TechSpot

Security Center Service Disabled?

Resolved
By Benny26
Oct 28, 2010
  1. Hi guys... Something very awful has just come over my Windows 7 and I need help here badly, please.

    The Windows Security service keeps getting disabled on me, no matter how many times I activate it. Also, the Windows Defender service has gone down as well.

    I've had this virus before on XP, and it wasn't nice. I've had a good go at trying to get it going again but I can't pin it down.

    I'm sure someone's got to have dealt with this before (you virus busters)... Can anyone give me any concrete recovery options?... Cheers.

    Benny

    PS: System Restore has somehow been turned off behind my back somewhere, so that's not an option.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    All of what you describe can be caused by malware, and there is no 'this virus'! We will need to identify it first in order to determine the best way to remove it.

    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. Benny26

    Benny26 TechSpot Paladin Topic Starter Posts: 1,578   +47

    OK, my internet isn't working too well... any attempt to update my programs isn't working properly, so I've done the best I can here.
    GMER crashed my system 3 times before I found out why, but it came through... Here are the logs.

    Malwarebytes log:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    28/10/2010 16:59:17
    mbam-log-2010-10-28 (16-59-17).txt

    Scan type: Quick scan
    Objects scanned: 115855
    Time elapsed: 4 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER log :

    GMER 1.0.15.15477 - http://www.gmer.net
    Rootkit scan 2010-10-28 18:03:02
    Windows 6.1.7600
    Running: 7b8sxg57.exe; Driver: C:\Users\Benny\AppData\Local\Temp\pgdirpog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!ZwSaveKeyEx + 13B1 8306C8E9 1 Byte [06]
    .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8308C3B2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\system32\rundll32.exe[1748] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758F5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\system32\rundll32.exe[1748] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758F5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\system32\rundll32.exe[1748] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758F5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\system32\rundll32.exe[1748] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758F5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\system32\rundll32.exe[1748] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [758F5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\system32\rundll32.exe[1748] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [758F5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167203cad
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167203cad@001b98b825f1 0x0E 0x98 0xBE 0x95 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167203cad@0016b8e33e74 0x1A 0x87 0xD8 0x79 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167203cad@68ebae4c87ae 0x63 0x15 0xAC 0xE9 ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167203cad (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167203cad@001b98b825f1 0x0E 0x98 0xBE 0x95 ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167203cad@0016b8e33e74 0x1A 0x87 0xD8 0x79 ...
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167203cad@68ebae4c87ae 0x63 0x15 0xAC 0xE9 ...

    ---- EOF - GMER 1.0.15 ----

    DDS log:


    DDS (Ver_10-10-21.02) - NTFSx86
    Run by Benny at 18:06:46.88 on 28/10/2010
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.2047.1520 [GMT 1:00]


    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Benny\Desktop\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    BHO: Gathera.MyPlacesSearchBHO: {454dd25f-64e4-4b9f-9bd5-a37e1fe03dc6} - mscoree.dll
    BHO: Gathera.GatheraBHO: {d5423c28-959d-4909-bb9b-431286b62483} - mscoree.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    EB: {AE07101B-6902-0272-AF68-0333EA26E113} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
    mRun: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
    dRunOnce: [DefaultP17MIDI] MidiDef.Exe
    dRunOnce: [DefaultP17] P17Def.Exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    ============= SERVICES / DRIVERS ===============

    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-7-30 304464]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-8-6 239648]
    R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2009-9-18 9216]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-7-30 20952]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]

    =============== Created Last 30 ================

    2010-10-28 15:35:47 -------- d-----w- c:\windows\Internet Logs
    2010-10-22 11:41:20 -------- d-----w- c:\users\benny\appdata\roaming\codeblocks
    2010-10-22 11:40:48 -------- d-----w- c:\program files\CodeBlocks

    ==================== Find3M ====================


    ============= FINISH: 18:07:25.60 ===============

    Attach log:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-21.02)

    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume2
    Install Date: 23/01/2010 23:18:34
    System Uptime: 28/10/2010 17:49:28 (1 hours ago)

    Motherboard: ECS | | G41T-M5
    Processor: Intel(R) Celeron(R) CPU E3200 @ 2.40GHz | CPU 1 | 2403/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 30 GiB total, 9.787 GiB free.
    D: is FIXED (NTFS) - 45 GiB total, 3.207 GiB free.
    G: is FIXED (NTFS) - 75 GiB total, 45.49 GiB free.
    H: is CDROM ()
    K: is Removable
    L: is Removable
    M: is Removable
    N: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: USB SM Reader
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SM_READER&REV_1.02#058F312D81B1&2#
    Manufacturer: Generic
    Name: M:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SM_READER&REV_1.02#058F312D81B1&2#
    Service: WUDFRd

    Class GUID:
    Description: USB camera
    Device ID: USB\VID_0C45&PID_602C\5&33B0133D&0&2
    Manufacturer:
    Name: USB camera
    PNP Device ID: USB\VID_0C45&PID_602C\5&33B0133D&0&2
    Service:

    Class GUID:
    Description: Bluetooth Peripheral Device
    Device ID: BTHENUM\{00000002-0000-1000-8000-0002EE000002}_VID&00000000_PID&C053\8&26440F29&0&0016B8E33E74_C00000000
    Manufacturer:
    Name: Bluetooth Peripheral Device
    PNP Device ID: BTHENUM\{00000002-0000-1000-8000-0002EE000002}_VID&00000000_PID&C053\8&26440F29&0&0016B8E33E74_C00000000
    Service:

    Class GUID:
    Description: USB camera
    Device ID: USB\VID_0C45&PID_613C\5&1813445F&0&1
    Manufacturer:
    Name: USB camera
    PNP Device ID: USB\VID_0C45&PID_613C\5&1813445F&0&1
    Service:

    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: USB CF Reader
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_CF_READER&REV_1.01#058F312D81B1&1#
    Manufacturer: Generic
    Name: L:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_CF_READER&REV_1.01#058F312D81B1&1#
    Service: WUDFRd

    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: USB MS Reader
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_MS_READER&REV_1.03#058F312D81B1&3#
    Manufacturer: Generic
    Name: N:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_MS_READER&REV_1.03#058F312D81B1&3#
    Service: WUDFRd

    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: USB SD Reader
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SD_READER&REV_1.00#058F312D81B1&0#
    Manufacturer: Generic
    Name: K:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SD_READER&REV_1.00#058F312D81B1&0#
    Service: WUDFRd

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    ALWIL Software Security 4.8.1296.0
    µTorrent
    CCleaner (remove only)
    ChessAnalyse 2.5
    CodeBlocks
    EncryptOnClick
    Java Auto Updater
    Java(TM) 6 Update 18
    KC Softwares VideoInspector
    Malwarebytes' Anti-Malware
    Mozilla Thunderbird (3.1.3)
    NVIDIA Drivers
    NVIDIA Stereoscopic 3D Driver
    PC Inspector File Recovery
    Realtek High Definition Audio Driver
    SAMSUNG CDMA Modem Driver Set
    Samsung Mobile phone USB driver Drive Software
    SAMSUNG Mobile USB Modem 1.0 Software
    SAMSUNG Mobile USB Modem Software
    Samsung PC Studio
    Starships Unlimited v3
    VC 9.0 Runtime
    Vodafone Mobile Connect Lite
    Yahoo! BrowserPlus 2.9.8

    ==== Event Viewer Messages From Past Week ========

    28/10/2010 17:50:07, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000008e (0xc0000005, 0x0000d858, 0x9a09faa4, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 102810-31496-01.
    28/10/2010 17:40:42, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000008e (0xc0000005, 0x83060308, 0x8282ba44, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 102810-35396-01.
    28/10/2010 16:47:07, Error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    28/10/2010 16:22:13, Error: Service Control Manager [7016] - The NVIDIA Display Driver Service service has reported an invalid current state 32.
    28/10/2010 14:49:57, Error: Service Control Manager [7000] - The Security Center service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.

    ==== End Of File ===========================

    The last error in the log above was my fault, from trying to lock the system out of disabling the service... but the service wouldn't start.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please describe the problem more clearly. Your subject is: Security Center Disabled, but in reference to that error, you say it was user-caused. The bit of info says the internet doesn't work and you can't update.

    There are no restore points and very little content in the logs.
     
  5. Benny26

    Benny26 TechSpot Paladin Topic Starter Posts: 1,578   +47

    It doesn't matter anymore now; I did a fresh install to kill it (got rid of my Google redirect as well).

    I couldn't sit around for days with that on my system, not for what I need my PC for anyway. I searched the internet for an hour for any look at this problem but didn't find a scrap on it, so...

    Here was the problem anyway:

    The service that allows Security Center to work was stopped and set to Disabled (it should be on auto demand start).

    When I myself set it to Automatic and then started the service, it would last for around 52 seconds and then stop. When I went to see why it had stopped, "something" in the system had set it to Disabled again. I could keep trying to set it to Automatic but it just kept going back to Disabled again.

    That error (in the log above) was me setting the service to Automatic, then trying to change the user profile so the "something" couldn't set it to Disabled again. However, the service needs the user profile of the system (default) to work properly, hence the service would not start and that error was produced. Also, I do think it was the "something" that turned off System Restore (that's why there are no logs).

    Anyway, I've upgraded security on my system now, so hopefully I won't see that again. Cheers for trying to get involved anyway, Bobbye (and for showing me the 8 steps).

    Benny
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thank you for the explanation and update. It was most likely a malware infection. We see entries in the logs that disable the Security Center, then we look for the malware causing it. Depending on the nature and type of infection, most of the time we can get it working again.
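    The two posts above describe a procedure (set the service back to Automatic, start it, watch it get stopped and set to Disabled again after about 52 seconds) and the evidence a helper looks for (the log entries that record the service being disabled). The script below is an added example written for this page, not code from the thread or from any of the tools whose logs appear in it. It assumes the Windows 7 Security Center service name wscsvc and its default Automatic (Delayed Start) start type; the poll interval, watch duration and event look-back window are arbitrary choices. It restores the service, polls its start type and state faster than the reported 52-second window, dumps the process list with command lines whenever either changes, and then pulls the Service Control Manager events (7040 start-type changed, 7036 state changed, 7000/7034 failures, the last of which is the kind of entry in the DDS log above) for the period. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original thread): watch wscsvc for the
# "reset to Disabled" behaviour, re-enable it, and list the SCM events that
# record each change. Assumes Windows 7 defaults for the Security Center service.

$ServiceName = 'wscsvc'   # Security Center service on Windows 7 (assumed default name)
$RegPath     = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$StartNames  = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceStartValue {
    # The start type the SCM will honour is the Start REG_DWORD under the
    # service key: 2 = auto, 3 = manual, 4 = disabled. Whether something calls
    # ChangeServiceConfig or writes the value directly, this is what changes.
    (Get-ItemProperty -Path $RegPath -Name Start).Start
}

function Restore-SecurityCenter {
    # Windows 7 default for wscsvc is Automatic (Delayed Start). Set-Service on
    # PowerShell 2.0 cannot express "delayed", so use sc.exe; the space after
    # "start=" is required by sc.exe's argument parser.
    sc.exe config $ServiceName start= delayed-auto | Out-Null
    Start-Service -Name $ServiceName -ErrorAction Stop
    "{0}: Start={1}  Status={2}" -f $ServiceName,
        $StartNames[(Get-ServiceStartValue)], (Get-Service -Name $ServiceName).Status
}

function Watch-ServiceReset {
    # Poll well inside the ~52-second window reported above. On every change,
    # snapshot the process list with command lines so the SCM event timestamps
    # can be matched against what was running at that moment.
    param([int]$Seconds = 300, [int]$IntervalSeconds = 5)
    $lastStart  = Get-ServiceStartValue
    $lastStatus = (Get-Service -Name $ServiceName).Status
    $deadline   = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $IntervalSeconds
        $start  = Get-ServiceStartValue
        $status = (Get-Service -Name $ServiceName).Status
        if ($start -ne $lastStart -or $status -ne $lastStatus) {
            "{0:HH:mm:ss}  Start={1} ({2})  Status={3}" -f (Get-Date), $start, $StartNames[$start], $status
            Get-WmiObject -Class Win32_Process |
                Select-Object ProcessId, ParentProcessId, Name, CommandLine |
                Format-Table -AutoSize
            $lastStart  = $start
            $lastStatus = $status
        }
    }
}

function Get-ServiceChangeEvents {
    # 7040: "The start type of the X service was changed from A to B"
    # 7036: "The X service entered the running/stopped state"
    # 7000 / 7034: failed to start / terminated unexpectedly
    # Note: 7040 names the service that changed, not the process that changed it.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7034, 7036, 7040
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Security Center|wscsvc' } |
        Select-Object TimeCreated, Id, Message |
        Format-Table -AutoSize -Wrap
}

Restore-SecurityCenter
Watch-ServiceReset -Seconds 300 -IntervalSeconds 5
Get-ServiceChangeEvents -Hours 24
```

    Because event 7040 records only the service name and the old/new start type, attributing the change to a particular process needs a registry trace: run Process Monitor with the filters "Path contains Services\wscsvc" and "Operation is RegSetValue" while the watch loop runs, and the process that writes Start=4 will appear with its PID and image path. The "account specified for this service is different from the account specified for other services running in the same process" message (event 7000 in the DDS log above) is the SCM refusing to start a service whose logon account no longer matches the other services sharing its svchost, which is why changing the service's account did not help.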
     