Windows security centre can't be started, the sequel


  1. Posts : 10
    Windows 7 home premium 64bit
       #1

    Windows security centre can't be started, the sequel


    Hi everyone, as the title suggests my Windows Security Centre can't be started. More accurately, it can when I run Services from the Start menu, set it to Automatic and start it, but after 20 seconds it turns itself off and won't let me start it again. I know there's some horrible little bit of malware or something in there, because I get pop-ups from IE (even though I use Firefox) and when I search with Google and click on a result I get redirected to some other page.

    I tried to research how to fix it up myself and posted on the original windows security center can't be fixed thread but I reached the limit of my crude abilities and was advised that this would be best suited to a new thread. So here is where I'm at:

    I downloaded ESET scanner and sent it to work, it came back with this:

    C:\Users\Dell\AppData\Local\Temp\svchost.exe a variant of Win32/Injector.DWK trojan cleaned by deleting - quarantined
    C:\Users\Dell\AppData\Roaming\lsass.exe a variant of Win32/Injector.DWK trojan cleaned by deleting - quarantined
    C:\Users\Dell\AppData\Roaming\sfvkaf.exe a variant of Win32/Injector.IGX trojan cleaned by deleting - quarantined

    I have a basic understanding that this is far from ideal. I haven't taken any options to delete the files yet, because I reckon the files that are infected are quite important. But again, I'm a novice in this game and probably need some hand holding while I take this on.

    It might be worth noting that my AntiVir online protection had also disabled itself without consulting me and refused to co-operate until I ran the ESET scan; now it's happy.

    If anyone could help me figure out how to appease the security center and bring it out of its sulk it would be greatly appreciated.

    Many thanks


  2. Posts : 10
    Windows 7 home premium 64bit
    Thread Starter
       #2

    More research has led me to run an sfc /scannow command, which didn't find any integrity violations, and to throw Malwarebytes on the case. A Malwarebytes quick scan came up with this:

    Malwarebytes' Anti-Malware 1.51.1.1800
    Malwarebytes : Free anti-malware, anti-virus and spyware removal download

    Database version: 7398

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 8.0.7601.17514

    07/08/2011 13:01:04
    mbam-log-2011-08-07 (13-00-44).txt

    Scan type: Quick scan
    Objects scanned: 188131
    Time elapsed: 8 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 2
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\8DDYX0ZBPZ (Trojan.FakeAlert.SA) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\ZU6RKI1ONY (Trojan.FakeAlert.SA) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM SETTINGS\Micronsoft (Malware.Trace) -> No action taken.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> No action taken.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate (Trojan.Agent.Gen) -> Value: MSWUpdate -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate (Trojan.Agent.Gen) -> Value: MSWUpdate -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen.A) -> Bad: (Explorer.exe "C:\Users\Dell\AppData\Roaming\services.exe") Good: (Explorer.exe) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> No action taken.
    c:\Windows\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> No action taken.


    Some of the things in there, even to my untrained eye, look pretty rubbish. Would a full scan uncover more undesirable things? Will removing the selected things just clean the nasties, or will it completely delete files that might be important? I'm not sure really how these programs work. It might sound like a stupid question, but I guess it would be stupider not to ask...

    Another question: my sfc /scannow didn't return any violations, but it's clear I'm being violated, so why is it lying to my face? Is it just not as powerful a tool as Malwarebytes? Or is Malwarebytes trying to sell itself to me? OR (because I ran them at the same time) is Malwarebytes fighting the good fight so sfc /scannow can chill? This is a very new world to me.

    Many thanks in advance.
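    The log above answers the "what will removing these actually delete?" question if you read each entry's type. The following Python is an added example (not code from the thread, Malwarebytes or Seven Forums) that parses the Malwarebytes line format, labels each entry with the persistence mechanism it represents, states what quarantining that entry changes, and flags file paths that reuse a system binary name (services.exe, svchost.exe, lsass.exe) outside the Windows directory, as all three ESET hits and the Winlogon Shell entry do. The mechanism labels and the masquerading check are my own heuristics, and the sample lines are copied from the log posted above.

```python
import re

# Constructed sample: the persistence-related lines of the Malwarebytes log
# quoted above, copied as posted (one entry per category this parser handles).
SAMPLE_LOG = r"""
HKEY_CURRENT_USER\SOFTWARE\8DDYX0ZBPZ (Trojan.FakeAlert.SA) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate (Trojan.Agent.Gen) -> Value: MSWUpdate -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen.A) -> Bad: (Explorer.exe "C:\Users\Dell\AppData\Roaming\services.exe") Good: (Explorer.exe) -> No action taken.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> No action taken.
"""

# "<path> (<family>) -> <rest>"; the Winlogon entry carries "Bad: (...) Good: (...)" in <rest>.
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
SHELL_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")
# Core Windows binaries that belong under the Windows directory, never in a user profile.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "explorer.exe"}

def masquerading_paths(text):
    """Drive-letter paths in text whose file name imitates a system binary but sits outside the Windows directory."""
    hits = []
    for p in re.findall(r"[A-Za-z]:\\[^\s\"]+", text):
        name = p.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_NAMES and "\\windows\\" not in p.lower():
            hits.append(p)
    return hits

def classify(path, rest):
    """Return (persistence mechanism, what cleaning this entry changes)."""
    low = path.lower()
    if "\\currentversion\\run\\" in low:
        return "Run key autostart", "the registry value is deleted; no file is removed by this entry"
    if low.endswith("\\winlogon\\shell"):
        m = SHELL_RE.search(rest)
        good = m.group("good") if m else "Explorer.exe"  # scanner's own "Good:" value
        return "Winlogon Shell hijack", f"the Shell value is reset to '{good}'"
    if "\\windows\\tasks\\" in low and low.endswith(".job"):
        return "scheduled task", "the .job file is deleted"
    return "registry marker / other", "the key is deleted"

def parse_log(text):
    found = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # headers, counts and blank lines
        mechanism, effect = classify(m["path"], m["rest"])
        found.append({"path": m["path"], "family": m["family"], "mechanism": mechanism,
                      "on_clean": effect, "suspect_files": masquerading_paths(line)})
    return found
```

    Run `parse_log(SAMPLE_LOG)` to see that none of the four entries removes a legitimate program file: the Run values and the Winlogon Shell entry are registry edits, and the only file removed is a malicious .job in the Tasks folder.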


  3. Posts : 10,994
    Win 7 Pro 64-bit
       #3

    Hello woodfin and welcome to Seven Forums.

    First, my usual disclaimer: I'm not an expert at anything and these are just my own personal opinions. If I'm wrong about anything I'm sure more knowledgeable forum members will correct me.

    As I understand SFC, it checks the integrity of system files. In other words, it checks to make sure required system files are installed and that the programming for those files is correct. It does not necessarily check to see if unwanted data is also included. To give an example, let's say a system file is supposed to contain A, B, C, and D. When you run SFC, as long as A, B, C, and D are present in that particular file and have not been changed in any way, no problems will be noted. If it also contains X, Y, and Z (malware) there probably won't be any red flags because A, B, C, and D were not altered, modified, etc.

    Malwarebytes (and other anti-malware tools) are designed to look for specific signatures of known malware. Assuming that X, Y, and Z are known malware, or their programming language matches certain common malware characteristics (also known as heuristics), then it will be detected and flagged by the anti-malware scanner.

    In your case I would rely on whatever Malwarebytes indicates. I'd go ahead and at least quarantine the bad guys and then run a full scan. Don't forget to update Malwarebytes again. After running a full scan I'd also use another free tool called Hitman Pro and let it double check your computer.

    Hitman Pro 3 - SurfRight


  4. Posts : 10
    Windows 7 home premium 64bit
    Thread Starter
       #4

    Awesome! I think Malwarebytes nailed it; Security Centre is back in business (for the last 10 mins). Downloading Hitman Pro to stick the boot in, as well as running a full Malwarebytes scan to clean up the blood.

    Many thanks for the explanation, the learning curve is steep here...


  5. Posts : 10
    Windows 7 home premium 64bit
    Thread Starter
       #5

    Aha, Hitman uncovered what it reckons is a trojan, as well as 12 other suspicious threats. They all come from my copy of Sony Vegas. I'm in Thailand and bought a copied version of Vegas; I've not really had any problems with it. Is Hitman being overcautious? If I click next and delete the files, will my copy of Vegas stop running? That would be kind of a disaster at the moment... He also wants to take out a load of tracking cookies too, but I guess that's ok.


  6. Posts : 10,994
    Win 7 Pro 64-bit
       #6

    It's possible that your copy of Vegas contains malware, especially if somewhere along the line it was downloaded using peer-to-peer or torrent. There's no telling what else might be included in the download, and by the time you get your copy it could be rife with malware.

    From the Hitman Pro website:

    Malware Removal
    When the file is classified as malicious by the Scan Cloud, the Hitman Pro client places the infection into quarantine. Various techniques ensure that all infections are completely removed without false positives.

    • Close handles (e.g. unload DLL from winlogon)
    • Close processes (e.g. winlogon stays)
    • Remove object from disk
    • Schedule object removal using PendingFileRenameOperations
    • Remove references like shortcuts and registry entries
    • Restore standard registry keys to default values (e.g. Userinit)
    • Disable service drivers
    • Deploy native NT bootdelete to remove resilient disk objects
    • After reboot retry removal and rescan to ensure complete removal

    White Listing
    It is a huge problem when anti-virus programs remove legitimate files from the computer (false positives). Especially in the case of Windows system files, it could lead to parts of the computer malfunctioning. Most anti-virus vendors have experience with such a horror scenario. Hitman Pro 3 contains a large white list with "hashes" of these legitimate files. To prevent this, Hitman Pro 3 has a white list of standard installations of Windows 2000 to Windows 7, Office 2000 to 2007 and all updates and service packs.
    Source


    The problem is Hitman Pro could remove the suspected malware and your copy of Vegas could suffer from it. I guess this is a call you'll have to make. Which is more important? Making sure your copy of Vegas works or having possible malware on your system that could eventually make the whole system inoperative. (Tracking cookie removal isn't a problem. If a website needs a tracking cookie it will just reinstall the next time you visit the site.)


  7. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #7

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate (Trojan.Agent.Gen) -> Value: MSWUpdate -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate (Trojan.Agent.Gen) -> Value: MSWUpdate -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen.A) -> Bad: (Explorer.exe "C:\Users\Dell\AppData\Roaming\services.exe") Good: (Explorer.exe) -> No action taken
    You definitely need to take action! Encyclopedia entry: Worm:Win32/Arhost.A - Learn more about malware - Microsoft Malware Protection Center


  8. Posts : 10
    Windows 7 home premium 64bit
    Thread Starter
       #8

    Many thanks for the advice, sorry my replies are late, I forget which accounts I have where sometimes. Everything's back on top: the Security Centre is fully functional, as is AntiVir, and all the nasty stuff has been removed. Thanks for the tips on programs; I'll be running regular scans in future to make sure stuff gets got before it becomes a problem. I read the link from Jacee, and although it says alert level severe, I couldn't actually figure out what the worm does. Is it for stealing data, just slowing things down, or what? I'm sure it's horrible but I'm just not sure why. Many thanks again.


  9. Posts : 10,994
    Win 7 Pro 64-bit
       #9

    Glad to hear everything is running normally again. Thanks for letting us know. :)

    As to what this particular malware does, it's hard to say without knowing what the author's intent was. Generally speaking worms are designed to accomplish one or more of the following:

    • To report a new infection to its author (phoning home to tell the author another machine has been infected)
    • To receive configuration or other data (from the infected machine)
    • To download and execute arbitrary files (including updates or additional malware) (on the infected machine)
    • To receive instruction from a remote attacker (having the infected machine do certain things)
    • To upload data taken from the affected computer (such as account numbers, passwords, etc.)

    Bear in mind that some infections can be so deeply rooted they can avoid all malware scans. That's why folks say the only sure way to know an infected machine is 100% clean is to do a reformat/reinstall of the operating system and all other programs (either with a known clean system image or the original install media).


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd