Security Center turned Off. Bitdefender services are loading now. please wait

[zack1986]

hi Malware Team,
i having this problem on last monday (14 July 2014). i did download K-Lite Mega coded new version and install it. After install, i'm watching movie and notice that my system running on low memory. i check on task manager and found that CPU usage 100%. i founded there is a new application running on that. i removed and then ok.

but after a few minutes, my bitdefender keep telling me there are several infected file happen during that time. i running full system check using my bitdefender and founded 2 threat and i cannot delete the infected file.

after i rebooted my computer, new message pop-up shown that my security center is turned off. i try to on it back but it shown cannot be turn on anymore. i do some research and running services.exe. in the property of my security center, there is disable selection there, i changed to automatically start, apply and try to start it. after a few second its become stopped back as before.

I found your website and i read on same issue and i run the FSS check. here is my FSS.txt log file as per attachment.

kindly please help me to check either this is a registry problem or due to malware attack.
your cooperation and help is really appreciate.

thank you
zack

 

[TwinHeadedEagle]

Hello,


Before we start please note the following:

Analysis and research take some time, also sometimes real life gets in the way, please be patient.

Limit your internet access to posting here, some infections just wait to steal typed-in passwords.

Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.

Do not paste the logs in your posts, attachments make my work easier. There is a Upload a File button which you can use to attach your reports. Attach all reports.

Stay with me to the end, the absence of symptoms doesn't mean that your machine is fully operational.

Note that we may live in totally different time zones, what may cause some delays between answers.

I can't foresee everything, so if anything unexpected happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool x64 and save it to your Desktop.

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• When the tool opens click Yes to disclaimer.
• Make sure that Addition option is checked.
• Press Scan button and wait.
• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please attach them into your next reply.

 

[zack1986]

hi TwinHeadEagle,

Thank for your prompt action. Here is the 2 file as required.

 

[TwinHeadedEagle]

Go to Control Panel and remove QuickStores toolbar.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

​

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

Scan with ComboFix

This is a very powerful tool that should be used only if advised by Malware Analyst.
Do not run ComboFix on your own!

Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
• Accept the disclaimer and agree if prompted to install Recovery Console.
• Do not take any actions while ComboFix goes through your System - it may cause it to stall!
• This scan may take some time!
• When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.

If you'll encounter any issues with internet connection after running ComboFix, please visit this link.

If an error about operation on the key marked for deletion will appear after running the tool, please reboot your machine.

 

[zack1986]

Hi,
i can't temporary disabled my antivirus (Bitdefender Internet Security) due to its stuck and only shown 'Bitdefender Services is loading now, please wait' on my tray icon.

so how to disable it? can i run combofix in this condition?

i already run 1st step (fix with FRST) and the second one i will wait for your advice on above problem.

thank

 

[zack1986]

hi
due to that bitdefender problem, i completely removed my BIS by using BIS removal tools and my BIS uninstall completely after that.
currently my pc running without any protection
After that, i run your combofix until it complete and come out with the log.

But, i accidentally forgot to save the log and i running it again one time until it finish. the log come out again and its shown the log can be view at c:combofix.txt. i missed this note on the first time due to i'm not in front of my pc.

there is any problem if i run it twice?

here is the log file after fix using FRST and the Combofix log after run it on 2nd time.
kindly notify me if the way i'm doing the process is wrong.

thank

 

[TwinHeadedEagle]

I need to assess your situation, will be back later.

 

[zack1986]

ok i will waiting for it. thank for your fast action and cooperation.

really appreciated it.

thank you.

 

[TwinHeadedEagle]

Download this file and copy it to C:\

http://www63.zippyshare.com/v/71588730/file.html

Fix with ComboFix

Let's prepare a Script for ComboFix to mark some things for being deleted.

• Press the
  
  + R on your keyboard at the same time.
• A Run window should appear in the lower left corner. Type in notepad.exe and press Enter.
• In the shown window paste in the following script:
  

  FCopy::
  C:\svchost.exe | c:\windows\SysWOW64\svchost.exe
  
  ClearJavaCache::

• Go to File menu and select Save as.
• Make sure that the Save as type option is set to Text files (*.txt) and the place to save will be your desktop.
• Name the file CFScript and select Save.

