The Windows Security Center Can't be Started. Help!

Twy86 · 11 Jun 2013

Hi,

I've recently had a virus on my laptop, AVG detected a few called trojan horse generic29.ajge
I think i've managed to remove them through various types of malware programs and such but it has left me unable to activate the Windows Security Center and also my Windows Firewall isn't using its recommended settings.

I know you computer experts usually require more information than that, so just let me know what you need.

Many thanks,

P.S i also had the blue screen of death today which has worried me!

Jacee · 11 Jun 2013

Trojanhorse Generic29.AJGE is also known as Sirefef, ZeroAccess, Rootkit.0access or Trojan.0access rootkit.

My best advice is to 'wipe' and do a 'clean' install.

VistaKing · 11 Jun 2013

RogueKiller for 32bit or RogueKiller for 64bit

Click on one of the links above that goes with your Windows 7 bit versions

Save to the Desktop.

Close all windows and browsers

Right click on

and choose

Press: SCAN

provide the RKreport.txt (Mode: Scan) in your reply.

Layback Bear · 11 Jun 2013

Jacee said:

Trojanhorse Generic29.AJGE is also known as Sirefef, ZeroAccess, Rootkit.0access or Trojan.0access rootkit.

My best advice is to 'wipe' and do a 'clean' install.

Agree 100% with Jacee.

Twy86 · 11 Jun 2013

sorry forget that last bit.
I've looked at a few forums already about such issues. I ran RogueKiller earlier with the following response:

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Adrian [Admin rights]
Mode : Scan -- Date : 06/11/2013 12:44:39
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[TASK][SUSP PATH] Dealply.job : C:\Users\Adrian\AppData\Roaming\Dealply\UPDATE~1\UPDATE~1.EXE /Check [x] -> FOUND
[TASK][SUSP PATH] Dealply : C:\Users\Adrian\AppData\Roaming\Dealply\UPDATE~1\UPDATE~1.EXE /Check [x] -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-4183057-2429295514-3557410841-1001\$20c6343bf07ac0e2f41117a0515252a3\n) [-] -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$20c6343bf07ac0e2f41117a0515252a3\n) [-] -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$20c6343bf07ac0e2f41117a0515252a3\n) [-] -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : C:\$recycle.bin\S-1-5-18\$20c6343bf07ac0e2f41117a0515252a3\n [-] --> FOUND
[ZeroAccess][FILE] n : C:\$recycle.bin\S-1-5-21-4183057-2429295514-3557410841-1001\$20c6343bf07ac0e2f41117a0515252a3\n [-] --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$20c6343bf07ac0e2f41117a0515252a3\@ [-] --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-4183057-2429295514-3557410841-1001\$20c6343bf07ac0e2f41117a0515252a3\@ [-] --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$20c6343bf07ac0e2f41117a0515252a3\U --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-4183057-2429295514-3557410841-1001\$20c6343bf07ac0e2f41117a0515252a3\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$20c6343bf07ac0e2f41117a0515252a3\L --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-4183057-2429295514-3557410841-1001\$20c6343bf07ac0e2f41117a0515252a3\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS725025A9A364 ATA Device +++++
--- User ---
[MBR] f16bc5a73d6a185b4762bf3538e4c89f
[BSP] e5db895ded9278d1d1d92d24eb3e28ac : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 225503 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 462239744 | Size: 12771 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_06112013_02d1244.txt >>
RKreport[1]_S_06112013_02d1244.txt

--------------------------------------------------------------------------------------------------------
The thread i looked at advised to delete all the threats so i did. after running the RogueKiller again this is its response:

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Adrian [Admin rights]
Mode : Scan -- Date : 06/11/2013 18:49:24
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS725025A9A364 ATA Device +++++
--- User ---
[MBR] f16bc5a73d6a185b4762bf3538e4c89f
[BSP] e5db895ded9278d1d1d92d24eb3e28ac : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 225503 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 462239744 | Size: 12771 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_06112013_02d1849.txt >>
RKreport[1]_S_06112013_02d1849.txt

VistaKing · 11 Jun 2013

Did you try to run TDSSKILLER ?

TDSSKILLER DOWNLOAD LINK

http://support.kaspersky.com/downloa...tdsskiller.exe

Double click on TDSSKILLER.exe to run the program

On the TDSSKILLER window click on Change Parameters and place a check next to Detect TDLFS FILE SYSTEM click the OK button.

Press Scan

It automatically selects an action (Cure or Delete) for Malicious objects. Leave the setting as it is.

It also prompts the User to select an action to apply to Suspicious objects (Skip, by default).
Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.

A Reboot Required prompt may appear after a disinfection.

Locate the log file inside C:\ . Called TDSSKILLER LOG.TXT

Jacee · 11 Jun 2013

@Twy86, what did you do to "solve" this ZA Rootkit?

cottonball · 11 Jun 2013

Twy86,

Removing malware like ZeroAccess and getting a computer back in working order is my reason for doing this kind of work, although there are different opinions about its removal. Some of us belong to the Wipe and Clean Club, and some of us belong to the Good Riddance Club.

In any event, using RogueKiller to remove ZeroAccess, and stopping there is a huge mistake.

If you wish to pursue the issue to completion, please follow VistaKing's instructions (Post #6) to run TDSSKiller, and provide the TDSSKiller report.

Also, do the following:

Please go to the Farbar Recovery Scan Tool Download
Select the 64-bit version.
Save it to your Desktop.
Double-click the downloaded file to run it.

When the tool opens click Yes to the disclaimer.
Press the Scan button.

FRST64 makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).

Please provide the FRST.txt in your reply. <<---

The first time the tool is run, it also makes another log: Addition.txt
Also post the: Addition.txt in your reply. <<---

Next, download Farbar Service Scanner

Save to the Desktop

Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center
- Windows Update
- Windows Defender
Press: Scan
FSS creates a log, FSS.txt, on the Desktop.

Please provide the FSS.txt in your reply.