
Security Center disabled, Google redirecting, and RAM being taken up


  • This topic is locked
10 replies to this topic

#1 Dullahan8

  • Members
  • 24 posts

Posted 10 June 2011 - 07:02 PM

I was searching, downloading and opening keygens for a program that I was also installing in the background at the time when a pop-up warning about a certificate came up. I thought it was the installer; I looked at the certificate and it had Microsoft's signature on it, but in spite of still being suspicious of it, I accepted the certificate to see what would happen. A few minutes later, I got a system pop-up saying that Security Center had turned off and I should turn it back on. I tried turning it back on from the Action Center but it just kept turning off.

So I went to do a Google search of my problem but I noticed that all the suggested links were being redirected but I could still reach the sites if I right-click/copy link location/open new tab/paste/go/. I found a few suggestions telling me to go to Registry Editor, delete the pseudo-graphic number found at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\, then go to Services.msc, find Security Center properties, and change it to automatic and start it from there but I still had the same issue.

I looked around for a bit more and noticed that my browser was getting slower and slower. I opened Task Manager and found a vkufob.exe stealing all my remaining RAM. I didn't recognize this program, so I ended the process, and my browser's speed went back to normal. Continuing my search, someone suggested running Malwarebytes, so I downloaded that, installed it, and started a full system scan. As the scan was running, I noticed that vkufob.exe was running again; I had to end its process several times for the duration of the scan because it kept coming back. After the scan finished, Malwarebytes prompted a restart for the removal of the 30 infections it found. I obliged, and I never saw vkufob.exe in Task Manager again, nor any Google redirects.

So again, to reiterate, I solved two of the three symptoms on my own but I'm still searching for a way to turn on Security Center. I've looked at Regedit and the pseudo number isn't there anymore and I've also tried to turn it on from Services.msc.

I'm on Windows 7 Home

I went back through my browser history and collected links to all the webpages that I tried looking for a working keygen on. I will post them, preferably through PM if we have that here, upon request.


#2 Dullahan8
  • Topic Starter

  • Members
  • 24 posts

Posted 13 June 2011 - 07:29 PM

Update: Google redirecting came back. Took a look around some more, ran ESET, found one threat, got rid of it, didn't help.

#3 Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 13 June 2011 - 10:27 PM

Hello,

I was searching, downloading and opening keygens for a program that I was also installing in the background at the time


The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk.

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

trendmicro.com/vinfo

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

...One of the most aggressive and intrusive of all bad websites on the Internet are serial, warez, software cracking type sites...they sneak malware onto your system...Where do trojan viruses originate? One of the biggest malware distributors on the Internet are serial/warez/code cracking sites.

Bad Web Sites: Malware

When you use these kinds of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and are an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

***************************************************

Please try running MBAM this way.

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running. This is because some anti-malware software mistakenly detects RKill as malicious. Please refer to this page if you are not sure how to disable your security software.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

***************************************************

  • Make sure you are connected to the Internet.
  • Launch Malwarebytes' Anti-Malware
  • Click on the Update tab and click the button Check for Updates
  • If you encounter any problems while downloading the definition updates, manually download them from http://data.mbamupdates.com/tools/mbam-rules.exe and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

~Blade


In your next reply, please include the following:
Malwarebytes Log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#4 Dullahan8
  • Topic Starter

  • Members
  • 24 posts

Posted 14 June 2011 - 02:05 AM

I understand fully the risks of using those programs.

The mbam log


#5 Dullahan8
  • Topic Starter

  • Members
  • 24 posts

Posted 14 June 2011 - 01:09 PM

I used Google to do a few searches and it seemed like the redirecting stopped. However, Google started getting redirected again this morning. I ran mbam again, unlike last time, no problems were found. I ran a Google search and it worked normally. Perhaps this malware is programmed to trick me into thinking that it's not there right after a scan and then comes back later?

Edited by Dullahan8, 14 June 2011 - 01:10 PM.


#6 invision

  • Members
  • 91 posts

Posted 14 June 2011 - 01:34 PM

Follow this guide by boopme

Quote from boopme:
Hello,lets first see if there is a malware here.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.4.0) from Kaspersky's website
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

#7 Dullahan8
  • Topic Starter

  • Members
  • 24 posts

Posted 14 June 2011 - 03:55 PM

You know what? I did that already yesterday while looking for a solution on BC and forgot about it. It found nothing.



Also, a log from eset that I mentioned earlier. Taking a look at it, I see that it quarantined my Winamp installer which I downloaded from the Winamp site ages ago.



As per my suspicions, Google is being redirected again and I still can't turn on Security Center.

Edited by Dullahan8, 14 June 2011 - 03:58 PM.


#8 Dullahan8
  • Topic Starter

  • Members
  • 24 posts

Posted 14 June 2011 - 09:13 PM

I did some research on the Microsoft Security Essentials site. Following their instructions, I went to services.msc and found Microsoft Antimalware Service and it was indeed disabled and stopped. I started that service and Security Center in quick succession and it was a success. Unfortunately, after a minute passed, the Antimalware Service stopped and as a result, Security Center stopped too. So I guess the problem is not at Security Center but with Antimalware Service.


http://www.microsoft.com/en-ca/security_essentials/Support/acafdaf7-3e0d-4049-8e82-04a86ec05845.aspx

Edited by Dullahan8, 14 June 2011 - 09:14 PM.
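The check below is an added example, not something posted in this thread and not taken from the Microsoft support page linked above. It is read-only: it reports the state and startup type of the two services discussed in this post, and lists any subkey under the Zones registry key named in the first post that is not one of the five standard zone numbers. The service names wscsvc (Security Center) and MsMpSvc (the Microsoft Antimalware Service installed by Microsoft Security Essentials) are assumed from a standard Windows 7 / MSE installation; the thread itself only uses their display names. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): read-only status report for the
# Security Center and Microsoft Antimalware services, plus the Zones key.
# Service names wscsvc and MsMpSvc are assumed (standard Windows 7 / MSE),
# not stated in the thread. Nothing here changes the system.

$services = @{
    'wscsvc'  = 'Security Center'
    'MsMpSvc' = 'Microsoft Antimalware Service (MSE)'
}

foreach ($name in $services.Keys) {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) and the binary
    # path, which plain Get-Service on Windows 7 does not show.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) {
        Write-Output ("{0,-40} not installed" -f $services[$name])
        continue
    }
    Write-Output ("{0,-40} State={1,-8} StartMode={2,-8} Path={3}" -f `
        $services[$name], $svc.State, $svc.StartMode, $svc.PathName)
}

# The standard Zones subkeys are 0 (My Computer) through 4 (Restricted sites).
# Anything else under this key is worth looking at; the first post describes
# an extra subkey with a garbled ("pseudo-graphic") name being found here.
$zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
if (Test-Path $zones) {
    Get-ChildItem -Path $zones |
        Where-Object { $_.PSChildName -notmatch '^[0-4]$' } |
        ForEach-Object { Write-Output ("Non-standard Zones subkey: '{0}'" -f $_.PSChildName) }
} else {
    Write-Output "Zones key not present"
}
```

Two things to read from the output: a service whose StartMode is Disabled will not stay running however many times it is started from services.msc, and a PathName that does not point into the expected program directory is a reason to stop and hand the log to the malware removal team rather than keep experimenting, which is the advice given later in this thread.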


#9 Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 14 June 2011 - 09:59 PM

It appears that the issues on your system will require a more in-depth examination than can be performed in this forum. Please read the information in this guide, and follow all the steps beginning with step 6. After you have followed the steps in that guide, I would like you to start a new thread HERE and include a link to this thread.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. The MRT is very busy, so it could be several days (3-5 days is the average wait right now) before you receive a reply. But rest assured, help is on the way!

~Blade



#10 Dullahan8
  • Topic Starter

  • Members
  • 24 posts

Posted 14 June 2011 - 11:33 PM

I have started a new thread here.

#11 Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 15 June 2011 - 03:09 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic403906.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

~Blade
Forum Global Moderator

