"Unable to connect the Service"

[Potato1337]

I am very careful when downloading programs, but got a virus anyway (I don't know what hit me, but I accepted a program I really thought isn't a virus), virus deleted malwarebytes and I couldn't use Windows Defender. First thing I did was downloading malwarebytes again, of course virus blocked it, I found a way to install it, but I can't start it. When I launch Malwarebytes, I get "Unable to start. Unable to connect the Service." message (this also happens when I launch it as an administrator). Does anybody know how to solve this problem? 

[Porthos]

Let's try and get some logs first so the team can review them and see if they can tell what may be causing your issues.... Please use an Administrator account when doing the following,

1. FIRST: Create and obtain Farbar Recovery Scan Tool (FRST) logs
2. Download FRST and save it to your desktop. Tell any program that blocks it to ignore or allow. It IS SAFE. It contains no info that can identify or harm you.
3. NOTE: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
4. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
5. Press the "Scan" button
6. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
   NOTE: These two files will be collected by the MB-Check Tool and added to the zip file for you
7. NEXT: Create and obtain an mb-check log
8. Download MB-Check and save to your desktop
9. Double-click to run MB-Check and within a few second the command window will open, then click "OK"
10. This will produce one log file on your desktop: mb-check-results.zip
11. Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

[Potato1337]

8 minutes ago, Porthos said:

Let's try and get some logs first so the team can review them and see if they can tell what may be causing your issues.... Please use an Administrator account when doing the following,

1. FIRST: Create and obtain Farbar Recovery Scan Tool (FRST) logs
2. Download FRST and save it to your desktop. Tell any program that blocks it to ignore or allow. It IS SAFE. It contains no info that can identify or harm you.
3. NOTE: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
4. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
5. Press the "Scan" button
6. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
   NOTE: These two files will be collected by the MB-Check Tool and added to the zip file for you
7. NEXT: Create and obtain an mb-check log
8. Download MB-Check and save to your desktop
9. Double-click to run MB-Check and within a few second the command window will open, then click "OK"
10. This will produce one log file on your desktop: mb-check-results.zip
11. Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

Hello, here are the files

Addition.txt

FRST.txt

mb-check-results.zip

[Porthos]

9 minutes ago, Potato1337 said:

Hello, here are the files

You are correct you are infected, I will have this post moved to the malware removal section. @Aura @AdvancedSetup

Edited January 13, 2018 by Porthos

[Potato1337]

Ok, I managed to fix the problem by myself, I downloaded Malwarebytes Chameleon and everything worked.

[Porthos]

5 minutes ago, Potato1337 said:

Ok, I managed to fix the problem by myself, I downloaded Malwarebytes Chameleon and everything worked.

I would let the experts still take a look.

[Potato1337]

7 minutes ago, Kebinu777 said:

Hello, I am having similar problems. Older versions of Malwarebytes open as well as Chameleon, but as soon as I install the latest version it won't open at all (Connect to services)  I have attached the mb-check-results.zip please help me solve this. I have a two year account with Malwarebytes so I'm not sure what keeps the new version from opening in windows 10. 

mb-check-results.zip

Now I checked and found out that only the "Chameleon" (or the older version) works. The latest version doesn't open, I still get that same error. Weird 

 

[Porthos]

@Potato1337 Please wait on staff to move your topic and a malware expert to get to you. 

 

@Kebinu777 I have asked staff to move your post to its own topic. Not all issues are the same. 

[Aura]

Hi Potato1337

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

• As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
• As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
• The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
• If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
• If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
• Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
• I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules
• In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
• I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
  This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
  

This being said, it's time to clean-up some malware, so let's get started, shall we?

Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan.
 
https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/
 
If you manage to run a scan, delete everything it finds, and then copy/paste the content of the mbar-log-DATE-(TIME).txt log that is located in the MBAR folder here after. 
 

[Potato1337]

Hello, Yoan.

I managed to run a scan, it said there are no viruses. I am really not sure if I have them on my computer or not. As I wrote in this thread, I managed to run Malwarebytes Chameleon, so I removed all the threats. Anyway, here are the mbar-log.txt file contents:

Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org

Database version:
  main:    v2018.01.13.05
  rootkit: v2017.10.14.01

Windows 10 x64 NTFS
Internet Explorer 11.576.14393.0
Admin :: DESKTOP-L4A24CR [administrator]

14.01.2018 1:24:53
mbar-log-2018-01-14 (01-24-53).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 230101
Time elapsed: 7 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 

[Aura]

Good. Now follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.

• Download the right version of FRST for your system:
  
  • FRST 32-bit
  • FRST 64-bit
    Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
    
• Move the executable (FRST.exe or FRST64.exe) on your Desktop
• Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
• Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds
• Make sure the Addition.txt box is checked
• Click on the Scan button
  
• On completion, two message box will open, saying that the results were saved to FRST.txt and Addition.txt, then open two Notepad files
• Copy and paste the content of both FRST.txt and Addition.txt in your next reply
  

[Potato1337]

Hello, here are the files. 

Addition.txt

FRST.txt

[Aura]

Alright, follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

• Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
• Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
• Click on the Fix button
  
• On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
• Copy and paste its content in your next reply
  

fixlist.txt

[Potato1337]

Hello, here is the log file. 

Fixlog.txt

[Aura]

Awesome! How's your system behaving now? Are there any other issues to address?

