Virus/rootkit makes Windows firewall crash


Solved by Maurice Naggar

Please find the MiniToolBox report attached.

Today, I had several dwm.exe crashes on idle, then this behavior stopped.

As stated in the initial post, the only malware which was detected on this computer was "Trojan:Perl/Flooder.A!MTB" once (never again since) in a full scan from Microsoft Safety Scanner. I have not been able to find technical details about this malware.

Malwarebytes and Windows Defender don't find anything.

However, the behavior where the firewall fails to start, gets repaired by a Windows repair reinstallation, then fails again is very suspicious. It looks more like malware than a bug (malware loves turning off security). What do you think?


We can give the following procedure one try, to attempt to reset a few services that relate to the firewall service, using the Malwarebytes support tool that is already on this machine. Be sure you first close/save any open work that you have. We want to do a Restart after this.

  • In your Downloads folder, open the mb-support-1.8.7.918.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, place a checkmark on all of the Repair System entries.
  • Then click on the Repair System button and allow it to run and restart the system.

Then Restart the computer. Wait for Windows to settle back in.


Solution

Good morning. I hope you are doing well and enjoying the weekend.
I am attaching a ZIP file with this. Need to save that to your system. Be sure to remember where it is saved.

SERV30.zip
The contents are 3 Windows 11 registry files related to the Windows 11 firewall services.
Need to open the zip-file and drill down into the contents. Drill down below the initial container folder. Below it there are 3 files that need to be extracted and saved to your system. I suggest making a new sub-folder on your disc for ease of work.
The 3 files are
bfe.reg
mpsdrv.reg
mpssvc.reg
Once you are sure the files are extracted and saved, we now need to get Windows into SAFE mode to do more work.
See how to https://www.elevenforum.com/t/boot-to-safe-mode-in-windows-11.538/
*
Now in safe mode, one by one for each of the 3 .reg files
Using mouse-pointer do a RIGHT-Click on reg-file and select MERGE
When prompted ( if prompted) allow it to proceed. click YES if so prompted to proceed

Be sure to merge each of the 3 .reg files.
Once all is done, then please do a Restart from the Windows Restart menu and be sure that normal Windows is restarted.

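A read-only health check of the service registry keys and the 7024 events discussed in this thread, added here as an example; it is not part of the thread and not Malwarebytes' tooling. The six service names are the ones the posts mention (the three .reg files above plus the five hives named in the reply below); the backup folder on the desktop is my assumption.

```powershell
# Added example, not from the thread: check the service keys the repair steps restore,
# back them up before any merge, and list recent 7024 events. Run from an elevated prompt.
$services = 'BFE', 'mpsdrv', 'mpssvc', 'SecurityHealthService', 'RpcSs', 'wuauserv'
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$backupDir = Join-Path $env:USERPROFILE 'Desktop\service-key-backup'   # assumed location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($name in $services) {
    $key = Join-Path $base $name
    if (-not (Test-Path $key)) {
        # A missing key is the kind of damage the .reg merges in the thread put back.
        Write-Output ("[MISSING] {0}: {1} does not exist" -f $name, $key)
        continue
    }
    # Export the live key first so the pre-repair state can be compared or restored.
    reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$name" (Join-Path $backupDir "$name.reg") /y | Out-Null

    $props = Get-ItemProperty -Path $key
    # Get-Service only lists user-mode services; mpsdrv is a kernel driver, so fall back to CIM.
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        $state = $svc.Status
    } else {
        $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$name'"
        $state = if ($drv) { $drv.State } else { 'NOT REGISTERED' }
    }
    Write-Output ("[KEY OK ] {0,-22} Start={1} State={2} ImagePath={3}" -f $name, $props.Start, $state, $props.ImagePath)
}

# Event ID 7024 from the Service Control Manager records a service that stopped with a
# service-specific error; the thread cites it for the firewall. Show the most recent ones.
$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7024 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
if (-not $events) { Write-Output 'No recent 7024 events in the System log.' }
foreach ($e in $events) { Write-Output ("{0:u}  {1}" -f $e.TimeCreated, $e.Message) }
```

Any line reported as MISSING, or a State other than Running for BFE and mpssvc after a reboot, is the condition the thread's registry repair addresses.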

Hello Maurice,

I was contacted through direct message earlier by @AdvancedSetup.  He guided me through steps which probably boil down to the same as what you are proposing because it was also about restoring registry hives. This did not require safe mode but a specialized tool to run the commands as the "TrustedInstaller" user. Also, there were not 3 but 5 hives (BFE, SecurityHealthService, mpssvc, RpcSs and wuauserv).

The proposed action plan worked like a charm. The registry got fixed and all the problems (firewall failing to start, 7024 events on the firewall, Windows Search not working, dwm.exe crashes) have disappeared.

Of course, I will be monitoring the system behavior in the next few days to make sure that everything is stable.

In the meantime, I want to thank you both very much for the hard work you put into this.

I don't know what caused such registry corruption in the first place, which is why I was convinced there was malware at work.

I mark your post as the solution.

IT_man


Good afternoon. Thank you! So glad to hear this best news. I had you save the tool named SecurityCheck.exe. I would appreciate one new run.

Launch SecurityCheck.exe 

  • If Windows' SmartScreen blocks that with a message window, then
  • click on the MORE INFO spot, override that and allow it to proceed.

This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run and go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


Hello Maurice,

I took some time to check the PC behavior and it is not OK:

- there was a dwm.exe crash (black screen + hangups on the first 2 reboots) today,

- there was also a crash of World of Warcraft on the loading screen (image freezes and only a power cycle manages to do anything),

- the Windows Firewall notifications are still present,

- a right-click on a file to run a Windows Defender scan does nothing (but a MalwareBytes scan works).

On the plus side:

- Windows firewall is OK and the 7024 errors are gone,

- Windows Search works,

- the basic Windows tools such as Terminal or Notepad are OK.

So it is likely that the initial corruption still has some aftermath, although the main problems are fixed.

From what I saw on the internet, the dwm.exe issues are tricky and can have many causes (hardware, USB, drivers, etc.). But this is beyond a malware-focused forum.

Please find the SecurityCheck attached. It looks good.

IT_man

SecurityCheck.txt


Hello. The SecurityCheck report indicates that Discord needs to be updated to the latest.
Discord v.0.0.309   Warning! Download Update

As to the other issues, and since these are not caused by malware, but rather more likely some form of 'glitch', I would recommend a Windows 11 in-place repair, as shown and listed on this guide at ElevenForum
https://www.elevenforum.com/t/repair-install-windows-11-with-an-in-place-upgrade.418/


Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log may open in Notepad titled kprm-(date).txt. I do not need it. Just close Notepad if it shows up.

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

I wish you all the best.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you
