
Question about ESET and other security systems


Solved by stackz


Hi,

I'm running Windows 7 Home Premium (64 bit) and ESET Smart Security 5 Version 5.2.9.1.  Upon startup I had a red flag in my Windows Action Center that informed me that I needed to start the Windows Security Center.  I attempted to do this, but was not able to. 

 

Microsoft support led me to the Security Center Properties and told me to choose "Log On" and click "Browse" to enter the name of my computer (which is an Asus K52JC notebook, if that matters).  When I enter my computer name I get an error message: "An object (User or Built-in security principal) with the following name cannot be found: "timobile". Check the selected object types and locations for accuracy (they look correct to me) and ensure that you have typed the object name correctly (it is correct) or remove this object from the selection."  Windows support suggested the possibility of malware if the service would not start after this step.

 

When I try to start the service, I get this message:  "Windows could not start the Security Center service on Local Computer.  Error 1068: The dependency service or group failed to start."

 

So after checking the ESET logs and seeing that all was well and up to date (no evidence of any recent activity in the logs), I ran Malwarebytes (nothing found) and then Spybot Search and Destroy, which found some registry issues, all of which it was able to fix except for 1 (HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSD\General\).  I didn't understand what the threat was, only that it was unable to clean it.  Interestingly, when I looked this up in the registry, one of the items in the General folder was ComputerName.

 

So, my questions are:

 

1)  Should I even be concerned with this issue?  I wondered if I even needed to run Windows Security Center if I'm running ESET.

 

2)  If I do need to run Windows Security Center, then does anyone have any suggestions as to what steps I could try from this point?

 

Thank you for your help.

 

 


Windows Security center monitors the protection on your computer.

My first suggestion is to run a chkdsk /f from the command prompt for your windows drive, reboot if you have to.

Then run sfc /scannow from an elevated command prompt after the chkdsk.

 

When security center service is no longer starting, it is definitely an indication of problems, but not necessarily malware.

It is usually a result of corrupted registry entries that may need to be imported back in.

Did you install ESET after the fact to clean up malware, or have you always had ESET installed and this just started happening?

 

Please let us know what the chkdsk says, and the sfc scan says at the end.

It's at least a first start and a good course of action toward repairing your issues. :)


  • Administrators

 

Upon startup I had a red flag in my Windows Action Center that informed me that I needed to start the Windows Security Center

 

Please post a screen shot of this message as I don't recall seeing anything like that so far.


Windows Security center monitors the protection on your computer.

My first suggestion is to run a chkdsk /f from the command prompt for your windows drive, reboot if you have to.

Then run sfc /scannow from an elevated command prompt after the chkdsk.

 

When security center service is no longer starting, it is definitely an indication of problems, but not necessarily malware.

It is usually a result of corrupted registry entries that may need to be imported back in.

Did you install ESET after the fact to clean up malware, or have you always had ESET installed and this just started happening?

 

Please let us know what the chkdsk says, and the sfc scan says at the end.

It's at least a first start and a good course of action toward repairing your issues. :)

 

Ran chkdsk /f --- I did this on restart and watched it through stage 4, but missed seeing it do all of stage 5.  As far as I know it only found 1 thing in Stage 4, Verifying file data.  "Windows replaced bad clusters in file 3349 of name \USERS\TECHIN~1\NTUSER~1.REG"

 

Ran sfc /scannow as admin -- Results:  "Windows Resource Protection did not find any integrity violations"

 

I've run ESET on this computer since it was new.  I did have an issue with a trojan back in November https://forum.eset.com/topic/1365-win32kryptikbojt-trojan-variant-found/#entry7652.  More on that in the next post.

Edited by techinstructor

 

 

Upon startup I had a red flag in my Windows Action Center that informed me that I needed to start the Windows Security Center

 

Please post a screen shot of this message as I don't recall seeing anything like that so far.

 

I would gladly post a screen shot but the message is no longer there.  (No, I didn't make it up.)  However, it would have been more accurate for me to say there was a red circle with an x in it beside the Flag in the notifications area.  I am not very diligent about checking these notifications and since the message seems to come and go at random, I suspect this is an old problem.  I did recheck to see if the Security Center had somehow "started" but it had not and will not.  I am posting a screen shot of the error message that occurs when I try to start it.


 

Someone else suggested that I check the dependencies for the Security Center for Windows Management Instrumentation and Remote Procedure Call.  There were no dependencies listed.  Remote Procedure Call had been started but Windows Management Instrumentation had been stopped and could not be restarted.  (I'm posting a screenshot of that error message as well.)


 

I think Windows Management Instrumentation may need to be running for the Security Center to function, so this may be the problem. 

