MS security center disable for virus attack...help

Hello,

A few days ago my PC was attacked by viruses. Avast, SAS, and MBAM fully cleared all those things and all its components run smoothly. But one thing that happened in the attack is that some options of MS Security Center have been disabled, but it does not create any problem for working with my PC. One thing I want to know is: is it possible to recover all the disabled things and fix the problem? I mean, is there any download or any other option to fix the problem? Is it possible?

Thank you,

English is bad…sorry.

If you can post the scan logs so we can see what was found and get the virus name
Then we may find out what the virus did and how to revert it

Also follow this guide from essexboy and post the logs
http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

essexboy is the malware expert in here, and he has probably seen this before and knows how to fix it

hi,
pondus

Here is the log file of MBAM.

Malwarebytes’ Anti-Malware 1.44
Database version: 3515
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/8/2010 6:16:03 PM
mbam-log-2010-01-08 (18-16-03).txt

Scan type: Quick Scan
Objects scanned: 120537
Time elapsed: 10 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface{4b66e1df-4de3-4cda-83b5-11673eadab0b} (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface{9692be2f-eb8f-49d9-a11c-c24c1ef734d5} (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{ca3eb689-8f09-4026-aa10-b9534c691ce0} (Adware.Ecobar) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\LEO0WTUNO7 (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\4VDD85L8NF (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Zeldar (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\J8RPLTROBQ (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\B1RQJ7YJ0U (Trojan.FakeAlert) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\DelUS.bat (Malware.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\Tasks{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) → Quarantined and deleted successfully.
C:\WINDOWS\Tasks{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) → Quarantined and deleted successfully.
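
An added example, not part of the thread: a small Python parser for the MBAM log format posted above. It lists the settings whose data MBAM reset (the values to re-check after a reboot) and any detection that was not fully removed. The function names and the last sample line are constructed for illustration.

```python
import re
from collections import Counter

# Subset of the MBAM 1.44 log posted above; the last line is constructed
# (not from the thread) to show an entry that was not removed outright.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Zeldar (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) → Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
Files Infected:
C:\DelUS.bat (Malware.Trace) → Quarantined and deleted successfully.
C:\example\placeholder.tmp (Malware.Trace) → Delete on reboot.
"""
SECTION = re.compile(r"^(.+) Infected:$")  # section header, not the "...: 14" summary
ENTRY = re.compile(
    r"^(?P<path>.+?) \((?P<name>[A-Za-z]+\.[\w.]+)\)"
    r"(?: (?:->|→) Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" (?:->|→) (?P<action>.+?)\.?$")

def parse_mbam(text):
    """Return one dict per detection line, tagged with its log section."""
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            section = m.group(1)
        elif m := ENTRY.match(line):
            entries.append({"section": section, **m.groupdict()})
    return entries

def settings_to_verify(entries):
    """(key, value name, expected data) for settings the malware had changed."""
    return [(*e["path"].rsplit("\\", 1), e["good"])
            for e in entries if e["good"] is not None]

def needs_follow_up(entries):
    """Paths whose action was anything other than a completed removal."""
    return [e["path"] for e in entries if "successfully" not in e["action"]]

def family_counts(entries):
    return Counter(e["name"] for e in entries)

if __name__ == "__main__":
    for key, value, good in settings_to_verify(parse_mbam(SAMPLE_LOG)):
        print(f"verify {key}\\{value} == {good}")
```
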

Make sure Security Center service is active and set to Automatic start:
http://www.winhelponline.com/articles/33/1/How-to-restore-the-missing-Security-Center-service-in-Windows-XP-SP2.html <== works in XP SP3 as well

Make sure that your system date and time are correct.

A reboot will be necessary to activate Security Center service.

Thank you YoKenny,

But it didn’t work… Security Center service is still not working properly.

One silly question I am asking: how could I know that the SC service is active and set to Automatic start?? :-X

English is bad…sorry

How do I know Security Center service is not active and not set to automatic is because I checked my XP Pro system.

You will need essexboy’s help just like Pondus said in his post.

Hi, the first thing I would like to know is which option has been disabled - could you post a screenshot?

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop

- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users
- Under Additional Scans check the following:
  - Reg - Shell Spawning
  - File - Lop Check
  - File - Purity Scan
  - Evnt - EvtViewer (last 10)
- Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles

- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

Thank you,
essexboy

Here is the screenshot.

He needs the OTS log not a screenshot and use REPLY not QUOTE.

Try this first as it may cure the problem

To resolve the problem, download wscsvcfix.zip from the following link, and save the file to Desktop.
Unzip the file and double-click to run it.
Click the Inspect and Fix button once.
Restart Windows for the changes to take effect.

Note that this utility requires administrator credentials to run correctly.
http://windowsxp.mvps.org/wscsvcfix.htm

Thank you

essexboy,

It didn’t work. The problem was the same. I am very happy that you spend your precious time on my small problem.
Thank you again.

English is bad…sorry

No problems with the language - you are quite good ;D

In that case could you run the OTS programme for me and attach the log it produces

OK, I will try it.

Edit

I see some remnants of Norton and McAfee - they could be affecting the security centre also some old malware

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Registry - Safe List]
< HOSTS File > (140 bytes and 2 lines) -> C:\WINDOWS\system32\drivers\etc\HOSTS
YN -> notepad<system folder>\driver\etc\hosts127.0.0.1        go.www.google.com.ar -> 
YN -> notepad<system folder>\drivers\etc\hosts127.0.0.1	go.mail.ru -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{B99F805C-F0B1-48EA-8C8B-753BFCBED913}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1409082233-261478967-725345543-1004\] > -> HKEY_USERS\S-1-5-21-1409082233-261478967-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{472734EA-242A-422B-ADF8-83D1E48CC825}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{4B3803EA-5230-4DC3-A7FC-33638F3D3542}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{71576546-354D-41C9-AAE8-31F2EC22BF0D}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{B99F805C-F0B1-48EA-8C8B-753BFCBED913}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{C17590D2-ECB4-4B15-8820-F58798DCC118}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Reg Error: Key error.]
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*GinaDLL* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\GinaDLL
YY -> C:\WINDOWS\system32\awgina.dll -> C:\WINDOWS\system32\awgina.dll
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> PCANotify -> C:\WINDOWS\System32\PCANotify.dll
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> "{4F07DA45-8170-4859-9B5F-037EF2970034}" [HKLM] -> Reg Error: Key error. [OA Shell Helper]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YY -> "C:\Documents and Settings\All Users\Application Data\csrss.exe" -> C:\Documents and Settings\All Users\Application Data\csrss.exe [C:\Documents and Settings\All Users\Application Data\csrss.exe:*:Enabled:svchost]
YY -> "C:\Program Files\AVG\AVG8\avgnsx.exe" -> C:\Program Files\AVG\AVG8\avgnsx.exe [C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe]
YY -> "C:\Program Files\AVG\AVG8\avgupd.exe" -> C:\Program Files\AVG\AVG8\avgupd.exe [C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe]
YY -> "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -> C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe [C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe:*:Enabled:Kaspersky Anti-Virus]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{d6ec90f3-fc17-11de-9a11-0019d16f460e}\sHeLl\AutoRun\command\\"" -> [tmp\winfix.exe]
YN -> \{d6ec90f3-fc17-11de-9a11-0019d16f460e}\sHeLl\OpEn\cOMmAnD\\"" -> [tmp\winfix.exe]
YN -> \{ef9cd14e-c2f6-11de-9717-0019d16f460e}\Shell\AutoRun\command\\"" -> [winsys/winavg.exe]
YN -> \{ef9cd14e-c2f6-11de-9717-0019d16f460e}\Shell\explore\command\\"" -> [winsys/winavg.exe]
YN -> \{ef9cd14e-c2f6-11de-9717-0019d16f460e}\Shell\open\command\\"" -> [winsys/winavg.exe]
[Files/Folders - Modified Within 30 Days]
NY ->  edacded0.dat -> C:\WINDOWS\System32\edacded0.dat
NY ->  bcdadac7.xml -> C:\WINDOWS\System32\bcdadac7.xml
[Files - No Company Name]
NY ->  edacded0.dat -> C:\WINDOWS\System32\edacded0.dat
NY ->  bcdadac7.xml -> C:\WINDOWS\System32\bcdadac7.xml
NY ->  comodo internet security.INI -> C:\WINDOWS\comodo internet security.INI
[Custom Scans]
NY ->  3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.