Command Center wants to make changes to my computer, can't click no

uapaul · 08 Aug 2014

A few seconds after logging into my computer, I receive this message:

Do you want the following program to make changes to you computer?

It's from Command Center and the file origin is from my Hard Drive. When I show info about the pubisher's certificate it says that it's "ok" and show that it came from microsoft root authority. The validity of it expired in 2011. If I click on yes the message goes away until the next time i log onto my computer.

However, if I click on no instead of yes the message almost instantly pops up again. If I click on the x in the corner, the message goes away for about 2 seconds and comes right back. I can ctrl alt delete and open task manager, which get's rid of a message for few seconds only for it to come back in the taskbar. It stays there until I click yes.

I'm afraid that this is malware and that it's affecting my computer a lot. For example my CPU and network usage spikes randomly and it seems like my computer is slower than usual. Recently I've been having a lot of trouble with malware infection and I have been following these steps to delete it however I am wary about JUnkware Removal Tool. How to easily clean an infected computer (Malware Removal Guide)

If I anyone is able to help me with this, it would be greatly appreciated.

Jacee · 08 Aug 2014

Download DDS from one of these links:
DDS.com
DDS.pif

Disable any script blocking protection
Double click the dds icon to run the tool.
When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt <--- will be minimized in the task tray
Save both reports to your desktop.

****Include the contents of both logs in your next post.
The scan will instruct you to post Attach.txt as an attachment.

uapaul · 08 Aug 2014

Sorry, I'm a bit new to this. What exactly is script blocking protection and how do I disable it?

uapaul · 08 Aug 2014

I scanned with dds, here is the dds notepad and the zipped attach file

Jacee · 09 Aug 2014

I see three antivirus programs running ... Avira, Avast and AVG.

Please uninstall two of those programs. These programs run on your systems resources, and most likely are fighting each other for those resources. They could also be fighting each other's virus definitions.

Only run one Antivirus program.

Download AVAST Software Uninstall Utility
Special Note: Needs to be started from Safe Mode, the program will offer to reboot you into Safe Mode on launch. If you did not install the Avast product to the default install location, you need to point to it in the box.

Download AVG Remover
Supports all AVG products. The Remover Tool is usually the top two links on the page. Make sure to download the correct 32-bit or 64-bit version. Currently there are separate removers AVG 2012 and 2013 products.

Download Avira RegistryCleaner
Avira’s removal tool is more of a registry cleaner to clean any left over keys the software has created. It scans HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE by default. If you need to expand the search, click the Configuration button and select the other keys.

After you have removed any two of the above, Please download AdwCleaner by Xplode and save to your Desktop.
Step #1.

Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
Click on the Scan button.
AdwCleaner will begin...be patient as the scan may take some time to complete.
After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
Copy and paste the contents of that logfile in your next reply.
A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

Step #2.
Using AdwCleaner v3: Scan & Clean:
This time click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
Copy and paste the contents of that logfile in your next reply.
A copy of that logfile will also be saved in the C:\AdwCleaner folder

******Post both .txt logs

uapaul · 09 Aug 2014

I uninstalled avast, however to my knowledge I never downloaded avira. I searched my computer for "avira" and nothing came up. Is it possible Sophos Virus Remover or another malware remover is being recognized as avira or could a virus be masking itself as avira?

andrew129260 · 10 Aug 2014

Good job. Could you take screenshots of the uac prompt and the info of the file?

Please continue with the adwcleaner instructions jacee advised.

While you wait for jacee, I was wondering if you could also post this log for me?

1.) Download herdprotect: (choose the portable version)

Download herdProtect - Free Anti-Malware Platform

2.) Run the scan.

3.) When the scan finishes, save the results per the screenshot below. Then upload the log here.

DO NOT REMOVE ANYTHING.

Attached Images

uapaul · 10 Aug 2014

I'm not able to take a screenshot of the uac prompt because it greys out the rest of the screen and I tried pressing ctrl printscreen and pasting it into paint, however when I click paste nothing appears.

uapaul · 10 Aug 2014

Here is the herdprotect log

andrew129260 · 10 Aug 2014

I feel dumb. My apologies. I knew that wouldn't work. I wasn't thinking. Sorry. UAC when the prompts happen creates a secure desktop, so no programs can run or screenshots can be taken. Whoops.

