Fake Windows Security Center

July 29, 2009 at 03:02:53
Specs: Windows XP
It looks like I have been infected with a virus/trojan that looks like Windows Security Center. I have read other posts about the same issue, but it seems like the solution is unique each time. Can someone please help me? Here is the result of my SmitFraud scan:

SmitFraudFix v2.423

Scan done at 11:48:59,12, 29.07.2009
Run from C:\Documents and Settings\maghus\Lokale innstillinger\Temporary Internet Files\Content.IE5\4ISGCL7E\SmitfraudFix[1]\SmitfraudFix
OS: Microsoft Windows XP [Versjon 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Programfiler\Windows Defender\MsMpEng.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programfiler\Symantec AntiVirus\DefWatch.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Symantec AntiVirus\SavRoam.exe
C:\Programfiler\Symantec AntiVirus\Rtvscan.exe
C:\Programfiler\Windows Defender\MSASCui.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\CASIO\Photo Loader\Plauto.exe
C:\Programfiler\Windows Desktop Search\WindowsSearch.exe
C:\Programfiler\Microsoft Office\Office12\ONENOTEM.EXE
C:\Programfiler\Skype\Plugin Manager\skypePM.exe
C:\Programfiler\Symantec AntiVirus\VPC32.exe
C:\Programfiler\Protection System\psystem.exe
C:\Programfiler\Spybot - Search & Destroy\SpybotSD.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\Internet Explorer\IEXPLORE.EXE

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\maghus

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\maghus\LOKALE~1\Temp

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\maghus\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\maghus\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Programfiler

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName"="Min gjeldende hjemmeside"

»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: 11a/b/g Wireless LAN Mini PCI Express Adapter - Miniport for pakkeplanlegger
DNS Server Search Order:

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1029AEAC-AED4-4810-AC5A-0B4BCDD835D0}: DhcpNameServer=
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1029AEAC-AED4-4810-AC5A-0B4BCDD835D0}: DhcpNameServer=
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1029AEAC-AED4-4810-AC5A-0B4BCDD835D0}: DhcpNameServer=
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


July 29, 2009 at 07:12:36
1) Install, update the database and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log, fix anything detected.

2) Run full Scan with SuperAntispyware : http://www.superantispyware.com/dow... . Fix what it detects and post summary scan log.

If I'm helping you and I don't reply within 24 hours send me a PM.


July 29, 2009 at 09:06:04
Thanks for reply!
I am not able to open the links you have posted. I can not connect to the Avast home site either. I don't think there is anything wrong with my internet connection, so maybe it's another virus. Does anyone have any solutions? When I try, I get something like this: This web site can not be shown in Internet Explorer (Translated from Norwegian =) )


July 29, 2009 at 09:20:14
Try to change your DNS server to: https://www.opendns.com/start/device/windows-xp

If I'm helping you and I don't reply within 24 hours send me a PM.


July 29, 2009 at 10:11:35
It still doesn't work!
I'm able to open the links from another computer on my network, so I believe the problem is on my computer. Is it possible to download from the other PC, load it onto a memory stick and then install the programs on this computer?


July 29, 2009 at 10:21:19
Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in windows normal mode and make sure you are connected to internet. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Also make sure you have your web browser open in background before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility.

--> Please navigate to "File" => "Custom Scripts". Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script.

--> Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Investigation" check box. Click on the "Execute selected scripts" button.
Automatic scanning, healing and system check will be executed. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip. Upload virusinfo_syscure.zip to rapidshare.com and paste the link here.
* It is necessary now to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan. All applications will work properly after the system restart.

Image Tutorial

2) Download and run DDS, which will create a Pseudo HJT Report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs:

   1. DDS.txt
   2. Attach.txt

Upload the logs to rapidshare.com and paste download link in your next reply.
Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

In your next reply, please include download links to the following:
[*] virusinfo_syscure.zip
[*] DDS Logs


July 29, 2009 at 10:44:02
I'm not able to open the link to download AVZ ( 1i )


July 29, 2009 at 10:47:11
Try this link for AVZ: http://www.uploadjockey.com/downloa... or you can transfer it via usb from another computer.

If I'm helping you and I don't reply within 24 hours send me a PM.


July 29, 2009 at 10:53:47
I tried from another computer, and it worked =)


July 29, 2009 at 13:04:17
Here is the result of the two scans. First, Malwarebytes:

Malwarebytes' Anti-Malware 1.39
Databaseversjon: 2421
Windows 5.1.2600 Service Pack 3

29.07.2009 20:45:58
mbam-log-2009-07-29 (20-45-52).txt

Skanntype: Full Skann (C:\|Z:\|)
Objekter skannet: 158678
Tid tilbakelagt: 42 minute(s), 51 second(s)

Minneprosesser infisert: 1
Minnemoduler infisert: 0
Registernøkler infisert: 1
Registerverdier infisert: 3
Registerfiler infisert: 0
Mapper infisert: 1
Filer infisert: 2

Minneprosesser infisert:
C:\WINDOWS\sc.exe (Trojan.FakeAlert) -> No action taken.

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.

Registerverdier infisert:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protection system (Rogue.ProtectionSystem) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1 (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\security center (Trojan.FakeAlert) -> No action taken.

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
C:\Programfiler\Protection System (Rogue.ProtectionSystem) -> No action taken.

Filer infisert:
c:\programfiler\protection system\uninst.exe (Rogue.ProtectionSystem) -> No action taken.
C:\WINDOWS\sc.exe (Trojan.FakeAlert) -> No action taken.

And then SUPERAntiSpyware:

SUPERAntiSpyware Scan Log

Generated 07/29/2009 at 09:45 PM

Application Version : 4.27.1000

Core Rules Database Version : 4023
Trace Rules Database Version: 1963

Scan type : Complete Scan
Total Scan Time : 00:39:31

Memory items scanned : 551
Memory threats detected : 0
Registry items scanned : 6416
Registry threats detected : 0
File items scanned : 20817
File threats detected : 18

Adware.Tracking Cookie
C:\Documents and Settings\maghus\Cookies\maghus@xiti[1].txt
C:\Documents and Settings\maghus\Cookies\maghus@tribalfusion[3].txt
C:\Documents and Settings\maghus\Cookies\maghus@at.atwola[2].txt
C:\Documents and Settings\maghus\Cookies\maghus@ad.proxad[2].txt
C:\Documents and Settings\maghus\Cookies\maghus@tacoda[2].txt
C:\Documents and Settings\maghus\Cookies\maghus@track.adform[2].txt
C:\Documents and Settings\maghus\Cookies\maghus@smartadserver[2].txt
C:\Documents and Settings\maghus\Cookies\maghus@tribalfusion[1].txt
C:\Documents and Settings\maghus\Lokale innstillinger\Temp\Cookies\maghus@imrworldwide[2].txt
C:\Documents and Settings\maghus\Lokale innstillinger\Temp\Cookies\maghus@247realmedia[1].txt
C:\Documents and Settings\maghus\Lokale innstillinger\Temp\Cookies\maghus@mediatotal.ads.visionweb[1].txt
C:\Documents and Settings\maghus\Lokale innstillinger\Temp\Cookies\maghus@tribalfusion[1].txt
C:\Documents and Settings\maghus\Lokale innstillinger\Temp\Cookies\maghus@revsci[1].txt
C:\Documents and Settings\maghus\Lokale innstillinger\Temp\Cookies\maghus@track.adform[2].txt

C:\SYSTEM VOLUME INFORMATION\_RESTORE{C5628E37-0840-47CE-B806-6B28C11B10F0}\RP55\A0007706.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C5628E37-0840-47CE-B806-6B28C11B10F0}\RP55\A0007875.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C5628E37-0840-47CE-B806-6B28C11B10F0}\RP55\A0007876.EXE


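A triage parser for the Malwarebytes log format posted above, added here as an example and not part of the thread or of Malwarebytes' own tooling: it extracts each detection with its family and action, counts what is still untreated, and flags which registry values sit in autostart locations (the two Run values and the Policies\Explorer\Run value that kept the rogue loading at logon). The sample log is a constructed excerpt of the post; the regex and function names are my own.

```python
import re
from collections import Counter
# Constructed excerpt of the Malwarebytes 1.39 log posted above (Norwegian headings kept).
SAMPLE_LOG = r"""Minneprosesser infisert:
C:\WINDOWS\sc.exe (Trojan.FakeAlert) -> No action taken.
Registernøkler infisert:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
Registerverdier infisert:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protection system (Rogue.ProtectionSystem) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1 (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\security center (Trojan.FakeAlert) -> No action taken.
Mapper infisert:
C:\Programfiler\Protection System (Rogue.ProtectionSystem) -> No action taken.
Filer infisert:
c:\programfiler\protection system\uninst.exe (Rogue.ProtectionSystem) -> No action taken.
C:\WINDOWS\sc.exe (Trojan.FakeAlert) -> No action taken.
"""

SECTION = re.compile(r"^([^:]+):$")                          # e.g. "Filer infisert:"
DETECTION = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")  # item (family) -> action.
# Autostart locations; a rogue needs one of these (or similar) to survive a reboot.
AUTOSTART = ("\\currentversion\\run\\", "\\currentversion\\runonce\\",
             "\\policies\\explorer\\run\\")
def parse_mbam_log(text):
    """One dict per detection line: section, item, family, action."""
    findings, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION.match(line)
        if m:                      # a "... infisert:" header opens a new section
            section = m.group(1)
            continue
        m = DETECTION.match(line)
        if m and section:          # summary counts and "(Ingen ...)" lines don't match
            item, family, action = m.groups()
            findings.append({"section": section, "item": item,
                             "family": family, "action": action})
    return findings

def is_autostart(f):
    item = f["item"].lower()
    return item.startswith("hk") and any(k in item for k in AUTOSTART)

def summarize(text):
    findings = parse_mbam_log(text)
    return {"total": len(findings),
            "untreated": sum(f["action"] == "No action taken" for f in findings),
            "families": dict(Counter(f["family"] for f in findings)),
            "autostart": sorted(f["item"] for f in findings if is_autostart(f)),
            "executables": sorted({f["item"].lower() for f in findings
                                   if f["item"].lower().endswith(".exe")})}
```

Feeding a log in which every line still reads "No action taken" (as here) shows at a glance that the scan only reported and nothing was removed yet.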

July 29, 2009 at 13:43:37
Is your problem fixed? If not follow: Response Number 5

If I'm helping you and I don't reply within 24 hours send me a PM.


July 29, 2009 at 14:41:23
It looks like it's fixed! Thank you very much! I couldn't have made it without your help =)
