View Full Version : "Security Center" malware

2013-11-27, 19:34
Edit: http://forums.spybot.info/showthread.php?69337-another-ACL-windows-security-center&p=447567#post447567

Gonna try to hijacking this thread since appears dormant.

I have the same registry entry on a computer that was infected with "Security Center" malware. It’s your typical hostageware bug that hits you with a popup at logon and won't let you do anything until you purchase an updated version of the “AV” software.

I regained control of the machine by booting into safe mode, creating a new account while disabling all others, then rebooting into the new account and installed SBSD and MS Security Essentials (SE). SBSD didn’t hit the bug on a full scan, though SE did and appears to have successfully cleaned it. After a few more reboots, I re-enabled the infected account and ran the SBSD’s rootkit checker. This is what I got back:

RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\","LogonSoundPlayed"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Svc\","Vol"

Of course I altered to HKLM…\Security Center\... given that “Security Center” was plastered all over the popups when the malware had control of the machine.
As for the machine, it belongs to a family member who brought it to me once infected. It runs an up-to-date version of Win 7 sp1 (the only patches missing according to Windows update after I got control of the machine was an update for IE11—though I haven’t run anything like MBSA on it yet). When I received the machine it had ZERO AV software on it.
I’ve already backed up the reg key, then tried deleting or changing the value, but it won’t let me. Before I revert to more extreme measures, I figured I’d talk to you fine folks.

I’d much rather to a clean Windows install, but not sure the owner has any recovery media.

Thanks for the help!

2013-11-28, 05:45
Hello fad2blk,

For someone to take a look at the system please start a topic in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) and a volunteer analyst will advise when available. :)

First see that forum's FAQ which also includes instructions in post #2 on how to provide DDS and aswMBR logs, which are the logs used in the preliminary analysis.

Best regards.