 

I reread the thread on the trojan that infected my computer last November.  I had this message from Stackz:

 

 

There's a service entry in the registry most likely related to the infection -

Services:

"Windows Management Instrumentation" = "c:\progra~3\etfq4h.pss" Automatic ; Stopped ; ( 5: Unknown ) ;

 

and this from me stating my actions:

 

 

Upon investigation I found this file in ESET's quarantine.  Further searching revealed three other files: etfq4h.reg, etfq4h.bxx, and etfq4h.fvv.  I was able to quarantine the first two, and the third I was able to delete after reboot with the help of HijackThis.  I also deleted the registry entry.

 

I really didn't know anything about the Windows Management Instrumentation service, so I didn't do anything at the time to try to get it running again.  It's probably been stopped since then.  The only other lingering issue from that time that I know of is with the ASUS Control Deck, which tries to start up and then quits working every time I restart the notebook.  I haven't noticed anything else not working.

 

So does anyone have any suggestions as how I can get these services operating again?


Hey tech,

 

WMI should always be running. There are several different ways to attack this problem.

The core resolution is to restore the files missing or corrupt in windows\system32 & to make sure your registry entries and indexing are pointing to the right location to assist in building the services and make sure they are running.

 

A good start for the DIY in my opinion would be starting with Microsoft. Trustful.

Try this WMI diag tool from Microsoft and see if it sheds some light for you.

The WMI Diagnosis Utility

 

Another route is finding a good exported registry of the keys, or maybe I can give you mine to import, assuming you are on either Windows 8 32-bit or Windows 7 Home Premium 64-bit.

 

I also can direct you to another 'manual' repair of WMI if you feel up to some heavy reading and learning. However, I would recommend contacting ESET Customer Care by phone before attempting this manual guide.

Manually Repair WMI

 

At any rate, we can do our best to assist you here as well if it's more preferable and comfortable for you. :)


  • Administrators

Please create a SysInspector log and send it to me attached to a personal message. I'll check if you have all dependent services running.


I agree with the SysInspector log. :)

WMI and RPC are the only dependencies.

However, tech has mentioned:

Someone else suggested that I check the dependencies for the Security Center for Windows Management Instrumentation and Remote Procedure Call.  There were no dependencies listed.  Remote Procedure Call had been started but Windows Management Instrumentation had been stopped and could not be restarted.

There will be so much more we can see if you provide Marcos with these logs. :D


I've tried to reply to this thread twice now and the post has just disappeared.  I really appreciate the offers of help and I will respond shortly, but right now I'm so frustrated I could cry.

 

I need to calm down and then I think things will work better.


A good start for the DIY in my opinion would be starting with Microsoft. Trustful.

Try this WMI diag tool from Microsoft and see if it sheds some light for you.

The WMI Diagnosis Utility

 

Another route is finding a good exported registry of the keys, or maybe I can give you mine to import, assuming you are on either Windows 8 32-bit or Windows 7 Home Premium 64-bit.

 

I also can direct you to another 'manual' repair of WMI if you feel up to some heavy reading and learning. However, I would recommend contacting ESET Customer Care by phone before attempting this manual guide.

Manually Repair WMI

 

 

I am slowly working my way through the utility manual and the information on how to do the manual repair.  This information pointed me to the Event Viewer, where I discovered another service, Application Virtualization Client, that was also stopped on 11/11/13 and has an error message when I try to restart it.  I suspect it too is dependent on WMI.  I haven't run the tool yet; I'll post more when I do and know more. I may also call Customer Care as soon as I know enough to know what to ask.  :o

 

As to the registry, I would take you up on the offer if you think it will help.  I'm very unsure of my knowledge and skills in this area, so I definitely need guidance.  I am running Windows 7 Home Premium 64 bit.

 

 

Just to check, have you tested the hard disk drive in the Asus K52JC notebook using the HDD manufacturer's bootable diagnostic CD/USB?

The only bootable disk I have for the ASUS is the Recovery DVD that I created when I first got it.  I have never tried to use it as it is designed to wipe my drive and reinstall the OS.

 

********************************************************************************************************************************

 

I created a SysInspector log and sent it to Marcos.  Hopefully it will shed some more light on this issue.

 

 

I do appreciate all of your help and patience.  I won't have time to work on these problems tomorrow but I'll get back on it over the weekend.

 

One other question:

I have some other issues with this notebook that occurred prior to the November trojan infection (problems with the Elan trackpad, Windows Updater, and some other issues that I have been unable to resolve).  I have seriously considered wiping the C drive and doing a system recovery.  Were I to do that would it reset the registry as well?  I realize that this would require the reinstallation of software and drivers.

