
Microsoft Security Essentials won't update



MSE won't update its definitions.  I searched this forum's threads and the closest symptom I could find was MSE opening momentarily, then closing.  In this case, MSE appears to function normally, and a scan finds nothing, but it's using a definition file that's 6 months old.  In the process of troubleshooting the issue, I discovered that Windows 7 hasn't set a restore point since January.  The date of the last restore point matches the date of the last MSE definition file that was downloaded. 

 

When I attempt to fix MSE using Microsoft's tools, I can't get their diagnostics to run.  When I try to fix that, I can't get past trying to correct the computer's system time, which is off by 4 minutes.  All of this is leading me to suspect an infection of some sort.  A threat scan with Malwarebytes, using the latest version, finds nothing.

 

Here are the logs generated by Farbar:

 

 

----------------------------------

 

Well, another surprise.  I can't seem to paste the log files, so I will have to attach them.

 

The computer is used by a family member to frequently go to Facebook and play games there such as Scrabble and Words with Friends.  Many links and videos are clicked in Facebook.  There are numerous popups appearing in some web pages.  Normal default browser is Chrome, but IE is now the default for the time being.  Previous scans using Malwarebytes have found PUP.Optional.Superfish.A, which has been quarantined and deleted repeatedly.

 

Your help will be greatly appreciated.  Thanks in advance.

 

Strongsail

FRST.txt

Addition.txt


Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

Next,

 

Open Malwarebytes 2.0, run a Threat Scan

 


On the Dashboard, click the 'Update Now >>' link
After the update completes, click the 'Scan Now >>' button.
Or, on the Dashboard, click the Scan Now >> button.
If an update is available, click the Update Now button.
A Threat Scan will begin.
When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
In most cases, a restart will be required.
Wait for the prompt to restart the computer to appear, then click on Yes.

 

Post log:

 


After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click 'Copy to Clipboard'
Paste the contents of the clipboard into your reply.

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.


Double click on Adwcleaner.exe to run the tool.
Click on Scan
Once the scan is done, click on the Clean button.
You will get a prompt asking to close all programs. Click OK.
Click OK again to reboot your computer.
A text file will open after the restart. Please post the content of that logfile in your reply.
You can also find the logfile at C:\AdwCleaner[sn].txt, where n is the scan reference number.

 

Next,

 

Please download Junkware Removal Tool to your desktop.


Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

 

Next,

 

Farbar scanner, for use when there are connection or redirect issues:

 

Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.

Make sure the following options are checked:

 


Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender

 


Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

 

Let me see those logs, also let me know if any remaining issues or concerns....

 

Kevin....

 

 

 

 

fixlist.txt


Kevin,

 

Yesterday, I followed your instructions and ran all the cleaners.  MSE was then able to update its definitions.  So, that issue appears to have been resolved.  However, some time later, the computer (Toshiba laptop, AMD 64bit, W7 Home Premium) locked up and had to be shut down by pressing and holding the power button.  That's not the first time in the recent past that this has happened; it may not be related.

 

Today, with the intent of sending you a reply with the logs, I attempted to open MBAM and it won't run.  I get a message box saying the app has stopped working.  It behaved the same after a restart.  The message box details are:

 

Well, stymied again.  I can highlight and copy the details but can't paste them here.  My attempt to paste text failed here yesterday as well.  The text pastes OK to a Notepad file.  I will attach it.

 

This computer has many issues, it seems.  The lockup isn't new.  It also often takes an unusually long time to shut down.

 

I would like to get the logs to you.  I will attempt to retrieve the others and paste them here or attach them.

 

I went to the C:\Program Data\MBAM\Logs and opened the newest file named protection-log.xml, selected all and copied.  It won't paste. I'm attaching it.  All other log files are also attached.

 

Thanks again,

Strongsail

 

 

protection-log-2014-07-10.xml

mbam appcrash.txt

AdwCleanerR0.txt

AdwCleanerS0.txt

JRT.txt

FSS.txt


Download Services Repair tool, available here - http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe and Save it to your Desktop. Right click on it and select Run As Administrator, follow the prompts. It should reboot when it finishes. If not, reboot it yourself.

 

Next,

 

Rerun FSS and post a fresh log....


Kevin,

 

Thanks for your patience.  I ran ServicesRepair, rebooted and ran FSS.  The log is pasted below.

 

strongsail

 

 

 

Farbar Service Scanner Version: 10-06-2014
Ran by Heather Strong (administrator) on 15-07-2014 at 17:10:12
Running from "C:\Users\Heather Strong\Downloads\Farbar Service Scanner"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
 
 
**** End of log ****
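The FSS log above reports three things a helper reads together: the WinDefend service is stopped, its start type has been changed from the default Auto to Demand, and a DisableAntiSpyware policy value of 1 is present. As an added example that is not part of this thread and not code from the Farbar tool, the following Python script pulls exactly those findings out of an FSS-style log so they can be triaged consistently. The embedded input is an excerpt of the log posted above, and the regular expressions assume the sentence wording FSS uses there. One caveat: on Windows 7 a machine running Microsoft Security Essentials is expected to show Windows Defender disabled, since MSE replaces it, so that entry is context rather than evidence of tampering on its own.

```python
import re

# Excerpt of the Farbar Service Scanner (FSS) log posted above, embedded here
# as the sample input so the script runs offline (raw string: the registry
# and file paths contain backslashes).
SAMPLE_FSS_LOG = r"""Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
"""

# Patterns for the sentence forms FSS uses (assumption: wording as in the log above).
NOT_RUNNING = re.compile(r"^(?P<svc>\w+) Service is not running\.")
START_TYPE = re.compile(
    r"^The start type of (?P<svc>\w+) service is set to (?P<actual>\w+)\. "
    r"The default start type is (?P<default>\w+)\.$"
)
SERVICE_FIELD = re.compile(
    r"^The (?P<field>ImagePath|ServiceDll) of (?P<svc>\w+) service is (?P<state>.+)\.$"
)
REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=DWORD:(?P<data>\d+)$')
FILE_CHECK = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+)$")


def parse_fss(text):
    """Return a list of findings (dicts) worth a second look in an FSS log."""
    findings = []
    current_key = None  # registry key of the most recent "[HKEY_...]" line
    for raw in text.splitlines():
        line = raw.strip()
        m = NOT_RUNNING.match(line)
        if m:
            findings.append({"type": "service_stopped", "service": m["svc"]})
            continue
        m = START_TYPE.match(line)
        if m:
            if m["actual"] != m["default"]:
                findings.append({"type": "service_start_type", "service": m["svc"],
                                 "actual": m["actual"], "default": m["default"]})
            continue
        m = SERVICE_FIELD.match(line)
        if m:
            if m["state"] != "OK":
                findings.append({"type": "service_binary", "service": m["svc"],
                                 "field": m["field"], "state": m["state"]})
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m["key"]
            continue
        m = REG_VALUE.match(line)
        if m and current_key:
            # In the log above the "Disabled Policy" sections are empty unless
            # the policy exists, so any DWORD printed here is a set policy.
            findings.append({"type": "policy", "key": current_key,
                             "value": m["name"], "data": int(m["data"])})
            continue
        m = FILE_CHECK.match(line)
        if m and m["verdict"] != "File is digitally signed":
            findings.append({"type": "file_check", "path": m["path"],
                             "verdict": m["verdict"]})
    return findings


def policy_disables_defender(findings):
    """True if the log carries the DisableAntiSpyware=1 policy seen in the thread."""
    return any(f["type"] == "policy" and f["value"] == "DisableAntiSpyware"
               and f["data"] == 1 for f in findings)


if __name__ == "__main__":
    for finding in parse_fss(SAMPLE_FSS_LOG):
        print(finding)
```

Run against the excerpt it reports the stopped service, the Demand-instead-of-Auto start type and the policy value, and nothing for the File Check section because every listed file is signed; any File Check line with a different verdict would be surfaced as a separate finding.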

Ok we continue as follows:

 

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

 

There are three buttons to choose from with different names on, select the first one and save it to your desktop.

 


Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
If the tool does not run from any of the links provided, please let me know.

 

Next

 

Please run a Threat Scan with MBAM.  If you're unable to run or complete the scan as shown below please see the following:  MBAM Clean Removal Process 2x

Follow the relevant steps and ensure to run mbam-clean tool after UNinstalling Malwarebytes.

 

When reinstalling the program please try the latest version from here:

http://www.malwarebytes.org/mwb-download/

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link

Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

 

Kevin


Followed your latest guidance.  Here are the two logs.

 

-------------------------

 

Rkill 2.6.7 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 07/18/2014 04:28:29 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 07/18/2014 04:28:42 PM
Execution time: 0 hours(s), 0 minute(s), and 12 seconds(s)
 
----------------------------
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 7/18/2014
Scan Time: 4:44:06 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.07.18.10
Rootkit Database: v2014.07.17.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Heather Strong
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 336898
Time Elapsed: 41 min, 24 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 2
PUP.Optional.Downloader, C:\Users\Heather Strong\Downloads\java_installer.exe, Quarantined, [c3de762a95e65fd76929613b3fc58878], 
PUP.Optional.Conduit.A, C:\Users\Heather Strong\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: (      "startup_urls": [ "http://search.conduit.com/?ctid=CT3153924&SearchSource=48&CUI=UN22672725411221518&UM=2" ],), Replaced,[2f720b954b30a5915b3b805849bb43bd]
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
---------------------------------------
 
The computer shut down normally last night and started OK today, but later it locked up and required forced shutdown.
 
strongsail
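The MBAM log above shows how the Conduit detection persists: PUP.Optional.Conduit.A is not an executable but a startup URL written into Chrome's Preferences file, which is why quarantining the installer that dropped it does not remove the hijack. As an added example, not part of this thread and not Malwarebytes' own code, the following Python script audits a Chrome Preferences file the same way: it parses the JSON, flags the homepage and any startup URL whose host is not on an owner-supplied allowlist, and returns a cleaned copy. The embedded Preferences content is a constructed sample modelled on the entry in the log; the allowlist hosts are an assumption for the example, and the `homepage` and `session.startup_urls` key names are the ones Chrome uses for those settings.

```python
import json
from urllib.parse import urlparse

# Constructed sample modelled on the PUP.Optional.Conduit.A entry in the MBAM
# log above: a trimmed Chrome "Preferences" file whose startup page points at a
# Conduit search URL. Only the keys this example inspects are included.
SAMPLE_PREFERENCES = json.dumps({
    "homepage": "https://www.google.com/",
    "homepage_is_newtabpage": False,
    "session": {
        "restore_on_startup": 4,
        "startup_urls": [
            "http://search.conduit.com/?ctid=CT3153924&SearchSource=48&CUI=UN22672725411221518&UM=2"
        ],
    },
})

# Hosts the machine's owner actually wants opened at startup (assumption for
# this example; in practice ask the user which pages they expect to see).
ALLOWED_HOSTS = frozenset({"www.google.com", "www.facebook.com"})


def _host(url):
    """Lower-cased hostname of a URL, or '' if the URL has none."""
    return (urlparse(url).hostname or "").lower()


def audit_startup_urls(prefs_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (setting, url) pairs whose host is not on the allowlist.

    Two settings are checked: the homepage and the list of pages Chrome
    restores at startup, which is where the entry in the log was found.
    """
    prefs = json.loads(prefs_text)
    flagged = []
    homepage = prefs.get("homepage")
    if homepage and _host(homepage) not in allowed_hosts:
        flagged.append(("homepage", homepage))
    for url in prefs.get("session", {}).get("startup_urls", []):
        if _host(url) not in allowed_hosts:
            flagged.append(("session.startup_urls", url))
    return flagged


def clean_startup_urls(prefs_text, allowed_hosts=ALLOWED_HOSTS):
    """Return a copy of the Preferences JSON with off-allowlist startup URLs
    dropped and an off-allowlist homepage reset to the New Tab page.

    Chrome rewrites Preferences on exit, so the browser must be closed before
    the cleaned text is written back to disk, or the change is lost.
    """
    prefs = json.loads(prefs_text)
    session = prefs.setdefault("session", {})
    session["startup_urls"] = [u for u in session.get("startup_urls", [])
                               if _host(u) in allowed_hosts]
    homepage = prefs.get("homepage")
    if homepage and _host(homepage) not in allowed_hosts:
        prefs.pop("homepage")
        prefs["homepage_is_newtabpage"] = True
    return json.dumps(prefs, indent=2)


if __name__ == "__main__":
    for setting, url in audit_startup_urls(SAMPLE_PREFERENCES):
        print(f"{setting}: {url}")
```

On the sample the audit flags only the Conduit startup URL; the cleaned copy passes the same audit with nothing flagged. The allowlist approach is deliberate: matching on known bad hosts such as search.conduit.com catches yesterday's hijacker, while checking that every startup page is one the owner recognises catches the next one too.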

What exactly happened to cause the lock up, was it a specific action on your part?

 

Run the following:

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

 


Quit all running programs.
For Windows XP, double-click to start.
For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User License Agreement)
Click Scan to scan the system.
When the scan completes select "Report" save to desktop. Close the program > Don't Fix anything!
Post back the report which should be located on your desktop.

 

Kevin


Kevin,

 

No, it hasn't been any identifiable specific action that causes lockup.  It seems to happen during periods of inactivity - the user returns to the computer after doing something else and finds it unresponsive.  She has grown tired of my haranguing and is now pretty good at closing Chrome when she leaves the computer (facebook fear on my part) so there usually is no browser running when it locks up.  Alt-ctrl-del does nothing.  The power button has to be held down until the laptop goes dark, then rebooted.

 

I will run RogueKiller as soon as I can.

 

strongsail


No, it's my wife's.  I'm her erstwhile IT guy.  We share a wifi network through a Trendnet router with its hardware firewall enabled.

 

I also have a Toshiba laptop, Intel, 64bit W7 Home Premium SP1, and I am having some issues with it as well, but it's not as crippled as hers.  My MBAM scan finds the same file, PUP.optional.conduit.a, every day.  I quarantine it, and it's back the next session.  Can I run the same routines on my machine that you've recommended for hers?  My laptop is occasionally slow to shut down, but it doesn't become unresponsive like hers.

 

BTW, MBAM found PUP.optional.conduit.a again today on my wife's pc.  Haven't run Roguekiller on it yet.  Will do so soon.


Regarding your own laptop, best option is to start a new thread and post both logs from a scan with FRST....

 

Back to your wife's laptop, post log from Rogue Killer when ready, also run the following and post that log also...

 

Please download SystemLook from the following link below and save it to your Desktop.

 

 

http://images.malwareremoval.com/jpshortstuff/SystemLook.exe

 

 

 

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :regfind
    conduit
    *conduit*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
 

 

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

Kevin


Here's the scan log from Roguekiller.  Per your instructions, no actions were taken except the scan.

 

RogueKiller V9.2.3.0 [Jul 11 2014] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Heather Strong [Admin rights]
Mode : Scan -- Date : 07/21/2014  13:33:09
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 13 ¤¤¤
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2287867881-2331650427-3606157411-1001\Software\Microsoft\Windows\CurrentVersion\Run | Google+ Auto Backup : "C:\Users\Heather Strong\AppData\Local\Programs\Google\Google+ Auto Backup\Google+ Auto Backup.exe" /autostart  -> FOUND
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2287867881-2331650427-3606157411-1001\Software\Microsoft\Windows\CurrentVersion\Run | Google+ Auto Backup : "C:\Users\Heather Strong\AppData\Local\Programs\Google\Google+ Auto Backup\Google+ Auto Backup.exe" /autostart  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9FC09D19-A5B0-4539-85F8-EC3F2556AC75} | DhcpNameServer : 68.238.64.12 68.238.96.12  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9FC09D19-A5B0-4539-85F8-EC3F2556AC75} | DhcpNameServer : 68.238.64.12 68.238.96.12  -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{9FC09D19-A5B0-4539-85F8-EC3F2556AC75} | DhcpNameServer : 68.238.64.12 68.238.96.12  -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-2287867881-2331650427-3606157411-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-2287867881-2331650427-3606157411-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-2287867881-2331650427-3606157411-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-2287867881-2331650427-3606157411-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ HOSTS File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: NOT LOADED [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK3265GSXN +++++
--- User ---
[MBR] dc52eefd5faed41870f1ca13d1c44527
[bSP] b9818e7a885bcd3eec8b6b3757018fc4 : HP MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 294583 MB
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 606380032 | Size: 9161 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: Toshiba External USB HDD USB Device +++++
--- User ---
[MBR] 3e72b09eb84508e79773d683ec87e176
[bSP] 3aeb32ad7d9d93aa331d21a65a52a4ee : HP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 2048 | Size: 476936 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

Here's the log from the SystemLook scan.

 

SystemLook 30.07.11 by jpshortstuff
Log created at 13:39 on 21/07/2014 by Heather Strong
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.
 
========== regfind ==========
 
Searching for "conduit"
No data found.
 
Searching for "*conduit*"
No data found.
 
-= EOF =-

Ran the command in 64bit Systemlook.  Here's the log.

 

SystemLook 30.07.11 by jpshortstuff
Log created at 08:46 on 22/07/2014 by Heather Strong
Administrator - Elevation successful
 
========== regfind ==========
 
Searching for "conduit"
No data found.
 
Searching for "*conduit*"
No data found.
 
-= EOF =-
 
My wife reports fewer popups in browser windows, if that's any consolation.  No recent lockups.
 
We are leaving on holiday today, and will be away almost a month.  We don't travel with our laptops - too bulky - we use Lenovo tablets when traveling; wife's is Android, mine is W8.1.  So, this is the last of your suggested routines I'll be able to run until we get back.  When we return, if her laptop exhibits any more symptoms, I will contact you through this thread if you'd care to leave it open.  Thanks for your help so far!  It's been a learning experience for me.  I will make a donation to your "Unite Against Malware," and will purchase the full version of Malwarebytes, when we return.
 
Regards,
 
strongsail

Run the following to clean up:

 

Download "Delfix by Xplode" and save it to your desktop.

 

"Delfix link mirror"

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 


    Activate UAC
    Remove disinfection tools
    Create registry backup
    Purge System Restore
    Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Part of the routine will be to create a registry back up with ERUNT,  the back up will be created here:

 

C:\Windows\ERUNT

 

When all is known to be well with your system you can delete that back up folder if you consider it as not needed...

 

Next,

 

If there are still pop ups occurring, which browser does that affect?


  • 2 weeks later...
  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

