need a little help

Hi,

Got a client's PC that I cleaned, first with the Microsoft Security Essentials offline scanner and next Malwarebytes. It found a lot and I deleted it, but I think there is still something left, because I'm not able to run Windows Defender and Microsoft Security Essentials, and the solution center is disabled a few seconds after I try to start it.

I did run a Hijackthis, and have attached the log.

BR
John B.

Hi there, HijackThis does not give sufficient data for modern malware.

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

THEN

Download aswMBR.exe (4.5 MB) to your desktop.
Double click aswMBR.exe to run it, then click the "Scan" button to start the scan.

https://dl.dropboxusercontent.com/u/73555776/AswMBR%20scan.JPG

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

Hi,

Hereby the requested log files.

BR
John B.

OK, this is a ZeroAccess infection.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Download the attached Fix.txt to your desktop
Run OTL and press Run Fix
A dialogue will open asking for the location of fix.txt
Navigate to and select the text file you downloaded
Press Run Fix again
OTL will now run and then reboot

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

AND FINALLY

Please download Junkware Removal Tool to your desktop.

[*]Right-mouse click JRT.exe and select "Run as Administrator"; the tool will open and start scanning your system.
[*]Please be patient, as this can take a while to complete depending on your system's specifications.
[*]On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
[*]Post the contents of JRT.txt into your next message.

Hi,

Second round of requested log files.

BR
John B.

Could you now check MSES and Defender please to confirm that they are running and updating? Also, are there any other apparent problems?

I'm still not able to run Windows Defender and Microsoft Security Essentials, and the solution center is still disabled a few seconds after I try to start it.

OK, let's check out the services. A fresh OTL run will let me see.

[*]Run OTL.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open one notepad window.
[*]Attach this log.
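An added diagnostic, not part of the thread, that can be run beside the OTL log: a PowerShell check of the three services behind the symptoms described above (Security Center stopping seconds after it starts, Defender and MSE not running). The service names wscsvc, WinDefend and MsMpSvc are assumed for Windows 7.

```powershell
# Added example (not from the thread). Service names assumed for Windows 7:
# wscsvc = Security Center ("solution center" above), WinDefend = Windows
# Defender, MsMpSvc = Microsoft Antimalware Service (Security Essentials)
$services = @{
    'wscsvc'    = 'Security Center'
    'WinDefend' = 'Windows Defender'
    'MsMpSvc'   = 'Microsoft Security Essentials'
}
function Get-SecurityServiceState {
    foreach ($name in $services.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            "{0} ({1}): service not present" -f $services[$name], $name
            continue
        }
        # Start type and image path live under the service's registry key;
        # Start 2 = Automatic, 3 = Manual, 4 = Disabled
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $start = switch ($props.Start) {
            2 { 'Automatic' } 3 { 'Manual' } 4 { 'Disabled' }
            default { "Unknown ($($props.Start))" }
        }
        # A restrictive ACL on the key blocks repairs and service control
        $acl = (Get-Acl -Path $key -ErrorAction SilentlyContinue).AccessToString
        "{0} ({1}): status={2}, start={3}, image={4}" -f `
            $services[$name], $name, $svc.Status, $start, $props.ImagePath
        "    ACL: $acl"
    }
}
# Try to start Security Center, then re-check it over the following seconds:
# the thread reports it being stopped again shortly after it starts.
function Test-SecurityCenterStaysUp {
    $svc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
    if (-not $svc) { return 'wscsvc not present' }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name wscsvc -ErrorAction SilentlyContinue
    }
    foreach ($i in 1..6) {
        Start-Sleep -Seconds 5
        $status = (Get-Service -Name wscsvc).Status
        "after {0}s: {1}" -f ($i * 5), $status
        if ($status -ne 'Running') { return 'wscsvc stopped again' }
    }
    return 'wscsvc stayed running'
}
Get-SecurityServiceState
Test-SecurityCenterStaysUp
```

Run it from an elevated PowerShell prompt; a service reported as Disabled or with an unexpected image path, or wscsvc stopping again within the 30-second window, points at what is still interfering.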

Hi,

here is the second OTL run.

BR
John B.

Could you run this small programme to reset MSES to default? http://www.thewindowsclub.com/repair-microsoft-security-essentials-with-fix-mse-utility

Have you run SFC, as the files and registry entries are reporting correct for the solution centre?

Hi,

The MSE fix utility says that MSE is not found on the system, but I know it is there.

I did run the Tweaking.com repair tool before we started all this; is that a problem?

Probably not, as I find Windows All in One Repair a good tool. Is this an updated XP/Vista to Windows 7?

Checking out possible solutions to the action centre at the moment.

In that case MSES has been damaged beyond repair, so either a fresh install or an over-the-top install should cure that.

It is a fully updated Windows 7 32-bit Danish.

It was just that there was an AppData loop that is normally apparent in upgraded systems rather than clean installs … No problem, I was just curious :)

;)

Hi,

Just found out that reinstalling MSE didn't help.
Also found out that I'm able to run MSE under fail safe mode, so now I'm sure there is something left preventing the security center from running as it should.

BR
John B.

That it runs in safe but not normal mode suggests some form of conflict.

Could you set the system to clean boot and let me know if MSE runs in normal mode then?

Next we will check for driver conflicts.

Step 1: Start MSConfig

Click Start, type msconfig in the Start Search box, and then press ENTER.
If you are prompted for an administrator password or for a confirmation, type the password, or provide confirmation.

Step 2: Configure Selective Startup options

1. In the System Configuration Utility dialog box, click Selective Startup on the General tab.

https://dl.dropbox.com/u/73555776/Cleanboot1.JPG

2. Click to clear the Load Startup Items check box.
Note: The Use Original Boot.ini check box is unavailable.

3. Click the Services tab.

https://dl.dropbox.com/u/73555776/cleanboot2.JPG

4. Click to select the Hide All Microsoft Services check box.
5. Click Disable All, and then click OK.
6. When you are prompted, click Restart.

Once back in Windows, does the problem still occur with MSE and the security centre?

Just found out that it already was in selective startup mode, so all the scans we did were run in this mode. Problem?

BR
John B.

Nope, no problem. In that case could you run a fresh OTL scan with all users selected, but no script required.

The OTL log from the newest scan.

BR
John B.