Standard User meditator
(fountain of knowledge) Thu 14-Jun-12 17:11:18

Is this due to a virus?

I'm running WinXP and, of late, my MS Security Essentials antimalware program often fails to start when I boot up. I've checked that the service in Windows actually runs at bootup and it does. The BITS service is also running, or at least that's what services.msc shows. I can fix it by stopping the msse service and then restarting it (running in automatic mode) but it's a fag to have to do that almost every time I boot the machine up.

Also, I always do my updates to Windows manually, and now at the WU website the latest updates have become unobtainable. WU shows them but when I try to look at the details of each one, I get:

Server Error 404 File or Directory Not Found.

Oddly, a few of last month's that I don't particularly want or need to have are available, as is also the latest Malicious Software checker.

I've done full scans of my machine with both MSSE and the monthly Malicious Software checker available via WU and it all seems okay.

Have I picked up a virus, or is this a case of MSSE and/or Windows having become corrupted? I did notice a 'funny' when I was downloading files from the WU website on the last occasion, that being that the Windows Firewall changed temporarily to Off halfway through one of the installs.

Googling for it has produced a whole mix of possible explanations. Luckily, I've a backup image of my system partition to revert to, if necessary.
Standard User Zadeks
(experienced) Thu 14-Jun-12 17:38:18

Re: Is this due to a virus?
[re: meditator]

Why patch Windows manually? Turn Auto Update on ASAP.
Standard User Pipexer
(eat-sleep-adslguide) Thu 14-Jun-12 18:28:09

Re: Is this due to a virus?
[re: meditator]

Could be a virus, it could just be other borked things with the system though.

Before going further is this the only security program you have installed?

Check the Windows event log and find out why Security Essentials is failing to start.

Also look in the event log for any other errors or strange events.

What I'd recommend doing

1) Download AVG free antivirus
2) Uninstall Security Essentials
3) Reboot
4) Install, update, and run AVG
5) If no Virus found, presume you don't have a virus.
6) Remove AVG
(run system temporarily without any antivirus)
7) Check DNS settings in case they have been changed
8) Check HOSTS file in c:\windows\system32\drivers\etc - open in notepad and make sure it's fairly empty
9) Delete temporary files
10) Update IE to IE8.
11) Uninstall any unnecessary/suspect programs
12) go into msconfig > startup tab > uncheck anything suspect
13) Restart computer
14) Try running Windows Update again, download the entire lot
15) If no joy, post here, post the results of a Hijack this! file here / If seems OK, reinstall security essentials

Zen 8000 Pro
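
Step 8 of the checklist above (the HOSTS file check) done by script rather than by eye, as an added example that is not part of the original post. The watched domain suffixes and the sample file contents are assumptions made for the illustration; only the file path comes from the post.

```python
import ipaddress

# Constructed sample: the localhost line mirrors a stock hosts file; every other
# entry is made up for this example (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.7     update.microsoft.com www.update.microsoft.com
127.0.0.1       download.windowsupdate.com
192.168.1.20    nas.home
not-an-ip       something
"""

# Assumption: domains worth singling out because the thread is about Windows
# Update and MSSE definition downloads failing. Extend to taste.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com")


def parse_hosts(text):
    """Yield (line_number, address_text, [hostnames]) for each active entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        yield lineno, fields[0], [h.lower().rstrip(".") for h in fields[1:]]


def is_watched(name):
    """True if the hostname is, or is a subdomain of, a watched suffix."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return (line_number, kind, address, hostname) for every entry that is
    not the default loopback mapping for localhost."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, "malformed", addr, " ".join(names)))
            continue
        for name in names:
            if name == "localhost" and ip.is_loopback:
                continue                      # the one entry a clean file has
            if not is_watched(name):
                kind = "extra-entry"
            elif ip.is_loopback or ip.is_unspecified:
                kind = "blocked-update-host"  # update host pointed at nothing
            else:
                kind = "redirected-update-host"
            findings.append((lineno, kind, addr, name))
    return findings


if __name__ == "__main__":
    import os
    path = r"c:\windows\system32\drivers\etc\hosts"   # path given in the post
    if os.path.exists(path):
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS                   # fall back to the constructed sample
    for lineno, kind, addr, name in audit_hosts(text):
        print(f"line {lineno}: {kind:<24} {name} -> {addr}")
```

An `extra-entry` finding is not a problem in itself (ad-blocking lists and local names are common); the two update-host kinds are the ones that would explain update or definition downloads failing.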


Standard User Pipexer
(eat-sleep-adslguide) Thu 14-Jun-12 18:29:05

Re: Is this due to a virus?
[re: Zadeks]

In reply to a post by Zadeks:
Why patch Windows manually? Turn Auto Update on ASAP.

Yes, even if temporarily, as the Windows Automatic Update engine in XP is different from how the web browser one behaves and if that is borked then Automatic Updates might continue to work fine.

Zen 8000 Pro
Standard User HTTP404
(newbie) Thu 14-Jun-12 19:30:43

Re: Is this due to a virus?
[re: meditator]

Are you running CCleaner ??

There is a known conflict - CCleaner can "accidentally" delete an MSE file and so stop it starting at the next boot up.

From the CCleaner start up screen, select applications and down at the bottom of the screen is a windows section. Make sure MS Antimalware is unchecked.

Just a thought.
Standard User Deadbeat
(knowledge is power) Thu 14-Jun-12 21:40:24

Re: Is this due to a virus?
[re: meditator]

Download, burn and boot from the Kaspersky Rescue Disk. Update the definitions and run a full scan.
Standard User mikebear
(learned) Thu 14-Jun-12 21:50:52

Re: Is this due to a virus?
[re: meditator]

I suggest you run this latest free AV from Sophos :- http://nakedsecurity.sophos.com/2012/06/13/do-not-pu...

It's not quick but is considered very thorough.

You should not have to modify any of your existing programs.
Standard User cheshire_man
(knowledge is power) Thu 14-Jun-12 21:58:52

Re: Is this due to a virus?
[re: meditator]

Is MSE failing to start, or is it just the tray icon not appearing?

I seem to recall that the icon can sometimes not be displayed even when MSE is actually running.

Tony
Standard User Deadbeat
(knowledge is power) Fri 15-Jun-12 12:29:10

Re: Is this due to a virus?
[re: mikebear]

Sophos would need to have improved vastly over the last couple of months before I could recommend it. High levels of FP's coupled with average retrospective results don't do it for me.
Besides which, installing an AV on a possibly already infected system is not advisable as many trojans and rootkits will immediately disable it but allow it to throw clean results. The Kaspersky disk that I pointed to scans entirely offline and so can't (As yet anyway) be affected by resident malware.

The Falcon4 UBCD contains amongst many other utilities, an offline and updateable version of SuperAntispyware. This is also well worth keeping in the toolbox.
Standard User meditator
(fountain of knowledge) Fri 15-Jun-12 13:21:13

Re: Is this due to a virus?
[re: Deadbeat]

I'm grateful for all the suggestions but I wish individuals would stick to the question I've actually posed - Is that particular error message an indication of a virus infection? Diving off into all sorts of criticisms of the way I operate and giving all sorts of suggestions for alternative antivirus apps isn't actually going to help me with the problem in hand. Believe me, I've been through many antivirus programs and firewalls in my time and I'm not going to change again.

Following system bootup, the MSSE icon in the systray now invariably shows as red (disabled). Indeed, if I then open MSSE, I can do nothing with it at all. The MSSE service is running - or at least apparently so, at that point - and I can correct the icon and re-enable MSSE by stopping the service then restarting it.

With the Windows Update service, I can get in to the service and the website lists to me its recommended updates based on a scan of my machine and normally I can click on the details of each and find out whether there are any potential issues with any of them before I download them (as indeed occasionally there are, if only some of you really knew), but now when I do that I get the aforementioned error message.

I strongly suspect that the malfunctioning of MSSE and the WU website are linked. Either I've picked up a virus or conceivably one or more control files common to both of them have become lost or damaged. Since posting this query I've in fact checked the respective dates of when I recall one of the MSSE downloads only half working and then me having to abort it, and the date when a crucial server in my ISP's network endured a sustained DoS attack and completely crashed. The attack caused strange up/down status of the Internet, seen from my and other users' end. The Internet was then completely unavailable to me for over 24 hrs. They're the same dates. The ISP has since apologised for the havoc and loss of service that was caused.

Although MSSE and WU have their own separate installers, it might well be that the aborting action I performed - the MSSE definition download started but never completed when the Internet connection (beyond the exchange) failed - caused a corruption of MSSE. I first began noticing the systray icon anomaly a day or so after. Normally, due to the way in which apps and utilities load at bootup, MSSE is momentarily disabled at bootup but then becomes enabled.

I'll give WU another quick try but I think my best recourse will be to restore from a partition backup that I keep. Thanks for your indulgences in this.
Standard User cheshire_man
(knowledge is power) Fri 15-Jun-12 16:25:35

Re: Is this due to a virus?
[re: meditator]

One thought. Have you tried uninstalling and re-installing MSE? Not only would that (hopefully) sort out any possible corruption of MSE files but also cause it to fully update itself to the latest state. I recall on my XP desktop occasionally MSE would play silly whats-its and the only way I could sort it was to remove and reinstate.

Might be worth a go.

Tony
Standard User Deadbeat
(knowledge is power) Fri 15-Jun-12 17:24:02

Re: Is this due to a virus?
[re: meditator]

My reply re Sophos was not aimed at you!! Also, my suggestion re Kaspersky and Superantispyware are not alternatives - They are non installable offline scanners which are used to check if you are infected or not, thus answering your original question.
Standard User Pipexer
(eat-sleep-adslguide) Fri 15-Jun-12 18:08:17

Re: Is this due to a virus?
[re: meditator]

You're going about your problem solving the wrong way though, there is no point in speculating because you don't know, otherwise you would have fixed it and wouldn't be asking here. I suggested you check the Windows event log, have you? It might tell you why the services are starting disabled. Have you posted a hijack this log?

Unfortunately we can't give you an accurate answer as to whether it's a virus from your description, there simply isn't enough information available.

Does following my advice really hurt? Nope, probably would take about half an hour (excluding running a scan with AVG), and it's worth a go because you have run out of options!

I don't think your ISP has anything to do with the issues.

Zen 8000 Pro
Standard User XRaySpeX
(eat-sleep-adslguide) Fri 15-Jun-12 18:27:05

Re: Is this due to a virus?
[re: meditator]

In reply to a post by meditator:
Is that particular error message an indication of a virus infection?
Of course not! It is far too general. It could mean that there is something wrong with the WU server, as it states, but that is unlikely when the rest of us don't get it. I'd suspect corruption of your own PC way before a virus.

I'd completely uninstall and reinstall MSSE if I were you.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 19 Meg WBC
Administrator MrSaffron
(staff) Mon 18-Jun-12 14:57:41

Re: Is this due to a virus?
[re: XRaySpeX]

MSE underwent an upgrade to version 4 (check number as going from memory) and this resulted in various bits not working, and updates not patching. Turned out that MSE had failed to upgrade itself, and an uninstall and manual install downloading the new version from the MS website cured things.

Things like the firewall switching off seem to be what happens when the MSE suite is updating various components, and you see the service statuses altering.

Andrew Ferguson, [email protected]
www.thinkbroadband.com - formerly known as ADSLguide.org.uk
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
Standard User meditator
(fountain of knowledge) Wed 20-Jun-12 15:41:18

Re: Is this due to a virus?
[re: MrSaffron]

Many thanks for all your inputs to this issue. Sorry I've not responded for some time, as I've been busy with many other, non-computing jobs, as well as spending a lot of time going through many backups of mine to look for clues.

MrSaffron, thanks for what looks like a vital piece of information about MSSE. What you've stated does fit with what I'm currently experiencing in a backup of my system dated 19th April. That's to say, MSSE starts properly in the enabled state when the program's opened. For that date, MSSE comprised Security Essentials v.2.1.1116.0 and Antimalware v.3.0.8402. Do you happen to know the date on which the failure to upgrade occurred?

Given that Microsoft has presumably been aware of this issue, one would have thought that they could simply have cured the problem in a subsequent download. Hmm, looks like my best bet will be to eliminate MSSE and then download the new version from the Microsoft website.

There was the other problem as well, though - the anomaly with Windows Update. I normally perform updates to WinXP manually, going through the Start/Windows Update route. (There are many reasons for choosing to update Windows by this method, rather too numerous to go into here). At the WU website, the scanning of my PC is performed and the page then lists all available relevant downloads. I then look at the details of each individual update before adding it to the list for download. By 'details' I don't just mean the summary details on that page, I mean the details you're taken to (usually an MS Technet page) when you click on the specific Details link given there. The details will describe any potential malfunctions due to hardware/software incompatibilities, Registry mods required, etc.

What's not happening is that the Details pages are not appearing. WU gives the link, but when I click on the link I get the error message I described earlier, namely:

Server Error
404 - File or Directory Not Found.
The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.


I've restored successive backups going back to mid-March and have exercised the WU website in this way for each one and, oddly, what I've been finding is that even with the oldest backups, the Details webpages will not appear. However, the Details pages of some much earlier updates which I'd previously declined to download will appear. So, it's not consistent. Also, I'm sure that during that three-month period I never experienced this problem; it was only when I went to do this month's updates that I encountered it.

In fact, I'm wondering whether, for some strange reason, Microsoft has now decided not to present any Details webpages anymore. Of course, it's difficult to be certain about this, as I'm looking back several months and it might be that Microsoft made a policy change on this just last month, say.

I would ask you all to try this for yourself, but with many if not all of you using Automatic Update and therefore not being aware that detailed information about each individual download is provided in a link at the WU website, I don't suppose you'd want to mess too much with WU, and possibly you'd find no updates for downloading manually anyway.

But what makes this odd is that although the Details webpages won't appear, the individual update itself downloads okay. I've tried it and checked afterward. Thus, at a pinch, I could continue by not seeing the details each month, but it would mean that I couldn't discriminate between a 'no known issues' download and a more risky one.

If instead this problem with WU has been caused by a corruption of the updating process - and there's been plenty of scope for that in the last few months, with a power blackout, two instances of ISP server catastrophically failing, and my router starting to malfunction (now replaced by a new and better one) - I could restore my system to an early-March position, say, in the hope of getting to a good state again, but the rub would be that there'd be lots of subsequent work in reinstalling all my other software.

If there really is a genuine problem with this feature in WU, then it'd help if Microsoft could let us all know. But I guess that, with the majority of people using Automatic Updates instead, the chances of anyone flagging up the problem, if indeed real, are small. This is why my initial question was asking if anyone had come across this, or whether any recent viruses are known to disable this aspect of WU.

Addendum: Perhaps an important factor in this is that I'm using IE7, not IE8. I tried IE8 quite some time ago but found its user interface less good than IE7's. With my eyesight not being great these days, IE8's changes to the sizes and appearances of text were, for me, detrimental, so I changed back to IE7. It's conceivable that Microsoft have recently started making changes and imposing limitations on Windows updates that use IE7, on the basis that IE7 is considered by most to be obsolete now.

MrSaffron, returning to the matter of MSSE, do you happen to know whether uninstalling it is a clean affair, or is it the usual case of having to mop up the remnants that are left, including perhaps some Windows Registry entries?

Edited by meditator (Wed 20-Jun-12 19:32:16)

Administrator MrSaffron
(staff) Tue 26-Jun-12 09:31:18

Re: Is this due to a virus?
[re: meditator]

On the MSSE I resolved it by returning to a previous restore point, i.e. one just before the upgrade happened. Then uninstalled MSSE, and installed the new version.

All done remotely over the internet amazingly.

Standard User meditator
(fountain of knowledge) Tue 26-Jun-12 11:43:04

Re: Is this due to a virus?
[re: MrSaffron]

Thanks, MrSaffron.

Yes, although it's taken you a little time to catch up on this issue, I'm pleased to say that I've in the meantime managed to solve both of the problems. Your earlier mention of the faulty program update to MSSE was certainly key in sorting out that particular bug.

Just to remind you, the two problems were: (i) At system boot-up, MSSE being disabled; (ii) a batch of updates to WinXP at the WU website no longer displaying their Details via the hyperlinks there.

Like you, MrSaffron, I found a backup of my system where the MSSE was still enabled at boot-up. However, that merely left MSSE as v2, and I could see that the KB2691905 program update for MSSE - which apparently has been the cause of various recent problems with MSSE - was, for my machine, pending at the WU website. So I took your advice and, with careful preparation, uninstalled my v2 MSSE (using Add/Remove Programs). This went without a hitch. Having already downloaded the newer v4 of the program (mseinstall.exe), I was then able to reinstall it. I then fetched the latest definitions, configured it and ran a quick scan. All appears to now work, but I suppose time will tell.

The second problem, concerning access at the WU website to the detailed information about each individual Windows update, turned out to be caused by Microsoft having moved the locations of a whole batch of details. I perform my Windows updates manually and whilst I'd found that the details of newer updates offered to me at the WU website were accessible by their respective links, all those associated with earlier updates (going back just a few months) simply weren't displayable any more and instead I kept getting the 404 error message whenever I tried. Using each KB no. and Google Search, however, I finally found the current locations and so was able to read the information and decide whether to download and install or not. I suppose it's conceivable that with me using IE7 and that particular batch of Windows updates being up to three months old, some overzealous person at Microsoft had decided to in effect archive the details, but then not give any clue as to where to subsequently find them.
Standard User Pipexer
(eat-sleep-adslguide) Tue 26-Jun-12 16:52:34

Re: Is this due to a virus?
[re: meditator]

So my initial suggestion to uninstall and reinstall security essentials (effectively) which you dismissed turned out to fix it.

And the 2nd problem would probably have been fixed by letting Automatic updates remediate the inconsistencies, as suggested.

Interesting.

Zen 8000 Pro
Standard User meditator
(fountain of knowledge) Thu 28-Jun-12 10:14:17

Re: Is this due to a virus?
[re: Pipexer]

MrSaffron et al,

It looks like the reinstall of MSSE doesn't cure the non-start of it. Having reinstalled MSSE, mine started okay for several days following, but just this morning it was back to its old way again. A reboot and it was okay again.

So it appears that uninstalling the old version and installing the latest v4 does not fully sort this problem out. The non-starting of MSSE seems to be a random affair.

With specifically this MSSE issue, I'm not getting any error messages, BTW. And I'm able to say that the old version uninstalled cleanly via Add/Remove Programs; I checked for the requisite Keys in the Registry after uninstalling it.
Standard User Pipexer
(eat-sleep-adslguide) Thu 28-Jun-12 17:09:12

Re: Is this due to a virus?
[re: meditator]

Check the windows event log and it may contain a clue as to why the service is failing to start. Something is not quite right with your OS installation because those two problems I've never run into before.

Zen 8000 Pro
Standard User meditator
(fountain of knowledge) Fri 29-Jun-12 11:01:10

Re: Is this due to a virus?
[re: Pipexer]

I had a look at Event Viewer a week or more ago and though there were some MSSE-related entries they were somewhat cryptic and so it got me nowhere. Since then, anyway, I've completely removed MSSE and reinstalled it, so a few days ago when I did that I should have ended up with a completely new and clean MSSE. But, as I've pointed out, it's still misbehaving, ie. sometimes when I boot up it's automatically enabled but on other bootup occasions it's disabled.

I've been using MSSE for a few years now and this is the first time I've ever had any trouble with it. I've not recently added any new apps or seriously modified anything. Have just been happily updating the defs day to day. Never had an error message flash onscreen. As I pointed out earlier in my submission, I can work around the problem and in all other respects MSSE seems to still function okay. It's just this booting-up annoyance that's there.

Anyway, looking again a moment ago at Event viewer, there are, as before, some entries relating to MSSE. These are what I found:-

Application -

MPSampleSubmission Error (Event ID 1001).
EventType mptelemetry, P1 80240022, P2 processdownload results, P3 download ..... P10NIL.

Microsoft Security Client (Event 101001).
The description for Event 101001 in Source (Microsoft Services Client) cannot be found. The local computer may not have the necessary registry info or message DLL files to display messages from a remote computer .......... 0x80040154.

Security -

Failure Audit (Event ID 615).
Policy change.
IPSec services failed to get the complete list of the network interfaces on the machine.

System -

MS Antimalware (Event ID 2001).
MS Antimalware has encountered an error trying to update signatures.
New signature version:
Previous signature version: 0.0.0.0

MS Antimalware has encountered an error trying to update signatures.
New signature version:
Previous signature version: 1.129.379.0

I suspect that the last two System ones are false positives, since their dates correspond to the time when I was installing the fresh version of MSSE. So, I think those two occurred because when MSSE finished installing itself, it automatically tried to get further updates from Microsoft but couldn't because I'd disabled the Ethernet connection. Instead, it got them a few moments later. ID615 was probably also caused by that, but again was of no consequence because MSSE would have just performed the action later instead.

The two Application entries are maybe the more worrying, in the sense of understanding them and of finding a way to correct the matter. I think MPSample Submission may have some relation to Windows's Scheduled Tasks, as in the version of MSSE that I had previously, it put a task with a name similar to that into Scheduled Tasks.

Looking a lot further back in Event Viewer, I can see that some similar things were logged by Windows back in mid-March, which was at the time that I was completing a new install of my operating system and my apps on a new hard drive. But a lot of water's passed under the bridge since then, and there's been the addition of numerous Windows updates since then as well. The potential for the corruption or loss of the odd file or two must be quite high.

It wasn't until about a week ago that I first noticed that the MSSE systray icon remained in the red state after bootup, so I've presumed something must have happened relatively recently that's caused MSSE to malfunction in this way. And given that I've not added any programs or utilities or made any other significant changes to my system since March, this must be down to either an MSSE or a Windows update (unless it's being caused by a configuration setting somewhere).

Sequel: I've now done a bit more experimenting. What I've now observed is that the event error that gets generated so as to cause MSSE to be initially disabled is Failure Audit 615, where IPSec services fails to get the complete list. I've followed a link that the Event Viewer gave for this, only to find that there's no Microsoft information about it.

Edited by meditator (Fri 29-Jun-12 18:46:16)

Standard User Guest_Again
(legend) Wed 22-Aug-12 17:51:00

Re: Is this due to a virus?
[re: Pipexer]

You forgot another option, Pipexer!

16) Buy a Mac / iMac / MacBook / MBP, etc... ;)

Standard User Pipexer
(eat-sleep-adslguide) Wed 22-Aug-12 19:43:58

Re: Is this due to a virus?
[re: Guest_Again]

A poor idea; I don't recommend it. :P

Zen 8000 Pro