Malware disabled by firewall, can't get it back up


Hi all. First, let me say I love Malwarebytes; it has saved me from many frustrating moments in the past. I have a Windows 7 machine that usually blocks everything pretty well, but yesterday I got one of those stupid fake anti-virus things, and it took me a little while to clear it out. Malwarebytes did find it and took care of it, but I am still having a re-direct problem, but that's not my biggest concern... My firewall is disabled (the fake anti-virus took it down so that it wouldn't block it).

So here's the thing... Only 1 of the 2 services that the firewall depends on is running (BFE)... The Windows Firewall Authorization Driver won't start when I click Start (I get the error that it can't create a file when the file already exists... and when I move the file somewhere else (mpsdrv.sys under the System32 folder) then it says it can't find the file...) and I know that the file itself isn't corrupt, so why won't this Windows Firewall Authorization start up with the correct driver file? I tried Microsoft's fix; it didn't work... Their stupid command prompt won't let an sfc /scannow finish; it keeps giving me a Windows protection error after like 56% through...

Here's my log file from the fake anti-virus removal:

Malwarebytes' Anti-Malware


Database version: 7562

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

8/25/2011 4:33:52 AM

mbam-log-2011-08-25 (04-33-52).txt

Scan type: Quick scan

Objects scanned: 171832

Time elapsed: 2 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Security Protection (Rogue.Spypro) -> Value: Security Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\Bobby\AppData\Local\Temp\8BFE.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\Users\Bobby\AppData\Local\Temp\jucheck.exe (Trojan.Tracur) -> Quarantined and deleted successfully.

I ran a full scan afterwards and it found 0 items infected.

Thanks in advance!

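The poster's diagnosis above (firewall down, BFE running, the Windows Firewall Authorization Driver refusing to start with a "file already exists" error, sfc /scannow not finishing) can be checked systematically. The script below is an added example, not code from this thread or from Malwarebytes; it assumes a Windows 7 system (PowerShell 2.0 is enough), an elevated prompt, and the standard driver location, which is System32\drivers\mpsdrv.sys rather than the System32 root. It only reads state and verifies a single file; it changes nothing.

```powershell
# Added example, not code from the thread: triage the Windows Firewall
# service chain on Windows 7 after a rogue "AV" has disabled it.
# Run from an elevated PowerShell prompt. Everything here is read-only.
#
# The firewall service (MpsSvc) cannot start until both of its declared
# dependencies, the Base Filtering Engine (BFE) and the Windows Firewall
# Authorization Driver (mpsdrv), are running.

# 1. Decode the error the poster saw. "Cannot create a file when that file
#    already exists" is Win32 error 183 (ERROR_ALREADY_EXISTS); it is raised
#    by the service control manager, so a corrupt driver file is only one of
#    several possible causes.
$err = New-Object System.ComponentModel.Win32Exception 183
Write-Output ("Win32 error 183: {0}" -f $err.Message)

# 2. State of the two Win32 services and their declared dependencies.
#    'sc' is an alias for Set-Content in PowerShell, so call sc.exe explicitly.
foreach ($name in 'BFE', 'MpsSvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) { Write-Output ("{0,-8} not installed" -f $name); continue }
    Write-Output ("{0,-8} {1}" -f $name, $svc.Status)
    # DEPENDENCIES is printed on one line per dependency; continuation lines
    # start with whitespace and a colon.
    sc.exe qc $name | Select-String 'START_TYPE|DEPENDENCIES|^\s+: ' |
        ForEach-Object { Write-Output ("         {0}" -f $_.Line.Trim()) }
}

# 3. The mpsdrv kernel driver. Get-Service does not enumerate drivers, so
#    ask the SCM directly, then read the driver's registry configuration.
#    Start = 4 means the driver has been set to Disabled; the ImagePath
#    should point at System32\drivers\mpsdrv.sys.
$state = sc.exe query mpsdrv | Select-String 'STATE'
if ($state) { Write-Output ("mpsdrv   {0}" -f $state.Line.Trim()) }
else        { Write-Output "mpsdrv   not registered with the SCM" }

$cfg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mpsdrv' `
                        -ErrorAction SilentlyContinue
if ($cfg) {
    Write-Output ("mpsdrv   Start={0} ImagePath={1}" -f $cfg.Start, $cfg.ImagePath)
}

# 4. Verify the driver binary against the component store. sfc /verifyfile
#    checks one file and is a useful fallback when a full /scannow aborts.
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\mpsdrv.sys'
if (Test-Path $driverPath) {
    $file = Get-Item $driverPath
    Write-Output ("{0}  {1} bytes  modified {2}" -f $driverPath, $file.Length, $file.LastWriteTime)
    sfc.exe /verifyfile=$driverPath
} else {
    Write-Output ("{0} is missing" -f $driverPath)
}

# 5. Autorun persistence of the kind the MBAM log shows (an HKCU Run value).
#    List every Run value so a second, undetected entry is not overlooked.
#    The Wow6432Node key exists only on 64-bit Windows.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Output ("{0}`n    {1} = {2}" -f $key, $_.Name, $_.Value) }
}
```

Two things to look at in the output: whether mpsdrv shows Start=4 or an ImagePath that does not match the file sfc just verified (a disabled or redirected driver is a configuration change, not a damaged file), and whether any Run value points into a user's Temp directory, as the two files in the MBAM log did. A driver that has merely been set to Disabled can be re-enabled with `sc.exe config mpsdrv start= demand`, but as the replies below say, on a machine that is still redirecting traffic, such changes are best made under guidance after the infection itself is dealt with.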

Hello and welcome.

Yep, it seems that you have some problems as a result of an infection.

We do not work on malware/infection issues in this forum.

Go to this link and follow the directions and complete what steps you can:

If you have a "paid for" version of Malwarebytes you can go to the help desk for more timely instructions.

The best of luck to you.


You may still be infected.

It is better to be safe rather than sorry. ;)

I suggest that you go through the cleaning steps with an expert, and once the "all clear" is given, if you are still having issues with the re-direct (etc.), post back here.


Hello, and Welcome to Malwarebytes

More than likely the infection made some changes to your computer that are preventing the firewall from starting up, and the re-direct problem tells you that there is still an infection active.

Because you are infected, here are the steps needed to get your computer cleaned....

Please read the following so that you can begin the cleaning process:

You have 3 Options that you can choose from as listed below:

  • Option 1: Free expert advice in the Malware Removal Forum
  • Option 2: Paying customer: contact Support via email
  • Option 3: Premium, fee-based support


As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start a topic in the Malware Removal forum so a qualified helper can help you fix any malware related problems/infections you may have.

  • Please read and follow the , skipping any steps you are unable to complete. Then post a

  • After posting your new post, make sure under , you select Track this topic and choose Immediate Email Notification, so that you're alerted when someone has replied to your post.

  • One of the there will give you one-on-one assistance when one becomes available.

  • Please refrain from making any further changes to your computer such as (Install/Uninstall programs, use special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.

Please DO NOT post back to (bump) your topic within the first 48 hours.

Replying to your own posts changes the post count and helpers are looking for topics with zero replies. If you reply to your own post helpers may think that you're already being helped and thus overlook your post.
  • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.

  • You may send a Private Message to a Moderator asking for assistance.


Alternatively, as a paying customer, you can contact the help desk at


If you would like to use our Malwarebytes Premium Services, comprehensive solutions to all your computer support needs, from installation and set-up to troubleshooting and tune-ups, go to our support site.

Please be patient, someone will assist you as soon as it is possible.

PS: Please use the "ADD REPLY" button instead of other ones when you start replying. :)


Running ComboFix cleared the problem right up. Here is the log file of what it removed, in case anybody else has this problem with Malwarebytes not fully removing a redirect virus:

08:21:20 1,682 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-LADSPA_plugins-win_is1.reg.dat

08:21:19 1,380 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Adobe Shockwave Player.reg.dat

08:21:11 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SynTPEnh.reg.dat

08:21:11 92 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat

08:21:05 534 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-MCODS.reg.dat

08:21:05 546 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-mcmscsvc.reg.dat

08:20:59 104 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-Locked.reg.dat

08:13:38 16,396 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

08:07:14 51 ----a-w- C:\Qoobox\Quarantine\catchme.log

04:16:31 5,956 ----a-w- C:\Qoobox\Quarantine\C\Users\Bobby\AppData\Local\{D05021AB-A171-474C-901E-6B4C656A7F81}\chrome\content\overlay.xul.vir

04:16:31 2,122 ----a-w- C:\Qoobox\Quarantine\C\Users\Bobby\AppData\Local\{D05021AB-A171-474C-901E-6B4C656A7F81}\chrome\content\_cfg.js.vir

04:16:31 764 ----a-w- C:\Qoobox\Quarantine\C\Users\Bobby\AppData\Local\{D05021AB-A171-474C-901E-6B4C656A7F81}\install.rdf.vir

04:16:31 122 ----a-w- C:\Qoobox\Quarantine\C\Users\Bobby\AppData\Local\{D05021AB-A171-474C-901E-6B4C656A7F81}\chrome.manifest.vir

01:39:46 31,744 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir

13:44:20 855,040 ----a-w- C:\Qoobox\Quarantine\C\install.exe.vir

A few of the registry backups were McAfee, which I don't even use... I don't have Google Chrome... and the consrv.dll I have no clue what that was. Needless to say, right after ComboFix rebooted my computer, my internet works fine (no redirects) and my firewall is working again. Yay :)


I'm glad your PC is working correctly again :).

Just for future reference, it is recommended that you never run ComboFix without expert guidance as it is not a general malware removal/fix tool and can render a computer unbootable if something should go wrong, and you'd likely need expert assistance to get it back up and running again if that were to happen.

If you do have any further issues, please don't hesitate to follow Firefox's instructions above and we'll provide you with free, one on one expert assistance :).

Thanks :)


Thank you, exile. I'm sorry, I was just getting a bit impatient, seeing as how my firewall was down and I had a backdoor trojan :( . To be honest I was coming close to just re-installing Windows 7 with my recovery discs (since I'm on a laptop). Would you happen to have a list of the programs that are commonly used to create logs and run malware scans? Looking through these forums (and other similar malware forums) it seems that each moderator has a different one that they are asking people to run to create logs and check for problems. What are the best few, so that I can keep them on hand and not have to re-download them every time I have a problem like this? Thanks in advance! ;)


I understand your frustration; I just needed to post that for your sake and for the sake of anyone else who might come across this thread, so that they don't end up doing more harm than good by running such a powerful tool without any guidance.

Each helper generally has their own preferences as to which logs they like to see; that's why you'll see different forums/helpers using different tools. It wouldn't be too useful to have the tools on hand, as they are updated quite frequently and a helper will always want you to run the latest version of the tools they have you use.

Manually removing malware using such tools isn't a simple task in general, and requires training on how to handle it properly, so pretty much all of the knowledgeable helpers out there have attended one of the schools listed here and completed the training.
