Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Cannot start Windows Security center after TDSS rootkit infection.


  • This topic is locked This topic is locked
2 replies to this topic

#1 sussex

sussex

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:30 AM

Posted 07 March 2011 - 09:39 PM

Hi, I'm new here.

My i7 laptop is running Win7 Home Premium 64 bit and I have just managed to remove several instances of the TDSS rootkit (I hope!).

However, the rootkit has somehow disabled the windows security center service and with it, microsoft security essentials.

I have looked for problems in the registry and cannot find anything, including the psuedo graphics entry which is mentioned elsewhere on the web.

I have also tried to make windows security center automatic and start in the services manager, but after a few seconds it stops and gets set back to disabled. I have checked it's dependencies and they all seem to be running ok.

I have also searched the net, but cannot find a fix to this particular problem.

I have run several malwarebytes scans in safe mode, but it finds nothing. Trend Micro |Housecall fails to find anything too.

I have run a Sophos rootkit scan before the rootkit was eliminated, but now when I try to run it it tells me that windows needs to restart to enable sophos to remove some files. The problem is, the machine has been restarted several times and still sophos is saying the same thing, it appears to be stuck in mid-removal. Also, the scan running processes checkbox is greyed out - i think this is related to the earlier rootkit infection.

I have run GMER, but it finds nothing at all - I find this very odd, I have never had GMER return a completely blank screen to me before|! Also, in GMER, most of the checkboxes are greyed out, such as sections and services and IAT.

Kaspersky TDSSkiller was completely useless and achieved nothing.

The rootkit had damaged the MBR and I could not boot into windows or any of the safemodes - I just got a bsod just after the MS splash screen which was saying that iastor.sys was damaged. Luckily, I run a dual boot system and Linux was ok, which meant I could get on the net and research the problem.

I think the problems I now have are just fallout from the rootkit infection, I'm pretty sure I have killed the rootkit itself.

Does anyone know how I might get the security service up and running again?

Finally, getting rid of the rootkit was pretty involved and it was something I worked out for myself - I have not seen any consistant method to remove the rootkit on the net - most people seem to go for a re-format after days of trying. Would it be useful for me to post my symptoms and removal method here in the hope of helping others?

Thanks guys, in advance :)

BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:30 PM

Posted 13 March 2011 - 07:00 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system. [/b]
If you are unsure about any of these caracteristics, just let us know and we'll help you figuring it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:30 PM

Posted 03 April 2011 - 07:35 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users