[Potato1337]

I don't think there is something wrong with my system now, but I still need to fix the original problem. I posted a screenshot of the error I was getting when trying to launch latest version of Malwarebytes. Of course I can use Mb Chameleon, but I want to use the latest version.

[Aura]

Alright, can you simply uninstall and reinstall Malwarebytes, and see if that works? We removed the infection (CertLock) on your system preventing Malwarebytes from working properly, so a simple reinstall should do the trick.

[Potato1337]

Unfortunately, this didn't work. Same error 

[Aura]

Alright, follow the instructions below.

AdwCleaner - Fix Mode

• Download AdwCleaner and move it to your Desktop
• Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
• Accept the EULA (I accept), then click on Scan
• Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  
• Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
• After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply
  

RogueKiller

• Download the right version of RogueKiller for your Windows version (32 or 64-bit)
• Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
• Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
• Wait for the scan to complete
• On completion, the results will be displayed
• Check every single entry (threat found), and click on the Remove Selected button
• On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
• This will open the report in Notepad. Copy/paste its content in your next reply
  

Your next reply(ies) should therefore contain:

• Copy/pasted AdwCleaner clean log
• Copy/pasted RogueKiller clean log
  

[Potato1337]

Hi, here is a adwcleaner log:

# AdwCleaner 7.0.6.0 - Logfile created on Mon Jan 15 15:06:05 2018
# Updated on 2017/21/12 by Malwarebytes 
# Database: 01-11-2018.1
# Running on Windows 10 Enterprise 2016 LTSB (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [3061 B] - [2018/1/13 17:7:34]
C:/AdwCleaner/AdwCleaner[S0].txt - [3189 B] - [2018/1/13 17:6:44]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt ##########

 

And RogueKiller log:

RogueKiller V12.12.0.0 (x64) [Jan 15 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : Admin [Administrator]
Started from : I:\Downloads\RogueKiller_portable64.exe
Mode : Delete -- Date : 01/15/2018 17:19:32 (Duration : 00:31:49)

¤¤¤ Processes : 1 ¤¤¤ **I actually need this, this isn't a virus or anything harmful**
[VT.Detected] AAct.dll(8156) -- C:\Activators\AAct v3.2 Portable\AAct.dll[7] -> Found

¤¤¤ Registry : 7 ¤¤¤
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2292250545-2329621696-241518076-1001\Software\IM -> Deleted
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2292250545-2329621696-241518076-1001\Software\IM -> Deleted
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page : http://ovgorskiy.ru  -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page : http://ovgorskiy.ru  -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page : http://ovgorskiy.ru  -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page : http://ovgorskiy.ru  -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[Adw.Eszjuxuan] (X64) HKEY_USERS\S-1-5-21-2292250545-2329621696-241518076-1001\Control Panel\Desktop | SCRNSAVE.EXE : C:\ProgramData\DreamScreen\DreamCompress.scr [x] -> Replaced (C:\Windows\system32\logon.scr)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 2 ¤¤¤ **I need both of these, they aren't viruses as well**
[PUP.HackTool][File] C:\Windows\KMSAuto.exe -> Not selected
[PUP.uTorrentAds][File] C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.5.0_43804\utorrentie.exe -> Not selected

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://youtube.com/] -> Deleted

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] cf5296ad1c4b687ed4277604615018bc
[BSP] 65c5ca946977dabbd5f4e7bbcdbe5e0a : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 500 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1026048 | Size: 113971 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1:  +++++
--- User ---
[MBR] 5a024813e487fb91a452b50282bb43f7
[BSP] 303b5ff7fce5f7a645d99d7329e97e9e : Empty|VT.Unknown MBR Code
Partition table:
0 - Basic data partition | Offset (sectors): 2048 | Size: 2861608 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2:  +++++
Error reading User MBR! ([15] ?????????? ?? ??????. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] ????? ?????? ?? ??????????????. )

+++++ PhysicalDrive3:  +++++
Error reading User MBR! ([15] ?????????? ?? ??????. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] ????? ?????? ?? ??????????????. )

+++++ PhysicalDrive4:  +++++
Error reading User MBR! ([15] ?????????? ?? ??????. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] ????? ?????? ?? ??????????????. )

+++++ PhysicalDrive5:  +++++
Error reading User MBR! ([15] ?????????? ?? ??????. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] ????? ?????? ?? ??????????????. )

 

[Aura]

Alright. Are you able to launch Malwarebytes now, or are you getting the same error?

[Potato1337]

Unfortunately, I get the same error when trying to launch it 

[Aura]

Configure a clean boot and restart your computer. Once done, see if you can open Malwarebytes.

http://www.thewindowsclub.com/what-is-clean-boot-state-in-windows

[Potato1337]

I did this, but I still get the same error.

[Potato1337]

Hello, I remember I was trying to fix the problem by myself and came across this forum https://www.technibble.com/forums/threads/malwarebytes-cannot-connect-to-the-service.76034/ where a person had the exact same problem as me, but I didn't really understand how the problem was solved. The solution says something about WMI or other services not working correctly and when trying to start the Malwarebytes service in service list, it gives a "Windows could not start the Malwarebytes service on the local computer. Error code: 1068. The dependency service or group failed to start." error. I think some services doesn't work properly so it results in an error when launching Malwarebytes. I would like to know which services must be working to launch Malwarebytes and how to fix the service not being able to run.