TechSpot

Windows Firewall cannot be started

By tootlim
Dec 31, 2007
Topic Status:
Not open for further replies.
  1. When I try to start my Windows Firewall, I got this error

    "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing(ICS) service?"

    When I clicked "Yes", the Windows Firewall is started but it turned off again after a few seconds.

    I try to turn on the "Windows Firewall/Internet Connection Sharing(ICS) service" but it keeps stopping itself.

    I have tried "netsh firewall reset" and "netsh winsock reset" but nothing worked.

    Does anyone have a solution to this problem?
  2. Po`Girl

    Po`Girl TS Rookie Posts: 668

    Hi,

    If you're using a 3rd party firewall, that will disable the Windows one.

    If you're not using a 3rd party firewall, look HERE for more detailed info on the netsh command, and a registry solution.

    Don't go on the Internet without a firewall of some sort running.

    Techspot recommends Comodo, Kerio or maybe Zone Alarm (it's not as good as it used to be).

    If none of that works, post a HijackThis log as an attachment.
  3. tootlim

    tootlim TS Rookie Topic Starter

    Hi...nope I do not have any 3rd party firewall and I've tried all the methods but the problem is still occurring...here is my log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:43:51 PM, on 12/31/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\winlogonws.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\winlogonws.exe
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [WIndows Update] C:\WINDOWS\system32\winlogonws.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
    O4 - HKCU\..\Run: [WIndows Update] C:\WINDOWS\system32\winlogonws.exe
    O4 - HKCU\..\RunServices: [WIndows Update] C:\WINDOWS\system32\winlogonws.exe
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - https://www.permissionresearch.com/Config/CSetup_xp.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176566122546
    O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176598568671
    O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 7085 bytes
  4. Po`Girl

    Po`Girl TS Rookie Posts: 668

    Well, you were meant to post it as an attachment. It's easier for everyone.

    As to the log itself, your computer has been pwned. See HERE

    Delete every instance of winlogons.exe in HJT and check those against the things listed in that thread. Do not connect that computer to the Internet until that stuff is gone. Then go HERE for the full Techspot treatment.
  5. tootlim

    tootlim TS Rookie Topic Starter

    do you mean winlogonws.exe or winlogon.exe or should I delete both?
  6. Po`Girl

    Po`Girl TS Rookie Posts: 668

    Yes, I mean winlogonws.exe.

    That is exactly what spyware writers are trying to do when they name things close to legit names.

    If you were to have deleted winlogon.exe, your computer would never have booted again. :blush: There is another good page HERE
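
    Added example, not part of any post in this thread: Python that flags autostart entries in a HijackThis log whose executable name is within two edits of a well-known Windows binary, and records every autostart location that launches it plus any odd-case value name such as "WIndows". The list of system binaries, the distance threshold of 2 and the function names are assumptions; the sample lines are taken from the log posted above.

```python
import re

# Names that malware commonly imitates (short illustrative list, an assumption).
SYSTEM_BINARIES = ("winlogon.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "explorer.exe", "csrss.exe", "smss.exe", "spoolsv.exe")

# Sample input: autostart lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\winlogonws.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WIndows Update] C:\WINDOWS\system32\winlogonws.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WIndows Update] C:\WINDOWS\system32\winlogonws.exe
O4 - HKCU\..\RunServices: [WIndows Update] C:\WINDOWS\system32\winlogonws.exe
"""

# F2/O4 entry: location, optional [value name], command line.
ENTRY_RE = re.compile(r"^[ \t]*(?:F2|O4) - (.+?): (?:\[(.*?)\] )?(.*)", re.M)
EXE_RE = re.compile(r'[^\s"\\=]+\.exe', re.I)   # executable base names
ODD_CASE_RE = re.compile(r"\b[A-Z]{2,}[a-z]+")  # heuristic, e.g. "WIndows"

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name):
    """Return the system binary that `name` nearly matches, or None."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None  # exact name; checking its folder is out of scope here
    return next((real for real in SYSTEM_BINARIES
                 if edit_distance(name, real) <= 2), None)

def analyse(log):
    """Map each look-alike executable to what it imitates and where it autostarts."""
    findings = {}
    for location, value_name, command in ENTRY_RE.findall(log):
        for exe in EXE_RE.findall(command):
            real = lookalike_of(exe)
            if real:
                hit = findings.setdefault(exe.lower(), {
                    "imitates": real, "locations": [], "odd_case": False})
                hit["locations"].append(location)
                hit["odd_case"] |= bool(ODD_CASE_RE.search(value_name))
    return findings

if __name__ == "__main__":
    for exe, hit in analyse(SAMPLE_LOG).items():
        print(exe, hit)
```

    A near-miss name that also appears in several autostart locations at once is a strong reason to examine the file before trusting it.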
  7. mike_ny

    mike_ny TS Rookie

    I had this problem once. I also tried netsh firewall reset, uninstall/reinstall Network services, follow Microsoft tech documents, none will work. So I re-install Windows XP in Repair Mode and it works perfectly without losing any data or programs.

    In order to re-install Windows in Repair Mode, you need to use the same version Windows CD with current Windows. Repair Mode is NOT Recovery Console. When setup detects your current Windows, it says: "To repair the current operating system, press R".

    Hope this helps.
  8. axxies

    axxies TS Rookie

    Getting rid of winlogonws

    Hi mate!

    I realised that I had got that winlogonws crap too so while getting rid of it I documented what I did. Maybe you can have use for this guide.

    For some stupid reason I am not allowed to post a link so here you are, interpret it yourself (this is the price for trying to be helpful :( ) :

    http|colon||forwardslash||forwardslash|hem.passagen.se|forwardslash|smacked|forwardslash|

    (replace the |character| with what it should be)


    I don't know if this cure will help you get your Windows firewall started, but...

    Considering the low amount of hits on Google you and I seem to be one of the first to get this crap into our computers.

    Good luck!
  9. axxies

    axxies TS Rookie

    Sorry it should be:

    http|colon||forwardslash||forwardslash|hem.passagen.se|forwardslash|smacked|forwardslash|

    ...with NO spaces.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I did not read your hijack log, but I read the replies and I don't see one telling you to make sure the Service is running! Up until SP2, the firewall was called Internet Connection Firewall (ICF). Windows XP Service Pack 2 (SP2) includes the new Windows Firewall.

    Since you are getting the message referring to ICS, it would appear that you have SP1 but not SP2, so the Service will be named differently:

    Control Panel> Administrative Tools> Services> Right click on ICS> Change Startup mode to Automatic> Start the Service.

    As with all Services, check the Dependencies tab to make sure any Service the ICS depends on is running.
  11. Po`Girl

    Po`Girl TS Rookie Posts: 668

    The HJT definitely says SP2, and winlogonws.exe is a trojan.

    It's reasonable to assume that the trojan disabled the firewall.

    tootlim said he had tried all the methods I linked to.

    It is possible he/she didn't read the whole link, though.
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I am puzzled by these entries on your log:
    First) O4 - HKCU\..\Run: [WIndows Update] C:\WINDOWS\system32\winlogonws.exe
    Second)O4 - HKCU\..\RunServices: [WIndows Update]******C:\WINDOWS\system32\winlogonws.exe

    These are each one line, but for some reason, I can't copy them on one line. I am concerned about [Windows Update] which appears with each line. And I am further concerned about the change of case in "WIndows"

    Did you do a complete copy and paste of this? Because it shouldn't show "WIndows"- it should be "Windows"

    It makes me wonder about just what malware you do have!

    And there is a direction to delete all "winlogons.exe". That is malware but it's not what your log shows.

    The URL you found is the same and only one I opened:
    http://hem.passagen.se/smacked/

    It's a Swedish site and I am not sure of the accuracy. We need to verify your spellings "exactly"!

    NOTE: No spelling corrections have been made.

    Edit to delete extra lines.
  13. axxies

    axxies TS Rookie

    Sorry folks, since this website prohibits postings with URLs before the number of postings reach three, I have to make this dumb posting. Please read my next posting.
  14. axxies

    axxies TS Rookie

    Ok, now I have made three postings so this posting should be allowed now:

    I am the creator of that webpage, http://hem.passagen.se/smacked/ . I just documented what I did when I cleaned out the trash from my PC and I have posted it on my website for others to use.

    Despite me being Swedish, I have documented everything in English. The only Swedish you will find on that page are some of the screendumps where some of the headlines are in Swedish (due to a Swedish installation of Windows XP).

    Please let me know if I can assist you, I'll gladly help.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thanks for filling us in! However, it doesn't solve the malware problem. You seem to be one of the few who show this process. There's nothing to go on from security sites- no name for the type of malware, no information whatsoever!

    It appears this "winlogonws.exe." hasn't been documented by any of the security companies we usually rely on. So, bottom line- what is it? Where did it come from? How to remove it?

    I did not mean to disparage you in any way regarding the Swedish content. I only meant to point out that the only other sites that come up with a search are foreign, none of which I wanted to access. This is usually a good clue that the search word is malware.

    I would like to confirm the letter case I pointed out though- in the two lines from your log, I see "WIndows" instead of "Windows". Could this be a typing error or was this an exact copy and paste? Where malware is involved, the slightest spelling or case difference can be significant!
  16. axxies

    axxies TS Rookie

    Bobbye,

    I had a look in my PC again and I can confirm that I also have an entry named like that "WIndows Update" under "CurrentVersion\Run" pointing to...
    Yes, winlogonws.exe (which is erased in my PC).

    I will update my webpage accordingly with this information.

    I have no clue whether this is the problem why the windows firewall isn't activated though...

    I'll contact some of those security companies and see what they say. Do you have any good connections/mail addresses I can use?
  17. Reapers

    Reapers TS Rookie

    firewall

    all it should require

    go run then cmd

    netsh firewall reset

    then go run then firewall.cpl

    and you should be able to access and activate it
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, case confirmed. How strange this "malware" shows after "WIndows Update"!

    Since you have already attempted the netsh command without success, we've got to find the culprit. There are two things I'd like you to do:

    1. Check the Event Viewer. Look for Error occurring at same time you get the firewall message. Maybe there's something we can track down there:

    Follow this path:
    Control Panel> Administrative Tools> Event Viewer> Click on System & Apps, one at a time on the left> look for Errors on the right> right click error> Properties> note description of error, Event# and Source.

    There is a "copy" button below the up/down arrows. Click that, then go to any place that allows you to type (ie. notepad, wordpad, this board) and you can paste (use CTRL-V) the entire event details there. It makes for easy reporting of the event.

    If you want to paste the Event here, you do not need to include the lines of code that follow the Description- but paste all else. You will be looking for Error that occurs at the time of the problem. Please ignore Warnings.

    2. Suggest you do 'routine' scans with your anti-virus program and at least 2 spyware/adware programs- update each right before the scan.

    I say 'routine' in place of the entire malware cleanup. I'd like to see what shows up if anything.
  19. axxies

    axxies TS Rookie

    Just in case someone wants to have a look at my guide on how to get rid of the "winlogonws" trojan horse, I must tell you that I had to move it...

    New location: http://myhost.selfip.org/smacked/