Windows Firewall, Defender, & Security Service Disabled by Virus



Okay, so yesterday I unknowingly installed a virus onto my computer... This virus wouldn't allow me to delete it or anything... If I tried, it would say "explorer.exe crashed" or something like that... I ended up using a program called Unlocker to delete it and then I scanned my computer twice with Malwarebytes, AVG, and Trend Micro HouseCall. I am fairly confident the virus is removed now, but what it left me with is very frustrating =( ...

 

Now that the virus is gone I am left with some very concerning problems:

 

1. My Windows Firewall cannot be enabled; if I try to access it my PC says:

 

"There was an error opening the Windows Firewall with Advanced Security snap-in". "The Windows Firewall with Advanced Security snap-in failed to load. Restart the Windows Firewall service on the computer that you are managing. Error code: 0x6D9".

 

If I go to services.msc the "Windows Firewall" service isn't even listed on the page.

 

2. My Windows Defender cannot be started/found.


 

3. There is a problem in Windows Action Center.


 

Now there may be other issues but I am unsure if there are... If someone can please help me out with this it would be very appreciated!

 

If you would like a link to the download page of the virus I could give it to you as it is a RAR file but it will give you a VIRUS so.... I don't think that is such a great idea... Oh and I heard about a program called Sandboxie which I guess I will be using from now on if I ever install anything...


Run the following:

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Next,

 

Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.

Make sure the following options are checked:

 


  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

 


Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run from.
Please copy and paste the log into your reply.

 

Kevin...
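As an added example (not part of Kevin's post and not code from the Farbar tools), the PowerShell script below reports the same Windows security services that Farbar Service Scanner checks. It reads each service's registry key under HKLM\SYSTEM\CurrentControlSet\Services and the Service Control Manager, so it can tell a service whose definition has been deleted (the "Windows Firewall isn't even listed in services.msc" case from the first post) apart from one that is merely stopped or disabled. The service short names (BFE, MpsSvc, WinDefend, wscsvc, wuauserv, VSS, swprv) are the standard Windows 7 names; everything else in the script is my own. It is read-only and is meant to be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread or the Farbar tools): report the state of the
# Windows security services that Farbar Service Scanner covers, and tell a deleted
# service apart from one that is merely stopped or disabled. Read-only.
# Written for Windows 7 / PowerShell 2.0, so no [ordered] or .Target shortcuts.

$checks = @(
    @{ Name = 'BFE';       Purpose = 'Base Filtering Engine (Windows Firewall depends on it)' },
    @{ Name = 'MpsSvc';    Purpose = 'Windows Firewall' },
    @{ Name = 'WinDefend'; Purpose = 'Windows Defender' },
    @{ Name = 'wscsvc';    Purpose = 'Security Center / Action Center' },
    @{ Name = 'wuauserv';  Purpose = 'Windows Update' },
    @{ Name = 'VSS';       Purpose = 'Volume Shadow Copy (System Restore depends on it)' },
    @{ Name = 'swprv';     Purpose = 'Microsoft Software Shadow Copy Provider' }
)

# Values of the "Start" registry value for a service.
$startTypes = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-SecurityServiceState {
    param([string]$Name, [string]$Purpose)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $result = New-Object PSObject -Property @{
        Service = $Name; Purpose = $Purpose; Status = 'n/a'
        StartType = 'n/a'; Binary = 'n/a'; Verdict = ''
    }

    if (-not (Test-Path $key)) {
        # No registry key at all: the service definition itself is gone, which is
        # why the service does not show up in services.msc. Only reinstalling the
        # service (or restoring the key from a known-good copy of the same Windows
        # build) brings it back; starting it is not possible.
        $result.Verdict = 'MISSING - service registry key deleted'
        return $result
    }

    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props.Start -ne $null -and $startTypes.ContainsKey([int]$props.Start)) {
        $result.StartType = $startTypes[[int]$props.Start]
    }
    # Most of these services run inside svchost.exe; the real code is the DLL
    # named by ServiceDll under the Parameters subkey, so report that when present.
    $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $result.Binary = $dll } elseif ($props.ImagePath) { $result.Binary = $props.ImagePath }
    if ($svc) { $result.Status = $svc.Status }

    if (-not $svc) {
        $result.Verdict = 'KEY PRESENT but not registered with the SCM - inspect the key contents'
    } elseif ($result.StartType -eq 'Disabled') {
        $result.Verdict = 'DISABLED - re-enable in services.msc or with sc config'
    } elseif ($svc.Status -ne 'Running' -and $result.StartType -eq 'Automatic') {
        $result.Verdict = 'STOPPED although Automatic - start it and check the System event log'
    } else {
        $result.Verdict = 'OK'
    }
    return $result
}

$report = foreach ($c in $checks) { Get-SecurityServiceState -Name $c.Name -Purpose $c.Purpose }
$report | Format-Table Service, Status, StartType, Verdict -AutoSize
$report | Format-List Service, Purpose, Binary

# The firewall service can be running while every profile is switched off, so
# also show the per-profile state (netsh is the built-in tool for this).
netsh advfirewall show allprofiles state
```

A service whose key is missing cannot be fixed by "Restart the Windows Firewall service" as the 0x6D9 error text suggests; that is the case where a tool that rebuilds the service definition, or System Restore to a point before the infection (which is what eventually worked in this thread), is the realistic path.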


Yes, run FRST, run a Quick scan with Malwarebytes first, post those logs.... If logs are clean we can close out your thread...

Okay, I have all 4 log files attached. I took a look at them and I could see that Windows Defender says it is not working apparently... Idk if it has always been like this but I am pretty sure it is supposed to work?


You are running an illegal program on your system originally designed to crack Microsoft Office; we can offer no further help.

 

2013-09-17 23:42 - 2013-10-03 12:24 - 00000000 ____D C:\Windows\AutoKMS

 

Please read the following stickie regarding piracy: http://forums.malwarebytes.org/index.php?showtopic=97700

Seriously, I have never heard of AutoKMS before.... I can delete it if it means you can help me.. All I really wanted to know was if my PC is virus infected or not still and why my Windows Defender says it's broke??? And that also explains why Microsoft Office never expires lol... I knew something must've been up with that...


Okay... well, if there is nothing that can be done for now then we are done for now, cuz I did solve my issue with the firewall thing and the other stuff cuz of System Restore... Thank you for your help so far though! I wouldn't know even where to begin... never used that Farbar thing before...


Hello Radical924,

 

Have you deleted the folder C:\Windows\AutoKMS ?

  • Please download CKScanner from >>Here<<
  • Important: - Save it to your desktop.
  • Right-click CKScanner.exe & select Run as administrator to start.
  • Then click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved. Please run the program only once.
  • Copy/paste the contents of CKFiles.txt in your next reply.
We cannot help you further as long as pirated software is on this box.


Yup just deleted the folder and the task scheduler task... It said it never ran before lol... So idk where it came from but doesn't matter now it's gone...

Below are the contents of CKFiles.txt:

CKScanner 2.4 - Additional Security Risks - These are not necessarily bad
c:\program files\autodesk\3ds max 2013\maps\substance\textures\cracked_plaster.sbsar
c:\program files\comicrack\changes.txt
c:\program files\comicrack\comicrack.engine.display.forms.dll
c:\program files\comicrack\comicrack.engine.dll
c:\program files\comicrack\comicrack.exe
c:\program files\comicrack\comicrack.exe.config
c:\program files\comicrack\comicrack.ini
c:\program files\comicrack\comicrack.plugins.dll
c:\program files\comicrack\comicrack.url
c:\program files\comicrack\cyo.common.dll
c:\program files\comicrack\cyo.common.presentation.dll
c:\program files\comicrack\cyo.common.windows.dll
c:\program files\comicrack\defaultlists.txt
c:\program files\comicrack\icsharpcode.sharpziplib.dll
c:\program files\comicrack\ironpython.dll
c:\program files\comicrack\ironpython.modules.dll
c:\program files\comicrack\license.txt
c:\program files\comicrack\microsoft.dynamic.dll
c:\program files\comicrack\microsoft.scripting.dll
c:\program files\comicrack\microsoft.scripting.metadata.dll
c:\program files\comicrack\microsoft.windowsapicodepack.dll
c:\program files\comicrack\microsoft.windowsapicodepack.shell.dll
c:\program files\comicrack\mysql.data.dll
c:\program files\comicrack\newstemplate.html
c:\program files\comicrack\readme.txt
c:\program files\comicrack\sharpcompress.dll
c:\program files\comicrack\sharppdf.dll
c:\program files\comicrack\tao.opengl.dll
c:\program files\comicrack\tao.platform.windows.dll
c:\program files\comicrack\uninst.exe
c:\program files\comicrack\windows7.multitouch.dll
c:\program files\comicrack\help\comicrack introduction.djvu
c:\program files\comicrack\help\comicrack introduction.djvu.xml
c:\program files\comicrack\help\comicrack online manual.ini
c:\program files\comicrack\help\comicrack wiki.ini
c:\program files\comicrack\help\readme.txt
c:\program files\comicrack\languages\cs-cz.zip
c:\program files\comicrack\languages\de.zip
c:\program files\comicrack\languages\el-gr.zip
c:\program files\comicrack\languages\es.zip
c:\program files\comicrack\languages\fi.zip
c:\program files\comicrack\languages\fr.zip
c:\program files\comicrack\languages\hr.zip
c:\program files\comicrack\languages\hu.zip
c:\program files\comicrack\languages\it.zip
c:\program files\comicrack\languages\ja.zip
c:\program files\comicrack\languages\nl-be.zip
c:\program files\comicrack\languages\pl.zip
c:\program files\comicrack\languages\pt-br.zip
c:\program files\comicrack\languages\ru.zip
c:\program files\comicrack\languages\sk-sk.zip
c:\program files\comicrack\languages\tr.zip
c:\program files\comicrack\languages\zh-cn.zip
c:\program files\comicrack\languages\zh-hans.zip
c:\program files\comicrack\languages\zh.zip
c:\program files\comicrack\resources\7z.dll
c:\program files\comicrack\resources\7z.exe
c:\program files\comicrack\resources\7z64.dll
c:\program files\comicrack\resources\c44.exe
c:\program files\comicrack\resources\ddjvu.exe
c:\program files\comicrack\resources\djvm.exe
c:\program files\comicrack\resources\libdjvulibre.dll
c:\program files\comicrack\resources\libjpeg.dll
c:\program files\comicrack\resources\libtiff.dll
c:\program files\comicrack\resources\libz.dll
c:\program files\comicrack\resources\icons\ageratings.zip
c:\program files\comicrack\resources\icons\ageratings_australia.zip
c:\program files\comicrack\resources\icons\formats.zip
c:\program files\comicrack\resources\icons\publishers.zip
c:\program files\comicrack\resources\icons\special.zip
c:\program files\comicrack\scripts\autonumber.py
c:\program files\comicrack\scripts\commitproposed.py
c:\program files\comicrack\scripts\newcomics.py
c:\program files\comicrack\scripts\otherscripts.py
c:\program files\comicrack\scripts\package.ini
c:\program files\comicrack\scripts\sample.py
c:\program files\comicrack\scripts\sample.xml
c:\program files\comicrack\scripts\searchandreplace.py
c:\program files (x86)\microsoft directx sdk (june 2010)\samples\c++\direct3d\uvatlas\crackdecl.cpp
c:\program files (x86)\microsoft directx sdk (june 2010)\samples\c++\direct3d\uvatlas\crackdecl.h
scanner sequence 3.ZZ.11.TKAPJ0
----- EOF -----

Thanks for the logs, ok we can continue:

 

Let me know how the system is responding, and if there are any remaining issues or concerns...

 

Next,

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Next,

 

Please download RogueKiller from here:

 

http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe  <- 32 bit version

 

http://www.sur-la-toile.com/RogueKiller/RogueKillerX64.exe  <- 64 bit version


  • Make sure to get the correct version for your system.
  • Quit all running programs
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista/Seven, right-click -> Run as administrator; for XP simply run RogueKiller.exe
  • Wait until Prescan has finished...
  • The following EULA will appear, please select accept
  • Ensure MBR scan, Check faked and AntiRootkit are checked
  • Select Scan
  • When the scan completes select Report, copy and paste that to your reply.
  • The log should be found in RKreport[?].txt on your Desktop
  • Exit/Close RogueKiller

Post those logs...

Okay, here is the RogueKiller log... It mentioned something about "Zero Access" and linked me to a webpage: http://www.adlice.com/zeroaccess-removal-with-roguekiller/ Also, I already posted the other 2 logs before lol... I still have them saved if you still need them.

RogueKiller V8.7.1 _x64_ [Oct  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : ******* [Admin rights]
Mode : Scan -- Date : 10/05/2013 15:03:15
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][ROGUE ST] HKUS\.DEFAULT\[...]\Run : 20090604 (C:\Program Files (x86)\Encore\Hoyle\RegApp\encore_reg.exe /r "C:\Program Files (x86)\Encore\Hoyle\RegApp\encore_reg.rpd") -> FOUND
[RUN][ROGUE ST] HKUS\S-1-5-18\[...]\Run : 20090604 (C:\Program Files (x86)\Encore\Hoyle\RegApp\encore_reg.exe /r "C:\Program Files (x86)\Encore\Hoyle\RegApp\encore_reg.rpd") -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) (Standard disk drives) - WDC WD64 00AAKS-22A7B SCSI Disk Device +++++
--- User ---
[MBR] 18516f6067fcda58ed7c00e2d3df624f
[BSP] e10c19537013babe50cba4b90ef42edc : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 208896 | Size: 603207 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1235576832 | Size: 4095 Mo
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1243963392 | Size: 3073 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_10052013_150315.txt >>
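The one finding in that report that explains the broken Windows Defender is the junction: the folder C:\Program Files\Windows Defender\en-US has been replaced by a reparse point into \systemroot\system32\config, so Defender's own files are no longer where it expects them. As an added example (not from the thread and not RogueKiller's code), the PowerShell script below walks the Windows Defender, Microsoft Security Client and driver directories, lists every junction or symbolic link found there, and prints where each one points, using the built-in dir /AL listing for the target because PowerShell 2.0 on Windows 7 exposes no link target property. The directory list and the output format are my own choices; the script changes nothing on disk.

```powershell
# Added example (not from the thread or RogueKiller): list reparse points
# (junctions / symbolic links) under directories that normally contain only real
# folders, and show the target of each. A folder like
# "C:\Program Files\Windows Defender\en-US" that is really a junction into
# \systemroot\system32\config, as in the RogueKiller report above, shows up here
# with its target so it can be compared with a known-good machine.
# Read-only; run elevated so every directory can be opened.

$roots = @(
    "$env:ProgramFiles\Windows Defender",
    "${env:ProgramFiles(x86)}\Windows Defender",
    "$env:ProgramFiles\Microsoft Security Client",
    "$env:SystemRoot\System32\drivers"
) | Where-Object { $_ -and (Test-Path $_) }

function Get-LinkTarget {
    # dir /AL prints "<JUNCTION> name [target]" for each link in a directory;
    # pick out the line for this leaf name and return the bracketed target.
    param([string]$Path)
    $parent = Split-Path -Parent $Path
    $leaf   = [regex]::Escape((Split-Path -Leaf $Path))
    $line   = & cmd /c "dir /AL `"$parent`"" 2>$null |
              Where-Object { $_ -match "<(JUNCTION|SYMLINKD?)>\s+$leaf\s+\[" } |
              Select-Object -First 1
    if ($line -and $line -match '\[(.+)\]\s*$') { return $Matches[1] }
    return '(target not readable)'
}

function Find-ReparsePoints {
    # Manual recursion so that the walk never descends INTO a reparse point
    # (following a junction into system32\config or back up the tree would
    # loop or list unrelated files); the link itself is reported and skipped.
    param([string]$Dir)
    foreach ($item in (Get-ChildItem -Path $Dir -Force -ErrorAction SilentlyContinue)) {
        if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            New-Object PSObject -Property @{
                Path   = $item.FullName
                Target = Get-LinkTarget -Path $item.FullName
            }
        } elseif ($item.PSIsContainer) {
            Find-ReparsePoints -Dir $item.FullName
        }
    }
}

$found = foreach ($r in $roots) { Find-ReparsePoints -Dir $r }

if (-not $found) {
    Write-Host "No junctions or symbolic links under: $($roots -join '; ')"
} else {
    # None of these directories contains reparse points on a clean install, so
    # every hit deserves a look; a target under System32\config is the pattern
    # RogueKiller labelled [ZeroAccess][Junction] in the report above.
    $found | Format-Table Path, Target -AutoSize
}
```

Once a bogus junction has been removed, the real directory still has to be put back (a repair or reinstall of the product), which is why the tool-driven cleanup in the thread, rather than deleting the link by hand, is the right order of operations.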

FRST.txt is still showing issues that need attention. It would seem that user names have been taken out and replaced with an asterisk; I cannot give a fix list without a full navigational address.

 

If you want me to continue, run FRST one more time and copy and paste the log to your reply. Do not strike out user names and do not give links to 3rd party sites...

 

If you do not want to follow that instruction we can close out; your choice...

 

Kevin


Okay... Sorry, I didn't know... I don't need any more help anyway though, because you ended up removing the Zero Access virus fully and it fixed Windows Defender! I also found a few other programs like TFC (Temp File Cleaner) and ESET Online Scanner! Thank you for your understanding.


My own security set up is :-

 

Windows' own Firewall, Microsoft Security Essentials and Malwarebytes Pro. Windows FW and MSE are free; MB also has a free version, however I prefer the Pro version as it provides auto updates and realtime protection. Cost is about £20 for a lifetime license.

 

As an extra layer I also use WinPatrol; the free version is adequate for general home use. Available here: http://www.winpatrol.com/download.html

 

For my browser I use Firefox with these add-ons: Web of Trust, Adblock Plus, Flash Block, NoScript, Ghostery. When Firefox is open, press these keys together:- Ctrl - Shift - A. That will open the Add-ons manager, which gives access to find add-ons, use, start, stop or disable those features etc....

Before using NoScript read from this link http://noscript.net/; it makes it easy to understand....

 

Understanding Windows 7 Firewall - http://windows.microsoft.com/en-GB/windows7/Understanding-Windows-Firewall-settings

 

Understanding Microsoft Security Essentials - http://www.microsoft.com/en-gb/security/pc-security/mse.aspx

 

Understanding Malwarebytes, how to create an exclusion in MSE - http://forums.malwarebytes.org/index.php?showtopic=10138&st=0&p=162100entry162100

 

Understanding WinPatrol - http://www.winpatrol.com/features.html

 

I also use the Professional version of Sandboxie; I believe there is also a free version available. Visit this link http://www.sandboxie.com/ for access to the d/l, and also make sure to use the "Help and FAQ" option to understand its uses, specifically how to run your browser sandboxed!



Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.