 

Thank you again.


techinstructor have faith!

 

You have some pretty smart minds on board. B) Hang in there and remember to breathe.

 

It's just a machine and (for now) they still serve us. :P

Edited by TomFace

  • ESET Insiders
  • Solution

Seeing as that Trojan hijacked the WMI service, it's likely that the Winmgmt (WMI) service information in the registry just needs to be repaired.

Open Notepad, then copy/paste the complete content of the following code box. Then select File > 'Save as...'

  • Save as type: All Files (*.*)
  • File name: Fix_Winmgmt.reg

Select a convenient place like Desktop or My Documents.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt]
"DisplayName"="@%Systemroot%\\system32\\wbem\\wmisvc.dll,-205"
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%Systemroot%\\system32\\wbem\\wmisvc.dll,-204"
"ObjectName"="localSystem"
"ErrorControl"=dword:00000000
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
"ServiceSidType"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,62,00,65,00,6d,00,5c,00,57,00,4d,00,49,00,73,00,76,00,63,00,2e,00,64,\
  00,6c,00,6c,00,00,00
"ServiceMain"="ServiceMain"

Double click on Fix_Winmgmt.reg and allow it to merge with the registry. (I assume you're running from an admin account). If it successfully merges, reboot your PC. Let me know how things go. :)

 


  • Administrators

You have the following error logged in the system event log:

The Windows Management Instrumentation service terminated with the following error: "The system cannot find the file specified." 13/02/2014 08:04:07

 

I'd suggest capturing operations using Process Monitor while running the command "sc start winmgmt" as an administrator. When done, compress the log, upload it to a safe location and PM me the download link.


  • ESET Insiders

stackz, is that for Win7 64-bit Home Premium?

If it is, then it would be safe to import tech.

The long answer is yes. I'll reserve the short answer for another time. :P

Edited by stackz

You have the following error logged in the system event log:

The Windows Management Instrumentation service terminated with the following error: "The system cannot find the file specified." 13/02/2014 08:04:07

 

I'd suggest capturing operations using Process Monitor while running the command "sc start winmgmt" as an administrator. When done, compress the log, upload it to a safe location and PM me the download link.

 

Thanks stackz for helping though, that is definitely close to what he may have needed.

 

WMI needs this:

 

C:\Windows\system32\svchost.exe -k netsvcs

 

svchost may be corrupted or gone. :)

Edited by Arakasi

  • ESET Insiders

The reason it can't find the file, if you refer to https://forum.eset.com/topic/1365-win32kryptikbojt-trojan-variant-found/#entry7652 is that the service is looking for c:\progra~3\etfq4h.pss. So repairing the registry entry should work.

Edited by stackz

Seeing as that Trojan hijacked the WMI service, it's likely that the Winmgmt (WMI) service information in the registry just needs to be repaired.

Open Notepad, then copy/paste the complete content of the following code box. Then select File > 'Save as...'

  • Save as type: All Files (*.*)
  • File name: Fix_Winmgmt.reg

Select a convenient place like Desktop or My Documents.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt]
"DisplayName"="@%Systemroot%\\system32\\wbem\\wmisvc.dll,-205"
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%Systemroot%\\system32\\wbem\\wmisvc.dll,-204"
"ObjectName"="localSystem"
"ErrorControl"=dword:00000000
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
"ServiceSidType"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,62,00,65,00,6d,00,5c,00,57,00,4d,00,49,00,73,00,76,00,63,00,2e,00,64,\
  00,6c,00,6c,00,00,00
"ServiceMain"="ServiceMain"

Double click on Fix_Winmgmt.reg and allow it to merge with the registry. (I assume you're running from an admin account). If it successfully merges, reboot your PC. Let me know how things go. :)

 

Hallelujah!  It worked!  I followed these instructions and upon restart, the Windows Management Instrumentation service had been started.  I was then able to "Start" the Security Center with no errors.

 

I tried installing a few Windows updates with the Windows Updater and they did NOT fail.  I suspect the WMI problem was causing my installation errors before.  I am so glad to have that working again.

 

Thank you so much for your help.

Edited by techinstructor

  • ESET Insiders

Excellent, the registry entry had become corrupt.

As shown in the original SysInspector log, the malware that ESET removed had hijacked the WMI service. Hence, there was no hit or miss about the Winmgmt registry entry needing to be repaired. ;)

 

@techinstructor, I'm pleased we could help.


Still disagree, stackz.

 

1. I did not see the link to the original Sysinspector log.

 

2. Importing registry entries does not always fix the issues involved. This is a fact.

I have been doing this a long time my friend, 15-17 years.

 

But you believe what you want ;)

 

I too am glad things are closed here and he is fixed.

