I have been infected by something that has put an executable file on my desktop that is called “Privacy Protection”. Since this happened I noticed that my Windows 7 firewall was turned off. I am unable to turn it back on. Avast has been picking up potential threats but it says “privacy protection” is clean, yet it pops up a few times a day and tells me I need to “activate the removal software”. I need some help please!
Hi Flipper9,
Remove it following the instructions given here: http://www.bleepingcomputer.com/virus-removal/remove-privacy-protection
polonus
Thanks for the help polonus!
Tried it all… it removed the “privacy protection” but I still can’t turn on Windows Firewall. So I am still getting malware 7 threats. I have followed all steps provided by Microsoft for manually turning on the firewall and I keep getting an “error 1068: the dependency service or group failed to start”.
Any other suggestions would be appreciated!
Manual removal failing, then on to the assisted approach.
Follow this guide >> http://forum.avast.com/index.php?topic=53253.0, then post the resulting logs back here as attachments and wait for essexboy to look at them.
Thanks! I will give it a shot.
Here is the MBAM log.
Malwarebytes’ Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8116
Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 9.0.8112.16421
08/11/2011 1:48:07 PM
mbam-log-2011-11-08 (13-48-07).txt
Scan type: Full scan (C:|D:|)
Objects scanned: 530065
Time elapsed: 42 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 23
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Privacy Protection (Exploit.Drop.Gen) → Value: Privacy Protection → Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4Y3Y0C3AYF7W0E5DHHDLQ (Trojan.Spyeyes) → Value: 4Y3Y0C3AYF7W0E5DHHDLQ → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent) → Value: Shell → Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
c:\Recycle.Bin (Trojan.Spyeyes) → Quarantined and deleted successfully.
Files Infected:
c:\programdata\privacy.exe (Exploit.Drop.Gen) → Quarantined and deleted successfully.
c:\programdata\B590.tmp (Exploit.Drop.Gen) → Quarantined and deleted successfully.
c:\programdata\D50D.tmp (Exploit.Drop.Gen) → Quarantined and deleted successfully.
c:\Users\administrator.phill01\AppData\Local\Temp\0.2154529405218547.exe (Trojan.Inject.adb) → Quarantined and deleted successfully.
c:\Users\administrator.phill01\AppData\Local\Temp\0.7044912839181757.exe (Trojan.Inject.adb) → Quarantined and deleted successfully.
c:\Users\administrator.phill01\AppData\Local\Temp\A7FB.tmp (Exploit.Drop.Gen) → Quarantined and deleted successfully.
c:\Users\administrator.phill01\AppData\Local\Temp\B0DF.tmp (Exploit.Drop.Gen) → Quarantined and deleted successfully.
c:\Users\administrator.phill01\AppData\Local\Temp\D4ED.tmp (Exploit.Drop.Gen) → Quarantined and deleted successfully.
c:\Users\administrator.phill01\AppData\Local\Temp\E5E6.tmp (Exploit.Drop.Gen) → Quarantined and deleted successfully.
c:\Users\administrator.phill01\AppData\Local\Temp\~!#680E.tmp (Trojan.Agent) → Quarantined and deleted successfully.
c:\Users\administrator.phill01\AppData\Local\Temp\~!#7D43.tmp (Trojan.Inject) → Quarantined and deleted successfully.
c:\Users\administrator.phill01\AppData\Local\Temp\~!#809F.tmp (Trojan.Agent) → Quarantined and deleted successfully.
c:\Users\administrator.phill01\AppData\Local\Temp\~!#8D5C.tmp (Trojan.Inject) → Quarantined and deleted successfully.
c:\Users\administrator.phill01\AppData\Local\Temp\~!#C8CD.tmp (Exploit.Drop.Gen) → Quarantined and deleted successfully.
c:\Users\administrator.phill01\AppData\Local\Temp\~!#CFC0.tmp (Trojan.Agent) → Quarantined and deleted successfully.
c:\Users\administrator.phill01\AppData\Local\Temp\~!#D296.tmp (Trojan.Agent) → Quarantined and deleted successfully.
c:\Users\administrator.phill01\AppData\LocalLow\Sun\Java\deployment\cache\6.0\11\2dff028b-22a19cf4 (Trojan.Inject.adb) → Quarantined and deleted successfully.
c:\Users\administrator.phill01\AppData\LocalLow\Sun\Java\deployment\cache\6.0\9\e814d49-4839cb2c (Trojan.Inject.adb) → Quarantined and deleted successfully.
c:\Users\administrator.phill01\AppData\Local\Temp\0.4143448418927945.exe (Exploit.Drop.2) → Quarantined and deleted successfully.
c:\Users\administrator.phill01\AppData\Local\Temp\0.6428196549692389.exe (Exploit.Drop.2) → Quarantined and deleted successfully.
c:\Recycle.Bin\b6232f3ae3f.exe (Trojan.Spyeyes) → Quarantined and deleted successfully.
c:\Recycle.Bin\d8b0f07c2685ad1 (Trojan.Spyeyes) → Quarantined and deleted successfully.
c:\Users\administrator.phill01\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) → Quarantined and deleted successfully.
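As an added, read-only check (not from the thread and not part of MBAM, Combofix or any other tool named here), the PowerShell below audits the two things this log points at: the service dependency chain behind the firewall “error 1068” (the service name MpsSvc is assumed), and the Run keys and Winlogon Shell value that MBAM cleaned. The HKLM Run key and the Winlogon default of explorer.exe are standard Windows values, not taken from the log.

```powershell
# Added audit script (not from the thread); read-only, run as Administrator.
# Assumes service name MpsSvc and the registry paths seen in the MBAM log.

function Test-FirewallDependencies {
    # "Error 1068" means a service MpsSvc depends on could not start.
    # WMI is used so this also works on Windows 7 / PowerShell 2.0.
    foreach ($dep in (Get-Service -Name MpsSvc -ErrorAction Stop).ServicesDependedOn) {
        $w = Get-WmiObject Win32_Service -Filter "Name='$($dep.Name)'"
        New-Object PSObject -Property @{
            Service = $dep.Name; State = $w.State; StartMode = $w.StartMode
            Problem = ($w.State -ne 'Running' -or $w.StartMode -eq 'Disabled')
        }
    }
}

function Get-AutostartEntries {
    # The two Run hives the log shows, plus the machine-wide one.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            # ProgramData, Temp and a root Recycle.Bin folder are where the
            # infected files in the log lived; such launch paths deserve a look.
            New-Object PSObject -Property @{
                Key = $key; Name = $p.Name; Command = $p.Value
                Suspicious = [bool]($p.Value -match 'ProgramData|\\Temp\\|Recycle\.Bin')
            }
        }
    }
}

function Test-WinlogonShell {
    # HKLM Shell should be exactly "explorer.exe"; a per-user Shell value under
    # HKCU normally does not exist, which is why MBAM flagged the one above.
    $wl = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $m = (Get-ItemProperty "HKLM:\$wl" -ErrorAction SilentlyContinue).Shell
    $u = (Get-ItemProperty "HKCU:\$wl" -ErrorAction SilentlyContinue).Shell
    New-Object PSObject -Property @{ MachineShell = $m; UserShell = $u
        Problem = ($m -ne 'explorer.exe') -or ($u -ne $null) }
}

Test-FirewallDependencies | Format-Table -AutoSize
Get-AutostartEntries | Where-Object { $_.Suspicious } | Format-Table -AutoSize
Test-WinlogonShell | Format-List
```

Any row with Problem = True is the place to start: a stopped or disabled dependency explains the 1068 error, and a leftover Run entry or a UserShell value means the cleanup is not finished.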
Monitoring - but give this a go first
Download Windows Repair (all in one) from www.tweaking.com/content/page/windows_repair_all_in_one.html
Install the programme, then run it
Go to step 2 and allow it to run Disc check
http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture3.gif
Once that is done then go to step 3 and allow it to run SFC
http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture.gif
On the start repairs tab select advanced mode and click start
http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture1.gif
Select the items ticked (remove the ticks from the rest) and tick restart system when finished
See attachments for OTL info
Attached is the aswMBR file
OK I see it from the aswMBR log. Once combofix has completed could you re-run OTL with the same script please (only one log this time)
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
Please make sure you include the Combofix log in your next reply, as well as a description of how your computer is running now.
Here is the completed aswMBR log. I thought it had finished but I guess it was just hung up for a while. I just noticed it had completed its scan.
Got a problem now. Combofix said it was going to reboot about 15 mins ago. My screen is black with just my mouse cursor showing and the computer has not rebooted. What’s the deal?
Combofix started as you have shown in the images of your post, but it then switched to a screen that looked like DOS, only blue. It ran through the scan, showing line after line of “completed stage 1 …” to about stage 50-something, then it said it was deleting files, then folders, then it came up and said it was going to reboot. And here I sit… a little nervous.
Hi Flipper9,
Stay calm; essexboy is a renowned, qualified malware cleanser here and he will lead you out of this problem, no doubt. Just follow his instructions to the dot, as he will come back on.
polonus
P.S. When everything else fails in this case you may fix this problem by restoring the registry hive files from the C:\Windows\ERDNT\Hive-backup folder. This folder is available in the Recovery Console. But await essexboy’s instructions first.
D
Thanks for the reassurance. I will wait to hear from essexboy.
Essexboy,
The computer has rebooted and the Combofix blue screen is up and says…
Preparing Log Report
Do not run any programs until Combofix is finished
Access is Denied.
What happened was my Avast antivirus came back on when the computer rebooted. I have disabled it again.
What should I be doing now?
Flipper9
Here is the Combofix log.
Essexboy,
Thanks for all your help. This has worked and my firewall is up and running!
Appreciate all the help received!
Flipper9
Combofix does sometimes take a while to remove this one, as there are several registry keys that need to be changed at the same time as the file is being deleted.
What problems remain?
So far no issues. Thanks again for your help.
Greatly appreciated!!!
OK, if you are still happy tomorrow, let me know and I will remove my tools.