Fake Windows Security Center

Discussion in 'Malware Help (A Specialist Will Reply)' started by KAH, Jan 13, 2010.

  1. KAH

    KAH Private E-2

    Hello there,

    I have massive problems with the "Fake Windows Security Center" malware. I am also quite sure that I have been infected with something else along the way. Beware, this is a lengthy and sad story.

    Here is what happened:
    - While browsing the web some window popped up and spoke about an infection. Realizing that it might be a trap I simply closed the window by clicking on the X. Obviously that was wrong and my computer started to show something that looked like a Windows Security Center and installed (without me accepting) some software. I uninstalled the software (I don't remember its name). It required me to give a reason or I wouldn't be able to uninstall. I simply wrote "because".

    - This, of course, wasn't the end of the story. The Fake Windows Security Center persisted in popping up. It also told me that Malwarebytes Anti-Malware was infected and asked if I wanted to remove it. Of course I said no.

    Here is what I did:
    - I had a copy of Malwarebytes on my PC and tried to run it. No effect.

    - I wanted to uninstall Malwarebytes. It stopped during uninstallation and some files remained.

    - I downloaded the Malwarebytes installer and tried to install it again. The installation never completed and I had to reboot my PC several times.

    - I tried multiple things to solve the problem:
    a) install it in Safe Mode
    b) rename the .exe file and install it in Safe or normal mode
    c) rename the exe and give it a .bat ending (normal and Safe Mode)
    d) I used a data stick, downloaded the installer from another computer and installed it on the data stick. Then I put it on my PC and tried to run it. No effect.
    e) I tried to install it from the data stick. No. Renamed it on the data stick. No.

    - I tried all the same stuff with SUPERAntiSpyware. Same results.

    - I even used CCleaner although Malwarebytes hadn't run yet.

    - I read on another forum that renaming the installer would only work when I disabled a non-PnP driver which I would find hidden under "Device Manager". Its name was TDSServ.sys or something along these lines. I never found that under the Device Manager (and yes, I clicked on "show hidden").

    - In the end I somehow managed to run Malwarebytes. I am not completely sure why it ran in the end. I used Start Menu -> Programs -> Malwarebytes (which I had renamed completely, including the folder).
    But this copy was a remnant from previous efforts to install Malwarebytes where the installation never completed. I had even tried to delete the folder, as I assumed having multiple copies of MWB (Malwarebytes) on my PC would somehow cause problems. I had my data stick with an installed copy of Malwarebytes on it attached to the PC at the time.
    I'm throwing out wild guesses, but perhaps the files from the stick were used, although I told the PC to run MWB from the (renamed) folder on my hard disk.

    Here is the situation from earlier today:
    - MWB had deleted this "rogue" stuff from my PC. Fine so far.
    - My computer is extremely unstable. Booting or restarting will only work every third time or so. Sometimes it just stops and does nothing. Moving the mouse works but not even right-clicking or anything else.
    - Today again a window popped up that spoke about infections. I am not 100% sure if it was the same message with which the whole story started. I closed it with ALT+F4. It did not appear again, nor did the Fake Windows Security Center window.
    - My browsers (Firefox and IE) sometimes simply close themselves. Sometimes that is followed by a complete stop of everything as described above. Sometimes when browsing for MWB or SAS it redirects me somewhere else.

    What I did:
    - Desperate as I am, I tried to run MWB. After 2 seconds of hot hourglass action nothing happens. SAS gives me a standard error message (You should report to Microsoft... hell no!). Installing either of the two won't work, even with all the tricks in Safe Mode and renaming it.

    - As I knew I wanted to write here I put MGtools.exe at C:\ and ran it in Safe Mode. The black DOS box popped up and told me to wait. 1 hour later nothing had happened. It did produce a zip file but remained open. I wanted to attach the file to this thread but after the attachment window opened I got no reaction when I clicked on "search" or tried to type the C:\... Maybe both browsers are compromised.
    - Currently I'm running MGtools in normal mode while I write this (if it is important, with Firefox). My hopes that it will complete are slim.

    I use Windows XP Professional with Service Pack 3.

    As I have been fighting with the Fake Windows Security Center and the unstable booting/restarting since yesterday afternoon, I might have forgotten to mention some of the things I tried or noticed, even though I did my best to remember all of it.

    To be honest I'm desperate now and even contemplating magnets to format my hard disk. Any help would be appreciated.

    ~Konstantin
     
  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks, KAH.

    Step 1:
    Let's try to download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double-click on it to run it.

    AVPFind.bat

    It should take a couple of minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that will hopefully be created on your Desktop, as long as the malware does not block the batch file from running. (See: HOW TO: Attach Items To Your Post)

    Step 2:
    Now download and Run exeHelper
    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    Step 3:
    Next, try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. See if you can save a log with it.


    Step 4:
    Now run a new scan with MGtools: Using MGtools

    Attach the below logs when finished with all of the above:
    • C:\avplog.txt - from AVPfind
    • a log from online SAS scan if you could make one
    • log.txt - from exeHelper
    • C:\MGlogs.zip - from MGtools
    *The C:\ assumes that drive C is your Windows boot drive. If you boot from another drive, then use the correct drive letter above.
     
  3. KAH

    KAH Private E-2

    Hi there dr. moriarty,

    thank you for trying to help me. I have run into problems with your steps though.

    1.) I have downloaded and run AVPF.bat. Log attached.

    2.) I have downloaded exehelper.com and run it. Log attached.


    Then I tried to use the online scanner from SAS. My browser (Mozilla) could not find the URL (although I know it is correct). I tried to cheat the trojan and googled for SAS. That worked, but then when I clicked on the Google link it again could not find the URL. As I had previously asked SAS directly I had a link to the SAS online scanner in one of my emails. That didn't work either.

    Not being able to go to the SAS website is a new thing.

    ---------------------------------

    Mozilla still won't react when I try to browse for files to attach to this post. Therefore I put the logs onto a data stick and am writing this post from another computer.

    ----------------------------------

    Two other things happened while I was doing that. As I tried to open the AVPF log a window popped up and spoke about a virus infection of the file. I knew the window already. It is from the malware on my computer. I did NOT click on OK but instead closed the window via the Task Manager. Then the log file opened normally.

    -----------------------------------

    What troubled me more is that suddenly some sound started after I had tried to search for the online scanner. It was continuous music and then a speaker announced something. I'm not that fluent in English but I understood it was some radio broadcast about an extreme-sports show...
    Frankly that scared me.

    Now I have removed my internet cable until I get further instructions.

    ----------------------------------------

    PS: Despite not having completed step 3 I have tried to run MGtools. But it didn't work and had the same problem as before. It ran and told me to wait. But nothing happened even after waiting 20 minutes.
     

    Attached Files:
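
    The symptom KAH reports here (Google works, but the SUPERAntiSpyware site "cannot be found" even through a direct link from an email) is what a hosts-file hijack looks like from the user's side. The script below is an added example, not part of the thread and not one of the tools the helpers prescribe: it parses hosts-file text and flags entries that point security-vendor domains at localhost (blocked) or at some other address (redirected). The vendor list and the sample hosts content are constructed for the example. A TDSS-class rootkit can also redirect at the driver or DNS level, which this check will not see, so a clean hosts file does not rule the redirect out.

```python
"""Flag hosts-file entries that hijack security-vendor domains.

Added example, not from the thread. Assumes the blocking is done through
the hosts file (C:\\Windows\\system32\\drivers\\etc\\hosts on XP); a
driver-level or DNS redirect will not show up here.
"""
import ipaddress
import re

# Vendors mentioned in the thread; an assumed list, extend as needed.
WATCHED_DOMAINS = {
    "superantispyware.com",
    "malwarebytes.org",
    "majorgeeks.com",
}
LOCAL = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

# <ip> <name> [<name> ...] [# comment]; lines starting with '#' do not match.
HOSTS_LINE = re.compile(r"^\s*([^\s#]+)\s+([^#]+?)\s*(?:#.*)?$")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments
    and lines whose first field is not a valid IP address."""
    for line in text.splitlines():
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        for name in m.group(2).split():
            yield ip, name.lower()


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (name, ip, kind) for every watched domain found in the file.

    kind is 'blocked' when the domain is mapped to a loopback address
    (the 'cannot find the URL' symptom) and 'redirected' otherwise.
    The stock 'localhost' entries are ignored.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            continue
        if any(name == d or name.endswith("." + d) for d in watched):
            kind = "blocked" if ip in LOCAL else "redirected"
            hits.append((name, str(ip), kind))
    return hits


# Constructed sample modelled on the symptoms in the thread, not a real capture.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.superantispyware.com superantispyware.com
10.20.30.40     www.malwarebytes.org    # redirected to an attacker host
127.0.0.1       example.com
"""

if __name__ == "__main__":
    for name, ip, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind:10} {name} -> {ip}")
```

    To run it against a real machine, read the hosts file from the infected disk (ideally offline, from another PC) and pass its contents to suspicious_entries(). Any hit is a reason to restore the stock hosts file, but, as the thread's later posts show, the real fix here was removing the rootkit driver with TDSSKiller.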

  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, KAH.

    Let's see if running these tools will remove enough of the malware to allow our other tools to run.

    Using another pc - download & save the tools to a CD/DVD then transfer them to the infected machine. Remember that flashdrives are writeable and infections can spread to them.

    Step 1:
    Please download TDSSKiller
    • Save TDSSKiller.zip to your desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

      "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive called "TDSSKiller.txt" please attach this log to your next reply.

    Step 2:
    Download Dr.Web CureIt to your removable media and then copy to the infected computer's desktop.
    • Double-click the cureit-beta.exe file and allow it to run
    • If it prompts you about getting any updates, get the update and then rerun the cureit-beta.exe installation.
    • When it finishes you will have a green window with a Start and an Update selection. Click Start
    • the Express Scan of your PC window will come up. Click OK to scan main memory to detect infected processes in memory.
    • If anything is found in memory, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • You may see a popup window to Buy or get a discount on the program. Just click the X at the top right to close this popup. The scan will continue.
    • Once the short scan is completed, click the Custom Scan radio button. Then select each of your hard disk drives (that is, if you have more than one). A red dot shows which drives have been chosen.
    • Click the green arrow at the right under the Dr.Web logo, and the scan will start.
    • Click 'Yes to all' if it finds any problems and asks if you want to cure or move the file.
    • When the scan has finished, see if you can click the next icon next to the files found:
      http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
    • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
      http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
    • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
    • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot your computer!! This is necessary because there could be files in use that will be moved or deleted during reboot.
    • After reboot, rename the DrWeb.csv file to DrWeb.txt so that it can be uploaded here and then attach the log from Dr.Web to your next reply.

    Step 3:
    Uninstall previous downloads of SAS & MBAM, then transfer and install the fresh ones with their definitions updates.

    Step 4:
    Now run SAS, MBAM, and ComboFix.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Please attach these logs in your next reply:
    • C:\MGlogs.zip
    • DrWeb.txt

    Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

    dr.m
     
  5. KAH

    KAH Private E-2

    Before i start just a short comment.

    I have to do all of this in Safe Mode, as in normal mode my PC collapses after less than 5 minutes.
     
  6. KAH

    KAH Private E-2

    Hello dr. moriarty,

    it seems I had some success, albeit lackluster in some regards. Here is a step-by-step description of what I did and how that turned out.

    1.) I got all the software you listed with an external hard disk from another computer.
    CHECK


    2.) I tried to run TDSSKiller from Safe Mode. As I have pointed out, my PC collapsed and failed to react to anything in normal mode after 2-4 minutes. The prompt window told me that it could not find the driver.

    3.) Hoping the few minutes I have are time enough I tried it in normal mode.
    Start->Run->"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    It did not actually ask me to write "delete" or anything else but said it had to restart. I accepted. (See the jpg file for how that prompt window looked.)

    During the boot a blue screen appeared and told me it had to check the "consistency" of the drive. (That is a literal translation into English, I don't know if you know what I mean.) This check had 3 phases:
    a) CHKDSK -> files
    b) CHKDSK -> indexes (see below)
    c) CHKDSK -> "security description" (whatever that means)

    During b) it deleted some files. Each line looked like this:
    perfs.js in index $30 of file 35579
    search.json " " " "
    SEARCH~1.JSO " " " "
    XUL.mfl " " file 35586

    When it finished booting a standard Microsoft error message appeared. Major error blablabla.

    4.) As I did not know if it had worked or not I ran TDSSKiller again and this time the prompt window told me that there were no Registry/file objects infected anymore.
    CHECK

    5.) I started Dr.Web CureIt. It did not ask for any updates. It immediately started to scan and, happy that anything worked at all, I let it. It ran rather long and finally found a file called "bootecab.dll" which it identified as "likely BACKDOOR Trojan."

    I told it to move the incurable stuff and that it did. I have it saved in a quarantine folder now. I could have attached that file as well, but I wasn't sure if that would cause problems. If you need it, just say the word.

    6.) I did not immediately save a log but continued to make the "custom scan" for my only hard disk C:\. In the middle of the scan my PC kept rebooting. I could run the normal scan (that is the one that starts if you run the program) but as it did not find any malware after the first time I could save no log. Therefore I cannot provide you with a DrWeb.csv file or DrWeb.txt. Still, the thing was contained.
    CHECK

    7.) Now I ran MBAM, SAS and ComboFix in this order.

    a) MBAM did find something called Trojan.Agent in C:\documents\local adjustments/Temp/57.tmp.
    It continued to scan though and showed no sign of stopping even after nearly two hours. After I was sure it was scanning the same files/directories again and again I stopped it manually. Then I let it remove the Trojan.

    b) I ran SAS and it found:
    - Adware.Tracking Cookie (60 Items)
    - Rogue.Agent/Gen-Nullo(DLL) (1 Item)

    I let it remove both.

    c) I ran ComboFix (of course from the desktop).
    - It asked me to update and I accepted.
    - It started to download something from Microsoft and was at 100%.
    - Then it stopped and wouldn't do anything for about 15 minutes. I cancelled it and started again. This time I said no to an upgrade and shortly thereafter it produced a txt file/log. (Attached)
    CHECK

    8.) I ran MGtools.exe on my C:\.
    - This time it actually worked and produced a folder and a .zip. (Attached)
    - As you told me specifically to run GetLogs.bat I ran that from the folder. The prompt window that popped up looked exactly like the previous one and therefore I'm not sure if the zip I attached was overwritten by this second scan.
    -------------------------------------------------------

    RESULT:

    - After TDSSKiller my computer did not collapse after 2-4 minutes in normal mode.
    - My Mozilla works normally. I did not dare to try Internet Explorer yet.
    - There are no more windows popping up and speaking about alleged virus infections.
    - Exe files seem to work normally.

    I don't want to be too overconfident, but from all I see it seems to have worked. Hurray!!!

    ------------------------------------------------------

    What now?
    - On my C:\ I have multiple (9) TDSSKiller logs. Do you need me to post one or all of them here?
    - Are there some steps I should take to make sure that the trojan/malware/bitch is removed completely from my computer?
    - Should I / may I attach this mysterious bootecab.dll here so you can have a look at it?

    - If it should really be true and my computer is rescued from the edge of the void, then what protection software would you recommend to ensure that I don't have to go through all of this again?

    ------------------------------------------------------

    At last let me thank you from the deepest fleshy depths of my heart. I know that is stagy but I was close to abandoning all hope and just reformatting the whole thing.
    It is a refreshing and pleasant experience to receive such patient and competent help when one is clearly overstrained. Thank you very much.

    And if that whimsical British detective comes sniffing around asking for you I'll tell him I saw you run in the other direction.
     

    Attached Files:

    Last edited: Jan 18, 2010
  7. KAH

    KAH Private E-2

    Post Scriptum:

    As I had more time on my hands today I let MBAM run again. It took two and a half hours and I am sure it did some folders more than once, but it still found something:

    1.) Malware.Trace in C:\System Volume Information\_restore{AF68D 299-E9B5-4F2E-913D-36CF47AC6DA\RP1\A0000708.sys

    2.) Malware.Trace in C:\System Volume Information\_restore{AF68D 299-E9B5-4F2E-913D-36CF47AC6DA\RP1\A0000017.sys

    3.) Trojan.FakeAlert in C:\WIN-ALT\system32\spool\prtprocs\w32x86\00006cff.tmp

    It deleted them, saved a log (do you need that?) and rebooted. Seems I'm free now.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sorry for the delay. Your post seems to have become overlooked.

    Your logs are clean and what MBAM is reporting are mostly items in your System Restore files. We will remove them when you toggle System Restore. You may also remove the TDSSKiller logs.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
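
    The distinction TimW draws above, between the Malware.Trace hits that are copies inside restore points (gone once System Restore is flushed in step 8) and the Trojan.FakeAlert in the print-processor folder that was a live file, is the triage a scanner log invites. The script below is an added example, not Malwarebytes' code and not part of the thread: it classifies detections by path, treating anything under System Volume Information\_restore{...}\RPnn\ as a restore-point copy and everything else as live. The paths are the ones KAH posted, except that the restore-point GUID is replaced by a constructed all-zero placeholder and the slashes in the temp path are normalised.

```python
"""Separate live detections from restore-point copies in a scanner's hit list.

Added example, not from the thread and not from any scanner vendor.
Rule (as TimW applies it): files under
<drive>:\\System Volume Information\\_restore{GUID}\\RPnn\\ are copies
kept by System Restore; they are inert until restored and disappear when
System Restore is disabled and re-enabled. Everything else is live.
"""
import re

# Group 1 captures the restore-point folder, e.g. 'RP1'.
RESTORE_POINT = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[^}]*\}\\(RP\d+)\\",
    re.IGNORECASE,
)


def restore_point(path):
    """Return the restore-point folder name ('RP1') for a path inside
    System Volume Information, or None for a live path."""
    m = RESTORE_POINT.match(path)
    return m.group(1) if m else None


def classify(detection):
    """Return 'restore-point' or 'live' for a (threat_name, path) tuple."""
    _name, path = detection
    return "restore-point" if restore_point(path) else "live"


def triage(detections):
    """Group detections by class.

    'live' entries need a removal step (or a check that the scanner already
    removed them); 'restore-point' entries are handled by flushing System
    Restore rather than by editing the restore folders by hand.
    """
    out = {"live": [], "restore-point": []}
    for det in detections:
        out[classify(det)].append(det)
    return out


# Detections as KAH posted them; the GUID is a constructed placeholder and the
# temp path's forward slashes are normalised to backslashes.
DETECTIONS = [
    ("Malware.Trace",
     r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000708.sys"),
    ("Malware.Trace",
     r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000017.sys"),
    ("Trojan.FakeAlert", r"C:\WIN-ALT\system32\spool\prtprocs\w32x86\00006cff.tmp"),
    ("Trojan.Agent", r"C:\documents\local adjustments\Temp\57.tmp"),
]

if __name__ == "__main__":
    groups = triage(DETECTIONS)
    for kind in ("live", "restore-point"):
        print(f"{kind}:")
        for name, path in groups[kind]:
            rp = restore_point(path)
            print(f"  {name:18} {path}" + (f"  [{rp}]" if rp else ""))
```

    A live hit in a system folder such as spool\prtprocs is the one to take seriously; it is where a rogue's dropped component was still being executed. The restore-point copies matter only if a restore point is ever rolled back, which is why the final steps disable and re-enable System Restore instead of deleting the files individually.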
     
