IT_man Posted April 24, 2022 ID:1512534

Hello,

My PC is running Windows 11. A few weeks ago, a notification was displayed which said that the Windows Defender firewall was not started. When trying to restore default Windows firewall settings through the control panel, I got either one or the other of the following errors:

Windows Defender Firewall can't change some of your settings. Error code 0x8007045b

or:

[...] Error code 0x800706d9

When looking at the Windows Defender firewall service, it appears that the service keeps trying to start then failing. The event viewer has plenty of messages saying that the firewall stopped due to an incorrect parameter.

I tried all the usual fixes for the Windows firewall but none worked. Besides, I found other problems in time, like the Windows Search button not working or the Start menu disappearing when I click on it, etc.

I downloaded an ISO image of Windows 11 and reinstalled while keeping data and applications. This got the firewall to work again but it failed on the first subsequent reboot and the other errors came back as well.

I ran many antivirus and anti-rootkit programs. The only one which actually found something is Microsoft Safety Scanner which found this virus once with a full scan:

Trojan:Perl/Flooder.A!MTB

Now scans find nothing.

Every time I reinstall Windows 11, the firewall gets back up and the other bugs disappear then everything fails again on the first reboot.

Any advice on how to find the culprit and fix this would be greatly appreciated.

Thanks.
Maurice Naggar Posted April 24, 2022 ID:1512536

Hello.

If this system does not have Malwarebytes for Windows installed, let's get it installed & then do a scan. Malwarebytes for Windows can detect and remove most malware with no further actions required for free.

Go and install Malwarebytes for Windows. See https://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows

After the setup has completed, run a Threat Scan: open Malwarebytes for Windows and click the blue Scan button.

Then, locate the Scan run report; export out a copy; & then attach it with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
IT_man Posted April 24, 2022 Author ID:1512544

Thanks Maurice.

I had already installed Malwarebytes and run a scan but I did that again today. Nothing was detected. The report is attached. It is in French btw.

Fyi I also ran Malwarebytes rootkit scanner beta earlier and it didn't find anything either.

IT_man

mb__scan_report_20220424.txt
Maurice Naggar Posted April 24, 2022 ID:1512549

Thank you for the information and Malwarebytes report.

Take these actions so that Windows 11 is set to show all hidden files and folders.

- Open File Explorer from the taskbar.
- Select View > Show > Hidden items.

[ 2 ]

I would like a report set for review. This is a report only.

- Please download MALWAREBYTES MBST Support Tool.
- Once you start it, click Advanced >>> then Gather Logs.
- Have patience till the run has finished.
- Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

Please attach mbst-grab-results.zip to your reply.
IT_man Posted April 24, 2022 Author ID:1512570

Please find the requested reports attached. Let's hope it can provide something useful.

For your information, the current state of the computer is with Windows 11 reinstalled and the computer not rebooted, so that the system is working properly, at least on the surface.

mbst-grab-results.zip
Maurice Naggar Posted April 24, 2022 ID:1512582

Thank you. Here are next actions.

Start Malwarebytes. Click Settings ( gear ) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

- Click the Security Tab.
- Scroll down to "Windows Security Center".
- Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center". { We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows trial 😃.

Close Malwarebytes.

This custom script is for IT_Man only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any.

Next, a custom script to do checks & some cleanups. This is really just housekeeping. We will use FRSTEnglish on the Downloads folder to run a custom script. The system will be rebooted after the script has run. This custom script has some specific things, plus some general aspect to help the system overall. Hoping it will not exceed 60 minutes in execute time.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will rebuild the Winsock.

NOTE-2: This should run a quick scan with MS Defender antivirus and remove outstanding action items, if any.

NOTE-3: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed.
The following directories are emptied:

- Windows Temp
- Users Temp folders
- Edge, IE, FF, Chrome, and Opera & BRAVE caches, HTML5 storages, Cookies and History
- Recently opened files cache
- Flash Player cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

Please be sure to Close any open work files, documents, any apps you started yourself before starting this.

If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

Please save the (attached file named) FIXLIST.txt to the Downloads folder.

Fixlist.txt <<< - - - - -

Then, start the Windows Explorer and go to the Downloads folder.

RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool...... click the More info line on that screen, then click the Run anyway button on the next screen.

On the FRST window: Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.

If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart. When finished, the tool will make a log ( Fixlog.txt ) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
IT_man Posted April 25, 2022 Author ID:1512617

Hello,

Thanks for the action plan. I ran it as specified. In the FRSTEnglish.exe, the "fix" button turned to "fixing" then the tool ran for about a minute and simply disappeared. There is no "FRSTEnglish.exe" process in the task manager (details, all users) and no log in the downloads folder. The "FRSTEnglish.exe" and provided "Fixlist.txt" files are both in the downloads folder, as requested.

I have already had this kind of crash with other software since the issue appeared.

As a side note, from the first action, I got a notification that antivirus protection is disabled but I guess it is expected.

What can we do now?
Maurice Naggar Posted April 25, 2022 ID:1512651

I regret the trouble at hand. We will need to do a few more different tasks. At this point, let us do this.

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.

Get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it. Disregard the title subject of the topic. Run the MBAR tool as listed here:

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

When done, I need the MBAR logs. Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created. Both files can be found in the extracted MBAR folder on your Desktop. Please attach both files in your next reply.
IT_man Posted April 25, 2022 Author ID:1512717

The rootkit scan ran without issue and found nothing. The requested log files are attached.

For your information, before that, the computer suddenly stopped and rebooted so now Windows firewall is down again.

IT_man

mbar-log-2022-04-25 (20-08-25).txt
system-log.txt
Maurice Naggar Posted April 25, 2022 ID:1512747

Thank you for the MBAR reports. Let's do a new script run with a new Fixlist.

This custom script is for IT_Man only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any.

Next, a custom script to do checks & some cleanups. This is really just housekeeping. We will use FRSTEnglish on the Downloads folder to run a custom script. The system will be rebooted after the script has run. This custom script has some specific things, plus some general aspect to help the system overall. Hoping it will not exceed 60 minutes in execute time.

Please be sure to Close any open work files, documents, any apps you started yourself before starting this.

If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

Please save the (attached file named) FIXLIST.txt to the Downloads folder.

Fixlist.txt <<< - - - - -

Then, start the Windows Explorer and go to the Downloads folder.

RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool...... click the More info line on that screen, then click the Run anyway button on the next screen.

On the FRST window: Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.

If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart. When finished, the tool will make a log ( Fixlog.txt ) in the same location from where it was run.
Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
IT_man Posted April 26, 2022 Author ID:1512807

Hello Maurice,

This time, the script ran without issues and prompted for a reboot. The "Fixlist.txt" file got deleted and replaced with "Fixlog.txt" which is attached here.

The computer has been experiencing more and more random crashes of late and this is beginning to cause some data loss (files which were open at the time of the crash). Let's hope that the log will provide some clues.

IT_man

Fixlog.txt
Maurice Naggar Posted April 26, 2022 ID:1512829

Hello. I regret to hear about "random aborts". Let us do 2 things.

I would highly suggest to ensure that this pc is all up-to-date with security updates & cumulative updates on Windows. Select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates. Have much patience.

[ 2 ]

Let's pause and make time and just get a set of fresh reports to see what is running, what is active. Your machine has the FRSTENGLISH report tool on the Downloads folder. We will use that.

- Go to Downloads folder. RIGHT-click on FRSTENGLISH and select Run as Administrator and tap ENTER. And reply YES to allow to proceed.
- When the tool opens click Yes to the disclaimer.
- And be very sure to TICK the box for Addition.txt
- Press the Scan button.
- It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run.

Have patience since the run may take something like 10 or so minutes (less depending on your hardware speed).

Close Notepad IF those show up on Notepad.

Just please attach the 2 files FRST.txt + Addition.txt with your next reply.
IT_man Posted April 26, 2022 Author ID:1512849

Hello,

Windows updates were mostly already OK but I installed the latest April cumulative update (with reboot) for completeness. Now the search detects no new update.

The scan ran without issues. The result files are attached.

Before that, I had another random crash so I will run a MemTest86 just to be sure.

Addition.txt
FRST.txt
Maurice Naggar Posted April 26, 2022 ID:1512850

When there is a "random crash", are you jotting down all the detail? I am most interested in having the Microsoft error code itself, and the description as shown to you on-screen.

Thank you for the FRST reports.
Maurice Naggar Posted April 26, 2022 ID:1512851

Let us see whether the Windows firewall log has meaningful information that could help shed light on the current issue.

First, be sure that Windows is set to show all folders, all files, including any 'hidden'. Take these actions so that Windows 11 is set to show all hidden files and folders.

- Open File Explorer from the taskbar.
- Select View > Show > Hidden items.

You can find the firewall log at:

C:\Windows\System32\LogFiles\Firewall

By default, the log is named pfirewall.log. Please attach that with next reply.
Maurice Naggar Posted April 26, 2022 ID:1512856

One more note: I am going to be re-focusing on the firewall issue. But I also need to make a note that there are repeated Windows aborts of another Windows component. There are repeated logged events like this.

Error: (04/26/2022 04:18:04 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Nom de l’application défaillante dwm.exe, version : 10.0.22000.1, horodatage : 0x7cbe2305
Nom du module défaillant : dwmcore.dll, version : 10.0.22000.613, horodatage : 0x5aef2189
Code d’exception : 0x8898008d
Décalage d’erreur : 0x000000000011e676
ID du processus défaillant : 0x2830
Heure de début de l’application défaillante : 0x01d85978701eb142
Chemin d’accès de l’application défaillante : C:\WINDOWS\system32\dwm.exe
Chemin d’accès du module défaillant: C:\WINDOWS\system32\dwmcore.dll
ID de rapport : 58f2236b-3068-4bd6-abbc-fe1aae8ea110
Nom complet du package défaillant :
ID de l’application relative au package défaillant :

Question: Are games being on or games played when this happens?

Question: Have you over-clocked the machine system-board?

* This is a good point to emphasize not playing online games or games in general, while the case is on-going.

I would also emphasize to reduce the auto-started applications that start with Windows down to the absolute minimum. Which would basically be just security applications.

Apply these principles now from the following How-to:

How to perform a clean boot in Windows
https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows

I would like you to ( for the time being ) disable the auto-starting of Overwolf & PowerDVD19Agent ( there are 2 auto-starts for that. Set both to be disabled ).

Thank you. I will re-focus on the Windows firewall.
Maurice Naggar Posted April 26, 2022 ID:1512863

I have 3 prior replies from before this. I hope I do not over-whelm you. This here is intended to help with the firewall service & other Windows services.

This custom script is for IT_Man only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any.

Next, a custom script to do checks & some cleanups. This is really just housekeeping. We will use FRSTEnglish on the Downloads folder to run a custom script. The system will be rebooted after the script has run.

Please save the (attached file named) FIXLIST.txt to the Downloads folder.

Fixlist.txt <<< - - - - -

Then, start the Windows Explorer and go to the Downloads folder.

RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool...... click the More info line on that screen, then click the Run anyway button on the next screen.

On the FRST window: Click the Fix button just once, and wait.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Thank you
IT_man Posted April 27, 2022 Author ID:1513009

Hello Maurice,

Thanks again for all the action plans. Here are the answers and results.

- First of all, I ran a 5-hour MemTest86, i.e. 2 full passes using all 8 CPU cores. No error was found so the RAM and CPU seem fine.
- The random crashes I experience hardly ever produce a blue screen (it must have happened once or twice and not recently). Generally, the screen turns black or freezes and I have to forcibly reboot or the computer reboots by itself.
- There is no firewall log: the "C:\Windows\System32\LogFiles\Firewall" folder exists but it is empty. As far as I know, firewall logging needs to be turned on explicitly.
- The dwm.exe (Desktop Windows Manager) process crashes seem consistent with the fact that the screen turns to black or freezes. However, I have not yet managed to link the crashes to a particular action or software.
- Nothing is overclocked on this machine. I am always very conservative with hardware settings.
- I performed the steps for a clean boot and disabled everything (even MalwareBytes) just to be sure.
- After the reboot, I ran the provided fix script. It ran fine and rebooted. The resulting "Fixlog.txt" log is attached.

Fixlog.txt
Maurice Naggar Posted April 27, 2022 ID:1513027

Thank you. Let us make time and do this please.

I would highly suggest to ensure that this pc is all up-to-date with security updates & cumulative updates on Windows. Select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates. Have much patience.

And, once it has completed, please do one Windows Restart.
IT_man Posted April 27, 2022 Author ID:1513043

I have clicked the "check for updates" and rebooted several times already. There are no new updates available right now.

However, new things have happened. Since dwm.exe crashed (it crashed once again today with a black screen), I tried to uninstall the graphics driver and install the one from NVidia instead of the default one from Windows.

For this, I began by restarting in safe mode (through msconfig) but safe mode was completely bugged (the screen kept blinking and the start menu was not there). Same after another restart (in safe mode). I reverted to normal startup but many things were still wrong (no start menu, network not up, etc.) so in the end I had to reenable all the startup services to regain stability.

I then used DDU (display driver uninstaller) twice to clean up my driver (with the Ethernet cable unplugged to block Windows update of the driver) then installed the latest NVidia driver (driver only, by updating from the device manager). I now have driver version 30.0.15.1259 (2022/04/20) instead of 30.0.14.7196 (2021/08/27).

We will see if the dwm.exe crashes disappear with the latest drivers but considering the recent behavior of this computer, my hopes are low.
Maurice Naggar Posted April 27, 2022 ID:1513046

For my concern, I hope we are not drifting and losing focus on the original issue of this case. I think it is best to re-group.

Remind me if the Windows firewall has been having aborts today?

And let us get a couple of reports.

Download Farbar's Service Scanner utility and Save to your Desktop.

- Right-Click on fss.exe and select Run As Administrator. Answer Yes to ok when prompted.
- If your firewall then puts out a prompt, again, allow it to run.
- Once FSS is on-screen, be sure the following items are check-marked:
  - Internet Services
  - Windows Firewall
  - System Restore
  - Security Center/Action Center
  - Windows Update
  - Windows Defender
  - Other services
- Click on "Scan".
- It will create a log (FSS.txt) in the same directory the tool is run. Please attach that file.

I would recommend getting a readout report as to update the status of some key apps.

Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.

If Windows's SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. Smartscreen is overly sensitive.

- Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward.
- Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
- You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt
IT_man Posted April 27, 2022 Author ID:1513052

Yes, sadly, the 7024 events on the firewall are still present in huge numbers.

Please find attached the reports from Farbar's service scanner and glax24x's SecurityCheck. The latter gives a warning about VdhCoApp but I did purchase VideoDownloadHelper so it's not a mistake and I have been using it for years.

FSS.txt
SecurityCheck.txt
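
Added example, not part of any post in this thread: one way to pull the two pieces of evidence discussed above (the event 7024 service failures and whether firewall logging is switched on) from an elevated PowerShell prompt. The service short names mpssvc (Windows Defender Firewall) and BFE (Base Filtering Engine), the 7-day window and the 4096 KB log size are assumptions of this example.

```powershell
# Added example. Run from an elevated PowerShell prompt on the affected machine.

# 1. Current state of the firewall service and the Base Filtering Engine
#    it depends on.
Get-Service -Name mpssvc, BFE | Select-Object Name, Status, StartType

# 2. Service Control Manager event 7024 ("service terminated with a
#    service-specific error") over the last 7 days, grouped by service and
#    error text. For this event, the first property is the service name and
#    the second is the error.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7024
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Service = $_.Properties[0].Value
            Error   = $_.Properties[1].Value
        }
    } |
    Group-Object Service, Error |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 3. Firewall logging is off by default, which is why the
#    C:\Windows\System32\LogFiles\Firewall folder can exist and be empty.
#    Show the per-profile logging settings, then turn on logging of dropped
#    packets for all profiles. These cmdlets can fail while the firewall
#    service is not running, so the failure is reported instead of hidden.
try {
    Get-NetFirewallProfile -ErrorAction Stop |
        Select-Object Name, Enabled, LogFileName, LogAllowed, LogBlocked, LogMaxSizeKilobytes

    Set-NetFirewallProfile -All -LogBlocked True -LogMaxSizeKilobytes 4096 -ErrorAction Stop
}
catch {
    Write-Warning "Firewall profile query/update failed: $($_.Exception.Message)"
}

# 4. Confirm whether a log file exists yet at the default location.
$log = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'
if (Test-Path $log) {
    Get-Item $log | Select-Object FullName, Length, LastWriteTime
} else {
    Write-Output "No firewall log at $log"
}
```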
Maurice Naggar Posted April 27, 2022 ID:1513061

Hello @IT_man

The FSS report shows that Microsoft Defender is in good state; as does the SecurityCheck report. Microsoft Defender and its services are up-to-date and running.

Now as to SecurityCheck: these apps need your attention to ensure they have the latest releases.

Oracle VM VirtualBox 6.1.18 v.6.1.18 Warning! Download Update
------------------------------ [ ArchAndFM ] ------------------------------
7-Zip 19.00 (x64) v.19.00 Warning! Download Update
Uninstall old version and install new one.
-------------------------- [ IMAndCollaborate ] ---------------------------
Discord v.0.0.309 Warning! Download Update
-------------------------------- [ Media ] --------------------------------
VLC media player v.3.0.16 Warning! Download Update

* If you do not have a paid-license for Malwarebytes, then I suggest that you set it so that it does not auto-startup with Windows. If I recall properly, start Malwarebytes, click Settings, then click Account tab. Then under the License key field, click "Deactivate". ( You will still be able to start & use it on-demand ). Also EXIT out of real-time Malwarebytes protections. See https://support.malwarebytes.com/hc/en-us/articles/360038524254-Quit-Malwarebytes-for-Windows-services

* Consider doing a full backup of your system to offline media. Backup is your best friend. I suggest a Backup before doing this next procedure.

* While Windows 11 is operable, by using it and special procedures, you may do a "repair install". Repair install Windows 11 with an in-place Upgrade. Please read fully all of Shawn's how-to at Elevenforum:
https://www.elevenforum.com/t/repair-install-windows-11-with-an-in-place-upgrade.418/

{ Bookmark Elevenforum. It is a very good resource for all things Windows 11. }
IT_man Posted April 29, 2022 Author ID:1513312

Hello Maurice,

As usual, let us take this point by point.

First about the dwm.exe crashes:

- There is always exactly one crash per day, no more, no less (tested from April 25 to 29). It happens when the computer is idle. I baited one today and it occurred after a few minutes.
- Updating the graphics driver or starting with all non-Microsoft services disabled makes no difference: the crash still takes place.
- When a crash happens and the screen is black, a short press of the power button initiates a clean shutdown. Nothing else works (e.g. Ctrl-Alt-Del or Ctrl-Alt-Esc).

Now the pre-reinstallation actions:

- VirtualBox, 7-zip, Discord and VLC Media Player have been updated. Strangely enough, VLC update check menu option showed no new version although one is available on the website.
- MalwareBytes license has been deactivated. I also unchecked "Start MalwareBytes with Windows" before closing the program from the notification area.
- I backed up my essential data to external media. Let's hope that it introduced no malware into that media.
- More and more programs are becoming inaccessible. For instance, when I try to run Notepad, I get an error saying I don't have permissions to "C:\Program File\WinodwsApps\Microsoft.WindowsNotepad_11.2112.32.0_x64_8weky....". Same with Terminal, etc.

And the repair reinstallation:

- Windows 11 repair install performed as instructed.
- For your information, this has been done 3-4 times already to try to fix the issue, the only difference being that updates were downloaded immediately as per the default option. FYI also, the media creation tool does not work for this (download does not proceed), probably because the firewall is broken. So mounting an ISO image is the only option.
- Usually, the firewall works after reinstallation and fails again on the first subsequent reboot.
- This time, a dwm.exe crash occurred during the last reinstallation reboot.
On the next reboot, the screen was black with strange artifacts (like a multicolored dotted horizontal line). I have already encountered this behavior previously. Another forced reboot enabled Windows to start. But the firewall is still failing, maybe due to the extra reboot.

For the record, long sessions of video gaming never caused a single crash so a hardware issue on the graphics card is unlikely.

IT_man
Maurice Naggar Posted April 29, 2022 ID:1513365

Good morning. I appreciate the detail. Though, basically, if there is not a malware infection at this point, I will need to refer you elsewhere. Possibly the BSOD section, or else, possibly to the Sysnative forum. They are better suited to look at the aborts / abends happening on this system.

My 2 questions at this point are:

- Does Malwarebytes for Windows report a malware?
- Does Microsoft Defender antivirus report a malware?

And then, for the purpose of seeing most recent system events, the following.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following check-boxes:

- Flush DNS
- Report IE Proxy Settings
- Reset IE Proxy Settings
- Report FF Proxy Settings
- Reset FF Proxy Settings
- List content of Hosts
- List IP configuration
- List Winsock Entries
- List last 10 Event Viewer log
- List Installed Programs
- List Devices
- List Users, Partitions and Memory size.
- List Minidump Files

Click Go and post the result (MTB.txt). A copy of MTB.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.