[Nedklaw]

Hi.
Sorry for the delay. I've been snowed under with revision for exams.

Download and run the ZoneAlarm Removal Tool and then restart your computer.
This will get rid of any remaining remnants of the firewall as you have now uninstalled ZoneAlarm and having two firewalls on your computer can cause problems.

[Advertisements]

No problem - your help has been great and I know you have stuff to do aside from help me. I myself am snowed under with SNOW!

I'll get to this tomorrow. Off to movies tonight. Just as an update - PC has been running perfectly! (thankfully)

Speak tomorrow.

[jems]

No problem - your help has been great and I know you have stuff to do aside from help me. I myself am snowed under with SNOW!

I'll get to this tomorrow. Off to movies tonight. Just as an update - PC has been running perfectly! (thankfully)

Speak tomorrow.

[Nedklaw]

Hi.
After consulting with other helpers, I think I now know why Security Center and Windows Firewall were not working.

A legitimate service called winmgmt was hijacked by the malware. When fixing your computer, OTL got rid of the service as well as the malware. The Windows Security Center (wscsvc) and Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) services are both dependent on winmgmt. The only way Security Center and Windows Firewall are going to function is to restore the winmgmt service.


Step 1

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing so follow the steps that are listed below EXACTLY. if you cannot perform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry

• Download ERUNT.
  (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed).
• Install ERUNT by following the prompts.
  (Use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later).
• Start ERUNT.
  (Either by double clicking on the desktop icon or choosing to start the program at the end of the setup).
• Choose a location for the backup.
  (The default location is C:\WINDOWS\ERDNT which is acceptable).
• Make sure that at least the first two check boxes are ticked.
• Press OK.
• Press YES to create the folder.

Step 2

• Download the following file to your desktop:  winmgmt.reg   4.47KB   129 downloads
  
• Double-click winmgmt.reg and confirm the prompts.

Step 3

Just to clarify, what problems (if any) do you now have with your computer?

[jems]

Hi There,

I ran the Zone Alarm removal tool and restarted my PC.

I haven't been having any issues with the PC whilst running the new Personal Firewall.

I have a feeling that the windows security services you mentioned may have been removed the last time I had an issue with the PC - ie. not during this attack / clean up process. I say this because I now remember that the Windows Firewall was not running before and that the Security Center was not working. I did however think that last time my partner did a reinstall and I just presumed it was added back at that time - but maybe not.

As for your entry above - I installed ERUNT but there was no option to NOT have a folder on the start up folder. Basically it just asked me what I wanted to call the folder - but I had no option as to whether or not I wanted it. As such when I installed ERUNT it does appear on the start menu. As this goes against your instructions in step 1 I did not proceed to run the software (ie. I did 1 and 2 of Step 1 but nothing further).

Should I proceed onto to part 3 of step 1?

Thanks again for your ongoing assistance btw. Part of me is tempted to stop at this stage since I have a working firewall and anti-virus system. Can I ask - once the Windows Security Centre is workign again will it cause issues with the other software on the PC?

[Nedklaw]

Hi.
Go on ahead and proceed with the other steps.

[jems]

Hi There,

Just before I proceed .... today my PC ran it's automated anti-virus scan and picked up 2 items! Both high severity.

One: Win32:Reveton-LH [trj]
Two: JS:Runner-C [trj]

Both items were removed ( I chose 'delete' rather than 'move to chest'. I'm not sure how to get a text file of my avast scans so I can show you the file location etc. Any idea?

Avast recommended I do a boot-time scan so I have let that proceed and am off to bed. Tomorrow I'll see if it finds anything else and I'll update Malwarebytes and run it as well.

I thought I'd better post this information before making any changes to the registry as it appears there may still be a malware issue.

ETA: I couldn't sleep so am here again - the Avast Virus scan which ran on boot up was clean. SO was Malwarebytes scan.

What now?

Edited by jems, 20 January 2013 - 05:41 PM.

[Nedklaw]

Hi.
The items Avast found are most likely orphans (leftovers). I'm happy for you to proceed with the steps.

[Nedklaw]

Hi.
Are you still here? Have you peformed the steps?

[jems]

Hi there, sorry for the slow responses I have been away with work. I'll hopefully manage to get this done tomorrow and will report back.

Thanks for your patience and help.

[Nedklaw]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.