Windows Firewall + Defender Services deactivated from system, no hangs


  1. Posts : 144
    Windows 7 Ultimate x64
       #1



    hi guys,

    just last week i noticed that on my win 7 laptop, i could not switch on "network discovery" & "file and printer sharing", after further analysis, windows firewall and windows defender services have gone completely from the services list (services.msc) and that made me wonder that i got some sort of spyware/malware on my system.

    after doing a bit of cleaning/fixing, i managed to restore network discovery, file sharing, firewall and defender services, ran a few scans and eventually found a trojan (actually defender found it!!) and another threat in a keygen file i found on my PC and i deleted everything, the PC however has been working perfectly, i never had any BSOD or strange hangs, redirects etc etc.

    i ran the sfc /scannow and it finished OK, although it found a few corrupt files that i couldn't fix in any way; nothing seems to affect the pc though.

    now, since something obviously happened i changed the password of my machine but i was wondering:

    - would it be best to format the machine and install win7 fresh?
    - is there a list of "dangerous ports" so that i can check if there's still someone listening where they shouldn't?

    thanks a lot
    gab


  2. Posts : 2,470
    Windows 7 Home Premium
       #2

    gabriolinari,


    Let's see what your system shows with the following short scan...


    Please download RogueKiller:
    Télécharger RogueKiller (Site Officiel)

    When you get to the website, go to where it says:
    (Download link) Lien de téléchargement:

    Select the version for your system: 64-bit (button with x64)
    Click the applicable dark-blue button to download.
    Save to the Desktop.


    Close all windows and browsers.
    Right-click the downloaded file and select: Run as Administrator


    At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished)

    Press: SCAN


    When done, a report opens on the Desktop: RKreport.txt


    Please provide the RKreport.txt (Mode: Scan) in your reply.





    ~~~~
    Also, download Farbar Service Scanner


    Save to the Desktop
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press: Scan
    • FSS creates a log, FSS.txt, on the Desktop.
    Please provide the FSS.txt in your reply.
      My Computer
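
A quick check of what the Farbar scan in the post above looks at, namely whether the security services are still registered at all (added example, not part of the thread and not FSS's own logic). The service short names and the registry comparison are assumptions mapped to the categories listed in that post; written for PowerShell 2.0 on Windows 7, run from an elevated prompt.

```powershell
# Added example. Short names below are assumed to correspond to the
# categories checked in the post above (firewall, Defender, etc.).
$expected = @(
    @{ Name = 'MpsSvc';    Area = 'Windows Firewall' },
    @{ Name = 'BFE';       Area = 'Windows Firewall (Base Filtering Engine)' },
    @{ Name = 'WinDefend'; Area = 'Windows Defender' },
    @{ Name = 'wscsvc';    Area = 'Security Center' },
    @{ Name = 'wuauserv';  Area = 'Windows Update' },
    @{ Name = 'BITS';      Area = 'Windows Update (BITS)' },
    @{ Name = 'VSS';       Area = 'System Restore (Volume Shadow Copy)' }
)

function Test-SecurityServices {
    param([object[]]$Services = $expected)

    foreach ($svc in $Services) {
        # What the Service Control Manager knows about
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
        # What is actually left in the registry
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        $keyPresent = Test-Path $key

        if (-not $wmi) {
            # Gone from services.msc: the symptom described in post #1
            $verdict = if ($keyPresent) { 'NOT REGISTERED (key remains)' } else { 'MISSING' }
        } elseif ($wmi.StartMode -eq 'Disabled') {
            # Expected for WinDefend when a third-party antivirus is installed
            $verdict = 'DISABLED'
        } elseif ($wmi.StartMode -eq 'Auto' -and $wmi.State -ne 'Running') {
            $verdict = 'STOPPED'
        } else {
            $verdict = 'OK'
        }

        New-Object PSObject -Property @{
            Area      = $svc.Area
            Service   = $svc.Name
            StartMode = if ($wmi) { $wmi.StartMode } else { '-' }
            State     = if ($wmi) { $wmi.State } else { '-' }
            Verdict   = $verdict
        } | Select-Object Area, Service, StartMode, State, Verdict
    }
}

Test-SecurityServices | Format-Table -AutoSize
```

A `MISSING` verdict for the firewall or Defender rows means the service entry itself has been deleted, which a start/stop in services.msc cannot repair.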


  3. Posts : 144
    Windows 7 Ultimate x64
    Thread Starter
       #3

    hi there,

    i have attached the reports, please have a look and thanks a lot for the help! i haven't applied any action, but it seems i have this "Zeroaccess" infection...when you exit RogueKillerX64 he is asking to delete files, shall i go for it?

    thanks
    gabrio


  4. Posts : 2,470
    Windows 7 Home Premium
       #4

    Please run RogueKiller once again:
    Wait until Prescan finishes
    (The Status box shows: PreScan Finished )

    Click on: Delete

    Wait until the Status box shows: Deleting Finished

    Click on Report and provide the content of the new Rkreport (Mode: Remove) in your reply.


  5. Posts : 144
    Windows 7 Ultimate x64
    Thread Starter
       #5

    hi Cottonball,

    i had to run another scan to get the "delete" button to work, anyway, please have a look at the 2 files, number 4 is the report after the deletion, then i restarted and ran it again, hence another report, 5. seems clean now!

    good idea to change win 7 password again now yeah?

    gab


  6. Posts : 2,470
    Windows 7 Home Premium
       #6

    Let's take an additional step...

    Please download Malwarebytes Anti-Rootkit:
    Malwarebytes : Malwarebytes Anti-Rootkit
    Save to the Desktop (easy to find)

    Right-click the file and select: Extract here...

    Follow the Usage instructions on the website from Step 3 to Step 7.
    For now, please stop at Step 7.

    When the program is done, two reports are created in the mbar folder:
    1. system-log.txt
    2. mbar-log-2013-02-18 (20-13-32).txt (corresponds to mbar-log-year-month-day (hour-minute-second).txt)

    Please provide the mbar-log containing information on what was detected and removed.


  7. Posts : 144
    Windows 7 Ultimate x64
    Thread Starter
       #7

    quite shockingly, mbar found something and then cleaned it, then restarted and no more infection...

    please see attached files, one is pre infection and one after with the cleaning done..

    seriously, do you think that it's safe to run the system moving forward or a good old format would be best? i am thinking we're playing cat and mouse here....

    thanks a lot!!!
    gabrio


  8. Posts : 2,470
    Windows 7 Home Premium
       #8

    gabriolinari,

    Have read different opinions on removing, or not removing Rootkits.
    There are quite a number of forums that deal with Rootkits on a daily basis, successfully! The option to reformat is always there, but, there seem to be more Users cleaning the computer (with assistance from the forums) than doing a wipe and clean install.

    There are tools available to remove Rootkits that do a great job, and experts agree that more than one should be used to confirm removal.

    Bottom line appears to be that it is up to you whether to clean the computer, or do a total wipe and clean install.

    My goal is to clean the infection using tools that target the issue.


    If you wish to proceed, let's do the following...

    Please download the latest version of TDSSKiller:
    http://support.kaspersky.com/downloa...tdsskiller.exe
    Save to the Desktop. <<<---

    Right-click the file and select: Run as Administrator

    In the TDSSKiller console, click on: Change parameters
    Check the box beside: Detect TDLFS file system
    Click: OK

    Press the button: Start Scan



    When the scan is over, the tool outputs a list of detected objects: (Malicious or Suspicious)
    • If suspicious entries are detected, the default action is Skip. Click on: Continue
    • If malicious objects are found, they show in the Scan results.
    • Ensure Cure (default) is selected, then click: Continue > Reboot now to finish the cleaning process.
    • If Cure is not available, select: Skip
    • Please, do not select: Delete
    By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

    Logs have a name like:
    C:\TDSSKiller.2.4.7_22.02.2013_15.31.43_log.txt

    Please post the TDSSKiller log in your reply.


    If you wish to think this over, or reformat, that is fine also! :)


  9. Posts : 144
    Windows 7 Ultimate x64
    Thread Starter
       #9

    hi Cotton,

    once again, thanks for your patience, i just scanned with tdsskiller and the report shows "no threats found", therefore no corrective action was presented... report attached.

    now it seems all clear, only thing left was few corrupt files that sfc /scannow found which i mentioned at the beginning (but i can live with that if there's no issue), the first one was "iassdo.dll.mui" corrupted, i ran the same on my other desktop pc (same OS) and same error came up, plus seems many users have that error.

    i searched a bit and it seemed to be the language pack files in C:\Windows\System32\en-US, so i tried to replace that folder from the win7 dvd but without success, and it seems i cannot reinstall the language pack files either since it is the main language of the system.

    that being said, i don't have any hangs or weird things and PC is actually fast so we could leave it like it is...

    thanks!
    gabrio


  10. Posts : 2,470
    Windows 7 Home Premium
       #10

    gabrio,

    On the iassdo.dll.mui issue...


    Looked at a few places, and the only success stories found involved a Repair Install of Windows:
    Repair Install

    Don't know if you want to go that route or not.

    On the malware, use the computer for a week or two, and if you experience any problems, come back and we will take it from there.

    Good luck, gabrio!


 