Your CFScript.txt file should appear on your desktop.

Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

• Now drag your CFScript file and drop it onto the
  
  icon.
• This will start ComboFix. Let it run uninterrupted!
• A reboot may be needed during this run. Allow it.
• When finished, it shall produce a log for you at C:\ComboFix.txt and display it.

Please include that log in your next reply.

If you'll encounter any issues with internet connection after running ComboFix, please visit this link.

If an error about operation on the key marked for deletion will appear after running the tool, please reboot your machine.

Do not forget to turn on your previously switched-off protection software!

 

[zack1986]

hi,
here is the new log file as required.

there are potential my pc got infected by malwares as what you have seen?

 

[TwinHeadedEagle]

PC seems clean, how is the situation now?

 

[zack1986]

still can't turn on my Window Security Center Service.
after you reply, i try to changed that service to Automatically in the properties under Service on my security center.

but its same situation happen here, after a few sec, the security center became disabled back.

so what to do now? formatting back to factory setting is final choice?

 

[zack1986]

this error pop-up during enable back my security center.

 

[TwinHeadedEagle]

Scan with Farbar Service Scanner

Download Farbar Service Scanner by Farbar and save it to your desktop.

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
• Make sure all of the options are checked!
• Press Scan.
• It will create a log (FSS.txt) in the same directory the tool is run.

Please include that log in your next reply.

 

[zack1986]

here is the log file. can see much of them has been disabled.

 

[TwinHeadedEagle]

Ok, I need more time to prepare fix. Will get back to you soon.

 

[zack1986]

ok. thank. take your time.

 

[TwinHeadedEagle]

Here I am, sorry for waiting


Download this file and copy it to C:\

http://www11.zippyshare.com/v/78240508/file.html

Fix with ComboFix

Let's prepare a Script for ComboFix to mark some things for being deleted.

• Press the
  
  + R on your keyboard at the same time.
• A Run window should appear in the lower left corner. Type in notepad.exe and press Enter.
• In the shown window paste in the following script:
  

  FCopy::
  C:\VSSVC.exe | C:\Windows\System32\vssvc.exe

• Go to File menu and select Save as.
• Make sure that the Save as type option is set to Text files (*.txt) and the place to save will be your desktop.
• Name the file CFScript and select Save.

Your CFScript.txt file should appear on your desktop.

Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

• Now drag your CFScript file and drop it onto the
  
  icon.
• This will start ComboFix. Let it run uninterrupted!
• A reboot may be needed during this run. Allow it.
• When finished, it shall produce a log for you at C:\ComboFix.txt and display it.

Please include that log in your next reply.

If you'll encounter any issues with internet connection after running ComboFix, please visit this link.

If an error about operation on the key marked for deletion will appear after running the tool, please reboot your machine.

Do not forget to turn on your previously switched-off protection software!




Next download and run these 3 files:
LINK
LINK
LINK



Restart your PC and tell me how the situation now?

 

[zack1986]

hi,
sorry for late reply.

Here is the result
1. Notification Security Center in tray icon still unavailable.
2. I try to open window Defender under control panel, i appear but suddenly auto close after few sec
3. Before i can run check security status and can see my security center is on turned off mode, but now i can't access to that interface anymore.

is there any solutions?
last night i install back my BIS 2013 and running full system scan and this morning report shown there are 37 file infected and has been deleted. Some of them i don't think its a virus because its my game.

Here is the new combofix log file.

thank you

 

[TwinHeadedEagle]

I would like you to run one more ComboFix script

RegLock::
[HKEY_USERS\S-1-5-21-2054685846-3976676290-3612307034-1001_Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
[HKEY_USERS\S-1-5-21-2054685846-3976676290-3612307034-1001_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

RegLockDel::
[HKEY_USERS\S-1-5-21-2054685846-3976676290-3612307034-1001_Classes\Wow6432Node\CLSID\{737467ae-ab51-459d-b184-4b8c45ea4528}]
[HKEY_USERS\S-1-5-21-2054685846-3976676290-3612307034-1001_Classes\Wow6432Node\CLSID\{b4b28c49-e7a4-4e67-a483-8ef01803e69e}]

Also, I would like to see what Bitdefender detected?