMM, I think I posted the wrong thing.  What I previously posted as the "ESET log" was actually the log file I copied before clicking the "finish" button.

 

HERE is the log from C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt:

 

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7587
# api_version=3.0.2
# EOSSerial=41001fa990116c4db210c201876c5791
# engine=18756
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-06-17 02:13:55
# local_time=2014-06-17 07:13:55 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Microsoft Security Essentials'
# compatibility_mode=5895 16777213 100 100 0 25044429 0 0
# scanned=294292
# found=4
# cleaned=0
# scan_time=3361
sh=CD0F466FE39407E6A1F810E1936D5E357AB37E84 ft=1 fh=f0133b81e25886fa vn="Win64/Patched.I trojan" ac=I fn="C:\FRST\Quarantine\C\windows\system32\rpcss.dll.xBAD"
sh=214B0DC42C5B88DF53981F9C64D38E0AB3646A10 ft=1 fh=efc4dddd805e090e vn="a variant of Win32/Ponmocup.HP trojan" ac=I fn="C:\FRST\Quarantine\C\windows\SysWOW64\attrib9.dll.xBAD"
sh=151A614A08467F15E926B05B126E8E304E854CA1 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen virus" ac=I fn="C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\co[1].htm"
sh=077004768FFBEEB45BF62D736035872EBDE5692E ft=1 fh=61011651a62e7db5 vn="Win32/Viknok.L trojan" ac=I fn="C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\KB00191163.exe"
 


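Added example, not from the thread and not ESET's code: a parser for the detection lines of the ESET Online Scanner log.txt posted above (the "sh=... vn=... fn=..." records), which separates hits already sitting in FRST's quarantine from files still live on the system and re-hashes the live ones to confirm the file on disk is the one ESET flagged. The sample log is copied from post #26. That sh= is the SHA-1 of the scanned file is an assumption based on its 40-hex-digit length; the ft, fh and ac fields are carried through untouched because the thread does not document them.

```powershell
# Added example, not ESET's code: parse ESET Online Scanner detection lines, flag which hits are
# already in FRST's quarantine, and re-hash the rest. Assumption: sh= is SHA-1 of the scanned file.
# Sample input copied from post #26 of the thread (header lines are ignored by the parser).
$sampleLog = @'
# found=4
# cleaned=0
sh=CD0F466FE39407E6A1F810E1936D5E357AB37E84 ft=1 fh=f0133b81e25886fa vn="Win64/Patched.I trojan" ac=I fn="C:\FRST\Quarantine\C\windows\system32\rpcss.dll.xBAD"
sh=214B0DC42C5B88DF53981F9C64D38E0AB3646A10 ft=1 fh=efc4dddd805e090e vn="a variant of Win32/Ponmocup.HP trojan" ac=I fn="C:\FRST\Quarantine\C\windows\SysWOW64\attrib9.dll.xBAD"
sh=151A614A08467F15E926B05B126E8E304E854CA1 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen virus" ac=I fn="C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\co[1].htm"
sh=077004768FFBEEB45BF62D736035872EBDE5692E ft=1 fh=61011651a62e7db5 vn="Win32/Viknok.L trojan" ac=I fn="C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\KB00191163.exe"
'@

function ConvertFrom-EsetLog {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    $pattern = '^sh=([0-9A-Fa-f]{40})\s+ft=(\S+)\s+fh=(\S+)\s+vn="([^"]*)"\s+ac=(\S+)\s+fn="([^"]*)"\s*$'
    foreach ($l in $Lines) {
        if ($l -match $pattern) {
            New-Object PSObject -Property @{
                SHA1         = $Matches[1].ToUpper()
                ft           = $Matches[2]       # undocumented in the thread, passed through as-is
                fh           = $Matches[3]
                Threat       = $Matches[4]
                ac           = $Matches[5]
                Path         = $Matches[6]
                # FRST's "Moved successfully" puts files under C:\FRST\Quarantine; those are already neutralised
                InQuarantine = ($Matches[6] -like 'C:\FRST\Quarantine\*')
            }
        }
    }
}

function Get-Sha1Hex {
    param([Parameter(Mandatory = $true)][string]$Path)
    # .NET SHA1 rather than Get-FileHash, which Windows 7's PowerShell 2.0 does not have
    $sha = [System.Security.Cryptography.SHA1]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') } finally { $fs.Close() }
}

function Confirm-EsetHits {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    foreach ($hit in ConvertFrom-EsetLog -Lines $Lines) {
        if ($hit.InQuarantine) { $status = 'already in FRST quarantine' }
        elseif (-not (Test-Path -LiteralPath $hit.Path)) { $status = 'not on disk (removed by another tool, or temp file gone)' }
        elseif ((Get-Sha1Hex -Path $hit.Path) -eq $hit.SHA1) { $status = 'LIVE: file on disk matches the hash ESET flagged' }
        else { $status = 'path exists but content differs from what ESET scanned' }
        New-Object PSObject -Property @{ Threat = $hit.Threat; Path = $hit.Path; Status = $status }
    }
}

# Sample run on the embedded log; for the real thing pass Get-Content of ESET's log.txt
Confirm-EsetHits -Lines ($sampleLog -split "`r?`n") | Format-Table Threat, Status, Path -AutoSize
```

On the machine in the thread the two quarantine entries are expected and harmless; the two under C:\Windows\ServiceProfiles\NetworkService\ are the ones that matter, and they were left in place because "Remove found threats" was unchecked (remove_checked=false in the header). The header is worth reading before the hits for another reason: archives_checked=false and unsafe_checked=false show that "Scan archives" and "potentially unsafe applications" were not actually on for this run, and compatibility_mode_1='Microsoft Security Essentials' is the scanner noticing that MSE was still active, which the next post picks up on.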

#27 Dakeyras, Anti-Malware Mammoth (Expert, 9,714 posts)
Hi. :)
 

On a side note, MSE has come back to life! Though it did not detect anything that Eset detected, it did detect a keygen program while ESET was running. I opted to allow MSE to delete the file.


Did you not disable MSE for the duration of the scan as advised, or was it inactive and then suddenly appeared enabled? Plus, did you run TFC again as outlined or not?

Now with regard to what MSE flagged and you then allowed it to delete: I would have preferred you did not do that and merely informed me; but what's done is done and no real harm, as it can be restored again if it is a false positive, for example.

Anyway please check for me exactly what was removed via:-

Click on Start (Windows 7 Orb) >> Control Panel >> Administrative Tools >> Event Viewer >> Windows Logs >> System

Locate:-

Source= Microsoft Antimalware Event ID=1001 (scan finished)

Or merely:-

Right click on the MSE system tray icon >> Open >> History

Check both Quarantined items and All detected items >> make a note of anything present and in turn post the information in your next reply. You do not have to go too in-depth, merely the complete file path and name of the infection will suffice.
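Added example, not from the thread: the same Event Viewer lookup done with Get-WinEvent, so the MSE scan and detection events for a given day can be pulled out and posted without clicking through the System log. The provider name "Microsoft Antimalware" and event ID 1001 (scan finished) are from the post above; IDs 1116 (malware detected) and 1117 (action taken) are the same provider's detection events and, like the EventData field names used below, are an assumption here, which is why the raw message is kept next to the parsed fields.

```powershell
# Added example: read Microsoft Antimalware (MSE) events from the System log with Get-WinEvent.
# From the post: provider "Microsoft Antimalware", ID 1001 = scan finished.
# Assumptions: 1116 = malware detected, 1117 = action taken; EventData field names "Threat Name",
# "Path" and "Action Name". Message is always returned so nothing is lost if those names differ.

function Get-MseEvents {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [int[]]$Id = @(1001, 1116, 1117)
    )
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft Antimalware'; Id = $Id; StartTime = $Since }
    foreach ($ev in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        if (-not $ev) { continue }
        $data = @{}
        $xml  = [xml]$ev.ToXml()
        foreach ($d in @($xml.Event.EventData.Data)) {
            if ($d -and $d.Name) { $data[$d.Name] = $d.'#text' }
        }
        New-Object PSObject -Property @{
            Time    = $ev.TimeCreated
            Id      = $ev.Id
            Threat  = $data['Threat Name']   # assumed field name
            Path    = $data['Path']          # assumed field name; may list several resources separated by ";"
            Action  = $data['Action Name']   # assumed field name
            Message = $ev.Message
        }
    }
}

# Detections only, in the form the post asks for: threat name and full path
function Get-MseDetections {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-MseEvents -Since $Since -Id @(1116, 1117) | Sort-Object Time |
        Select-Object Time, Id, Threat, Action, Path
}

# If nothing comes back, confirm the provider is registered before blaming the filter:
#   Get-WinEvent -ListProvider 'Microsoft Antimalware'
Get-MseDetections -Since (Get-Date).Date | Format-List
```

Run from an elevated prompt (the System log is readable without it, but MSE's history in the GUI is not). For the day in question this returns the same two items gomyr lists in the next post, with the 1117 event carrying whether the action was Remove or Quarantine, which is the detail Dakeyras is after.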

#28 gomyr, Member (Topic Starter, 240 posts)

Yes, I did run TFC as instructed.  As for MSE, I was unaware it was working again.  The icon was not visible in the system tray, had to click on the "up" arrow to show hidden icons to see it.

 

In the future I will make sure to disable it during scans.

 

I presume you only want to see what it found in today's scan, and not in scans before we started this project.  If you want stuff from June 14 and previously, please let me know.

 

Today's scan only indicated 2 items:

Hacktool:Win32/Keygen - C:\Myer\Microsoft Office 2010 Professional Plus With Activator\Activator.exe - removed

 

VirTool:Win32/Injector.gen!EX - C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6UG82QYA\UY0yv.exe - Quarantined

 

The first one, I am sad to admit is my fault, I installed an unauthorized copy of Office on the computer a long, long time ago, before I changed into the "white hat".  I no longer condone, nor engage in software piracy.   The second one, MSE says is used to create worms, viruses and other malware.  I presume it came bundled with some nasty bit of mischief.



#29 Dakeyras, Anti-Malware Mammoth (Expert, 9,714 posts)
Hi.
 

The first one, I am sad to admit is my fault, I installed an unauthorized copy of Office on the computer a long, long time ago, before I changed into the "white hat". I no longer condone, nor engage in software piracy.


I applaud your honesty with me; however, I do ask that you now uninstall all Microsoft Office related software, per the forum's Terms of Use, if you still want my continued assistance.

For interest's sake, OpenOffice is a freeware alternative; there are many similar freeware applications to be had.

#30 gomyr, Member (Topic Starter, 240 posts)

Office is gone.  I actually use Open Office myself anyway.

