
Thread: Windows won't update - is it malware?

  1. #1
    Member
    Join Date
    Apr 2006
    Posts
    56

    Windows won't update - is it malware?

    Hi

    My PCs are set to notify me of Windows Updates so that I can choose which ones to download and install. For several months I haven't had any notifications of newly released updates and thought nothing of it. However, two days ago I decided to do a manual check and there were 11 updates available dated 11th August 2015. Whenever I try to download them, the screen just says “Downloading updates, 0kb total, 0% complete”, regardless of how long I spend trying to download e.g. one hour, 90 minutes etc.

    So I decided to try just one update for IE and after about 30 minutes it downloaded and installed. There are now 30 pending updates and at this rate it will take 15 hours to download and install them. I also know that updating Windows when infected creates difficulties at a later stage.

    I have scanned with Malwarebytes and SuperAntiSpyware and the PCs seem clean, but a few strange things have been happening; sometimes when reading a PDF the document closes abruptly, and also my Canon scanner gets stuck through a scan, something that never happened before, and I also get the occasional blank IE page.

    Am I infected? My logs are below. Thanks.

  2. #2
    Security Expert-Emeritus Dakeyras
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,170

    Hi and welcome back to Safer Networking.

    After reviewing the logs provided (in future please do not attach them but merely post unless advised otherwise, thank you) nothing particularly malicious seems to be the root cause. Though I do advise you consider uninstalling this utter dross:

    Toolwiz Time Freeze 2014

    As it is not something I would personally advise anyone download/install/use etc. as it has the potential to render a machine little more than an expensive doorstop. My humble opinion however and your call. Anyway, to err on the side of caution before considering other root causes, let's rule out malware as follows shall we...

    Next:

    For the duration of the below two scans, temp' disable/shut down your protection software now to avoid potential conflicts, how to do so can be read here.

    Scan with JRT:

    Please download Junkware Removal Tool to your desktop.

    • Right-click on JRT.exe and select Run as Administrator to launch the application >> follow the on-screen prompt.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next reply.

    Scan with Zoek:

    Please download Zoek and save to the desktop.

    • Right-click on zoek.exe and select Run as Administrator.
    • Once the GUI (graphical user interface) has loaded >> click on the More Options tab >> select Auto Clean only.
    • Ensure the option Scan All Users is selected >> now click on the Run Script tab.
    • Zoek will momentarily close and a new GUI will appear and the scan will commence.
    • Please be patient as the scan may take some time depending on the specifications of your computer.
    • Once the scan is completed a log file named zoek-results.log will open via notepad, post the contents in your next reply.
    • If the system requires a reboot after the aforementioned scan, click on OK at the prompt (the log will appear after the reboot).
    • The zoek-results.log can also be found on your system drive.

    Note: Do not forget to re-enable your Security software after running the above scans!

    Next:

    When you have completed the above, please post back the following in the order asked for:

    • How is your computer performing now, any further symptoms and or problems encountered?
    • Junkware Removal Tool Log.
    • Zoek Log.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  3. #3
    Member
    Join Date
    Apr 2006
    Posts
    56


    Hi Dakeyras

    Thanks for your help and sorry about the attachments; I completely forgot. The PC is running ok and not showing any more odd symptoms, but I haven't attempted any more updates, I will wait for your prompt. The JRT and Zoek logs are below-

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Malwarebytes
    Version: 8.0.2 (01.06.2016)
    Operating System: Windows 7 Home Premium x86
    Ran by USER (Administrator) on 14/02/2016 at 20:59:31.55
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    File System: 8

    Successfully deleted: C:\Users\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\08G6DIIW (Folder)
    Successfully deleted: C:\Users\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2S00M8CO (Folder)
    Successfully deleted: C:\Users\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E0RIN9YF (Folder)
    Successfully deleted: C:\Users\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ERVM4ZDC (Folder)
    Successfully deleted: C:\Users\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GSO6AD2Z (Folder)
    Successfully deleted: C:\Users\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IE2SDBRZ (Folder)
    Successfully deleted: C:\Users\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L61HB3AJ (Folder)
    Successfully deleted: C:\Users\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OJME0V0Y (Folder)

    Registry: 0

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on 14/02/2016 at 21:00:47.63
    End of JRT log

    Zoek.exe v5.0.0.1 Updated 27-09-2015
    Tool run by USER on 14/02/2016 at 21:01:47.89.
    Microsoft Windows 7 Home Premium 6.1.7601 Service Pack 1 x86
    Running in: Normal Mode No Internet Access Detected
    Launched: C:\Users\USER\Desktop\zoek.exe [Scan all users] [Checkboxes used]

    ==== System Restore Info ======================

    14/02/2016 21:02:51 Zoek.exe System Restore Point Created Successfully.

    ==== Empty Folders Check ======================

    C:\Program Files\AGEIA Technologies deleted successfully
    C:\Users\USER\AppData\Local\VirtualStore deleted successfully
    C:\Users\USER2\AppData\Local\VirtualStore deleted successfully

    ==== Deleting CLSID Registry Keys ======================

    HKEY_USERS\S-1-5-21-3911347883-1701421413-189546050-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9A9F603B-51A8-4630-AE99-4BBF01675575} deleted successfully

    ==== Deleting CLSID Registry Values ======================


    ==== Deleting Services ======================


    ==== Deleting Files \ Folders ======================

    C:\Program Files\AGEIA Technologies not found
    "C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\Gj0neWhS.default\extensions\abs@avira.com" deleted

    ==== Firefox Extensions Registry ======================

    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    "quickprint@hp.com"="C:\Program Files\Hewlett-Packard\SmartPrint\QPExtension" [26/01/2011 14:27]

    ==== Firefox Extensions ======================

    ==== Firefox Plugins ======================


    ==== Chromium Look ======================

    HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
    flliilndjeohchalpbbcdekjklbdgfkk - No path found[]

    ==== Set IE to Default ======================

    Old Values:
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Start Page"="https://www.google.com/?gfe_rd=cr&ei=mTEsVKTNJOGq8wfem4HADQ&gws_rd=ssl"

    New Values:
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Start Page"="https://www.google.com/?gfe_rd=cr&ei=mTEsVKTNJOGq8wfem4HADQ&gws_rd=ssl"

    ==== All HKCU SearchScopes ======================

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
    "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
    {012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
    {0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"

    ==== Empty IE Cache ======================

    C:\Users\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
    C:\Users\USER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
    C:\Users\USER2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
    C:\Users\USER2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
    C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
    C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
    C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

    ==== Empty FireFox Cache ======================

    No FireFox Cache found

    ==== Empty Chrome Cache ======================

    No Chrome User Data found

    ==== Empty All Flash Cache ======================

    Flash Cache Emptied Successfully

    ==== Empty All Java Cache ======================

    No Java Cache Found

    ==== C:\zoek_backup content ======================

    C:\zoek_backup (files=112 folders=25 2484024 bytes)

    ==== Empty Temp Folders ======================

    C:\Users\Default\AppData\Local\Temp emptied successfully
    C:\Users\Default User\AppData\Local\Temp emptied successfully
    C:\Users\USER\AppData\Local\Temp will be emptied at reboot
    C:\Users\USER2\AppData\Local\Temp emptied successfully
    C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
    C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
    C:\Windows\Temp will be emptied at reboot

    ==== After Reboot ======================

    ==== Empty Temp Folders ======================

    C:\Windows\Temp successfully emptied
    C:\Users\USER\AppData\Local\Temp successfully emptied

    ==== Empty Recycle Bin ======================

    C:\$RECYCLE.BIN successfully emptied

    ==== EOF on 14/02/2016 at 21:21:53.09 ======================

  4. #4
    Security Expert-Emeritus Dakeyras
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,170

    Hi.

    Quote: "Thanks for your help and sorry about the attachments; I completely forgot."
    You're welcome, fair play re the attachments.

    Quote: "The PC is running ok and not showing any more odd symptoms,"
    Acknowledged.

    Quote: "I haven't attempted any more updates, I will wait for your prompt."
    Please visit this page How do I reset Windows Update components?, under the heading Windows 8.1, Windows 8, and Windows 7, click on:

    Run now

    At the prompt, save to your desktop. Once downloaded, double click on WindowsUpdateDiagnostic.diagcab >> once the GUI (graphical user interface) appears/loads >> select Windows Update

    Then click on Next >> follow the prompts. Once completed reboot your machine if not prompted and then check for Windows Updates (do not download any/install etc).

    Next:

    Let myself know the outcome of the above when ready and we will then go from there, thank you.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  5. #5
    Member
    Join Date
    Apr 2006
    Posts
    56


    I have run the Windows Update Diagnostic troubleshooter, rebooted and searched for new updates, but none was found after 60 minutes, and again after 45 minutes. The 30 updates which were present but won't download have also disappeared. The troubleshooter posted the following message-

    Problems found-

    1. Service registration is missing or corrupt – not fixed.
    2. Windows Update error 0x8007005 (2016-02-15-T_11_38_55P) – not fixed.
    3. Problems installing recent updates – fixed.
    4. Problems installing recent updates – fixed.
    5. Problems installing recent updates – fixed.

    Which way forward?

  6. #6
    Security Expert-Emeritus Dakeyras
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,170

    Hi.

    My apologies for the delay. All acknowledged, let's carry out a benign scan as follows shall we to further try and ascertain what may be the actual problem...

    Scan with FSS:

    Please download Farbar Service Scanner and save to your Desktop.

    • Right-click FSS.exe and select Run as Administrator to start the program >> click on Yes at the prompt.
    • Select all available options.
    • Then click on the Scan tab.
    • When the scan is complete, it will produce a log named FSS.txt.
    • Post the contents in your next reply.
    Last edited by Dakeyras; 2016-02-17 at 20:46. Reason: Update.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  7. #7
    Member
    Join Date
    Apr 2006
    Posts
    56


    Hi Dakeyras

    The FSS scan results -

    Farbar Service Scanner Version: 27-01-2016
    Ran by USER (administrator) on 18-02-2016 at 23:11:38
    Running from "C:\Users\USER\Desktop"
    Microsoft Windows 7 Home Premium Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    There is no connection to network.
    Attempt to access Google IP returned error. Google IP is unreachable
    Attempt to access Google.com returned error: Other errors
    Attempt to access Yahoo.com returned error: Other errors


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Policy:
    ========================


    Action Center:
    ============


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => File is digitally signed
    C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
    C:\Windows\system32\dhcpcore.dll => File is digitally signed
    C:\Windows\system32\Drivers\afd.sys => File is digitally signed
    C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
    C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
    C:\Windows\system32\dnsrslvr.dll => File is digitally signed
    C:\Windows\system32\dnsapi.dll => File is digitally signed
    C:\Windows\system32\mpssvc.dll => File is digitally signed
    C:\Windows\system32\bfe.dll => File is digitally signed
    C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
    C:\Windows\system32\SDRSVC.dll => File is digitally signed
    C:\Windows\system32\vssvc.exe => File is digitally signed
    C:\Windows\system32\wscsvc.dll => File is digitally signed
    C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
    C:\Windows\system32\wuaueng.dll => File is digitally signed
    C:\Windows\system32\qmgr.dll => File is digitally signed
    C:\Windows\system32\es.dll => File is digitally signed
    C:\Windows\system32\cryptsvc.dll => File is digitally signed
    C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
    C:\Windows\system32\ipnathlp.dll => File is digitally signed
    C:\Windows\system32\iphlpsvc.dll => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed


    **** End of log ****
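
Added example (not part of the original posts and not Farbar's code): a small Python triage of an FSS.txt log like the one above, keeping only the lines that report a failed or non-default state so that empty sections and signed-file lines drop out. The sample text is constructed from the log in this post, and the alert phrases are an assumption based on the wording seen on this page.

```python
import re

# Constructed sample: a shortened copy of the FSS.txt layout posted above.
SAMPLE_FSS = r"""Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error. Google IP is unreachable

Windows Update:
============

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\system32\wuaueng.dll => File is digitally signed
C:\Windows\system32\qmgr.dll => File is digitally signed
**** End of log ****
"""

# Assumption: phrases taken from the log lines on this page, not from FSS docs.
ALERT = re.compile(
    r"not running|unreachable|no connection|returned error|is set to|=DWORD:1", re.I)
SIGNED = "=> File is digitally signed"

def parse_sections(text):
    """Return {section title: [body lines]}; a title is a line underlined by '='."""
    lines = [ln.strip() for ln in text.splitlines()]
    sections, current = {}, None
    for i, line in enumerate(lines):
        underlined = i + 1 < len(lines) and re.fullmatch(r"=+", lines[i + 1])
        if line.endswith(":") and underlined:
            current = sections.setdefault(line[:-1], [])
        elif current is not None and line and not re.match(r"[=*]{4}", line):
            current.append(line)  # skip underline rows and the '****' footer
    return sections

def triage(text):
    """List (section, line) pairs that report a failed or non-default state."""
    findings = []
    for title, body in parse_sections(text).items():
        for line in body:
            unsigned = title == "File Check" and not line.endswith(SIGNED)
            if unsigned or (title != "File Check" and ALERT.search(line)):
                findings.append((title, line))
    return findings

if __name__ == "__main__":
    for section, line in triage(SAMPLE_FSS):
        print(f"[{section}] {line}")
```

A flagged line is a prompt for review rather than a verdict; an empty section means the tool had nothing to report there.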

  8. #8
    Security Expert-Emeritus Dakeyras
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,170

    Hi.

    Quote: "The FSS scan results"
    Thanks, all appears fine apart from the Connection Status results which may be a possible cause. Please bear with myself as Windows Updates issues are not the easiest to rectify. Plus as primarily I actually only provide Anti-Malware support we may have to consider say a referral to a specialist forum for such issues and or say a Windows 7 Repair Install for example.

    Anyway let's proceed as follows shall we...

    Scan with MTB:

    Please download MiniToolBox and save to your desktop.

    • Right-click on MiniToolBox.exe and select Run as Administrator to start the program >> click on Yes at the prompt.
    • Check/select the option Select All
    • Then click on Go and post the result (Result.txt) in your next reply.

    Note: If the log generated is too large to post conventionally merely attach it to your reply.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  9. #9
    Member
    Join Date
    Apr 2006
    Posts
    56


    Hi Dakeyras

    I completely understand and thanks for the help so far. I had serious Windows Update issues several years ago and finally resolved it by resetting Windows File Resource Center. I am very relieved I'm unlikely to be infected as failure to update Windows is the quickest way to malware; incidentally I am a member of a Windows 7 Operating System forum so should the need be let me know and I'll pass this onto them. The MTB log is attached.

  10. #10
    Security Expert-Emeritus Dakeyras
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,170

    Hi.

    All acknowledged/you're welcome!

    Check Hard Disk For Errors:

    • Open Notepad.
    • Copy and Paste everything from the Code Box below into Notepad:
    Code:
    @echo off
    cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"
    del %0
    • Go to File >> Save As
    • Save File name as Dakeyras.bat
    • Change Save as Type to All Files and save the file to your Desktop.
    • It should look similar to this:

    Now right-click on the desktop Dakeyras.bat and select Run as Administrator to run the batch file. It will self-delete when completed.

    A file icon named checkhd.txt should appear on your Desktop. Please post the contents of this file in your next reply.

    Windows 7 - System File Checker:

    • Click on Start(Windows 7 Orb).
    • Click on All Programs >> Accessories
    • Right click on Command Prompt and select Run as Administrator.
    • Click on Continue at the UAC prompt.
    • At the Command Prompt C:\Windows\System32> type in the following exactly:
    cd c:\
    • Then depress the Enter/Return key, then type in the following exactly:
    sfc /scannow
    • Then depress the Enter/Return key.

    Note: This may take a while to finish. When completed close the Administrator Command Prompt window, via typing Exit then depress the Enter/Return key.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
