Infected with Windows Advanced Security Center


#1 wardw
Posted 28 January 2014 - 04:03 PM

I'm trying to remove Windows Advanced Security Center from a friend's laptop running Vista. I've tried various removal methods, but they all involve downloading apps to the infected computer. I can't download anything, because WASC won't let me open a browser. I get the fake message "Firewall has blocked a program from accessing the Internet."

 

The malware works the same in Safe Mode as it does in regular mode. I've installed rKill by using a thumb drive, but WASC will not let it run, even when rKill has the fake name "iExplore". It looks as if the WASC developer(s?) keep up with all the workarounds and ensure they're prevented.

 

I've also used a registration number I found on one of the sites, to "register" the WASC app, but there's no Enter button on the registration form, and nothing happens.

 

What's the latest fix method for WASC?

#2 Condobloke
Posted 28 January 2014 - 06:47 PM

  1. Before we can do anything we must first end the processes that belong to Security Center so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.

    RKill Download Link - (Download page will open in a new tab or browser window.)

    When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.
     
  2. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with Security Center and other rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Security Center when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, you can typically bypass the malware trying to protect itself so that RKill can terminate Security Center. So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill, as the malware programs will start again.

    If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

Condobloke ...Outback Australian  

 

fed up with Windows antics...??....LINUX IS THE ANSWER....I USE LINUX MINT 18.3  EXCLUSIVELY.

 

Microsoft gives you Windows, Linux gives you the whole house...

It has been said that time heals all wounds. I don't agree. The wounds remain. Time - the mind, protecting its sanity - covers them with some scar tissue and the pain lessens, but it is never gone. Rose Kennedy

#3 wardw

wardw
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:41 AM

Posted 28 January 2014 - 07:24 PM

Thanks for your reply, Condobloke. Security Center is preventing the infected laptop from running any applications or accessing the Internet, so I can't download RKill onto the laptop. I used my desktop computer to download RKill onto a thumbdrive and plugged that into the laptop, but Security Center prevents me from starting RKill, or any other virus/malware tools, on the laptop.

 

Now, I'm trying to edit the Registry to clear out Security Center, but it's preventing me from starting regedit. I'd like to just open parts of the Registry in Notepad, but I don't know the path to the Registry in Vista.



#4 Condobloke
Posted 28 January 2014 - 07:44 PM

Just sit tight.....I will report this to Grinler


#5 Grinler (Lawrence Abrams, Admin)

Posted 28 January 2014 - 08:00 PM

Try running IE as an administrator. If that doesn't work, you will need to transfer the file via a USB key from another computer that can access the Internet.

Also try running rkill as different names:

explorer.exe
iexplore.exe
rkill.com

etc

#6 wardw
Posted 29 January 2014 - 01:20 PM

Thanks for your reply, Grinler. I've already transferred RKill to the infected laptop from my desktop computer, using a thumbdrive. I only transferred the installation app, rkill.exe; I assume that if I were able to run this from the laptop it would first install RKill onto the laptop, and then run RKill on the laptop.

Should I try to "install" RKill (or any other virus killer) onto my thumbdrive, and then try to run that on the laptop? If so, I'm not sure how to do that.

When I try to run IE as administrator, I get a message:

 

===========

Firewall has blocked a program from accessing the Internet.

SQL Browser Service EXE
...les (X86)\microsoft sql server\90\shared\sqlbrowser.exe

...les (X86)\microsoft sql server\90\shared\sqlbrowser.exe
is suspected to have infected your PC.
This type of virus intercepts entered data and transmits them
to a remote server.

===========

 

This is the same message I get whenever I try to start an ordinary app like Word or Photoshop (but there are exceptions; see below).

I tried experimenting with changing the filename of RKill. Using "iexplore.exe" gets:

 

=================

"Firewall has blocked a program from accessing the Internet.

[RKill icon] Terminates malware processes so that you can run your normal security
F:\iexplore.exe [F is my thumbdrive]

F:\iexplore.exe
is suspected to have infected your PC.
This type of virus intercepts entered data and transmits them
to a remote server.
===============

 

I get the same message for "explore.exe", "kkdg84j5.exe", "5948hfrt.com", "495ur74.doc", etc.; of course, the icon and/or description of the app changes. If I change the extension to .txt, Notepad opens with mixed characters and numbers. If I use a random extension, I get a Windows message asking which app to use to open it.

 

I am able to run Windows accessory apps such as Notepad, Paint, Calculator. Interestingly, after trying the filename changing, I'm now getting a different message when I try to open a browser or start Word or other regular apps:

 

=============

Warning! Identity theft attempt detected

 

Hidden connection IP:               64.51.8.67

Security Risk: [empty text field]

Target: Your bank account details

Your IP:          127.0.0.1

=============

 

On my clean desktop computer I put the 64.51.8.67 IP into my browser, but it got a Timed Out message. I assume it's a bogus address, and it doesn't change when I try to start a different app.
 


Edited by wardw, 29 January 2014 - 01:23 PM.


#7 Grinler
Posted 29 January 2014 - 05:13 PM

Try renaming rkill as rkill.com and running that.

#8 wardw
Posted 29 January 2014 - 06:27 PM

Renaming to "rkill.com" gets:

 

=================

Firewall has blocked a program from accessing the Internet.

Terminates malware processes so that you can run your normal security
F:\rkill.com

F:\rkill.com
is suspected to have infected your PC.
This type of virus intercepts entered data and transmits them
to a remote server.
===============



#9 Grinler
Posted 30 January 2014 - 04:23 PM

Have you tried rebooting into Safe Mode with Command Prompt and then, when the command prompt appears, typing explorer.exe? That should bring up the desktop. If the infection does not start, you can then scan your computer with what is currently installed, as networking will not work in that mode.

#10 wardw
Posted 31 January 2014 - 04:15 PM

Thanks, Grinler. I was able to bring up the desktop all right, but unfortunately this laptop has no installed virus/malware removers. And I don't believe Vista has any built-in ones, either.

I did run regedit to try to delete some registry settings that some web sites said the malware makes, but I was not able to find any that they listed, which include:

HKEY..\..\{Value}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "ID" = 4

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "net" = 2012-2-20_1

HKEY..\..\..\..{Subkeys}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{RANDOM CHARACTERS}.exe

 

Are there any other "cleaning" actions I can take using the apps currently available on the laptop to delete files or registry entries? Or are there any virus/malware removal apps that can install on the laptop from a thumbdrive without having to access the Internet to install?



#11 Grinler
Posted 31 January 2014 - 05:29 PM

You can download Emsisoft or Malwarebytes and save it to a thumb drive. Then copy it over to the command prompt and run it from there. Should get it all.

#12 ITGUY-Steve
Posted 02 February 2014 - 09:20 AM

Thanks for the helpful thread. I just removed this strain of the virus this morning. The laptop was Windows 7 Professional and had multiple accounts on it. Once I realized that the new version of this virus lets you do almost nothing from a GUI interface, here is how I got the machine clean and stable again:

 

1. I downloaded RKill and HitmanPro as described above and copied them to a USB drive.

2. I renamed rkill to a generic name, in my case baby.exe.

3. I started the computer in command prompt Safe Mode as an administrator user.

4. I ran baby.exe from the command prompt, and it was able to find the changed file associations etc. and fix them.

5. Next I ran HitmanPro in 30-day mode to identify what was probably the file that started it all, called svc-qybb.exe. HitmanPro wouldn't let me delete it, so I followed the path and from the cmd prompt used the del command to remove the file.

6. At this point I rebooted into regular mode and then was able to get in, run Malwarebytes and clean off the remnants of this attack.

 

It is worth noting that the ability to activate the fake AV with a key was not an option in the screens I received. Pretty much the machine could not run anything because of the hijacking of the .exe files.

 

Hope this helps and thanks to those who put me on the right path for fixing this relatively quickly for a new one!
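A read-only audit of the registry locations wardw lists in #10 (the Policies\System values, the "Inspector" Run entry and the Image File Execution Options key) together with the .exe association hijack ITGUY-Steve describes in #12. This is an added example, not code posted in this thread; it assumes an elevated PowerShell session on the affected machine and that the stock exefile command string is `"%1" %*`.

```powershell
# Added example, not from the thread. Read-only audit of the places a rogue AV
# of this kind tampers with; run from an elevated PowerShell on the suspect PC.
$findings = @()

# 1. Image File Execution Options: a "Debugger" value under <name>.exe makes Windows
#    start that "debugger" instead of the program. Legitimate entries exist, so
#    review each hit rather than deleting blindly.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{ Location = "IFEO\$($_.PSChildName)"; Value = 'Debugger'; Data = $dbg }
    }
}

# 2. Per-user policy values that lock out regedit and Task Manager (1 = disabled).
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableRegedit', 'DisableRegistryTools', 'DisableTaskMgr') {
    $v = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) {
        $findings += [pscustomobject]@{ Location = $policy; Value = $name; Data = $v }
    }
}

# 3. Per-user Run key: the thread names an autostart entry called "Inspector".
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runProps = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
if ($runProps -and $runProps.PSObject.Properties['Inspector']) {
    $findings += [pscustomobject]@{ Location = $run; Value = 'Inspector'; Data = $runProps.Inspector }
}

# 4. .exe file association: the stock value (assumed here) is '"%1" %*'. Anything else
#    means every .exe launch is being routed through another program first.
$exeKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$exeCmd = (Get-ItemProperty -Path $exeKey -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
if ($exeCmd -and $exeCmd -ne '"%1" %*') {
    $findings += [pscustomobject]@{ Location = 'HKCR\exefile\shell\open\command'; Value = '(default)'; Data = $exeCmd }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No suspicious entries at the checked locations.' }
```

The script reports only; compare any IFEO hit against a known-good machine before changing anything, since debuggers and some vendors set legitimate Debugger values.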

 

 



#13 wardw
Posted 02 February 2014 - 11:40 AM

Thank you for all your help, Grinler. I downloaded Malwarebytes to a thumb drive, plugged it into the infected laptop, unzipped it, and ran it. It cleared up the problem and I was able to boot up in normal mode with no trace of the malware.

 

Then I downloaded and installed Avast and ran a full system scan, which found no problems. With Avast now running on the laptop, I'm hoping the owner will be protected from viruses/malware.



#14 cryptodan
Posted 02 February 2014 - 12:08 PM

Let's do a more thorough job with some other tools. There could be remnants.

Please download TDSSKiller exe version to your desktop. Double-click on TDSSKiller.exe to run the tool for known TDSS variants. Vista/Windows 7 users right-click and select Run As Administrator.
  •     Click on Change Parameters and click Detect TDLFS File System.
  •     Click the Start Scan button.
  •     Do not use the computer during the scan
  •     If the scan completes with nothing found, click Close to exit.
  •     If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  •     Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  •     Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  •     A TDSSKiller text file will be saved in Local Disk C.
  •     Copy and paste the contents of that file in your next reply.
ADW Cleaner


Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Clean.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Edited by cryptodan, 02 February 2014 - 12:08 PM.


#15 wardw
Posted 03 February 2014 - 10:47 AM

Thanks, cryptodan, for the detailed instructions. I've already returned the laptop to its owner, but I've asked her to let me know if she has any trouble in the future. I've bookmarked your message, so I'll refer to it if she calls.




