Security center won't start

By revird
Jun 20, 2009
Topic Status:
Not open for further replies.
  1. Hi Folks, I hope someone can help me, my hijackthis log is attached...
    Anyway, for the last few days my local network has not been able to connect to the net. The reason I have found is that my ICS is not working. I have read so many forum messages about this problem, but none have the identical probs I'm having. I have used services.msc to try and start my firewall and ICS; it does start for about 20 secs, then stops again. During the 20 secs my local network has access..
    I really hope someone can help me,
  2. mflynn

    mflynn Newcomer, in training Posts: 2,793

    In Add/Remove programs remove WinMX P2P downloader!

    Tell me about your Virus scanner, doesn't look like you have one.

    Run HJT Scan only and select to Fix the below (if you use AVG or Norton leave the BOLD items for the one you use)
    O1 - Hosts: 65.75.216.6 www.winmx.com err.winmx.com
    O1 - Hosts: 205.238.40.54 www.winmx.com err.winmx.com
    O1 - Hosts: 65.75.216.6 cache0.winmx.com test3201.winmx.com test3206.winmx.com
    O1 - Hosts: 65.75.216.7 cache1.winmx.com test3202.winmx.com test3207.winmx.com
    O1 - Hosts: 82.43.229.238 cache2.winmx.com test3203.winmx.com test3208.winmx.com
    O1 - Hosts: 205.238.40.1 cache3.winmx.com test3204.winmx.com
    O1 - Hosts: 205.238.40.2 cache4.winmx.com test3205.winmx.com
    O1 - Hosts: 65.75.216.6 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
    O1 - Hosts: 65.75.216.6 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
    O1 - Hosts: 65.75.216.6 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
    O1 - Hosts: 65.75.216.7 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
    O1 - Hosts: 65.75.216.7 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
    O1 - Hosts: 65.75.216.7 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
    O1 - Hosts: 82.43.229.238 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
    O1 - Hosts: 82.43.229.238 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
    O1 - Hosts: 65.75.216.6 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
    O1 - Hosts: 65.75.216.6 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
    O1 - Hosts: 65.75.216.6 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
    O1 - Hosts: 65.75.216.7 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
    O1 - Hosts: 65.75.216.7 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
    O1 - Hosts: 65.75.216.7 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
    O1 - Hosts: 82.43.229.238 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
    O1 - Hosts: 82.43.229.238 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
    O1 - Hosts: 65.75.216.6 winmx-com.winmxgroup.com winmx-com-v30.winmxgroup.com
    O1 - Hosts: 205.238.40.54 winmx-com.winmxgroup.com winmx-com-v30.winmxgroup.com
    O1 - Hosts: 65.75.216.6 test0.winmxgroup.net test5.winmxgroup.net
    O1 - Hosts: 65.75.216.7 test1.winmxgroup.net test6.winmxgroup.net
    O1 - Hosts: 82.43.229.238 test2.winmxgroup.net
    O1 - Hosts: 205.238.40.1 test3.winmxgroup.net
    O1 - Hosts: 205.238.40.2 test4.winmxgroup.net
    O1 - Hosts: 65.75.216.6 cache0.winmxgroup.com cache5.winmxgroup.com cache0.winmxgroup.net cache5.winmxgroup.net cache10.winmxgroup.net cache15.winmxgroup.net
    O1 - Hosts: 65.75.216.7 cache1.winmxgroup.com cache6.winmxgroup.com cache1.winmxgroup.net cache6.winmxgroup.net cache11.winmxgroup.net cache16.winmxgroup.net
    O1 - Hosts: 82.43.229.238 cache2.winmxgroup.com cache7.winmxgroup.com cache2.winmxgroup.net cache7.winmxgroup.net cache12.winmxgroup.net cache17.winmxgroup.net
    O1 - Hosts: 205.238.40.1 cache3.winmxgroup.com cache8.winmxgroup.com cache3.winmxgroup.net cache8.winmxgroup.net cache13.winmxgroup.net cache18.winmxgroup.net
    O1 - Hosts: 205.238.40.2 cache4.winmxgroup.com cache9.winmxgroup.com cache4.winmxgroup.net cache9.winmxgroup.net cache14.winmxgroup.net cache19.winmxgroup.net
    O20 - AppInit_DLLs: C:\WINDOWS\system32\bdfdacde.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\


    Then: Do the TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

    Attach all logs! Run HJT again only after all the above is finished and do it last attach this new log!

    Mike
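    The fix list above is a manual triage of a HijackThis log: O1 lines that point a hostname somewhere other than loopback, an O20 AppInit_DLLs entry with a random-looking name, a BHO whose file is gone, and Winlogon Notify DLLs. The script below, added here as an example and not code from the thread or from HijackThis itself, applies the same checks to log lines copied from this post. The `localhost` hosts line is constructed so there is a benign entry to leave alone, and the eight-random-letters DLL test is a heuristic assumption, not a rule.

```python
"""Triage a HijackThis (HJT) log the way the reply above does by hand.

Added example; not part of the TechSpot thread and not HijackThis code.
Sample lines are copied from the fix list in the thread, except the
'127.0.0.1 localhost' line, which is constructed as a benign control.
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 65.75.216.6 www.winmx.com err.winmx.com
O1 - Hosts: 205.238.40.54 www.winmx.com err.winmx.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\bdfdacde.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
"""

# A hosts entry that maps a name to anything but loopback/unspecified is a
# redirect, which is what the winmx.com lines in the thread are.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Heuristic (assumption): eight random lowercase letters, as in bdfdacde.dll,
# is a common dropper naming pattern. It is a hint, not proof.
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the HJT entries a helper would ask the user to fix, with why."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.groups()

        if section == "O1" and body.startswith("Hosts:"):
            parts = body.split()
            if len(parts) >= 3 and parts[1] not in LOOPBACK:
                findings.append(Finding(
                    section, line, f"hosts file maps {parts[2]} to {parts[1]}"))

        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            path = body.split(":", 1)[1].strip()
            name = path.rsplit("\\", 1)[-1].lower()
            reason = "AppInit_DLLs is loaded into every user32 process"
            if RANDOM_DLL.match(name):
                reason += "; random-looking DLL name"
            findings.append(Finding(section, line, reason))

        elif section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(
                section, line, "BHO still registered but its file is gone"))

        elif section == "O20" and body.startswith("Winlogon Notify:"):
            findings.append(Finding(
                section, line, "Winlogon Notify DLL loads at every logon; verify it"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

    Benign entries (the localhost hosts line, the Adobe BHO and Run entry) produce no finding; everything else is reported with the reason a helper would give. Extending the checks to the O23 service lines is a matter of adding another branch with the vendor you trust.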
  3. revird

    revird Newcomer, in training Topic Starter

    I was running avg free, uninstalled it thinking that may be the problem, also uninstalled spybot, I do not see winmx in my add and remove programs list..

    the 3 logs you requested are attached, thanks heaps...
  4. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Update, then run MBAM again (Quick Scan). As it had finds and fixes on the last run, we need to confirm no more are found and see a clean log.

    Only after the above and log is posted do the below.

    Download ComboFix

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while it's running. That may cause it to stall.

    Mike
  5. revird

    revird Newcomer, in training Topic Starter

    mbam log attached
  6. revird

    revird Newcomer, in training Topic Starter

    Installed this combofix, my computer rebooted, now my security center and ICS are staying running.... not sure why though... more logs attached...
  7. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Do the below in Normal Mode.

    Left-drag the mouse and copy all the text in the box below for pasting.
    Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.
    Then paste it into the black screen of an open command prompt.
    Code:
    @echo off
    
    rem For each malware file pattern: clear the hidden, system and read-only
    rem attributes (attrib) so that del can remove it, searching all subfolders (/s).
    attrib -h -s -r /s c:\SKYNET*.*
    del /f /q /s c:\SKYNET*.*
    
    attrib -h -s -r /s c:\svkp*.*
    del /f /q /s c:\svkp*.*
    
    attrib -h -s -r /s c:\msdirectx*.*
    del /f /q /s c:\msdirectx*.*
    
    attrib -h -s -r /s c:\xz.bat
    del /f /q /s c:\xz.bat
    
    attrib -h -s -r /s c:\lockx*.*
    del /f /q /s c:\lockx*.*
    
    rem Close the command prompt (second exit covers a nested cmd session).
    exit
    exit
    Then Boot to Safe Mode and do it again.

    Next still in Safe mode rename ComboFix to 1cfix and run 1cfix

    Attach both the 1cfix log and a new HJT log.

    Mike
  8. revird

    revird Newcomer, in training Topic Starter

    Just got home from work, 24 hours later and all is running properly...

    None of those files exist on my system, what does it do?

    Thank you for your help
  9. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Specific commands to delete some of the Malware that you had.

    ComboFix found more so we need to confirm it is clean so rename ComboFix to 1cfix and run 1cfix and post the log.

    Then
    Run HJT and select and Fix the below.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    Last after all above post final HJT log!

    So Security center is running now?

    Do a full Virus scan with your virus scanner.

    Mike
  10. revird

    revird Newcomer, in training Topic Starter

    combofix log and hijackthis logs attached

    Downloading virus software right now, will scan when finished...

    Yes Security Centre is running fine, along with Connection Sharing..
  11. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Hmmm!

    Second run of ComboFix had some of same findings.

    Better do this..

    DrWeb

    Go here Download DrWeb http://www.techspot.com/vb/post724044-3.html

    Then....

    Boot to Safe Mode only! Not with Networking and run...

    DrWeb will first do an Express Scan on its own; when it completes, you should do a full scan.

    The first Virus it finds select Cure and it will use this as the default automatically for all the rest. What it can't fix will be Quarantined!

    This will take a while based on CPU and HD speed and size, but is worth it!

    Mike
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Mike, suggest you check this one out:

    O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
    This is an illegal software crack used to bypass copy protection for Windows.

    This does not show in the first HijackThis log. But does show in first Mbam log as:
    C:\WINDOWS\system32\antiwpa.dll (Trojan.I.Stole.Windows) -> Delete on reboot.

    It shows on Combofix report dated 6/23/09: 13:40.2 (Reply #10)
    2009-06-21 09:15 . 2008-04-11 08:29 60416 ----a-w- c:\windows\system32\antiwpa.dll

    It shows in HJ log for 6/23/09 2:00:57 PM
    O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll

    Suggest a full system scan with the new antivirus and possibly an online AV scan and online spyware scan, to determine the source of this Trojan and file.

    Maybe run LSP Fix?
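    The post above tracks one file, antiwpa.dll, across three differently formatted logs (MBAM, ComboFix, HijackThis) and notices that a file MBAM marked "Delete on reboot" is still listed in the later logs. The script below is an added example of doing that correlation programmatically; it is not the thread's or any of those tools' own code. The antiwpa.dll lines are the ones quoted in the post; the second ComboFix line is constructed so there is a path the re-appearance check must not flag. Log order is taken from posting order in the thread, which is an assumption standing in for real timestamps.

```python
"""Correlate one file artifact across MBAM, ComboFix and HijackThis log lines.

Added example; not code from the TechSpot thread or from those tools.
The antiwpa.dll lines are copied from the reply above. The
constructed-example.dll ComboFix line is made up as a negative control.
"""
import re
from typing import Dict, List, Tuple

# Posting order in the thread stands in for chronological order (assumption):
# MBAM first, then the ComboFix report, then the later HJT log.
LOGS: List[Tuple[str, str]] = [
    ("MBAM", r"""
C:\WINDOWS\system32\antiwpa.dll (Trojan.I.Stole.Windows) -> Delete on reboot.
"""),
    ("ComboFix", r"""
2009-06-21 09:15 . 2008-04-11 08:29 60416 ----a-w- c:\windows\system32\antiwpa.dll
2009-06-21 09:15 . 2009-06-21 09:15 12345 ----a-w- c:\windows\system32\constructed-example.dll
"""),
    ("HJT", r"""
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
"""),
]

# Windows path with no spaces, quotes or parentheses: enough for system32
# paths; "C:\Program Files\..." would need quoted-path handling.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"()]+")
# ComboFix file list: created . modified size attrs path
COMBOFIX_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\d+)\s+(\S+)\s+(.+)$")
# MBAM: path (Detection.Name) -> action.
MBAM_RE = re.compile(r"\((?P<detection>[^)]+)\) -> (?P<action>.+?)\.?$")


def normalize(path: str) -> str:
    """Windows paths are case-insensitive; fold case so the three logs agree."""
    return path.strip().lower()


def correlate(logs: List[Tuple[str, str]]) -> Dict[str, List[dict]]:
    """Map each normalized path to every log entry that mentions it."""
    seen: Dict[str, List[dict]] = {}
    for order, (source, text) in enumerate(logs):
        for line in text.splitlines():
            line = line.strip()
            for raw in PATH_RE.findall(line):
                entry = {"source": source, "order": order, "line": line}
                if source == "ComboFix":
                    m = COMBOFIX_RE.match(line)
                    if m:
                        entry.update(created=m.group(1), modified=m.group(2),
                                     size=int(m.group(3)), attrs=m.group(4))
                elif source == "MBAM":
                    m = MBAM_RE.search(line)
                    if m:
                        entry.update(detection=m.group("detection"),
                                     action=m.group("action"))
                seen.setdefault(normalize(raw), []).append(entry)
    return seen


def removed_then_seen_again(corr: Dict[str, List[dict]]) -> List[str]:
    """Paths a scanner said it would delete that a later log still lists.

    Either the removal failed or the file was put back; both deserve a look.
    """
    flagged = []
    for path, entries in corr.items():
        deletes = [e["order"] for e in entries
                   if "delete" in e.get("action", "").lower()]
        if deletes and any(e["order"] > min(deletes) for e in entries):
            flagged.append(path)
    return sorted(flagged)


if __name__ == "__main__":
    corr = correlate(LOGS)
    for path in removed_then_seen_again(corr):
        print(path)
        for e in corr[path]:
            print(f"  [{e['source']}] {e['line']}")
```

    The ComboFix entry also carries the created and modified timestamps and the size, so the same structure answers the "when did this arrive" question without re-reading the raw report.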
  13. revird

    revird Newcomer, in training Topic Starter

    Thanks Mike, I know all about "Antiwpa". It didn't show in the first HijackThis log because the malware program deleted it; I found it had been deleted on my next reboot, and I installed it again, hence the reappearance of Antiwpa.

    AVG Free installed again and running....

    All systems/programs are doing what they are supposed to do, I thank you very much..
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    For the record, Mike did not tell you about and document the occurrence of "Antiwpa" - I did.

    I went back and re-read all the logs to track it.

    I made a subtle comment to try and bring it to his attention, which failed. But if you saw it and acted on it, that's what matters.

    You're welcome.
  15. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Sorry revird

    I have been away out of office trying to make a living and not getting in until late exhausted.

    And still will not be available until tonight!
    No Bobby, it was not subtle, nor did I see it till now, and ignore it as I am doing now! Knew what it was, knew it was a false positive, so had no intention of removing it!

    Mike
  16. revird

    revird Newcomer, in training Topic Starter

    Thank you guys...
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You're welcome.