WMI Issues after ZeroAccess removal

SilverLeaf

Can't seem to get WMI / Security Center Service to work correctly after ZA removal (Win7 HP x86). All required services start on boot, but EventViewer shows these errors

"The Windows Security Center Service was unable to establish event queries with WMI to monitor third party A/V.....

"failed to initialize WMI core or Provider Subsytem or Event Subsystem with error 0x080040154. This could be due to a badly installed version of WMI, WMI repository upgrade failure,...."

The associated individual security services (firewall, A/V, etc.) all work, but the Security Center won't talk to WMI. Tried the D7 WMI repair tool, but the problem still exists. Any ideas?
 
I am working on the same exact issue right now on a Win 7 machine.

ZA virus, killed it. KillEmAll, then did a full MBAM, ComboFix, checked stuff with Autoruns, did a bunch of stuff with D7. Found DVD dead, removed filters, that's OK now. MSSE won't start, gets 0x80070424, so it could be firewall stuff. I'll get it, but just posting what I did so far.

Will post more later.
 
Foolish Tech's KillZA did an excellent job of both removing ZA and repairing services.exe. Used D7 to repair the disabled security stuff (firewall, system restore, security center, Windows Update, etc) and had to uninstall/reinstall MS Security Essentials. Everything works now, but Security Center can't talk to WMI for some reason.

I did come across an article re: WMI and ZA here http://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/ but the mentioned registry key are fine.
 
Yes, D7 saw the ZA rootkit, did the magic with KillZA and it came up nice. Still did a combo/MBAM/etc. to make sure I got the worst of it.

Did repair Win firewall, MS Fixit Windows Update. Still the same 0x error on manual start of MSE. Now doing an SFC scannow.

Just trying the easy stuff first.
 
I think ZA prunes some MSE reg keys, I've just had to reinstall it in the past after ZA removal... tried that yet?

I uninstalled and was going to do a reinstall, but figured to do a SFC just in case. Could just be a corrupt MSE as everything seems ok so far.
 
SFC ran no integrity issues.

Reinstalled MSSE, updated fine. Rebooted even though I didn't have to. MSSE came up fine. Now running full scan.

So it was just a screwed up MSSE for me (after the ZA and other viruses were cleaned). Will do all the usual post virus checks and cleanups but so far it looks good.

Most of this could be done via D7, so as I said before, every tech should have a registered copy. I can do so much more now that I have an easy GUI to do it instead of remembering all the things and how to run them or syntax to use.
 
> So it was just a screwed up MSSE for me (after the ZA and other viruses were cleaned). Will do all the usual post virus checks and cleanups but so far it looks good.

I thought I was in the clear as well at this point. Then I ran D7 again, and the System Info tab indicated that the items I repaired (A/V, system restore, etc) were not running. They actually are running fine. My investigation of this discrepancy led me to discover that WMI and Security Center aren't on speaking terms at the moment. There may be other issues at play here, but WMI seems to be a suspect at the moment.


> Most of this could be done via D7 so as I said before every tech should have a registered copy. I can do so much more now that I have a easy GUI to do it instead of remembering all the things and how to run them or syntax to use.

Absolutely! Bought mine this morning actually.
 
I didn't just find ZA, there were two others. Run a ComboFix and TDSSKiller and see if they find more. Also do a CCleaner and look at the startup stuff for any lame entries. It seems like it's always more than one virus on these people's machines.

Right now my ZA'd machine is running fine but I always scrub the hell out of them with scanners and other programs where I can poke around.
 
I'm having the same exact issue as well. Win 7 Ult. I used D7 for the removal/post-removal including the Security Center repair, and I uninstalled/re-installed MSE, both with no luck. MSE appears to run, but then I get a pop-up telling me there's problems with the Security Center and to turn on either Defender or MSE. D7 reports the computer as having no A/V installed.
 
Well, you got more work to do. Check event logs, services, try to run WU manually and see if it works. Can't tell what else without knowing what you already checked or ran.

ps - Am I the only one seeing a weird link to the words "security center" in the above post ? Leads to some unrelated amazon.com "Security Console for Jeep Wrangler"
 
In the last 10 days, I've had 6 machines with ZeroAccess on them (most were part of Live Security Platinum, but there were a few others).

The sequence below works pretty well for me. (I was able to clean the last machine in under an hour)

1. Use RKILL to kill the current malware process and allow pgms to run. (On some infections, you may have to use safe mode.)
RKILL will tell you the location of the offenders; so turn on "show hidden" and delete the file(s).

2. Run D7, which will flag the ZA and remove it.

3. Run TDSSKiller to check for other rootkits

4. Use your standard tools like AutoRuns, HitmanPro (etc) to locate and clean out the infection itself, plus other possible rootkits.

At this point, the rootkit and the infection itself should be gone. Now it's time to locate/repair the damage. On almost all the machines, this included:
a) Firewall won't turn on; use D7 to repair it
b) Security center won't start; use D7 to repair it
c) Windows update won't work; use D7 to repair it
d) Security s/w won't turn on or work right; usually uninstall/re-install and all is OK
e) If Windows and/or D7 doesn't recognize the security s/w; use D7 to do the WMI repair
Most times I reboot between each of the items above

This has been the general procedure and has worked well for me. Often, the biggest hurdle has been getting D7 to work in the first place (that's what RKILL, or safe mode, is for).

Hope this helps somebody.
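A post-cleanup check for the damage listed in a) to e) above and for the Security Center / WMI symptom in the opening post, written here as an added example; it is not from this thread, D7, RKILL or any other tool named in it. It assumes Windows 7 with PowerShell 2.0 or later, run from an elevated prompt.

```powershell
# Added example (not from the thread or any tool it names): verify the services
# ZeroAccess cleanup typically leaves broken, check the WMI repository, and ask
# the Security Center namespace what it actually sees. Assumes Win7, elevated.

$services = @{
    'winmgmt'  = 'Windows Management Instrumentation'
    'wscsvc'   = 'Security Center'
    'MpsSvc'   = 'Windows Firewall'
    'BFE'      = 'Base Filtering Engine (firewall dependency)'
    'wuauserv' = 'Windows Update'
}

Write-Host '== Service state =='
foreach ($name in $services.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) {
        Write-Host ("{0,-10} MISSING (service entry not present)" -f $name)
    } else {
        Write-Host ("{0,-10} {1,-8} start={2,-6} {3}" -f $name, $svc.State, $svc.StartMode, $services[$name])
    }
}

Write-Host '== WMI repository consistency =='
$verify = & winmgmt.exe /verifyrepository 2>&1
Write-Host ($verify -join "`n")

# This is the same namespace Security Center and D7 read to decide whether an
# A/V or firewall is installed. A failure here with 0x80040154 (class not
# registered) matches the event log error quoted in the opening post.
Write-Host '== root\SecurityCenter2 as seen through WMI =='
foreach ($class in 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct') {
    try {
        $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction Stop
        if ($products -eq $null) {
            Write-Host "$class : namespace reachable, but no product registered"
        } else {
            foreach ($p in $products) {
                # productState is an undocumented bitfield; compare against a known-good machine.
                Write-Host ("{0} : {1} (productState=0x{2:X})" -f $class, $p.displayName, $p.productState)
            }
        }
    } catch {
        Write-Host "$class : WMI query failed - $($_.Exception.Message)"
    }
}

Write-Host '== Recent WMI initialization failures (Application log) =='
Get-WinEvent -LogName Application -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*failed to initialize WMI core*' } |
    Select-Object -First 5 TimeCreated, Id, ProviderName | Format-Table -AutoSize
```

If the service list and the repository check both come back clean but the SecurityCenter2 queries still fail, the problem is in WMI's DCOM/provider registration rather than in the security products themselves, which narrows the repair to the WMI side.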
 

This is the same route I took with this (was also Live Security Platinum, btw). Everything works... except WMI. D7 seems to be successful at the repair, but after reboot WMI fails with "Failed to initialize WMI core or provider subsystem or event subsystem..." error. Even tried a manual deletion of the WBEM repository without success.
 
> 1. Use RKILL to kill the current malware process and allow pgms to run.

If I can just offer a note here. I have found that KillEmAll (it's also in D7 in the malware section) is better than RKILL and gives you a much better idea of what it kills. Kills more and also finds files in suspicious areas.

Pretty much the first thing I run is KillEmAll if I have desktop control and am chasing viruses.
 
Back to the OP issue, I ran the latest ZA dropper I found on kernelmode.info on a Vista VM - duplicated the problem with WMI (or similar) but D7's repair WMI and repair Security Center functions fixed it. Maybe more damage was done and yours is a newer variant, I don't know...

Sorry I couldn't be of more help.........
 

Thanks for the effort!

I've been working on it off and on, but still not found a solution. I suspect registry permission errors, however I have yet to successfully restore to default permissions. The D7 Repair Permission tool has been unsuccessful so far. It completes, but indicates failures numbering in the tens of thousands. Running subinacl from an elevated command prompt produces the same results (obviously, as I believe D7 uses subinacl as well). Is this normal behavior for subinacl? Maybe I should give secedit a try?

note also: I have edited my original post to reflect the correct O/S. I mistakenly typed Vista, actually it's Win7. Apologies :o
 
Yes, D7 uses subinacl. I was recently pointed to an MSKB article that said not to use secedit on Vista/7 or unpredictable results would occur. Just a warning.
 