Topic: Had issues with being unable to run win updates

larry1135

  • Guest
Had issues with being unable to run win updates
« on: April 07, 2013, 07:58:24 AM »
Hi All,

Had the win updates message showing in red saying the service was turned off, but in fact in Services it was on. So, I ran MBAM and it came up with a few things. I then used Microsoft Fix it, which fixed an item (sorry, I do not remember what it was it fixed). So, after that I decided to make sure everything was thoroughly clean and ran the Kaspersky TDSSKiller, and when I set the objects to be scanned to include “Detect TDLFS file system” it came back with the message below. I’ve run AdwCleaner and cleaned out toolbars, and I’ve run Windows Defender and ComboFix. I have not had anything come back with a specific virus detected, and things seem to be running well now, including updates, with the exception of the TDSSKiller threat detection. I’ve included the following logs: ComboFix, MBAM, OTL, and aswMBR.

Do you think there is anything further that should be done?

Threat Detected
TDSS File System
Physical drive: \Device\Harddisk0\DR0
Suspicious object, medium risk

larry1135

  • Guest
Re: Had issues with being unable to run win updates
« Reply #1 on: April 07, 2013, 07:59:01 AM »
aswMBR log

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Had issues with being unable to run win updates
« Reply #2 on: April 07, 2013, 11:34:41 AM »
Could you attach the TDSSKiller log please

larry1135

  • Guest
Re: Had issues with being unable to run win updates
« Reply #3 on: April 07, 2013, 06:41:47 PM »
Hi Thanks

Could not find a way to get a log file, so I copied and pasted the report to this notepad. Also, I copied the threat to quarantine from the TDSSKiller drop-down option; not sure that was such a good idea. Would I be able to delete that without it causing a problem?

Thanks

Offline essexboy

Re: Had issues with being unable to run win updates
« Reply #4 on: April 07, 2013, 09:27:54 PM »
That looks OK. Is Windows updating?

Download and run Farbar Service Scanner

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

larry1135

  • Guest
Re: Had issues with being unable to run win updates
« Reply #5 on: April 07, 2013, 11:26:24 PM »
Here are the Farbar Service Scanner results. Also, Windows Update is working now after the previous tools were run. :D

Thanks much....

Farbar Service Scanner Version: 03-03-2013
Ran by Allstate3 (administrator) on 07-04-2013 at 16:22:35
Running from "C:\Users\Allstate3\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YVI6RKKV"
Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-04-06 11:52] - [2013-01-03 00:05] - 1293672 ____A (Microsoft Corporation) 7C0507D2391AF5933600CBCED799F277

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
« Last Edit: April 07, 2013, 11:28:02 PM by larry1135 »

Offline essexboy

Re: Had issues with being unable to run win updates
« Reply #6 on: April 07, 2013, 11:27:59 PM »
According to that, Windows Update is running. Could you try it out and confirm?

larry1135

  • Guest
Re: Had issues with being unable to run win updates
« Reply #7 on: April 07, 2013, 11:35:05 PM »
essexboy,

Do you think the TDSSKiller detection of a TDLFS File System is a false positive?

Thanks in advance

Offline essexboy

Re: Had issues with being unable to run win updates
« Reply #8 on: April 07, 2013, 11:37:10 PM »
Quote
11:31:43.0580 0836  \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
11:31:43.0611 0836  \Device\Harddisk0\DR0\TDLFS\tdl - copied to quarantine
11:31:43.0611 0836  \Device\Harddisk0\DR0\TDLFS\rsrc.dat - copied to quarantine
11:31:43.0627 0836  \Device\Harddisk0\DR0\TDLFS\bckfg.tmp - copied to quarantine
11:31:43.0627 0836  \Device\Harddisk0\DR0\TDLFS\tdlcmd.dll - copied to quarantine
11:31:43.0643 0836  \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Quarantine

No, that is a real detection. If it still appears in TDSSKiller, then select delete.

larry1135

  • Guest
Re: Had issues with being unable to run win updates
« Reply #9 on: April 08, 2013, 04:40:08 PM »
Thank you very much for all of the help, very much appreciated. :)

Offline essexboy

Re: Had issues with being unable to run win updates
« Reply #10 on: April 08, 2013, 04:43:58 PM »
Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
     (Notice the space between the "x" and "/")
    then click OK
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System tools
Right click Disk Cleanup and select run as administrator
When it pops up, at the first prompt select OK; after it has done some calculations the tabs will appear
Select More Options tab
Press System Restore and Shadow Copies Cleanup button


Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe  :wave: