Some of you have experienced the Windows Security Center failing to start after the removal of the ZeroAccess rootkit. Here is how you fix it:
Always double-check first by running a firewall reset. You can do this by opening a command prompt as administrator and typing the following command:
netsh firewall reset
You should see something like this if it is working:
If it is off or broken by the infection, you will see an error that says “The Service has not been Started.” Here is what you need to do:
1. Download the missing registry entries here and extract the .reg files to the desktop. You need to restore all of the registry entries for the following services:
Base Filtering Engine - HKLM\System\CurrentControlSet\Services\BFE
Windows Security Center Service - HKLM\System\CurrentControlSet\Services\WscSvc
Windows Shared Access - HKLM\System\CurrentControlSet\Services\SharedAccess
Windows Defender Service - HKLM\System\CurrentControlSet\Services\WinDefend
Windows Firewall Service - HKLM\System\CurrentControlSet\Services\MpsSvc
IP Helper Service - HKLM\System\CurrentControlSet\Services\iphlpsvc
You can find these service registry keys in the downloaded zip file, or you can export them from a machine on which these services are functioning correctly. Just importing these registry entries is not enough to get all of these services back up and running correctly; some of them need special permissions before they will start.
Import the registry keys by double-clicking each of the files for their respective service. Reboot the PC once you have all of the registry keys imported.
Important Note: After importing registry keys for these services, you need to reboot so that they can start correctly.
2. Now that you have all of the registry entries imported, you can start the Windows Security Center Service and the Windows Defender Service. In order to start the firewall service, you need to have the Base Filtering Engine Service up and running correctly. When you try to start “BFE”, you will get error code 5, which means “Access Denied”. To fix this, you need to allow access to the proper account. Open up regedit and navigate here:
Right-click and select “Permissions”. Click “Add…”
You want to add the account “NT Service\BFE” like this:
Once added, you should allow the “BFE” account “Full Control” as pictured above. Do not edit any of the other permissions for that service, you will do that next.
3. Run CMD as Administrator and copy/paste the following command (or have fun typing it out). You need to make sure that the command is all on one line and that there are no spaces between the sets of brackets (sorry for the word wrap but I only have so much space...)
sc sdset bfe D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
This command resets the default security descriptor for the service and sets all the permissions according to factory specs.
4. Now you need to do the same for the Windows SharedAccess Service. So, in regedit, navigate to HKLM\System\CurrentControlSet\Services\SharedAccess. There are 4 subkeys that need to have permissions reset, as well as some sub-subkeys (yea, it’s a word now, I just made it up). Here are the keys that you need to set permissions on:
For each of the above keys, right-click, select “Permissions”, then click “Add…”, just like you did above.
For the SharedAccess service, you need to add a different account, which is called “NT Service\MpsSvc”.
Also, just like the BFE service, add “Full Control” and click “Apply”. You will need to run another command to ensure that all other permissions are correct. Run CMD as Administrator and copy/paste this command to do it automatically:
sc sdset sharedaccess D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
You should be able to start all of the services correctly now. If not, check your dependencies and make sure all dependent services are started. You may also want to check your ICS service. For some reason, it helps me get the firewall running in some cases. Disable it again after you get the firewall service running. I recommend rebooting to make sure that all of the services are starting up automatically as they should. Email me if you have any questions/comments.
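As an added example (my own, not part of the original post), here is a read-only PowerShell health check that walks the whole procedure above after the reboot: it confirms each of the six service registry keys exists and reads its Start type, asks the Service Control Manager for the service state, compares the BFE and SharedAccess service descriptors against the two sc sdset strings given in steps 3 and 4, and lists which keys under BFE and SharedAccess grant rights to the “NT Service\BFE” and “NT Service\MpsSvc” accounts from steps 2 and 4. It assumes an elevated PowerShell prompt and changes nothing. The expected descriptors are copied from this post; the factory defaults on another Windows build may differ slightly, so treat a mismatch as something to look at rather than proof of damage.

```powershell
# Added example (not from the original post): read-only health check for the services
# this guide restores after ZeroAccess removal. Run from an elevated PowerShell prompt.

$services = @(
    @{ Name = 'BFE';          Label = 'Base Filtering Engine';   Account = 'NT SERVICE\BFE' },
    @{ Name = 'WscSvc';       Label = 'Windows Security Center'; Account = $null },
    @{ Name = 'SharedAccess'; Label = 'Windows Shared Access';   Account = 'NT SERVICE\MpsSvc' },
    @{ Name = 'WinDefend';    Label = 'Windows Defender';        Account = $null },
    @{ Name = 'MpsSvc';       Label = 'Windows Firewall';        Account = $null },
    @{ Name = 'iphlpsvc';     Label = 'IP Helper';               Account = $null }
)

# Service security descriptors exactly as the guide sets them with "sc sdset" (steps 3 and 4).
$guideSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
$expectedSddl = @{ 'BFE' = $guideSddl; 'SharedAccess' = $guideSddl }

# Meaning of the registry "Start" value for a user-mode service.
$startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    Write-Host "== $($svc.Label) ($($svc.Name)) =="

    # Step 1: the .reg import must have recreated the service key.
    if (-not (Test-Path -Path $key)) {
        Write-Host "  MISSING registry key $key (re-import the .reg file and reboot)"
        continue
    }
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -eq $start) {
        $startText = 'no Start value in the key'
    } elseif ($startNames.ContainsKey([int]$start)) {
        $startText = $startNames[[int]$start]
    } else {
        $startText = "unexpected value $start"
    }
    Write-Host "  Start type : $startText"

    # Service state as the Service Control Manager sees it.
    $state = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
    if ($state) {
        Write-Host "  Status     : $($state.Status)"
    } else {
        Write-Host "  Status     : not registered with the Service Control Manager"
    }

    # Steps 3 and 4: compare the live service descriptor with the one the guide applies.
    # Note: plain "sc" is an alias for Set-Content in PowerShell, so call sc.exe explicitly.
    if ($expectedSddl.ContainsKey($svc.Name)) {
        $actual = & sc.exe sdshow $svc.Name | Where-Object { $_ -match '^D:' } | Select-Object -First 1
        if (-not $actual) {
            Write-Host "  SDDL       : could not be read (sc sdshow failed; error 5 here means the access problem from step 2 is still present)"
        } elseif ($actual.Trim() -eq $expectedSddl[$svc.Name]) {
            Write-Host "  SDDL       : matches the descriptor set in the guide"
        } else {
            Write-Host "  SDDL       : differs from the guide's descriptor:"
            Write-Host "               $($actual.Trim())"
        }
    }

    # Steps 2 and 4: which keys under the service grant rights to the per-service account.
    # Entries inherited from a parent key are listed too, so the account added at one
    # level shows up on every subkey it propagates to.
    if ($svc.Account) {
        $keysToCheck = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
        $grants = foreach ($k in $keysToCheck) {
            $acl = Get-Acl -Path $k.PSPath -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.IdentityReference.Value -ieq $svc.Account) {
                    '{0} -> {1}' -f $k.Name, $ace.RegistryRights
                }
            }
        }
        if ($grants) {
            Write-Host "  $($svc.Account) has rights on:"
            $grants | ForEach-Object { Write-Host "    $_" }
        } else {
            Write-Host "  $($svc.Account) has NO rights under $key (step 2/4 permissions not applied)"
        }
    }
}
```

Run it once before you start the repair to record what the infection left behind, and again after the final reboot: every key present, Start type Automatic for the services you expect to run, Status Running, both descriptors matching, and Full Control listed for the two service accounts is the end state this guide is working toward. A descriptor that cannot be read at all is the same symptom as the error code 5 in step 2, so that line points you straight back to the permissions step.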