Please answer this question: Did you run the removal tools for avast and avira since you have avg?

Adwcleaner logs show your clean, nothing found. Herdprotect tells a different story...
You have some malware hiding in your temp folders and appdata.

Code:

---------------------------------------------------------------------------------

File path: 		c:\users\paulurban\appdata\local\temp\quarantine.exe
Publisher: 		
MD5: 			d1b8356365d58b249b8e9e883e115b6a
SHA-1: 			4bb8bdc6dd4f5de70ebaa9e065847b29716bb295
Created: 		8/6/2014 10:48:25 AM
Detections: 		3
Determination: 		UndefinedMalware
			- Jiangmin as TrojanDropper.FrauDrop.uic (Undefined)
			- Antiy Labs AVL as Trojan/Win32.Scar (Undefined)
			- Reason Heuristics as Threat.Win.Reputation.IMP (Undefined)

---------------------------------------------------------------------------------

File path: 		c:\users\paulurban\appdata\local\temp\{04487208-2c0e-4343-bd9a-6711f49c9607}\setup.exe
Publisher: 		Activision                                                
MD5: 			cec7e6472df1f863cf77902759f4a0f2
SHA-1: 			e5e80275d3a7210d70cc9671e861676b40c213fc
Created: 		1/18/2014 4:59:55 PM
Detections: 		3
Determination: 		UndefinedMalware
			- Agnitum Outpost as Trojan.Genome (Undefined)
			- VIPRE Antivirus as Trojan.Win32.Generic (Undefined)
			- Sunbelt AntiMalware as Porn-Dialer.Win32.CapreDeam.N (Undefined)

---------------------------------------------------------------------------------

File path: 		c:\users\paulurban\appdata\local\temp\diqm\flashplayer_151\software\strongvault.exe
Publisher: 		Strongvault
Signer: 		Strongvault Online Storage LLC
MD5: 			245dbd87a3e22ec610c823d38443a630
SHA-1: 			cdf66b8c6cc63352b760b29c4edcaec1ddceaa26
Created: 		5/13/2013 8:56:36 PM
Detections: 		3
Determination: 		Adware
			- ESET NOD32 as MSIL/Adware.StrongVault (Adware)
			- Comodo Security as ApplicUnwnt (Undefined)
			- Reason Heuristics as PUP.Optional.Installer.StrongvaultOnlineStorage.L (Adware)

---------------------------------------------------------------------------------

File path: 		c:\users\paulurban\appdata\local\temp\diqm\flashplayer_151\software\yontoo.exe
Publisher: 		Web Deals Interactive LLC
Signer: 		Web Deals Interactive LLC
MD5: 			067becafd5f884ceb2e86f766f965b5d
SHA-1: 			da602313ec344e31f340105c29df699267f73b84
Created: 		5/13/2013 8:55:47 PM
Detections: 		7
Determination: 		Adware
			- Reason Heuristics as PUP.Installer.WebDealsInteractive.J (Adware)
			- Agnitum Outpost as Adware.Generic (Adware)
			- Comodo Security as UnclassifiedMalware (Undefined)
			- Dr.Web as Adware.Plugin.8 (Adware)
			- VIPRE Antivirus as Yontoo (Undefined)
			- Kingsoft AntiVirus as Win32.Troj.Generic.a.(kcloud) (Undefined)
			- ESET NOD32 as Win32/Adware.Yontoo (variant) (Adware)

---------------------------------------------------------------------------------

Make sure your data (Documents, music, etc.) is backed up either on an external hard drive or somewhere else as a precaution before proceeding:

1.) Please download and save the file TFC by Old Timer. Again, save the file to your downloads folder or your desktop. Do not run it.

Downloading TFC

2.) Close your programs before running this tool. TFC will close ALL open programs.

3.) Browse to where you saved tfc. Right click on tfc.exe and choose Run As Administrator.

4.) Click the Start button to begin the cleaning process and let it run uninterrupted to completion. When it finishes it will say total files cleaned, and the start button will be grayed out. Click exit.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.