Worst Virus Ever?


10 replies to this topic

#1 mlarsen

mlarsen

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:13 AM

Posted 15 November 2009 - 11:16 PM

My daughter brought me her computer that has the worst virus I have ever seen. (She is running a fairly new Compaq machine with Windows XP Media Center). This appears to be a new version of Privacy Center. On boot, computer goes through Windows startup and asks for login/password. From there, starts to load, then screen goes black and a screen VERY similar to Privacy Center comes up asking for money. (The only difference is that in the upper left of the 'page' it reads Control Center - but their 'About' link refers to it as Privacy Center) The computer will not go past this page. <ctrl><alt><esc>, <alt><F4>, <ctrl><Alt><delete> all have been rendered inoperational. I have read other articles here and in other places with instructions as to how to remove it - all suggest Safe Mode. Well, here's where this virus gets nasty! When going into Safe Mode, the system reboots after mup is loaded therefore Safe Mode is Not an option. Tried a bootable F-Secure CD - it found a number of harmful files and renamed them but the machine still does the same nonsense :thumbsup: .

Any suggestions aside from System Restore? (and I'm not sure that will fix the problem either!)


#2 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:06:13 PM

Posted 16 November 2009 - 04:33 AM

On boot, computer goes through Windows startup and asks for login/password .... starts to load, then screen goes black and a screen VERY similar to Privacy Center comes up ..... The computer will not go past this page. <ctrl><alt><esc>, <alt><F4>, <ctrl><Alt><delete> all have been rendered inoperational.

Somehow you need to gain access to your system.
Try the following ....
Start the computer normally and immediately after logging in (as quick as you can) .... press Ctrl+Shift+Esc
Does this bring up the Task Manager window?

If not, perhaps try it again?

If you are lucky enough to see the Task Manager window, try this ....
http://www.ehow.com/how_4864878_fix-privac...nter-virus.html
and then this ...
http://www.bleepingcomputer.com/virus-remo...-privacy-center

Please let us know how it goes.
Good luck.
AustrAlien
Google is my friend. Make Google your friend too.


#3 mlarsen


Posted 16 November 2009 - 08:52 AM

Have tried dozens of times to enter <ctrl><shift><esc> immediately after login. Privacy Center always comes up. :thumbsup:

#4 AustrAlien


Posted 17 November 2009 - 07:07 AM

Windows Advanced Options Menu
Getting into Windows Safe Mode
http://www.computerhope.com/issues/chsafe.htm

Choose "Last known good configuration that worked", and press the Enter key. The computer will attempt to load Windows.
If you are still blocked by PCenter, try the same thing a few more times, before you rule that option out.
Why 10 times? Based on past experience, a successful result is sometimes achieved after several consecutive failed attempts.

Try one or more of the following bootable "rescue" disks: You may have more luck than you did with the first attempt.

Avira AntiVir Rescue System
http://www.free-av.com/en/tools/12/avira_a...cue_system.html

Dr.Web LiveCD
ftp://ftp.drweb.com/pub/drweb/livecd/
review: http://www.raymond.cc/blog/archives/2008/1...arting-windows/

BitDefender 2009 Rescue Disk CD
http://download.bitdefender.com/rescue_cd/

Kaspersky Rescue CD
http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/

Panda SafeCD 3.4.3.5
http://research.pandasecurity.com/archive/...5-Released.aspx

FREE Bootable AntiVirus Rescue CDs Download List
http://www.techmixer.com/free-bootable-ant...-download-list/


If the above steps do not result in you being able to access your system, we can access your Windows system in other ways and make changes that will allow you to use your computer in the normal fashion.
Do you have any one of the following disks .....
XP installation CD (any version) ?
Vista or Windows 7 installation disk ?

Do you have any other bootable CDs that could give access to the system, such as a version of Linux or UBCD4Win or BartPE ?
(If you do not have any suitable disk to use, that is not a problem: One can be created from an internet download.)
AustrAlien
Google is my friend. Make Google your friend too.


#5 mlarsen


Posted 17 November 2009 - 11:50 PM

Tried Kaspersky - did not work. :flowers:
Tried Panda - virus definitions too old - found nothing. :trumpet:
Tried Dr Web - found and deleted a number of viruses (ones that F-Secure found and renamed plus more) :thumbsup:
Rebooted - same old thing :inlove:
Tried Last Known Config about 20 times - still no luck. :huh:

I do have an XP disk - different version though (Professional rather than Media Edition). Can I edit the registry through that CD? (or do something else to access the computer?)

#6 AustrAlien


Posted 18 November 2009 - 01:30 AM

That was a disappointing result.

I will set to work on devising a strategy: Give me some time, and I will get back to you within 24 hours.
AustrAlien
Google is my friend. Make Google your friend too.


#7 AustrAlien


Posted 18 November 2009 - 09:38 PM

Off-line removal of the malware "Control Center" with UBCD4Win

Step 1
Make a UBCD4Win LiveCD
Go to http://www.ubcd4win.com/howto.htm and follow the instructions to make a bootable CD.
Test: Boot the infected machine from the CD, to make sure that all is working as it should. You should see the UBCD4Win Desktop, and be able to browse the hard drive (C: ) and view all files and folders.
-------------------------------------------

WARNING:
(The information provided requires editing the Windows registry.)
Improper changes to the registry could render your computer inoperable.
The following instructions include steps to save a back-up copy of the relevant part of the registry before making any changes.
Do not neglect to make those back-up copies.

Information for the following steps:
Refer to the following information about items related to "Control Center" when viewing the files and folders on your hard drive, and the entries in the Windows registry.

Remove Control Center (Uninstall Guide)
Posted by Grinler on November 16, 2009
http://www.bleepingcomputer.com/virus-remo...-control-center

Associated Control Center Files:
%UserProfile%\Application Data\CC
%UserProfile%\Application Data\CC\agent.exe
%UserProfile%\Application Data\CC\cc.exe
%UserProfile%\Application Data\CC\settings.ini
%UserProfile%\Application Data\CC\uninstall.exe
%UserProfile%\Application Data\CC\faq
%UserProfile%\Application Data\CC\faq\guide.html
%UserProfile%\Application Data\CC\faq\images
%UserProfile%\Application Data\CC\faq\images\05.png
%UserProfile%\Application Data\CC\faq\images\06.png
%UserProfile%\Application Data\CC\faq\images\07.png
%UserProfile%\Application Data\CC\faq\images\08.png
%UserProfile%\Application Data\CC\faq\images\09.png
%UserProfile%\Application Data\CC\faq\images\10.png
%UserProfile%\Desktop\Control center.lnk

Associated Control Center Windows Registry Information:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Control center
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "agent.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\CC\cc.exe"

-----------------------------------------

Step 2
Navigate to
C:\Documents and Settings\username\Application Data <<< directory
Within the "Application Data" directory, find and delete the directory named "CC" and all the contents of that directory.

Step 3
Navigate to
C:\Documents and Settings\username\Desktop <<< directory
Within the "Desktop" directory, find and delete the file (a shortcut) "Control center.lnk"

Step 4
Edit the registry using "Registry Editor"
At the UBCD4Win Desktop, go to Start > Programs > Registry Tools > RegEdit(Remote).
Select C:\WINDOWS (should be the only thing showing) and click OK (if you see this dialog box at all)
At the "Runscanner" prompt box, choose "Yes".
Select Administrator probably, in the "Select User Profile" window.
You will now see the "Registry Editor" window.

Step 5
Navigate to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <<< key
Right-click on the "Run" key and choose "Export" and give it a name and choose a location (say "My Documents" folder) and save it.
In the right-hand side pane, find the entry "agent.exe" and delete it (the whole line).

Step 6
Navigate to
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon <<< key
Right-click on the "Winlogon" key and choose "Export" and give it a name and choose a location (say "My Documents" folder) and save it.
In the right-hand side pane, find the entry "Shell" = "%UserProfile%\Application Data\CC\cc.exe" and delete it (the whole line).

Step 7
Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Control center <<< key
Right-click on the "Control Center" key and choose "Export" and give it a name and choose a location (say "My Documents" folder) and save it.
Right-click on the "Control Center" key again and choose "Delete" to delete the whole key.

Step 8
Close the Registry Editor window.
Restart your computer, taking out the LiveCD.
Does Windows load normally and present you with your Desktop now?
How do things look? Are you able to operate the system normally?

Edited by AustrAlien, 19 November 2009 - 03:51 PM.

AustrAlien
Google is my friend. Make Google your friend too.
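
A check that can be run over the .reg backups exported in Steps 5 to 7 of the post above (an added example, not part of the original thread): it parses the export text and lists the Run entries that launch from the "CC" folder and any per-user Winlogon "Shell" value, the two autostart locations the post names. The sample export, the `username` path and the function names are constructed for illustration, and only plain string values are handled.

```python
import re

# Keys and folder are the ones listed in the post; the sample export is constructed.
# Keys are matched by suffix, so the hive prefix shown in the export does not matter.
WATCHED = [  # (key suffix, value name, or None for any value)
    (r"\software\microsoft\windows\currentversion\run", None),
    (r"\software\microsoft\windows nt\currentversion\winlogon", "shell"),
]
SUSPECT_DIR = r"\application data\cc" + "\\"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg exports escape backslashes and quotes with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
        elif key and (m := VAL_RE.match(line)):
            yield key, unescape(m.group("name")), unescape(m.group("data"))

def find_persistence(text):
    """Return Run entries pointing into the CC folder and any Winlogon Shell value."""
    hits = []
    for key, name, data in parse_reg(text):
        for suffix, wanted in WATCHED:
            if key.lower().endswith(suffix) and (
                    name.lower() == wanted
                    or (wanted is None and SUSPECT_DIR in data.lower())):
                hits.append((key, name, data))
    return hits

SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"agent.exe"="C:\\Documents and Settings\\username\\Application Data\\CC\\agent.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\username\\Application Data\\CC\\cc.exe"
'''

if __name__ == "__main__":
    for hit in find_persistence(SAMPLE):
        print(*hit, sep=" | ")
```

Registry Editor "Version 5.00" exports are saved as UTF-16, so open a real backup with `encoding="utf-16"` before passing its text to `find_persistence`.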


#8 mlarsen


Posted 18 November 2009 - 11:30 PM

A nasty piece of business but it seems to be working. I notice that others are now experiencing "Control Center" but not with the same degree of difficulty. I knew MBAM would probably solve problem - it was just getting into the registry to remove.

Thanks for the help AustrAlien :thumbsup: - we appreciate the information and the efforts!

#9 AustrAlien


Posted 18 November 2009 - 11:45 PM

it seems to be working

Thanks for the update: Glad to know things are progressing satisfactorily.

How far have you got with the instructions? Have you been able to get your system started yet? I wonder how things will look when you do get back into Windows, and whether those instructions completely removed "Control Center" without causing any other problems.

I would appreciate it if you would let me know how things turn out when you finally get access to the computer. I also wonder what else you will find in the way of malware on the system.

There certainly does seem to be a lot of "Control Center" going about! Your computer certainly didn't like it much. Other systems seem to be accessible at least, from what I have seen so far.

Edited by AustrAlien, 18 November 2009 - 11:51 PM.

AustrAlien
Google is my friend. Make Google your friend too.


#10 mlarsen


Posted 19 November 2009 - 10:28 PM

Actually had to go in and use system restore to reinstall Windows.
Once in, I ran MBAM and cleaned up Control Center.
All my daughter's data was saved but now have to reinstall software.
At least it's clean now. :thumbsup:

Mostly multiple instances on Control Center were there - a few relatively non-descript bugs (borderline pests)
The biggest problem was the failure to run Safe Mode. Glad to see most people don't have that problem.

How did she get it? Well it seems that her antivirus subscription ran out while she was on holidays and she got infected the moment (or at least the day) she returned. Lesson learned - NEVER connect to the internet without some UP TO DATE antivirus protection. (I could make an analogy here but I don't want to be crude.)

Again, thanks for everything AustrAlien.

#11 AustrAlien


Posted 19 November 2009 - 10:32 PM

Actually had to go in and use system restore to reinstall Windows.

Again, thanks for everything AustrAlien.

No worries. Pleased to see that you have managed to get the problem resolved.
Take care.
AustrAlien
Google is my friend. Make Google your friend too.
