Windows Defender, Firewall, Update disabled

I had posted a report about this back in late October, but I had accidentally posted in the wrong section, and then I never had the time to repost...until now.

Anyways,

this system that I am trying to diagnose had this problem appear back in October. I had noticed this when the computer had become extremely slow, so I checked Task Manager to see what the possible cause was. I spotted a process / service, named "Bitcoin [something]", that was using 60-70%+ of the CPU. I did a bit of searching and discovered that it was a virus / malware.

I immediately performed anti-virus & Malwarebytes scans, and sure enough, threat detected. The threat was removed, but bits of files remained (i.e. run.dll).

The aftermath that I noticed is that 'Windows Defender,' 'Windows Update,' and 'Windows Firewall' all stopped working. Below are some images to illustrate what is happening.

http://imageshack.us/a/img59/2706/img0027wsz.jpg

http://imageshack.us/a/img197/7623/img0028m.jpg

http://imageshack.us/a/img441/9553/img0029cf.jpg

Additionally, upon start-up a pop-up message will appear saying this:

http://imageshack.us/a/img694/889/img0026ba.jpg

I've searched for any possible solutions here on the Malwarebytes Forums, and some say some Windows files had been damaged by the virus. So I've gone into my virus-free system and made a copy of the registry file, and replaced it on this problematic system. As a result, "Windows Update" is able to download the updates BUT not install them.

I have attached the two requested txt files below.

dds.txt

attach.txt


Run the following:

Download Farbar Service Scanner and run it on the computer with the issue.

Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Next,

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in next reply please...

Kevin


Hi Kevin,

Thank you for looking into this for me - I greatly appreciate it.

As requested, I have attached the two .txt files created by FSS and ComboFix.

After running the two programs, it seems my Windows is semi-fixed. Windows Firewall seems to be restored to working order. Windows Update is detecting, downloading, AND installing updates.

I'm still getting the pop-up message, as the image I had posted in my initial post, at start-up.

Windows Defender isn't exactly working yet. When I click on it, I get a message saying,

"The program is turned off

If you are using another program that checks for harmful or unwanted software, use the Action Center to check that program's status.

If you would like to use this program, click here to turn it on."

When I click it, I get this message:

" Access is denied. (Error Code: 0x80070005)"

FSS.txt

ComboFix.txt


Ah...oh no..

SORRY I just couldn't help to post another reply - it has become more serious than I thought.

So after what I did in my above post...

After the computer downloaded and installed the updates from Windows Updates, my internet connection stopped working. I'm getting the message,

"Windows could not automatically detect this network's proxy settings"

Looking at the "Network and Sharing Center" it is stuck on "Identifying" for my Network.

[PC]----[THIS icon "Identifying"]------X--------[internet]

I've checked some of the services under service.msc and some of them are off / stopped. Such as:

DHCP Client, DNS Client, Server, TCP/IP NetBIOS Helper, and Workstation.

I can only assume that one of the Windows Update files was a malicious item, and it just damaged my computer even further. Why? It was working prior to the installs. I have attempted a System Restore and it had a pop-up saying it has failed.

At this stage, I'm thinking of doing a fresh OS install on this system as a last resort.

Here are the latest dds, attach, FSS and ComboFix files...

attach.txt

dds.txt

FSS.txt

ComboFix.txt


Do the following:

Download SystemLook from one of the links below and save it to your Desktop.

http://jpshortstuff.247fixes.com/SystemLook_x64.exe

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    afd.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Let me see that log..


Here is a "copy and paste" of the log.

SystemLook 30.07.11 by jpshortstuff

Log created at 02:36 on 19/12/2012 by Allan

Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys"

C:\Windows\System32\drivers\AFD.SYS --a---- 22368 bytes [02:11 06/06/2012] [03:49 19/12/2012] 42B7E1AA0C7EC54652A50585793F1885

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_33dd3439781e25f7\afd.sys --a---- 500224 bytes [23:21 13/07/2009] [23:21 13/07/2009] B9384E03479D2506BC924C16A3DB87BC

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16937_none_34154fcd77f3bbda\afd.sys --a---- 499200 bytes [02:11 06/06/2012] [03:59 28/12/2011] DB9D6C6B2CD95A9CA414D045B627422E

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.21115_none_34b263fe91032456\afd.sys --a---- 499200 bytes [02:11 06/06/2012] [04:01 28/12/2011] CCA39961E76B491DDF44B1E90FC8971D

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_360e4801750ca991\afd.sys --a---- 499712 bytes [21:57 20/07/2012] [09:23 20/11/2010] D31DC7A16DEA4A9BAF179F3D6FBDB38C

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17752_none_35e10b89752ee0f5\afd.sys --a---- 498688 bytes [02:11 06/06/2012] [03:59 28/12/2011] 1C7857B62DE5994A75B054A9FD4C3825

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21887_none_364f3a028e605345\afd.sys --a---- 498176 bytes [02:11 06/06/2012] [04:01 28/12/2011] 36A14FD1A23F57046361733B792CA8DB

-= EOF =-

I have attached the .txt file if it is too hard to read.

SystemLook.txt
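Kevin reads the log above by eye: the live AFD.SYS in System32 is 22 KB and its MD5 matches none of the ~500 KB copies held in the component store (WinSxS). The following is an added example, not part of the thread or of SystemLook, that parses the "filefind" lines mechanically and applies the same two checks; the sample log is a trimmed copy of the output posted above, and the 0.5 size-ratio threshold is an assumption chosen for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: four of the entries from the SystemLook log posted in the thread.
SYSTEMLOOK_LOG = r"""
SystemLook 30.07.11 by jpshortstuff
Log created at 02:36 on 19/12/2012 by Allan
Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys"
C:\Windows\System32\drivers\AFD.SYS --a---- 22368 bytes [02:11 06/06/2012] [03:49 19/12/2012] 42B7E1AA0C7EC54652A50585793F1885
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_33dd3439781e25f7\afd.sys --a---- 500224 bytes [23:21 13/07/2009] [23:21 13/07/2009] B9384E03479D2506BC924C16A3DB87BC
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_360e4801750ca991\afd.sys --a---- 499712 bytes [21:57 20/07/2012] [09:23 20/11/2010] D31DC7A16DEA4A9BAF179F3D6FBDB38C
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21887_none_364f3a028e605345\afd.sys --a---- 498176 bytes [02:11 06/06/2012] [04:01 28/12/2011] 36A14FD1A23F57046361733B792CA8DB

-= EOF =-
"""

# One filefind result line: path, attribute flags, size, [created], [modified], MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# Assumed threshold: a live driver less than half the size of every store copy is suspect.
SIZE_RATIO_LIMIT = 0.5


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int
    created: str
    modified: str
    md5: str

    @property
    def in_winsxs(self) -> bool:
        return "\\winsxs\\" in self.path.lower()

    @property
    def component_version(self) -> Optional[str]:
        # WinSxS directory names embed the component version, e.g. 6.1.7601.17514.
        m = re.search(r"_(\d+\.\d+\.\d+\.\d+)_", self.path)
        return m.group(1) if m else None


def parse_filefind(text: str) -> list:
    """Return a FileEntry for every result line in a SystemLook :filefind log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(FileEntry(m["path"], int(m["size"]), m["created"],
                                     m["modified"], m["md5"].upper()))
    return entries


def assess_live_copy(entries: list) -> dict:
    """Compare the single non-WinSxS (live) copy against the component-store copies."""
    live = [e for e in entries if not e.in_winsxs]
    store = [e for e in entries if e.in_winsxs]
    if len(live) != 1 or not store:
        raise ValueError("expected exactly one live copy and at least one WinSxS copy")
    live = live[0]
    # A clean live file is byte-identical to the store copy it was deployed from.
    hash_matches = [e.component_version for e in store if e.md5 == live.md5]
    size_ratio = live.size / min(e.size for e in store)
    return {
        "live_path": live.path,
        "live_size": live.size,
        "hash_matches": hash_matches,
        "size_ratio": round(size_ratio, 3),
        "store_versions": [e.component_version for e in store],
        # Suspicious when no store copy matches AND the file is implausibly small.
        "suspicious": not hash_matches and size_ratio < SIZE_RATIO_LIMIT,
    }


if __name__ == "__main__":
    print(assess_live_copy(parse_filefind(SYSTEMLOOK_LOG)))
```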


OK, do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:


FCopy::
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_360e4801750ca991\afd.sys | C:\Windows\System32\drivers\AFD.SYS
ClearJavaCache::

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

CF3.jpg

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Re-boot your PC....

Post the new log from Combofix, also run FSS again and post a new log from that


Wow!

Thank you Kevin!

My internet is finally up and working again.

ComboFix is quite a useful tool - I need to visit the MalwareBytes Forums more often. :lol:

Below is my newest ComboFix log (after doing what you instructed), but I have added an attachment of the log if reading is difficult on the reply post.

I'm getting a message saying my post is too long with the log directly copied onto my reply, so my only option is an attachment - sorry.

P.S. I realize that we live on opposite sides of the world, so immediate replies is not very possible due to time zone differences, but I'm thankful of you for taking your time to assist me.

Regards,

Victor

ComboFix.txt


Shoot!

I forgot to add the FSS.txt file to my previous post - my mistake.

Here it is:

Farbar Service Scanner Version: 10-12-2012

Ran by Allan (administrator) on 19-12-2012 at 14:13:08

Running from "C:\Users\Allan\Desktop"

Windows 7 Ultimate Service Pack 1 (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Action Center:

============

Windows Update:

============

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is set to Demand. The default start type is Auto.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

File Check:

========

C:\Windows\System32\nsisvc.dll => MD5 is legit

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit

C:\Windows\System32\dhcpcore.dll => MD5 is legit

C:\Windows\System32\drivers\afd.sys

[2012-06-05 18:11] - [2012-12-19 13:52] - 0022368 ____A (AVG Technologies CZ, s.r.o. ) 42B7E1AA0C7EC54652A50585793F1885

ATTENTION!=====> C:\Windows\System32\drivers\afd.sys IS INFECTED AND SHOULD BE REPLACED.

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\System32\dnsrslvr.dll => MD5 is legit

C:\Windows\System32\mpssvc.dll => MD5 is legit

C:\Windows\System32\bfe.dll => MD5 is legit

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit

C:\Windows\System32\SDRSVC.dll => MD5 is legit

C:\Windows\System32\vssvc.exe => MD5 is legit

C:\Windows\System32\wscsvc.dll => MD5 is legit

C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\System32\wuaueng.dll => MD5 is legit

C:\Windows\System32\qmgr.dll => MD5 is legit

C:\Windows\System32\es.dll => MD5 is legit

C:\Windows\System32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\System32\ipnathlp.dll => MD5 is legit

C:\Windows\System32\iphlpsvc.dll => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

FSS.txt


mmm, we've just replaced afd.sys with a clean replacement and FSS is flagging it as infected.... OK do the following:

Upload a File to Virustotal

Go to http://www.virustotal.com/

  • Click the Browse... button
  • Navigate to the file C:\Windows\System32\drivers\afd.sys or just copy/paste it in.
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.

Next,

Run Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7 right click on IE shortcut and run as admin

Go to the ESET web page http://www.eset.com/home/products/online-scanner/ to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

If threats were found

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

close program

copy and paste the report here

Thanks,

Kevin....


Yep obviously something not quite right, ok leave the last instruction for ESET alone and do the following:

Uninstall AVG from your system,

Next,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:


FCopy::
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16937_none_34154fcd77f3bbda\afd.sys | C:\Windows\System32\drivers\AFD.SYS

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

CF3.jpg

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Post the CF log and fresh FSS log..

Kevin


I've uninstalled AVG anti-virus and run ComboFix with the new code.

It seems to me that once ComboFix is run, the internet will temporarily work again. Once I shut down the computer, it stops working.

(currently the computer is on and only been through the reboots after running ComboFix and internet is connected fine)

I've attached both the FSS and ComboFix log files.

Victor

ComboFix.txt

FSS.txt


OK that looks better, leave AVG off your system for now. See if you can install Microsoft Security Essentials, it will want to turn on the Windows Firewall, let that happen;

To keep safe when online you need a good Antivirus/Antispyware/Antimalware/Anti-Rootkit combination application. Microsoft Security Essentials covers all of those bases, but better still it is free. Go here http://www.microsoft...ity_essentials/ Select your OS version, download and follow the prompts. Once installed it will want to update and carry out a quick scan, allow that to happen. Let me know if it finds anything from the scan...

Give an update on current status etc.... I`m off to bed, pick up your thread later...zzzzzzzzzzzzz


Oh damn, 8 hour difference.

Just an update:

That "Run DLL" pop-up that I was getting initially is now resolved.

Internet is fully working again.

Windows Update and Windows Firewall is working.

Windows Defender...I can access the menu, but when I try to turn Defender on, I get the "Access Denied (Error Code: 0x80070005)". It also says to check the status of Windows Defender in the Action Center. Odd thing is, there is nothing about Windows Defender IN the Action Center menu.

At this stage, the PC that we were working on seems to be fine without Defender

- MS Security Essentials is working fine

- MalwareBytes is up-to-date and working

- Windows Update is enabled and fully functioning

- Windows Firewall is up and good


Windows Defender is turned OFF, it does actually show that way in the FSS logs as follows:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

It does not make any difference to the system now as Microsoft Security Essentials is installed, MSE would have done exactly the same if WD was active. The Windows Defender definitions are built into and included with MSE...

Run the following and post the log..

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop.

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Kevin


Oh sorry Kevin - been a little busy with family things going on...

I haven't downloaded Security Check yet, but I'll get that done tomorrow.

Other than that, I think the system is 110% okay now. I don't believe I need any more further assistance.

Thanks for taking the time to help me out to resolve the issues I was having.

Victor


Thanks for the update Victor, Yep a busy time of the year for all,

Just need to remove CF etc....

Remove Combofix now that we're done with it

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    CF_Uninstall-1.jpg
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

The above procedure will delete the following:

  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.

Next,

  • Download OTC by OldTimer and save it to your desktop. Alternative mirror
  • Double click OTC_Icon.jpg icon to start the program.
    If you are using Vista or Windows 7 accept UAC
  • Then Click the big CleanUp.jpg button.
  • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself.

Next,

Go here http://www.filehippo.com/updatechecker/ (Use the Stand Alone Version, not the installer) Run the FileHippo Update Checker, update all applications as suggested by the Update Checker. Ignore any Beta updates.

If Java or Adobe are updated please check under Start > Control Panel > Programs and Features, ensure any old versions are removed. <--- Very Important

Next,

Download TFC to your desktop, from either of the following links

http://oldtimer.geekstogo.com/TFC.exe

http://itxassociates.com/OT-Tools/TFC.exe

  • Save any open work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program. Vista or Windows 7 users accept the UAC alert.
  • If prompted, click "Yes" to reboot.

TFC will automatically close any open programs, including your Desktop. Let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may re-boot your system, if not Re-boot it yourself to complete the cleaning process <---- Very Important

Keep TFC; it is an excellent run-weekly utility to keep your system optimized, it empties all user temp folders, Java cache etc etc. Always remember to re-boot after a run, even if not prompted

Let me know if the above completes ok.

Seasons greeting to yourself and your family, hope you all have a great time....

Kevin...


Hey Kevin,

Seasons greeting to you as well! Thank you!

I've followed your above steps, and everything went quite smoothly.

Yep, I think I'll keep TFC installed in the system (might just have on all my other systems as well).

Thanks again, and happy holidays!

:lol:

- Victor


Thanks for the update, here is my closure:

Here are some tips to reduce the potential for malware infection in the future:

Make proper use of your antivirus and firewall

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Install and use WinPatrol from here http://www.winpatrol.com/download.html This will inform you of any attempted unauthorized changes to your system.

WinPatrol features explained here http://www.winpatrol.com/features.html

Go here http://www.filehippo.com/updatechecker/ run the FileHippo Update Checker, update all applications as suggested by the Update Checker. Ignore any Beta updates. (Use stand alone version, not a full install)

If Java or Adobe are updated please check under Start > Control Panel > Add/Remove Programs, ensure any old versions are removed. <--- Very important

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

FireFox http://www.mozilla.com/en-US/,

Opera http://www.opera.com/, and

Chrome http://www.google.com/chrome.

All of these are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here http://www.bleepingcomputer.com/tutorials/tutorial102.html which will help you to make IE MUCH safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

  • Green to go,
  • Yellow for caution, and
  • Red to stop.

Available for Firefox and Internet Explorer.

NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing. Available for Firefox only.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at this article:

http://browsers.about.com/od/addonsplugi2/tp/browser_security_privacy.htm

Here a couple of links by two security experts that will give some excellent tips and advice.

So how did I get infected in the first place by Tony Klein

How to prevent Malware by Miekiemoes

Finally this link http://www.geekstogo.com/forum/topic/38-free-antivirus-and-antispyware-software will give a comprehensive up to date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CDs.

Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.

Take care,

Kevin


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
