Windows Security Center can't be started because of virus/malware

Page 4 of 13 FirstFirst ... 23456 ... LastLast

  1. Posts : 55
    Windows 7 Ultimate, 32bit
    Thread Starter
       #31

    Ok here is the result:

    Farbar Service Scanner Version: 16-01-2013
    Ran by siri1802 (administrator) on 28-01-2013 at 04:33:56
    Running from "C:\Users\siri1802\Downloads"
    Windows 7 Ultimate Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Attempt to access Google IP returned error. Google IP is offline
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is set to Disabled. The default start type is Auto.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Disabled. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****


    It's still not possible to open Security Center, and I don't get any kinds of errors or notices other than "Please turn on Security Center as it has been deactivated."


  2. Posts : 55
    Windows 7 Ultimate, 32bit
    Thread Starter
       #32

    I ran Windows Repair, and then FSS after restarting my computer:

    Farbar Service Scanner Version: 16-01-2013
    Ran by siri1802 (administrator) on 28-01-2013 at 04:53:43
    Running from "C:\Users\siri1802\Downloads"
    Windows 7 Ultimate Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Attempt to access Google IP returned error. Google IP is offline
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is set to Disabled. The default start type is Auto.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.


    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv: "C:\Windows\system32\wuaueng.dll".


    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Disabled. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****


  3. Posts : 2,470
    Windows 7 Home Premium
       #33

    Glad you did not go MIA!


    As a rule of thumb, first, get rid of the malware, then, do the repairs.

    Although the programs you already ran are coming up clean, malware could still be lurking somewhere, particularly if it is a Rootkit.

    So, let’s fall back, regroup, and take a look before Windows starts…


    Need some info from you:
    Do you have the Repair your computer option in the Advanced Boot Options menu?

    To find out:

    Restart the computer.
    As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
    Is the Repair your computer option listed?

    If you do not have the option, do you have your Windows installation CD/DVD available?

    And last, do you have a USB flash drive available, and access to another computer?


    Also, let’s check the Security status with the following:

    Download Security Check:
    http://screen317.spywareinfoforum.org/
    Save to your Desktop.

    Double-click SecurityCheck.exe

    Follow the onscreen instructions inside the black box.

    When done, a Notepad report opens automatically, called: checkup.txt

    Please post its contents in your reply.

    Note:
    SecurityCheck may produce some false warning(s). Please do not take any corrective actions!


    Signing off for tonight @ 11:42PM CST 27Jan2013


  4. Posts : 55
    Windows 7 Ultimate, 32bit
    Thread Starter
       #34

    Yeah, just had a lot to do this weekend, but I'm back now :)

    Luckily I've got the Repair your computer option, because I don't have access to my Windows installation CD at the moment. I have a USB flash drive but only access to one computer I'm afraid.

    Here is the result from the SecurityCheck :)

    Results of screen317's Security Check version 0.99.57
    Windows 7 Service Pack 1 x86 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Security Center service is not running! This report may not be accurate!
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.70.0.1100
    Java(TM) 6 Update 35
    Java 7 Update 11
    Adobe Flash Player 11.5.502.146
    Mozilla Firefox (18.0.1)
    Google Chrome 24.0.1312.52
    Google Chrome 24.0.1312.56
    ````````Process Check: objlist.exe by Laurent````````
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    Malwarebytes' Anti-Malware mbamscheduler.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:
    ````````````````````End of Log``````````````````````
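The two FSS logs and the SecurityCheck report above all say the same thing (wscsvc and WinDefend set to Disabled, DisableAntiSpyware=1, no antivirus registered with Security Center) but they are opaque about where they read it from. The script below is an added example, not code from the thread or from either tool: it reads the same settings directly from the registry and WMI so a second opinion can be compared line by line with the FSS output. It assumes an elevated PowerShell 5.1 session (WMF 5.1 installs on Windows 7 SP1) and that the stock Windows 7 default for each listed service is Start=2 (Automatic); the service list and the policy table are this example's own choices, not something the tools publish.

```powershell
# Added example, not code from the thread or from the FSS/SecurityCheck tools:
# an independent readout of the settings those two logs report, taken straight
# from the registry and WMI so the numbers can be cross-checked.
# Assumptions: elevated PowerShell 5.1 on Windows 7 SP1, and the stock Windows 7
# default of Start=2 (Automatic) for each service listed below.

$startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Services the FSS log covers, with their expected Start value on a stock Windows 7.
$defaults = [ordered]@{
    wscsvc    = 2   # Security Center ("Action Center" section of the FSS log)
    WinDefend = 2   # Windows Defender
    wuauserv  = 2   # Windows Update
    MpsSvc    = 2   # Windows Firewall
}

function Get-ServiceConfig {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return $null }
    $svc = Get-ItemProperty -Path $key
    $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    $dllPath = $null
    $signed  = $false
    if ($dll) {
        $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
        # A valid Authenticode signature is a stronger check than FSS's "MD5 is legit":
        # a swapped ServiceDll will not carry one.
        if (Test-Path -LiteralPath $dllPath) {
            $signed = (Get-AuthenticodeSignature -LiteralPath $dllPath).Status -eq 'Valid'
        }
    }
    [pscustomobject]@{
        Name       = $Name
        Start      = [int]$svc.Start
        Delayed    = ($svc.DelayedAutostart -eq 1)   # Automatic (Delayed Start) flag
        ImagePath  = $svc.ImagePath
        ServiceDll = $dllPath
        DllSigned  = $signed
        Running    = ((Get-Service -Name $Name -ErrorAction SilentlyContinue).Status -eq 'Running')
    }
}

foreach ($name in $defaults.Keys) {
    $cfg = Get-ServiceConfig -Name $name
    if (-not $cfg) { Write-Warning "$name : service key missing"; continue }
    $verdict = if ($cfg.Start -eq $defaults[$name]) { 'start type OK' } else { "start type is $($startNames[$cfg.Start]), default is $($startNames[$defaults[$name]])" }
    '{0,-10} running={1,-5} delayed={2,-5} dllSigned={3,-5} {4}' -f $cfg.Name, $cfg.Running, $cfg.Delayed, $cfg.DllSigned, $verdict
}

# Policy values that switch the same components off without touching the service entry
# (the FSS "Disabled Policy" sections). Bad = the value that means "disabled".
$policies = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                         Value = 'DisableAntiSpyware'; Bad = 1 }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                Value = 'DisableAntiSpyware'; Bad = 1 }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';        Value = 'NoAutoUpdate';       Bad = 1 }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Value = 'DisableSR';          Bad = 1 }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Value = 'EnableFirewall';     Bad = 0 }
)
foreach ($p in $policies) {
    $v = (Get-ItemProperty -Path $p.Key -Name $p.Value -ErrorAction SilentlyContinue).($p.Value)
    if ($null -ne $v -and [int]$v -eq $p.Bad) { "POLICY: [$($p.Key)] `"$($p.Value)`"=DWORD:$v" }
}

# What SecurityCheck means by "WMI entry may not exist for antivirus": the product
# registrations Security Center keeps in root\SecurityCenter2. An empty list while
# wscsvc is stopped is expected, not a second problem.
$av = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct -ErrorAction SilentlyContinue
if ($av) { $av | ForEach-Object { 'AV registered: {0} (productState=0x{1:X})' -f $_.displayName, $_.productState } }
else     { 'no AntiVirusProduct entries in root\SecurityCenter2' }
```

Two things to keep in mind when reading the output. The Start value is what FSS reports as "start type"; it is a plain DWORD that any process running as SYSTEM or an administrator can flip, which is why a clean MD5 on wscsvc.dll says nothing about who disabled the service. And the policy table is deliberately wider than what FSS printed: the same DisableAntiSpyware value under the Policies hive, or NoAutoUpdate under the AU key, would not show up as a service problem at all, only as a component that stays off after the service is fixed.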


  5. Posts : 143
    32 bit
       #35

    Hi,

    The infected files that disables security center are

    c:\windows\Tasks\IKOPXBS.job
    c:\windows\system32\deskperfm.dll

    I have given you both the answer. Now delete the files using one of the tools you have used. :)


  6. Posts : 2,470
    Windows 7 Home Premium
       #36

    @shawn77,

    Thank you for the suggestion.

    c:\windows\system32\deskperf.dll is normally associated with: Advanced Display performance properties. (Corrected name of .dll)

    @Crumble,

    Please submit the following for analysis to VirusTotal:
    http://www.virustotal.com/

    c:\windows\Tasks\IKOPXBS.job
    c:\windows\system32\deskperfm.dll

    Use the Browse button to navigate to the location of each file.
    Send the file, and wait for the results.

    If you get a message saying: 'File has already been analyzed', click: Reanalyze file now

    When done, please provide the address to the results page in your reply.
    Last edited by cottonball; 28 Jan 2013 at 17:36.


  7. Posts : 143
    32 bit
       #37

    Are you sure cottonball?

    I thought deskperf.dll was responsible and not deskperfm.dll :P

    Just joking. This is one type of redirect DLL that at first look seems to be a legitimate one but differs from the legitimate DLL by a single letter.
    Last edited by shawn77; 28 Jan 2013 at 17:57.


  8. Posts : 2,470
    Windows 7 Home Premium
       #38

    @shawn77,

    You are correct.

    C:\Windows\System32\deskperf.dll is normally associated with: Advanced Display performance properties. (Corrected name of .dll in post above)

    Thanks for bringing that to our attention.


  9. Posts : 55
    Windows 7 Ultimate, 32bit
    Thread Starter
       #39

    Thanks to both of you :) This is really helpful!
    I've got one problem though - I am not able to submit the c:\windows\Tasks\IKOPXBS.job file for analysis; my computer says that I am not allowed to open the file and that I have to ask the owner of the file or the administrator, which is weird as I AM the administrator...hmm

    And regarding the other file; I couldn't find it. I only found the file called c:\windows\system32\deskperf.dll (without the m in the end). So I just analysed it to make sure. Here's the result:

    https://www.virustotal.com/file/f1ee...is/1359429020/
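Posts #36 to #39 raise three practical questions: what is actually on disk under the two names shawn77 gave, why the .job file cannot be opened even by an administrator, and how to find a look-alike DLL in general rather than by eye. The script below is an added example and not code from the thread; it assumes an elevated PowerShell 5.1 session on Windows 7 and the file names exactly as posted. It only reads: it records size, timestamps, owner, signature status and SHA256 for each suspect (recording an error instead of stopping when a file refuses to be read), then scans System32 for every DLL whose name becomes another System32 DLL's name when one character is removed, which is the "differs by a single letter" pattern generalised. The "SUSPECT" tag and the pair-scan are this example's own heuristic.

```powershell
# Added example, not code from the thread: read-only triage of the files named
# above, then the general look-alike-name scan. Assumes elevated PowerShell 5.1
# on Windows 7 and the file names as posted. Nothing here deletes or modifies.

function Get-FileTriage {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path -Force
    # The .job file above was unreadable even to the administrator: a deny ACL or a
    # foreign owner is a common trick, so record owner and errors instead of stopping.
    try   { $owner  = (Get-Acl -LiteralPath $Path).Owner } catch { $owner  = "ERROR: $($_.Exception.Message)" }
    try   { $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash } catch { $sha256 = "ERROR: $($_.Exception.Message)" }
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction SilentlyContinue
    $status = 'unknown'
    $signer = $null
    if ($sig) {
        $status = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        Size      = $item.Length
        Created   = $item.CreationTime
        Modified  = $item.LastWriteTime
        Owner     = $owner
        Signature = $status
        Signer    = $signer
        SHA256    = $sha256
    }
}

'C:\Windows\Tasks\IKOPXBS.job',
'C:\Windows\System32\deskperfm.dll',
'C:\Windows\System32\deskperf.dll' | ForEach-Object { Get-FileTriage $_ } | Format-List

# General case: every System32 DLL whose name turns into another System32 DLL's name
# when one character is removed (deskperfm.dll -> deskperf.dll). Signatures are only
# fetched for candidate pairs, so this stays cheap on a full System32.
$dir   = Join-Path $env:windir 'System32'
$names = @{}
Get-ChildItem -LiteralPath $dir -Filter *.dll -File | ForEach-Object { $names[$_.Name.ToLower()] = $_.FullName }
$seen = @{}
foreach ($name in @($names.Keys)) {
    $stem = [IO.Path]::GetFileNameWithoutExtension($name)
    for ($i = 0; $i -lt $stem.Length; $i++) {
        $shorter = $stem.Remove($i, 1) + '.dll'
        if (-not $names.ContainsKey($shorter) -or $seen.ContainsKey("$name|$shorter")) { continue }
        $seen["$name|$shorter"] = $true
        $long  = Get-AuthenticodeSignature -LiteralPath $names[$name]
        $short = Get-AuthenticodeSignature -LiteralPath $names[$shorter]
        # Unsigned file shadowing a validly signed neighbour is the pattern worth a second look.
        $tag = if ($long.Status -ne 'Valid' -and $short.Status -eq 'Valid') { 'SUSPECT' } else { 'pair   ' }
        '{0} {1,-24} [{2}]  shadows {3,-24} [{4}]' -f $tag, $name, $long.Status, $shorter, $short.Status
    }
}
```

Two caveats. Many stock Windows 7 DLLs are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature can report NotSigned for a perfectly legitimate file; treat the pair list as a ranking to inspect, not a verdict, and confirm a candidate by hash against a known-good copy (the SHA256 the triage prints can be searched on VirusTotal without uploading). For the .job file, the access-denied error is itself the finding: the standard way back in is `takeown /f <file>` followed by `icacls <file> /grant Administrators:F`, but do that only when you are about to remove the file, since nothing else needs to open it.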


  10. Posts : 2,470
    Windows 7 Home Premium
       #40

    Let's do the following:

    1. Open Notepad ('Start' > 'R', type: notepad Click: OK)

    2. Copy/paste the text inside the code box below to it:

    Code:
        File::
        c:\windows\Tasks\IKOPXBS.job
        c:\windows\system32\deskperfm.dll

    3. In Notepad:
    Click File > Save as..., and save to the Desktop
    In the File Name box, type: CFScript.txt
    Click: Save

    4. Close all open windows so that you are at the Desktop.

    5. Referring to the picture below, using your mouse (left button), ...drag... CFScript.txt and drop over the ComboFix.exe file on your Desktop



    6. Do not mouse-click the ComboFix window while it is running. It may cause CF to stall.

    7. When finished, the log produced is located at C:\ComboFix.txt

    Please post the new ComboFix.txt in your reply.

    Also, give Security Center another check, and set it to: Automatic (Delayed Start)
    Press: Start

    Tell us how it goes.
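The last step in post #40, "set Security Center to Automatic (Delayed Start) and press Start", is the repair half of cottonball's rule from post #33 (malware first, then repairs). The script below is an added example, not code from the thread, that performs that step from the command line together with the matching repairs for the other items the FSS logs flagged. It assumes an elevated PowerShell 5.1 session on Windows 7 and that the files from the ComboFix script have already been removed; re-enabling the services on a still-infected machine only gives whatever disabled them a chance to do it again. Which services get the delayed flag is this example's reading of the Windows 7 defaults (Security Center is stated in the thread; Defender and Update are assumed), so compare against a clean Windows 7 machine if in doubt.

```powershell
# Added example, not code from the thread: re-enable the services and clear the
# policy value the FSS logs above flagged. Assumes elevated PowerShell 5.1 on
# Windows 7 and that cleanup has already been done. The delayed-start choices for
# WinDefend and wuauserv are an assumption about Windows 7 defaults.

function Restore-SecurityService {
    param([string]$Name, [switch]$Delayed)
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $svcKey)) { Write-Warning "$Name : service key missing, cannot repair"; return $false }
    # sc.exe is used because Set-Service -StartupType has no "delayed" option on 5.1.
    # Note the space after "start=": sc.exe requires it.
    $mode = if ($Delayed) { 'delayed-auto' } else { 'auto' }
    & sc.exe config $Name start= $mode | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "$Name : sc config failed (exit $LASTEXITCODE)"; return $false }
    Start-Service -Name $Name -ErrorAction SilentlyContinue
    $svc   = Get-Service -Name $Name
    $start = (Get-ItemProperty -Path $svcKey).Start
    '{0,-10} Start={1} DelayedAutostart={2} status={3}' -f $Name, $start, ((Get-ItemProperty -Path $svcKey).DelayedAutostart -eq 1), $svc.Status
    return ($svc.Status -eq 'Running')
}

# 1. Remove the policy value that keeps Defender off even once WinDefend is enabled
#    (both the key FSS printed and the Group Policy location).
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows Defender', 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender') {
    if ($null -ne (Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue)) {
        Remove-ItemProperty -Path $key -Name DisableAntiSpyware
        "removed DisableAntiSpyware from $key"
    }
}

# 2. Security Center back to Automatic (Delayed Start) and running, as the post asks,
#    then the other two services the logs showed stopped or disabled.
$ok = @{}
$ok['wscsvc']    = Restore-SecurityService -Name wscsvc    -Delayed
$ok['WinDefend'] = Restore-SecurityService -Name WinDefend -Delayed
$ok['wuauserv']  = Restore-SecurityService -Name wuauserv  -Delayed

# 3. Say plainly what is still wrong, so the next FSS run has something to confirm.
$failed = $ok.Keys | Where-Object { -not $ok[$_] }
if ($failed) { Write-Warning ("still not running: " + ($failed -join ', ')) } else { 'all three services running' }
```

If wscsvc starts and then stops again within seconds, or the Start value reverts to 4 after a reboot, that is the signal cottonball is looking for in post #33: something is still on the machine re-applying the change, and the repair has to wait until the rootkit-level look he describes is done.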

