Errors updating Windows 7
Since April 10 I can no longer update Windows 7
I have been in contact with Microsoft about this
the error that occurred was an access denied
on Microsoft's advice I ran Malwarebytes in safe mode
to my amazement this program produces a report of 68 pages of errors
in summary there are
0 errors in processes
2 errors in modules
49 errors in registry keys
2 errors in registry values
3 errors in registry data
219 errors in folders
829 errors in files
and 0 errors in physical sectors
when I use the scan from F-Secure
I am an xs4all user and have F-Secure on my machine through them
F-Secure Security Panel 1.89 build 205
then no error comes up
Microsoft's explanation is that when a virus slips through, the first thing that happens is that a registry key is created
which makes sure the protection always reports o.k.
please comment on this and on how to solve it
Microsoft says these are so many errors that a full backup of the data must be made
and then start again from scratch
Comments
-
Sorry about posting it in Dutch
here is the translation in English (sort of)
From April 10 on I cannot update Windows 7
I have talked to Microsoft about that
The error I got means access denied
they said that I should run Malwarebytes in safe mode
when I ran the program it gave me a shock
the error report was 68 pages long
a recap of it said
I had
0 errors in processes
2 errors in modules
49 errors in registry keys
2 errors in registry values
3 errors in registry data
219 errors in folders
829 errors in files
and 0 errors in physical sectors
I am a user of F-Secure
F-Secure Security Panel 1.89 build 205
which I got as a user of xs4all
when I do a scan with F-Secure there is no error on the machine
the explanation of Microsoft is that when a virus slips through the first thing it does
is setting a registry key which always gives F-Secure an o.k.
Please comment on it and is there a way to circumvent it and solve the problems
according to Microsoft I have to back up all the files and then start with a clean Windows 7
-
I'm not an expert on this, but my latest build is F-Secure 1.99 build 192, so yours would appear to be older, but I'm not sure how much older, or how it works coming from xs4all. I would initially suggest that you see if you can get a newer build, and run a scan with it.
I'm also not quite sure whether 'errors' in your report mean 'viruses', or actual errors. I don't think F-Secure would pick up 'errors' in the registry, for example, as it's not designed to do so, if the 'errors' are not viruses or malware.
Sorry not to be of more help, but hopefully someone else will be along later with a better idea of how to proceed with this.
I assume you've tried doing a System Restore to before April 10th?
-
Hello, joopkass
Just because your version of F-Secure is related to your provider (xs4all), it can be somewhat outdated in some technologies (but the databases must be up-to-date);
It means the trouble with the system can be related to:
- some "attacks" which can be prevented by behavior/pro-active technologies (which can be a little bit one step behind in your version);
- some kind of random mistake in your steps (if you randomly met some malicious files and thought of them as safe files);
- any others, which can happen, of course, with any protection software;
-----------
About the situation:
Malwarebytes can detect various PUPs/not-active keys etc., which are related to any viruses in the system (which can be already deleted/removed/cleaned) or just to a "false positive" (when... it's just suspicious or a potential risk);
But just because your system has trouble with updates etc., it can be related to any adware etc.
Probably you can try to check whether Malwarebytes detects anything else (again?), and if it's already all clean, maybe your system is without "active troubles";
And you can try to fix troubles in settings by hand, or with a command line such as "sfc /scannow" (etc.);
Also some kind of MBR repair etc. (without totally re-installing the system);
F-Secure can ignore already "not-active" empty/non-empty keys in the registry or some kind of "temp files", or it is just missing "that lot of files with infection"; any logs with detection names etc. would be good here.
And you can also create a ticket for F-Secure support;
The most "not hard" step is indeed... back up all your important files and re-install the system. That comes close to totally fixing any troubles or potential problems.
But... if you don't want to do that, try to check the situation with "sfc /scannow" and any other popular steps for checking the system's "health" by default steps;
And then... you can try to use any RescueCD/LiveCD to scan the system:
- it can help... if there are still malicious programs in the system; or... some RCD/LCD have features for some kind of "repair" of "broken default settings";
If your system still shows "active" malicious actions... it can be rootkits... And here a RescueCD/LiveCD (by F-Secure or any other protection/security company) can help too.
If you have an alternative data stream, the default features for repairing system files to default can also be helpful;
Also you can try to download and use F-Secure Blacklight (from the official F-Secure source): rename that file and scan the system (this can be helpful if F-Secure did not detect anything... because the malware has protection against "processes" with F-Secure-related names).
Sorry about a lot of text.
Not really sure... that I understand which situation you have at the current time (with your system);
-
Is the error report from a Malwarebytes log-file or from Windows event viewer? I have never seen a 68 page error report!
Can you post exactly the Windows Update error?
Was there any mention anywhere in Malwarebytes of any malicious items detected?
What version of Malwarebytes are you running? Version 2?
I would try;
1. Re-boot your machine and see if the Windows updates then come down.
2. Triple check for malware by downloading and scanning with HitManPro(free 30-day version); http://www.surfright.nl/en/hitmanpro
3. Try Microsoft's diagnostic tool. It's called the Windows Update Troubleshooter; http://windows.microsoft.com/en-us/windows7/open-the-windows-update-troubleshooter
4. Reset Windows Update; http://support.microsoft.com/kb/971058
EDIT: In addition have you posted on the XS4ALL Forums or contacted their Support?
-
Keep an eye on HitManPro.Alert 3 http://www.surfright.nl/en/home/press/surfright-announces-alert-3
-
Also, as an addition:
- HitmanPro probably always (it doesn't matter if you choose "one time scan") creates log files in local folders (AppData/Local Settings) as txt files; I'm not sure anymore, but they can contain some "user information", but it must be possible to "copy" just the "found items";
- HitmanPro also detects most tracking cookies (F-Secure can leave some of them undeleted "by design" because of "safe status", or just if you use an alternative browser);
Also HitmanPro can "give" somewhat higher "numbers" of "found items" than there really are, just because it's a slightly different kind of "statistics" (it means 586 items may not really be 586 trouble files or registry keys, or may just be tracking cookies);
But... probably HitmanPro can indeed set any system settings "back to default". But Malwarebytes can do that too (especially the "blocked Windows update" keys).
Anyway, you can be close to "sure" that the system is OK. But you still need to check more (it must be related to the kind of found items).
-
Here are the details of hitmanpro
Scan date . . . . . . : 2014-04-19 10:34:46
Scan mode . . . . . . : Normal
Scan duration . . . . : 13m 45s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : Yes
Threats . . . . . . . : 586
Traces . . . . . . . : 889
Objects scanned . . . : 2.286.197
Files scanned . . . . : 152.748
Remnants scanned . . : 824.134 files / 1.309.315 keys
Malware _____________________________________________________________________
C:\ProgramData\Wincert\win32cert.dll -> Quarantined
Size . . . . . . . : 7.168 bytes
Age . . . . . . . : 109.0 days (2013-12-31 11:14:04)
Entropy . . . . . : 5.0
SHA-256 . . . . . : 667985D140FF2E4AB20FDF12F1F5195693E0AB32318827D446CA182CC311F1EE
> Kaspersky . . . . : not-a-virus:WebToolbar.Win32.SearchSuite.a
Fuzzy . . . . . . : 106.0
C:\Users\hcc FVC platform\AppData\Local\Temp\{45F4935D-CF7A-4BFB-A910-87589E17B1AB}\Custom.dll -> Quarantined
Size . . . . . . . : 61.440 bytes
Age . . . . . . . : 369.7 days (2013-04-14 16:57:30)
Entropy . . . . . : 6.4
SHA-256 . . . . . : D269508431C5F9946D7A2C4217B24A2E9FD30AFA2B32E23FF40960D04CF5E994
Product . . . . . : SoftSafe
Publisher . . . . : SoftSafe
Description . . . : Custom DLL for SoftSafe
Version . . . . . : 2013.4.
Copyright . . . . : Copyright © 2012 S
> Kaspersky . . . . : not-a-virus:AdWare.Win32.Agent.aeph
Fuzzy . . . . . . : 100.0
C:\Users\hcc FVC platform\AppData\Roaming\OpenCandy\6894ED5653D54DA6AFE460B86873752B\SSStub_SearchProtect_p1v0.exe -> Quarantined
Size . . . . . . . : 322.680 bytes
Age . . . . . . . : 20.6 days (2014-03-29 19:38:50)
Entropy . . . . . : 7.9
SHA-256 . . . . . : 74D1728E35E66597921E27256C6EA6997498BD61BC6EB2536FB250D368964630
RSA Key Size . . . : 2048
Authenticode . . . : Valid
> Kaspersky . . . . : not-a-virus:Downloader.Win32.Agent.baxm
Fuzzy . . . . . . : 108.0
Potential Unwanted Programs _________________________________________________
C:\Program Files (x86)\Ask.com\ (AskBar) -> Deleted
C:\Program Files (x86)\Ask.com\assets\oobe\ (AskBar) -> Deleted
C:\Program Files (x86)\Ask.com\assets\oobe\b.png (AskBar) -> Deleted
C:\Program Files (x86)\Ask.com\assets\oobe\bl.png (AskBar) -> Deleted
C:\Program Files (x86)\Ask.com\assets\oobe\br.png (AskBar) -> Deleted
C:\Program Files (x86)\Ask.com\assets\oobe\l.png (AskBar) -> Deleted
C:\Program Files (x86)\Ask.com\assets\oobe\pointer.png (AskBar) -> Deleted
C:\Program Files (x86)\Ask.com\assets\oobe\r.png (AskBar) -> Deleted
C:\Program Files (x86)\Ask.com\assets\oobe\t.png (AskBar) -> Deleted
C:\Program Files (x86)\Ask.com\assets\oobe\tl.png (AskBar) -> Deleted
C:\Program Files (x86)\Ask.com\assets\oobe\tr.png (AskBar) -> Deleted
C:\Program Files (x86)\Ask.com\cobrand.ico (AskBar) -> Deleted
C:\Program Files (x86)\Ask.com\config.xml (AskBar) -> Deleted
C:\Program Files (x86)\Ask.com\favicon.ico (AskBar) -> Deleted
C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (AskBar) -> Deleted
Size . . . . . . . : 1.520.776 bytes
Age . . . . . . . : 359.0 days (2013-04-25 09:44:14)
Entropy . . . . . : 6.8
SHA-256 . . . . . : F20D2999461349323E7D44795ABED7A2A1EA8D3B6A32F91B3B1B58822503766F
Product . . . . . : Toolbar
Publisher . . . . : Ask
Description . . . : Ask Toolbar
Version . . . . . : 5.15.23.36191
Copyright . . . . : (c) Ask. All rights reserved.
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : -17.0
Startup
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\
HKU\S-1-5-21-905213307-2693827331-2924149415-1001\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{00000000-6E41-4FD3-8538-502F5495E5FC}
References
HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}\
HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\
HKLM\SOFTWARE\Wow6432Node\Classes\GenericAskToolbar.ToolbarWnd.1\
HKLM\SOFTWARE\Wow6432Node\Classes\GenericAskToolbar.ToolbarWnd\
HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}\
HKU\S-1-5-21-905213307-2693827331-2924149415-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}\
C:\Program Files (x86)\Ask.com\mupcfg.xml (AskBar) -> Deleted
C:\Program Files (x86)\Ask.com\precache.exe (AskBar) -> Deleted
Size . . . . . . . : 71.816 bytes
Age . . . . . . . : 359.0 days (2013-04-25 09:44:15)
Entropy . . . . . : 6.3
SHA-256 . . . . . : 4A343C9AAF47664B14C03AFB281C15F6705C6A750B59A6C578D712200A180F07
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : -9.0
C:\Program Files (x86)\Ask.com\SaUpdate.exe (AskBar) -> Deleted
Size . . . . . . . : 198.280 bytes
Age . . . . . . . : 359.0 days (2013-04-25 09:44:15)
Entropy . . . . . : 6.6
SHA-256 . . . . . : 7939C565BD4751048F57854DEE262D437E79B992EA05EE29D6111A39F7A7DAB7
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : -9.0
C:\Program Files (x86)\Ask.com\Updater\ (AskBar) -> Deleted
C:\Program Files (x86)\Ask.com\Updater\config.xml (AskBar) -> Deleted
C:\Program Files (x86)\Ask.com\Updater\Updater.exe (AskBar) -> Deleted
Size . . . . . . . : 1.646.216 bytes
Age . . . . . . . : 359.0 days (2013-04-25 09:44:14)
Entropy . . . . . : 6.1
SHA-256 . . . . . : 0CEEC40C38DEBE1012C6D9FD08FF648AD3AB8080B388E5B62A6946847A2BB243
Product . . . . . : Updater
Publisher . . . . : Ask
Description . . . : Ask Updater
Version . . . . . : 1.2.536191
Copyright . . . . : (c) Ask. All rights reserved.
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Running processes : 5180
Fuzzy . . . . . . : -17.0
C:\Program Files (x86)\Ask.com\UpdateTask.exe (AskBar) -> Deleted
Size . . . . . . . : 137.864 bytes
Age . . . . . . . : 359.0 days (2013-04-25 09:44:15)
Entropy . . . . . : 6.5
SHA-256 . . . . . : 727D5CF5392C6E53306C6029455EEAD2C45923010297958975700A17101698FE
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : -11.0
Startup
C:\Windows\system32\Tasks\Scheduled Update for Ask Toolbar
C:\Program Files (x86)\Conduit\ (Conduit) -> Deleted
C:\Program Files (x86)\Conduit\Community Alerts\ (Conduit) -> Deleted
C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll (Conduit) -> Deleted
Size . . . . . . . : 638.560 bytes
Age . . . . . . . : 651.7 days (2012-07-06 18:55:19)
Entropy . . . . . : 6.4
SHA-256 . . . . . : F22E58CDFE94D4A5FBBF2795A743B167ED9923E289E14654631E0077DD306C1D
Product . . . . . : Alert
Publisher . . . . : Conduit Ltd.
Description . . . : Alert
Version . . . . . : 1.1.4.1
Copyright . . . . : Copyright © Conduit Ltd. 2011.
RSA Key Size . . . : 1024
Authenticode . . . : Valid
Fuzzy . . . . . . : -15.0
C:\Program Files (x86)\DealPly\ (Delta Search) -> Deleted
C:\Program Files (x86)\DealPly\DealPlyTune.dll (Delta Search) -> Deleted
Size . . . . . . . : 71.272 bytes
Age . . . . . . . : 669.8 days (2012-06-18 14:22:21)
Entropy . . . . . : 6.4
SHA-256 . . . . . : CDF6791EEB0EE9FBC9BBA1E96694B708EC51F0B10B68941E96D62AB217F84D4C
Product . . . . . : DealPlyTune.dll
Publisher . . . . : DealPly Technologies Ltd.
Description . . . : http://www.dealply.com/
Version . . . . . : 1.0.0.1
Copyright . . . . : Copyright (C) 2011 DealPly Technologies Ltd.
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : -15.0
As you see several programs caused the problems
-
Thanks for updates.
As you can see... a lot of the troubles were about adware/riskware/toolbars, which are marked as "not-a-virus";
And F-Secure practically doesn't detect those files, because they are marked as "clean/legitimate programs" (a little bit sad about it);
But it detects any certainly malicious adware/riskware/toolbars/not safe (for user's data) etc.
The bad part is just the next points:
- some toolbars/riskware/adware (legitimate) can be worse for users than malware.
If the user wants to install it, all OK. The program will do what the user wants.
But there is some kind of "marketing" of those programs as "payload": the user just did not "uncheck" something in the installer for another program... and already has a lot of toolbars in the system or other kinds of protectors/guards (which are so related to big search/media companies);
DeltaSearch, OpenCandy and AskToolbar are some kind of already "known" mainstream in those situations... and it's a little bit sad... that F-Secure doesn't prevent that yet (because these programs did really trashy things with the system/registry).
If you can remember... which installers came with that (potential) "payload", you can transfer that sample to F-Secure SAS (service for analysis of samples) and ask "is that normal or not";
Just because the current samples... are mostly related to not good things in the system (including broken default settings);
-----------
But.... very important: possibly the current "samples" indeed were a "payload" in an installer for another program (uncheck the settings during installation and all is good with the system); or installed by a "service provider";
This is some kind of "normal" and close to "legitimate" process for most companies (but some of them detect those items as "not-a-virus" or include them in the PUPs/Riskware category);
And it's totally different from situations when:
- valid certs of any of those companies (because it's all SaaS relationships) are compromised;
like some "Xunlei Downloader", which was so famous for "malicious actions";
- the payload in the installer is indeed totally malicious;
That kind of "malware" F-Secure detects practically always. It's also related to "unknown" companies (which are the same as ask.com, but "unknown" so good).
Anyway, you are able to transfer any "samples" to F-Secure.... because:
- what if.. the current situation... is a "variant of compromised" and malicious items (not likely);
- what if F-Secure must detect that... and misses it for some reason.
----
As an example.. about the first item on your log list:
667985d140ff2e4ab20fdf12f1f5195693e0ab32318827d446ca182cc311f1ee - can be checked on virustotal.com
There it is practically visible.. that it is detected by some companies (and most of them with the category "toolbar"/"not-a-virus"/"generic-behavior-heur");
Except HitmanPro (just because it's close to a "trial program" or one you need to buy);
I can also still recommend the Online Scanner by NOD32: it detects practically most related "PUPs/Adware" and it's a good "help" too.
All other means: F-Secure is better or "in one line" with other companies (it means there cannot be a "greatest level up" if you use other scanners for detecting malicious items in the malicious sense);
-
As suspected your errors are threats. But as Ukko states most of these are PUPS/unwanted Toolbars/BHOs, which nearly all AVs including F-Secure are not too hot in detecting.
Although you now appear threat free I would carry out additional scans to make sure you have in fact detected all the threats.
1. Download AdwCleaner onto your desktop; http://www.bleepingcomputer.com/download/adwcleaner/ When the scan has finished, look through the scan results and uncheck any entries that you do not wish to remove. When you are satisfied with the selection, simply click on the Clean button, which will cause AdwCleaner to reboot your computer and remove the files and registry entries associated with the various adware that you are removing. On reboot, AdwCleaner will display a log showing the files, folders, and registry entries that were removed.
2. Download Junkware Removal Tool to your desktop and carry out a scan; http://www.bleepingcomputer.com/download/junkware-removal-tool/
3. Carry out another scan with Malwarebytes Anti-Malware; but if it detects any PUPS make sure that these are either checked for removal (MBAM v.1.75) or set for "Treat detections as malware" (MBAM v. 2). (Did you not try and remove these threats with MBAM first time round?).
In the future I would consider backing up F-Secure with MBAM/HitMan Pro and making sure you carry out regular Image backups of your system.
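Added example (not part of any post in this thread, and not HitmanPro's own tooling): a small Python triage of a log in the layout posted above, which separates PUP and "not-a-virus" traces from entries a vendor labels as malware and counts distinct products instead of individual files. The sample log, its paths and its detection names are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the posted log (paths and labels are made up).
SAMPLE_LOG = r"""
Malware _____________________________________________________________________
C:\ProgramData\ExampleCert\example.dll -> Quarantined
   > Kaspersky . . . . : not-a-virus:WebToolbar.Win32.Example.a
   Fuzzy . . . . . . : 106.0
C:\Users\demo\AppData\Local\Temp\dropper.exe -> Quarantined
   > Kaspersky . . . . : Trojan.Win32.Example.b
   Fuzzy . . . . . . : 100.0
Potential Unwanted Programs _________________________________________________
C:\Program Files (x86)\ExampleBar\ (ExampleBar) -> Deleted
C:\Program Files (x86)\ExampleBar\assets\a.png (ExampleBar) -> Deleted
C:\Program Files (x86)\ExampleBar\bar.dll (ExampleBar) -> Deleted
   Authenticode . . . : Valid
   Fuzzy . . . . . . : -17.0C:\Program Files (x86)\OtherBar\ (OtherBar) -> Deleted
"""

ITEM = re.compile(r"^(?P<path>[A-Z]:\\.*?)(?: \((?P<family>[^()]+)\))? -> (?P<action>\w+)$")
SECTION = re.compile(r"^(Malware|Potential Unwanted Programs) _+$")
VENDOR = re.compile(r"^> (?P<vendor>\w+)[ .]*: (?P<label>\S+)$")
# Pasting into a forum can glue records together ("...: -17.0C:\Program Files...").
FUSED = re.compile(r"(?<=\S)(?=[A-Z]:\\[^\n]*? -> \w+)")


def parse(text):
    """Return one dict per detected file or folder, in log order."""
    entries, section = [], None
    for line in FUSED.sub("\n", text).splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            section = m.group(1)
        elif m := ITEM.match(line):
            entries.append({**m.groupdict(), "section": section, "label": None})
        elif (m := VENDOR.match(line)) and entries:
            entries[-1]["label"] = m.group("label")  # attach to the preceding item
    return entries


def classify(entry):
    """'pup' for the PUP section or a not-a-virus label, else 'malware'/'unlabelled'."""
    label = entry["label"] or ""
    if entry["section"] == "Potential Unwanted Programs" or label.startswith("not-a-virus"):
        return "pup"
    return "malware" if label else "unlabelled"


def triage(text):
    """Count traces per class and list the distinct products behind them."""
    traces, products = Counter(), defaultdict(set)
    for e in parse(text):
        cls = classify(e)
        traces[cls] += 1
        products[cls].add(e["family"] or e["path"])
    return {"traces": dict(traces), "products": {k: sorted(v) for k, v in products.items()}}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Anything that ends up in the `malware` or `unlabelled` class is what deserves a second-opinion scan and a hash lookup; a large `pup` trace count usually collapses to a handful of bundled products.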