
Thread: "Security Center" malware

  1. #1 - Junior Member (Join Date: Nov 2013, Posts: 1)

    "Security Center" malware

    Edit: http://forums.spybot.info/showthread...567#post447567

    Gonna try hijacking this thread since it appears dormant.

    I have the same registry entry on a computer that was infected with "Security Center" malware. It’s your typical hostageware bug that hits you with a popup at logon and won't let you do anything until you purchase an updated version of the “AV” software.

    I regained control of the machine by booting into safe mode, creating a new account while disabling all others, then rebooting into the new account and installing SBSD and MS Security Essentials (SE). SBSD didn’t hit the bug on a full scan, though SE did and appears to have successfully cleaned it. After a few more reboots, I re-enabled the infected account and ran SBSD’s rootkit checker. This is what I got back:

    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\","LogonSoundPlayed"
    RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Security Center\Svc\","Vol"

    Of course I altered to HKLM…\Security Center\... given that “Security Center” was plastered all over the popups when the malware had control of the machine.
    As for the machine, it belongs to a family member who brought it to me once infected. It runs an up-to-date version of Win 7 SP1 (the only patches missing according to Windows Update after I got control of the machine were an update for IE11—though I haven’t run anything like MBSA on it yet). When I received the machine it had ZERO AV software on it.
    I’ve already backed up the reg key, then tried deleting or changing the value, but it won’t let me. Before I revert to more extreme measures, I figured I’d talk to you fine folks.

    I’d much rather do a clean Windows install, but I'm not sure the owner has any recovery media.

    Thanks for the help!
    Last edited by tashi; 2013-11-28 at 04:43. Reason: Split off to own topic
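As an added example (not part of the original post or of Spybot's own tooling), the following PowerShell script reproduces the "No admin in ACL" check the rootkit checker performed, read-only, against the two key paths quoted above. It assumes it is run from an elevated PowerShell prompt on the affected machine; the `Test-AdminAccess` function name is hypothetical.

```powershell
# Added example, not from the thread: read-only check of the two registry keys
# that SBSD's rootkit checker reported as "No admin in ACL". Assumes an elevated
# PowerShell prompt; the key paths are the ones quoted in the post.
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI',
    'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'
)

# Well-known SID of BUILTIN\Administrators, so the comparison does not depend on
# the account's display name or the system language.
$AdminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

function Test-AdminAccess {
    # Hypothetical helper: prints owner and every ACE of a key, and warns when
    # no Allow entry for the Administrators group is present.
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not found: $Path"
        return
    }

    try {
        $Acl = Get-Acl -LiteralPath $Path
    } catch {
        # A key whose DACL an elevated admin cannot even read is itself a strong signal.
        Write-Warning "Cannot read ACL of ${Path}: $($_.Exception.Message)"
        return
    }

    Write-Host "`n$Path"
    Write-Host "  Owner: $($Acl.Owner)"
    $HasAdminAce = $false
    foreach ($Ace in $Acl.Access) {
        # IdentityReference may be an NTAccount or already a SID; normalise to SID.
        $Sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($Sid -eq $AdminsSid -and $Ace.AccessControlType -eq 'Allow') {
            $HasAdminAce = $true
        }
        Write-Host ("  {0,-40} {1,-6} {2,-20} Inherited={3}" -f `
            $Ace.IdentityReference, $Ace.AccessControlType, $Ace.RegistryRights, $Ace.IsInherited)
    }
    if (-not $HasAdminAce) {
        Write-Warning "  No Allow entry for BUILTIN\Administrators (matches the SBSD finding)"
    }
}

foreach ($Key in $Keys) { Test-AdminAccess -Path $Key }
```

On a healthy Windows 7 system both keys inherit an Allow entry for Administrators (FullControl) from HKLM\SOFTWARE, so a key that shows no such entry, or whose owner is not Administrators/SYSTEM, is consistent with something having rewritten the DACL to resist removal. Restoring access is a separate, write step: when Administrators hold neither WRITE_DAC nor WRITE_OWNER on the key, an ACL edit fails and the owner must first be reset, which requires the SeTakeOwnershipPrivilege that an elevated token holds but has disabled by default.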

  2. #2 - tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,457)

    Hello fad2blk,

    For someone to take a look at the system please start a topic in the Malware Removal Forum and a volunteer analyst will advise when available.

    First see that forum's FAQ, which also includes instructions in post #2 on how to provide DDS and aswMBR logs, which are the logs used in the preliminary analysis.
    http://forums.spybot.info/showthread.php?t=288

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
