MS Security Center stopped as well as Avast

My Windows Vista PC seems to have been hacked/attacked by a virus/malware.

My Windows Security Center has been disabled, as well as Avast, and I can't turn it back on.

PC is very slow to boot and run programs. Can't access Control Panel and other items, like it's being blocked.

My PC is normally very tight and clean, as I have Avast, Spyware Blaster, Advanced System Clean, MalwareBytes, SuperAntiSpyware, etc. updated and run regularly. Must have accidentally clicked on something on the net and got infected.

Running in Safe Mode, but it still seems slow and infected.

I have run Kaspersky Recovery and Virus tools from DVD for a 9 hr scan of all files on my PC. It only found 1 item, which was:
Adware.Win32.agent.aeph
Cleaned it, but there are still issues on my PC (slow/not the same as before when clean).

Ran AdwCleaner and cleaned it. Will reboot to see if any better.
Here is my log:

AdwCleaner v3.010 - Report created 01/11/2013 at 03:35:04

Updated 20/10/2013 by Xplode

Operating System : Windows ™ Vista Home Premium Service Pack 2 (64 bits)

Username : hidden for security

Running from : C:\Users\*removedname\Downloads\adwcleaner.exe

Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\{5E50AE1D-BC76-418B-94C4-EFEAC0CEF80C}
Key Found : HKLM\SOFTWARE\Classes\AppID\{F54A0D21-6A53-460C-8301-C694EC9E1033}
Key Found : HKLM\SOFTWARE\Classes\AppID\{F7BCCFD4-2FA6-477D-A1B0-EF7500B3C49E}
Key Found : HKLM\SOFTWARE\Classes\AppID\NCTAudioCompress3.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\NCTAudioFile3.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\NCTAudioFormatSettings3.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F14321-8FED-4CBC-B01A-4B57FC199062}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2C6F7E96-73BC-47A5-9F51-B67F0BAFE24D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4C58EB04-7B72-4D3D-A36E-66167A99BC31}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4EE0B011-604C-47F3-8F2B-39F79640B85E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CD5175E2-7CC1-418C-B66C-0AB95DAD4103}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{43B4B831-F41F-4F73-8F14-4FFF0BA75B1B}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{6C9945B7-1D19-46CB-88C0-45A24DF6CD6E}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{84B9B044-17C0-48FB-A300-C9747D5DF29C}
Key Found : [x64] HKLM\SOFTWARE\Updater By Sweetpacks

***** [ Browsers ] *****

-\ Internet Explorer v9.0.8112.16514

-\ Mozilla Firefox v25.0 (en-US)

[ File : C:\Users\*removedname\AppData\Roaming\Mozilla\Firefox\Profiles\enrsrp5c.default\prefs.js ]

[ File : C:\Users\*removedname\AppData\Roaming\Mozilla\Firefox\Profiles\1hsijvgy.default\prefs.js ]

[ File : C:\Users\*removedname\AppData\Roaming\Mozilla\Firefox\Profiles\wvqg0vfs.default\prefs.js ]

[ File : C:\Users\*removedname\AppData\Roaming\Mozilla\Firefox\Profiles\marakxxr.default\prefs.js ]

-\ Google Chrome v30.0.1599.101

[ File : C:\Users\*removedname\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Users\*removedname\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Users\*removedname\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Users\*removedname\AppData\Local\Google\Chrome\User Data\Default\preferences ]


AdwCleaner[R0].txt - [54548 octets] - [13/09/2013 02:32:21]
AdwCleaner[R1].txt - [2749 octets] - [01/11/2013 03:13:22]
AdwCleaner[R2].txt - [2583 octets] - [01/11/2013 03:35:04]
AdwCleaner[S0].txt - [54566 octets] - [13/09/2013 02:36:34]

########## EOF - C:\AdwCleaner\AdwCleaner[R2].txt - [2704 octets] ##########

Please advise.

Thanks for any/all help you can provide.

Hi,

Re-run AdwCleaner, but make sure to click on Clean after scanning. Attach that report…

Then…

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Under Optional Scan, ensure “List BCD” and “Driver MD5” are ticked.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Then…

Please download GMER, the AntiRootKit tool from the link below and save it to your Desktop:

Gmer download link
Note: the file will be randomly named.

Double-click to run GMER.

  • Wait for the initial scan to finish - if there is any query, click No;
  • Click the [ Scan ] button and wait until the full scan is complete;
  • Click the [ Save … ] button - save the report to the Desktop (named ARK);

Please attach GMER’s log report (ARK.txt) here.

Yes, I had run the scan and clean yesterday.

After cleaning, still the same/similar issues:

  • runs/boots very slow when not in Safe Mode
  • says my Microsoft Security Center is turned off for antivirus and won’t let me turn it back on (Avast)
  • won’t let me run certain install programs

I will do the other steps you recommended and get back to you.
Thanks

Here are the logs after cleaning with AdwCleaner:

AdwCleaner v3.010 - Report created 01/11/2013 at 04:08:47

Updated 20/10/2013 by Xplode

Operating System : Windows ™ Vista Home Premium Service Pack 2 (64 bits)

Username : Admin - JAREDDELL

Running from : C:\Users\*nameprotected*\Downloads\adwcleaner.exe

Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\NCTAudioCompress3.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\NCTAudioFile3.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\NCTAudioFormatSettings3.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{5E50AE1D-BC76-418B-94C4-EFEAC0CEF80C}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{F54A0D21-6A53-460C-8301-C694EC9E1033}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{F7BCCFD4-2FA6-477D-A1B0-EF7500B3C49E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F14321-8FED-4CBC-B01A-4B57FC199062}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2C6F7E96-73BC-47A5-9F51-B67F0BAFE24D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4C58EB04-7B72-4D3D-A36E-66167A99BC31}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4EE0B011-604C-47F3-8F2B-39F79640B85E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CD5175E2-7CC1-418C-B66C-0AB95DAD4103}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{43B4B831-F41F-4F73-8F14-4FFF0BA75B1B}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6C9945B7-1D19-46CB-88C0-45A24DF6CD6E}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{84B9B044-17C0-48FB-A300-C9747D5DF29C}
Key Deleted : [x64] HKLM\SOFTWARE\Updater By Sweetpacks

***** [ Browsers ] *****

-\ Internet Explorer v9.0.8112.16514

-\ Mozilla Firefox v25.0 (en-US)

[ File : C:\Users\*nameprotected*\AppData\Roaming\Mozilla\Firefox\Profiles\enrsrp5c.default\prefs.js ]

[ File : C:\Users\*nameprotected*\AppData\Roaming\Mozilla\Firefox\Profiles\1hsijvgy.default\prefs.js ]

[ File : C:\Users\*nameprotected*\AppData\Roaming\Mozilla\Firefox\Profiles\wvqg0vfs.default\prefs.js ]

[ File : C:\Users\*nameprotected*\AppData\Roaming\Mozilla\Firefox\Profiles\marakxxr.default\prefs.js ]

-\ Google Chrome v30.0.1599.101

[ File : C:\Users\*nameprotected*\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Users\*nameprotected*\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Users\*nameprotected*\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Users\*nameprotected*\AppData\Local\Google\Chrome\User Data\Default\preferences ]


AdwCleaner[R0].txt - [54548 octets] - [13/09/2013 02:32:21]
AdwCleaner[R1].txt - [2749 octets] - [01/11/2013 03:13:22]
AdwCleaner[R2].txt - [2788 octets] - [01/11/2013 03:35:04]
AdwCleaner[S0].txt - [54566 octets] - [13/09/2013 02:36:34]
AdwCleaner[S1].txt - [2735 octets] - [01/11/2013 04:08:47]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [2795 octets] ##########

Ok, I still need other reports…

I spoke to my company IT person today for some ideas.
They said Malwarebytes, which I already use and ran with no luck to clean it off.
After some prodding, got him to give me Symantec Endpoint Protection. Said I could run it to create a bootable recovery/fix disk to clean up my PC. Sadly it wouldn’t let me install it under Safe Mode, and when I ran in regular mode it did let me install it (after a long time booting and trying to load up the program), but when I tried to do anything in the program it (the malware/virus on my PC) wouldn’t let me do anything with the application, so I couldn’t create anything or do a scan.

Ok so I just ran OTL as suggested in the general cleaning guide available on this site.

Unfortunately the OTL and Extras logs are too long, and it says I can only post 1000 lines max. I tried to post them separately and had the same issue.

Please advise where can I post/email these?

I will run the other program you suggested in your last post and get back to you.
OK, please advise.

Thanks for your help and support

lerxt

Why are you then seeking help here when your company has people that are paid to sort these kinds of problems…???

Ran Farbar
Here are the FRST and Addition logs:

See attached as they are too long to post inline

No, this is my home PC that is infected, not my work one.
I was just asking their advice “off line as a favor”.

Sorry. I’m here with you guys all the way. Just looking at all my options. They were of no help so…
onward

Ok, I’m attaching the OTL and OTL Extras logs here as they were too large to post inline.

See attached

User names changed to protect the innocent :)

Ok, getting closer.
GMER found some suspicious activity/changes.
See attached ARK.txt log file

I ran the quick scan first.
Will post the full scan of the C: next.

OK the FULL GMER scan of the entire C: drive finally finished. Similar results from the quick scan.
Only 1-2 more line entries than before.

See below:

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-11-02 05:02:53
Windows 6.0.6002 Service Pack 2 x64 \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD7501AALS-75J7B0 rev.05.00K05 698.64GB
Running: GMER.exe; Driver: C:\Users\Admin\AppData\Local\Temp\awdiypow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff9600017f800 3 bytes [C0, 82, 02]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 4 fffff9600017f804 3 bytes [41, BC, FA]
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- EOF - GMER 2.1 ----

Please advise on next steps.

… waiting on directions/help on what to do next.
Thanks
lerxt

Download TDSSKiller and save it to your desktop.

Execute TDSSKiller.exe by double-clicking on it.
Confirm the “End User Licence Agreement” and “KSN Statement” dialog boxes by clicking on the Accept button.

  • Press Start Scan.
  • If a Suspicious object is detected, the default action will be Skip; click on Continue.
  • If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the system drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

Unfortunately, nothing was found with TDSSKiller.

See attached log

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

C:\ProgramData\imgdoc2.dll
C:\Users\Public\AlexaNSISPlugin.5872.dll
C:\Users\User-ga\AppData\Local\Temp
cmd: ipconfig /flushdns

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

Then…

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

I’m sorry.
I messed up a bit.
In your instructions for the code to copy in and then run FRST64, the user name in the code was one I had changed in one of my output logs to protect the actual name. The username “User-ga” is incorrect, as shown below
(See 1st set of code text listed below)

When I ran FRST64 it encountered an error (See 2nd set of code text below that)

When I ran FRST64 I was in Safe Mode with networking but when it rebooted after running the FRST Fix, I let it boot up in normal (non-safe mode).

Please advise which mode I need to run these in. I’m trying to prevent / minimize the amount of access the malware has to the PC under “normal” mode, so I am unplugging the net cable when not needed.

Another reason is because in normal mode it takes a LONG time to boot/load and let me do anything, due to the malware’s control over the PC.

Question:
So, can I re-run FRST64 now that I know what the actual/correct user name is, if I go and fix that code?
Please advise.

I have NOT run ComboFix yet due to the error encountered in step 1.

Note: I also have an Ubuntu CD-ROM I am able to load / temporarily run to bypass the Windows boot so I can safely get on the net and download the needed files and copy/move files to my directories as needed.
Not sure if there is a way to boot under Ubuntu and then have it scan the C: hard drive as an external drive and find the issues? I tried looking for virus/malware scanners in their app store, but since Linux environments don’t usually get viruses/malware, I came up empty.

Thanks for sticking with me on this “project”
lerxt

Incorrect username “User-ga” in this code:
C:\ProgramData\imgdoc2.dll
C:\Users\Public\AlexaNSISPlugin.5872.dll
C:\Users\User-ga\AppData\Local\Temp
cmd: ipconfig /flushdns


FRST fix log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 31-10-2013
Ran by Stephen at 2013-11-04 00:21:58 Run:1
Running from C:\Users\Stephen\Desktop
Boot Mode: Safe Mode (with Networking)

Content of fixlist:


C:\ProgramData\imgdoc2.dll
C:\Users\Public\AlexaNSISPlugin.5872.dll
C:\Users\User-ga\AppData\Local\Temp
cmd: ipconfig /flushdns


Could not move "C:\ProgramData\imgdoc2.dll" => Scheduled to move on reboot.
C:\Users\Public\AlexaNSISPlugin.5872.dll => Moved successfully.
"C:\Users\User-ga\AppData\Local\Temp" => File/Directory not found.

========= ipconfig /flushdns =========

The requested operation requires elevation.

========= End of CMD: =========

=========== Result of Scheduled Files to move ===========

"C:\ProgramData\imgdoc2.dll" => File could not move.

==== End of Fixlog ====

I did find this article on how to scan a Windows HDD under an Ubuntu environment, but it’s referring to an older version of Ubuntu. Would think it would be similar with the new version:

http://www.howtogeek.com/howto/14434/
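An added example, not from this thread and not FRST's own code: a small Python parser that reads a Fixlog like the one posted above and lists which fixlist entries were actually handled. The line formats it recognises ("path => result", the "========= cmd =========" blocks and "Boot Mode:") are assumed from the posted log, and the sample is constructed from those lines. It shows at a glance that the first file was still in place after the reboot and that the cmd: line ran without administrator rights.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the Fixlog the user posted in this thread.
SAMPLE_FIXLOG = r"""Boot Mode: Safe Mode (with Networking)
C:\ProgramData\imgdoc2.dll
C:\Users\Public\AlexaNSISPlugin.5872.dll
C:\Users\User-ga\AppData\Local\Temp
cmd: ipconfig /flushdns
Could not move "C:\ProgramData\imgdoc2.dll" => Scheduled to move on reboot.
C:\Users\Public\AlexaNSISPlugin.5872.dll => Moved successfully.
"C:\Users\User-ga\AppData\Local\Temp" => File/Directory not found.
========= ipconfig /flushdns =========

The requested operation requires elevation.
========= End of CMD: =========
=========== Result of Scheduled Files to move ===========
"C:\ProgramData\imgdoc2.dll" => File could not move.
==== End of Fixlog ====
"""

# Assumed line grammar, taken from the posted log rather than any FRST documentation.
ENTRY_RE = re.compile(r'^(?:Could not move )?"?(?P<path>[A-Za-z]:\\[^"]+?)"? => (?P<result>.+?)\.?$')
SECTION_RE = re.compile(r'^=+ (?P<name>.+?) =+$')

@dataclass
class FixSummary:
    boot_mode: str = ''
    files: dict = field(default_factory=dict)     # path -> last result reported for it
    commands: dict = field(default_factory=dict)  # "cmd:" directive -> captured output

def parse_fixlog(text):
    """Walk a Fixlog top to bottom; a later result for the same path (post-reboot) wins."""
    s, cmd, buf = FixSummary(), None, []
    for line in (l.strip() for l in text.splitlines()):
        sec = SECTION_RE.match(line)
        if cmd is not None:                      # inside a "cmd:" output block
            if sec and sec.group('name') == 'End of CMD:':
                s.commands[cmd] = '\n'.join(buf).strip()
                cmd, buf = None, []
            else:
                buf.append(line)
        elif line.startswith('Boot Mode:'):
            s.boot_mode = line.split(':', 1)[1].strip()
        elif sec and not sec.group('name').startswith(('End of', 'Result of')):
            cmd = sec.group('name')              # e.g. "ipconfig /flushdns"
        elif (m := ENTRY_RE.match(line)):
            s.files[m.group('path')] = m.group('result')
    return s

def triage(summary):
    """Entries still needing a decision: files not moved and commands that lacked rights."""
    issues = [f'{p}: {r}' for p, r in summary.files.items() if r != 'Moved successfully']
    issues += [f'cmd {c}: {o}' for c, o in summary.commands.items() if 'requires elevation' in o]
    return issues
```

Running `triage(parse_fixlog(SAMPLE_FIXLOG))` on the sample reports the DLL that could not be moved, the path that did not exist because of the wrong user name, and the flushdns command that needed elevation.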

Proceed with ComboFix, and do not change the log in any way, or I’ll abandon this case…

Follow my instructions; when I say that the system is clean, then you can do whatever you want. Now, please stick to my instructions…

OK
Ran ComboFix.

While it ran there were a few instances where it said it didn’t have administrator rights to do what it wanted to do, but the scan did complete and created the log.

I rebooted into windows normal (non-safe mode)

Still takes 7-10 mins to load and get to the desktop, but it seemed to be a little different, and the Symantec Endpoint scanner that I had loaded a few days ago was now showing in the system tray on the right, which wasn’t the case before.

Was able to update the definitions for Avast this time.

But still can’t go into Control Panel, locked out; when I click it, it doesn’t do anything.

I didn’t get the “Security Center was disabled” warning this time, but not sure if I waited long enough for it to show up.

Still not back to normal.

See attached log from ComboFix.

I really try to understand everything you told me, but I can’t. Why did you run ComboFix from Safe Mode?

Is this account Limited or Administrator?