Resolved Security Center Service Disabled?

Status
Not open for further replies.

Benny26

Hi Guys... Something very awful has just come over my Windows 7 and I need help here badly please.

Windows Security Service keeps going disabled on me, no matter how many times I activate it. Also the Windows Defender service has gone down as well.

I've had this virus before on XP, and it wasn't nice. I've had a good go at trying to get it going again but I can't pin it down.

I'm sure someone's gotta have dealt with this before (you virus busters)... Can anyone give me any concrete recovery options?... Cheers.

Benny

PS: System Restore has somehow been turned off behind my back somewhere, so that's not an option.
 
All of what you describe can be caused by malware, and there is no 'this virus'! We will need to identify it first in order to determine the best way to remove it.

Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
OK, my internet isn't working too well... any attempt to update my programs isn't working properly, so I've done the best I can here.
GMER crashed my system 3 times before I found out why, but it came through. Here are the logs.

Malwarebytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

28/10/2010 16:59:17
mbam-log-2010-10-28 (16-59-17).txt

Scan type: Quick scan
Objects scanned: 115855
Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER log :

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-28 18:03:02
Windows 6.1.7600
Running: 7b8sxg57.exe; Driver: C:\Users\Benny\AppData\Local\Temp\pgdirpog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 8306C8E9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8308C3B2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\rundll32.exe[1748] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758F5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1748] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758F5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1748] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758F5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1748] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758F5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1748] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [758F5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1748] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [758F5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167203cad
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167203cad@001b98b825f1 0x0E 0x98 0xBE 0x95 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167203cad@0016b8e33e74 0x1A 0x87 0xD8 0x79 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167203cad@68ebae4c87ae 0x63 0x15 0xAC 0xE9 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167203cad (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167203cad@001b98b825f1 0x0E 0x98 0xBE 0x95 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167203cad@0016b8e33e74 0x1A 0x87 0xD8 0x79 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167203cad@68ebae4c87ae 0x63 0x15 0xAC 0xE9 ...

---- EOF - GMER 1.0.15 ----

DDS log:


DDS (Ver_10-10-21.02) - NTFSx86
Run by Benny at 18:06:46.88 on 28/10/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.2047.1520 [GMT 1:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Benny\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Gathera.MyPlacesSearchBHO: {454dd25f-64e4-4b9f-9bd5-a37e1fe03dc6} - mscoree.dll
BHO: Gathera.GatheraBHO: {d5423c28-959d-4909-bb9b-431286b62483} - mscoree.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
EB: {AE07101B-6902-0272-AF68-0333EA26E113} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
dRunOnce: [DefaultP17MIDI] MidiDef.Exe
dRunOnce: [DefaultP17] P17Def.Exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

============= SERVICES / DRIVERS ===============

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-7-30 304464]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-8-6 239648]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2009-9-18 9216]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-7-30 20952]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]

=============== Created Last 30 ================

2010-10-28 15:35:47 -------- d-----w- c:\windows\Internet Logs
2010-10-22 11:41:20 -------- d-----w- c:\users\benny\appdata\roaming\codeblocks
2010-10-22 11:40:48 -------- d-----w- c:\program files\CodeBlocks

==================== Find3M ====================


============= FINISH: 18:07:25.60 ===============

Attach log:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-21.02)

Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume2
Install Date: 23/01/2010 23:18:34
System Uptime: 28/10/2010 17:49:28 (1 hours ago)

Motherboard: ECS | | G41T-M5
Processor: Intel(R) Celeron(R) CPU E3200 @ 2.40GHz | CPU 1 | 2403/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 30 GiB total, 9.787 GiB free.
D: is FIXED (NTFS) - 45 GiB total, 3.207 GiB free.
G: is FIXED (NTFS) - 75 GiB total, 45.49 GiB free.
H: is CDROM ()
K: is Removable
L: is Removable
M: is Removable
N: is Removable

==== Disabled Device Manager Items =============

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB SM Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SM_READER&REV_1.02#058F312D81B1&2#
Manufacturer: Generic
Name: M:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SM_READER&REV_1.02#058F312D81B1&2#
Service: WUDFRd

Class GUID:
Description: USB camera
Device ID: USB\VID_0C45&PID_602C\5&33B0133D&0&2
Manufacturer:
Name: USB camera
PNP Device ID: USB\VID_0C45&PID_602C\5&33B0133D&0&2
Service:

Class GUID:
Description: Bluetooth Peripheral Device
Device ID: BTHENUM\{00000002-0000-1000-8000-0002EE000002}_VID&00000000_PID&C053\8&26440F29&0&0016B8E33E74_C00000000
Manufacturer:
Name: Bluetooth Peripheral Device
PNP Device ID: BTHENUM\{00000002-0000-1000-8000-0002EE000002}_VID&00000000_PID&C053\8&26440F29&0&0016B8E33E74_C00000000
Service:

Class GUID:
Description: USB camera
Device ID: USB\VID_0C45&PID_613C\5&1813445F&0&1
Manufacturer:
Name: USB camera
PNP Device ID: USB\VID_0C45&PID_613C\5&1813445F&0&1
Service:

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB CF Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_CF_READER&REV_1.01#058F312D81B1&1#
Manufacturer: Generic
Name: L:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_CF_READER&REV_1.01#058F312D81B1&1#
Service: WUDFRd

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB MS Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_MS_READER&REV_1.03#058F312D81B1&3#
Manufacturer: Generic
Name: N:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_MS_READER&REV_1.03#058F312D81B1&3#
Service: WUDFRd

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB SD Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SD_READER&REV_1.00#058F312D81B1&0#
Manufacturer: Generic
Name: K:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SD_READER&REV_1.00#058F312D81B1&0#
Service: WUDFRd

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
ALWIL Software Security 4.8.1296.0
µTorrent
CCleaner (remove only)
ChessAnalyse 2.5
CodeBlocks
EncryptOnClick
Java Auto Updater
Java(TM) 6 Update 18
KC Softwares VideoInspector
Malwarebytes' Anti-Malware
Mozilla Thunderbird (3.1.3)
NVIDIA Drivers
NVIDIA Stereoscopic 3D Driver
PC Inspector File Recovery
Realtek High Definition Audio Driver
SAMSUNG CDMA Modem Driver Set
Samsung Mobile phone USB driver Drive Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Starships Unlimited v3
VC 9.0 Runtime
Vodafone Mobile Connect Lite
Yahoo! BrowserPlus 2.9.8

==== Event Viewer Messages From Past Week ========

28/10/2010 17:50:07, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000008e (0xc0000005, 0x0000d858, 0x9a09faa4, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 102810-31496-01.
28/10/2010 17:40:42, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000008e (0xc0000005, 0x83060308, 0x8282ba44, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 102810-35396-01.
28/10/2010 16:47:07, Error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
28/10/2010 16:22:13, Error: Service Control Manager [7016] - The NVIDIA Display Driver Service service has reported an invalid current state 32.
28/10/2010 14:49:57, Error: Service Control Manager [7000] - The Security Center service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.

==== End Of File ===========================

The last error in the file above was my fault for trying to lock out the system from disabling the service... but the service wouldn't start.
 
Please describe the problem more clearly. Your subject is: Security Center Disabled, but in reference to that error, you say it was user-caused. The bit of info says the internet doesn't work and you can't update.

There are no restore points and very little content in the logs.
 
It doesn't matter anymore now, I did a fresh install to kill it (got rid of my Google redirect as well).

I couldn't sit around for days with that on my system, not for what I need my PC for anyway. I searched the internet for any look on this problem for an hour but didn't find a scrap on it so...

Here was the problem anyways:

The service that allows security center to work was stopped and set to disabled (it should be on auto demand start)

When I myself set it to automatic and then started the service, it would last for around 52 seconds and then stop. When I went to see why it had stopped, "something" in the system had set it to disabled again. I could keep trying to set it to auto but it just kept going back to disabled again.

That error (in the log above) was me setting the service to automatic, then trying to change the user profile so the "something" couldn't set it to disabled again. However, the service needs the user profile of the system (default) to work properly, hence the service would not start and that error was produced. Also, I do think it was the "something" that turned off System Restore (that's why there are no logs).

Anyways, I've upgraded security on my system now so hopefully I won't see that again. Cheers for trying to get involved Bobbye anyway (and showing me the 8 steps).

Benny
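The drift described in this post (a service repeatedly reset to Disabled, and the Service Control Manager error 7000 that appears when a service's logon account no longer matches the other services sharing its svchost process) can be checked for with a small audit script. The PowerShell below is an added example, not code from this thread or from any of the tools mentioned in it. It assumes the standard Windows 7 service names wscsvc (Security Center) and WinDefend (Windows Defender), assumes both should have an automatic start type, and reads the start type from each service's Start value under HKLM\SYSTEM\CurrentControlSet\Services; all of those are assumptions, not anything the thread states.

```powershell
# Audit-SecurityServices.ps1 -- added example, not code from this thread.
# Checks the Security Center (wscsvc) and Windows Defender (WinDefend) services for
# three kinds of drift: start type forced to Disabled, service not running, and a
# logon account that differs from the other services sharing its svchost group
# (the condition behind Service Control Manager event 7000 in the log above).
# Service names are standard Windows names; expected start types are assumptions.

$servicesToAudit = @{
    'wscsvc'    = 'Auto'   # Security Center (Windows 7: Automatic, Delayed Start; WMI reports 'Auto')
    'WinDefend' = 'Auto'   # Windows Defender
}

# Registry 'Start' values: 2 = Automatic, 3 = Manual, 4 = Disabled
$startTypeNames = @{ 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-SvchostGroup {
    # Extract the "-k <group>" name from a svchost-hosted service's command line.
    param([string]$PathName)
    if ($PathName -match '-k\s+(\S+)') { return $Matches[1] }
    return $null
}

function Test-SecurityServices {
    $allServices = Get-WmiObject -Class Win32_Service
    $findings = @()
    foreach ($name in $servicesToAudit.Keys) {
        $svc = $allServices | Where-Object { $_.Name -eq $name }
        if (-not $svc) { $findings += "$name : service not present"; continue }

        # The registry Start value is what gets flipped; read it directly rather than
        # trusting the SCM's cached view.
        $regKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $regStart = (Get-ItemProperty -Path $regKey -Name Start -ErrorAction SilentlyContinue).Start
        $regMode  = $startTypeNames[[int]$regStart]
        if ($regMode -ne $servicesToAudit[$name]) {
            $findings += "$name : start type is '$regMode' (registry Start=$regStart), expected '$($servicesToAudit[$name])'"
        }
        if ($svc.State -ne 'Running') {
            $findings += "$name : state is '$($svc.State)'"
        }

        # Shared-process check: every service in the same svchost group must run under
        # the same account, otherwise the SCM refuses to start it (event 7000).
        $group = Get-SvchostGroup $svc.PathName
        if ($group) {
            $peers = $allServices | Where-Object { (Get-SvchostGroup $_.PathName) -eq $group -and $_.Name -ne $name }
            $peerAccounts = $peers | ForEach-Object { $_.StartName } | Sort-Object -Unique
            foreach ($acct in $peerAccounts) {
                if ($acct -ne $svc.StartName) {
                    $findings += "$name : runs as '$($svc.StartName)' but group '$group' peers use '$acct'"
                }
            }
        }
    }
    return ,$findings
}

function Watch-SecurityServices {
    # Poll repeatedly and append findings to a log; a reset cycle of roughly a minute,
    # like the one described above, shows up as repeated 'Disabled' findings.
    param([int]$IntervalSeconds = 30, [string]$LogPath = "$env:TEMP\service-drift.log")
    while ($true) {
        foreach ($f in (Test-SecurityServices)) {
            $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $f
            Write-Warning $line
            Add-Content -Path $LogPath -Value $line
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# One-shot run; call Watch-SecurityServices to keep polling.
$result = Test-SecurityServices
if ($result.Count -eq 0) { "No drift detected." } else { $result }
```

Run it from an elevated PowerShell prompt. The shared-process check is the part that explains the error 7000 quoted in the log: changing only one service's logon account, as attempted in the post, breaks the account agreement that svchost requires, so the remedy for this kind of drift is to restore the service's default start type and account (and to find what keeps changing them), not to change the account.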
 
Thank you for the explanation and update. It was most likely a malware infection. We see entries in the logs that disable the Security Center, then we look for the malware causing it. Depending on the nature and type of infection, most of the time we can get it working again.
 