Windows Firewall cannot be started

Status
Not open for further replies.
When I try to start my Windows Firewall, I get this error:

"Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?"

When I clicked "Yes", the Windows Firewall started but it turned off again after a few seconds.

I tried to turn on the "Windows Firewall/Internet Connection Sharing (ICS)" service but it keeps stopping itself.

I have tried "netsh firewall reset" and "netsh winsock reset" but nothing worked.

Does anyone have a solution to this problem?
 
Hi,

If you're using a 3rd party firewall, that will disable the Windows one.

If you're not using a 3rd party firewall, look HERE for more detailed info on the netsh command, and a registry solution.

Don't go on the Internet without a firewall of some sort running.

Techspot recommends Comodo, Kerio or maybe Zone Alarm (it's not as good as it used to be).

If none of that works, post a HijackThis log as an attachment.
 
Hi... nope, I do not have any 3rd party firewall and I've tried all the methods but the problem is still occurring... here is my log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:51 PM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winlogonws.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\winlogonws.exe
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WIndows Update] C:\WINDOWS\system32\winlogonws.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [WIndows Update] C:\WINDOWS\system32\winlogonws.exe
O4 - HKCU\..\RunServices: [WIndows Update] C:\WINDOWS\system32\winlogonws.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - https://www.permissionresearch.com/Config/CSetup_xp.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176566122546
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176598568671
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7085 bytes
 
Well, you were meant to post it as an attachment. It's easier for everyone.

As to the log itself, your computer has been pwned. See HERE

Delete every instance of winlogons.exe in HJT and check those against the things listed in that thread. Do not connect that computer to the Internet until that stuff is gone. Then go HERE for the full Techspot treatment.
 
Yes, I mean winlogonws.exe.

That is exactly what spyware writers are trying to do when they name things close to legit names.

If you were to have deleted winlogon.exe, your computer would never have booted again. :blush: There is another good page HERE
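The look-alike naming described above (winlogonws.exe beside the genuine winlogon.exe) can be checked mechanically. This is an added example, not part of the original posts and not a HijackThis feature: it scans HijackThis F-, O4 and O23 lines for executables whose names sit within a small edit distance of a real Windows binary. The allow-list, the threshold of 2 and the function names are assumptions made for illustration.

```python
import re

# Assumed, non-exhaustive allow-list of genuine Windows XP system binaries.
KNOWN_SYSTEM = {"winlogon.exe", "explorer.exe", "services.exe", "lsass.exe",
                "svchost.exe", "smss.exe", "spoolsv.exe", "ctfmon.exe",
                "rundll32.exe", "wuauclt.exe"}

# Sample input: a few lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\winlogonws.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [WIndows Update] C:\WINDOWS\system32\winlogonws.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
"""

# Base name of every .exe on a line (path separators, quotes, '=' and brackets end a name).
EXE_RE = re.compile(r'([^\\\s"=\[\]]+\.exe)', re.IGNORECASE)
# Only startup-related sections: F0-F3 (ini/shell), O4 (Run keys), O23 (services).
SECTION_RE = re.compile(r"^(F\d|O4|O23) - ")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(log_text, max_distance=2):
    """Return (suspect, imitated_name, log_line) for near-miss system binary names."""
    findings = []
    for line in log_text.splitlines():
        if not SECTION_RE.match(line):
            continue
        for exe in EXE_RE.findall(line):
            name = exe.lower()
            if name in KNOWN_SYSTEM:
                continue  # exact match to a genuine name is not a look-alike
            for good in sorted(KNOWN_SYSTEM):
                if edit_distance(name, good) <= max_distance:
                    findings.append((name, good, line.strip()))
    return findings

if __name__ == "__main__":
    for suspect, imitated, line in find_lookalikes(SAMPLE_LOG):
        print(f"{suspect} resembles {imitated}: {line}")
```

A name-only check says nothing about a genuine name running from the wrong folder, so a hit is a prompt to inspect the file, not a verdict.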
 
tootlim said:
"Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?"
I have tried "netsh firewall reset" and "netsh winsock reset" but nothing worked.

I had this problem once. I also tried netsh firewall reset, uninstalling/reinstalling Network services, and following Microsoft tech documents; none of them worked. So I re-installed Windows XP in Repair Mode and it worked perfectly without losing any data or programs.

In order to re-install Windows in Repair Mode, you need to use a Windows CD of the same version as your current Windows. Repair Mode is NOT Recovery Console. When setup detects your current Windows, it says: "To repair the current operating system, press R".

Hope this helps.
 
Getting rid of winlogonws

Hi mate!

I realised that I had got that winlogonws crap too so while getting rid of it I documented what I did. Maybe you can have use for this guide.

For some stupid reason I am not allowed to post a link so here you are, interpret it yourself (this is the price for trying to be helpful :( ) :

http|colon||forwardslash||forwardslash|hem.passagen.se|forwardslash|smacked|forwardslash|

(replace the |character| with what it should be)


I don't know if this cure will help you get your Windows firewall started, but...

Considering the low amount of hits on Google you and I seem to be one of the first to get this crap into our computers.

Good luck!
 
Sorry it should be:

http|colon||forwardslash||forwardslash|hem.passagen.se|forwardslash|smacked|forwardslash|

...with NO spaces.
 
I did not read your hijack log, but I read the replies and I don't see one telling you to make sure the Service is running! Up until SP2, the firewall was called Internet Connection Firewall (ICF). Windows XP Service Pack 2 (SP2) includes the new Windows Firewall.

Since you are getting the message referring to ICS, it would appear that you have SP1 but not SP2, so the Service will be named differently:

Control Panel> Administrative Tools> Services> Right click on ICS> Change Startup mode to Automatic> Start the Service.

As with all Services, check the Dependencies tab to make sure any Service the ICS depends on is running.
 
The HJT definitely says SP2, and winlogonws.exe is a trojan.

It's reasonable to assume that the trojan disabled the firewall.

tootlim said he had tried all the methods I linked to.

It is possible he/she didn't read the whole link, though.
 
I am puzzled by these entries on your log:
First) O4 - HKCU\..\Run: [WIndows Update] C:\WINDOWS\system32\winlogonws.exe
Second)O4 - HKCU\..\RunServices: [WIndows Update]******C:\WINDOWS\system32\winlogonws.exe

These are each one line, but for some reason, I can't copy them on one line. I am concerned about [Windows Update] which appears with each line. And I am further concerned about the change of case in "WIndows"

Did you do a complete copy and paste of this? Because it shouldn't show "WIndows"- it should be "Windows"

It makes me wonder about just what malware you do have!

And there is a direction to delete all "winlogons.exe" That is malware but it's not what your log shows.

The URL you found is the same and only one I opened:
http://hem.passagen.se/smacked/

It's a Swedish site and I am not sure of the accuracy. We need to verify your spellings "exactly"!

NOTE: No spelling corrections have been made.

Edit to delete extra lines.
 
Sorry folks, since this website prohibits postings with URLs before the number of postings reach three, I have to make this dumb posting. Please read my next posting.
 
Bobbye said:
The URL you found is the same and only one I opened:
http://hem.passagen.se/smacked/

It's a Swedish site and I am not sure of the accuracy. We need to verify your spellings "exactly"!

Ok, now I have made three postings so this posting should be allowed now:

I am the creator of that webpage, http://hem.passagen.se/smacked/ . I just documented what I did when I cleaned out the trash from my PC and I have posted it on my website for others to use.

Despite me being Swedish, I have documented everything in English. The only Swedish you will find on that page are some of the screendumps where some of the headlines are in Swedish (due to a Swedish installation of Windows XP).

Please let me know if I can assist you, I'll gladly help.
 
Thanks for filling us in! However, it doesn't solve the malware problem. You seem to be one of the few who show this process. There's nothing to go on from security sites- no name for the type of malware, no information whatsoever!

It appears this "winlogonws.exe." hasn't been documented by any of the security companies we usually rely on. So, bottom line- what is it? Where did it come from? How to remove it?

I did not mean to disparage you in any way regarding the Swedish content. I only meant to point out that the only other sites that come up with a search are foreign, none of which I wanted to access. This is usually a good clue that the search word is malware.

I would like to confirm the letter case I pointed out though- in the two lines from your log, I see "WIndows" instead of "Windows". Could this be a typing error or was this an exact copy and paste? Where malware is involved, the slightest spelling or case difference can be significant!
 
Bobbye,

I had a look in my PC again and I can confirm that I also have an entry named like that "WIndows Update" under "CurrentVersion\Run" pointing to...
Yes, winlogonws.exe (which is erased in my PC).

I will update my webpage accordingly with this information.

I have no clue whether this is the problem why the windows firewall isn't activated though...

I'll contact some of those security companies and see what they say. Do you have any good connections/mail addresses I can use?
 
firewall

all it should require

go run then cmd

netsh firewall reset

then go run then firewall.cpl

and you should be able to access and activate it
 
Okay, case confirmed. How strange this "malware" shows after "WIndows Update"!

Since you have already attempted the netsh command without success, we've got to find the culprit. There are two things I'd like you to do:

1. Check the Event Viewer. Look for Error occurring at same time you get the firewall message. Maybe there's something we can track down there:

Follow this path:
Control Panel> Administrative Tools> Event Viewer> Click on System & Apps, one at a time on the left> look for Errors on the right> right click error> Properties> note description of error, Event# and Source.

There is a "copy" button below the up/down arrows. Click that, then go to any place that allows you to type (ie. notepad, wordpad, this board) and you can paste (use CTRL-V) the entire event details there. It makes for easy reporting of the event.

If you want to paste the Event here, you do not need to include the lines of code that follow the Description- but paste all else. You will be looking for Error that occurs at the time of the problem. Please ignore Warnings.

2. Suggest you do 'routine' scans with your anti-virus program and at least 2 spyware/adware programs- update each right before the scan.

I say 'routine' in place of the entire malware cleanup. I'd like to see what shows up if anything.
 