
06-15-2012 08:13 PM
After getting help removing the trojan yesterday, today I discovered my firewall was down or not even there maybe. At least I cannot make changes in it which tells me something is really wrong. (Tuneup Utilities alerted me to it being down.)
Control panel - to Win firewall. Try to update settings and get: Win firewall can't change settings error 0x8007024.
Searched and went here: http://blogs.technet.com/b/asiasupp/archive/2011/1
Checked services.msc first just to see and BFE was there and started. Windows Firewall wasn't even listed.
Did those steps on above link plus also gave permission for Everyone on mpssvc. (that wasn't said to do but I did it anyway since the first part didn't work).
This still didn't work but Windows Firewall was now listed. Trying to start it gave me the error: could not start, review system log and whatever.
Checked the log: The Windows Firewall service terminated with service-specific error Access is denied.. event id 7024
Before that there was a log on the Firewall service entered the stopped state. event id 7036 (if that means anything)
Okay, so tried those. I also tried Microsoft Fix it for Firewall which couldn't turn it on.
Next I went to system restore -- Oh boy --- we cleaned that out last night and put in "Clean" for the new one. So there was nothing to restore to.
Ran Malwarebytes, Hitman Pro, Microsoft scanner something or other, all in safe mode and nothing found.
So I'm back begging for help from you again. Remember I'm not that computer savvy.
Win7 Pro 64bit
TM Titanium Max Sec 2012
06-15-2012 09:16 PM
Tried this: http://support.microsoft.com/kb/2530126
Method 2 & 3 didn't work.
Tried SFC /scannow command system file checker. Nothing found. (that was way back at the start)
06-15-2012 11:33 PM - edited 06-15-2012 11:46 PM
OK, I can determine and fix that for you.
Download link can also be found here: http://forum.avast.com/index.php?topic=94552.msg75
Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
06-15-2012 11:49 PM
I just installed Comodo Firewall (not that I have a clue on it). But I wanted a firewall up. Here's the log:
Farbar Service Scanner Version: 09-06-2012
Ran by Nancy biz (administrator) on 16-06-2012 at 00:47:06
Running from "C:\Users\Nancy biz\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
**************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error: Google IP is offline
Attempt to access Google.com returned error: Google.com is offline
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend: "%ProgramFiles(x86)%\Windows Defender\mpsvc.dll".

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll [2012-06-13 05:07] - [2012-04-23 23:37] - 0184320 ____A (Microsoft Corporation) 4F5414602E2544A4554D95517948B705
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****
06-15-2012 11:52 PM
Scan with Comodo exited:
Farbar Service Scanner Version: 09-06-2012
Ran by Nancy biz (administrator) on 16-06-2012 at 00:51:56
Running from "C:\Users\Nancy biz\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
**************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend: "%ProgramFiles(x86)%\Windows Defender\mpsvc.dll".

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll [2012-06-13 05:07] - [2012-04-23 23:37] - 0184320 ____A (Microsoft Corporation) 4F5414602E2544A4554D95517948B705
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****
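Added example, not part of the thread and not Farbar's own code: a small triage script that pulls out of an FSS.txt log only the entries that are not reported as OK (stopped services, non-default start types, policy values, files not marked "MD5 is legit"). It assumes the log has one entry per line; the function name `triage` and the sample text are constructed for illustration from entries of the kind shown in the logs above.

```python
import re

# Constructed sample: entries of the kind shown in the logs above, one per line.
SAMPLE_LOG = r"""
Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll [2012-06-13 05:07] - [2012-04-23 23:37] - 0184320 ____A (Microsoft Corporation) 4F5414602E2544A4554D95517948B705
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running")
START_TYPE = re.compile(r"start type of (\S+) service is set to (\w+)\. "
                        r"The default start type is (\w+)\.")
POLICY = re.compile(r'^"([^"]+)"=DWORD:(\d+)$')
FILE_LINE = re.compile(r"^([A-Za-z]:\\.+?\.(?:dll|sys|exe))(.*)$", re.IGNORECASE)

def triage(log_text):
    """Return (kind, subject, detail) tuples for every entry not reported as OK."""
    findings, reg_key = [], None
    for line in (l.strip() for l in log_text.splitlines()):
        if m := NOT_RUNNING.match(line):
            findings.append(("service-stopped", m.group(1), "not running"))
        elif m := START_TYPE.search(line):
            findings.append(("start-type", m.group(1), f"{m.group(2)} (default {m.group(3)})"))
        elif line.startswith("[HKEY_"):
            reg_key = line.strip("[]")  # policy values that follow belong to this key
        elif m := POLICY.match(line):
            findings.append(("policy", f"{reg_key}\\{m.group(1)}", m.group(2)))
        elif (m := FILE_LINE.match(line)) and "MD5 is legit" not in m.group(2):
            findings.append(("file-review", m.group(1), "not marked 'MD5 is legit'"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```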
06-15-2012 11:53 PM - edited 06-15-2012 11:54 PM
Please attach it [log] here. Don't copy and paste.
06-15-2012 11:55 PM
06-16-2012 12:00 AM - edited 06-16-2012 12:01 AM
Please do so:
Go to Run.
Type in services.msc
In the new window, scroll down and select the Windows Firewall service.
Right-click and select Properties.
Move the startup type to Automatic and click Apply.
Reboot the machine.
06-16-2012 12:05 AM
That is what it already was.
06-16-2012 12:19 AM - edited 06-16-2012 12:21 AM
You mean it is on automatic already?
Copyright (c) 1989-2012 Trend Micro Incorporated. All rights reserved.
