
Question I think my PC is infected

asda333

I recently got a dialog stating that windows security centre was turned off and I needed to turn it back on and when I click on it, it says Windows Security centre can't start, when I go to security and maintenance and see the message:

Windows Security Center Service is turned off I click Turn on I get message Windows security center service can't be started. I looked around the internet and none of the fixes worked because security center is not in services.msc nor is wscvs and there is no security centre in regedit in local machine, system, etc.

I ran scan sfc/now and it says there were problems and it has repaired it, restarted it and still cannot start windows security center service.

I ran scan on avg nothing, I ran malwarebytes scan and get the following threats detected.

windows\windows.exe
hklm\software\microsoft\security center I firewalldisablenotify (I don't have that line symbol on my keyboard so I used capital I)
hklm\software\microsoft\security center I Updatedisablenotify
etc\hosts
etc\hosts (yep it appears twice in the threats list)
wondershare helper compact\wshelper.exe
HKLM\software\wow6432node\microsoft\windows\currentversion\run I wondershare helper compact.exe
C:\$Recycle.BIN\s-1-5-21-2555645..........\$RWBSKBH.exe

Others I will quarantine, not like I need them, but I'm pretty sure I need windows.exe and svchost and the security center.

What should I do? For now I will quarantine the last 3 items in the list.
 
The Wondershare thing is part of a DVD video converter pack. It isn't specifically a virus, but given its use case something may have come out of video files if acquiring off the grey-black market.

I get no results from that last exe.

If you suspect there is an issue, and certainly something is keeping you from turning A/V back on it may be best to wipe and do a clean install.
 
The problem has likely gotten worse because, as I understand your post, you attempted to edit the registry.

Registry edits are a last resort and only should be attempted after a full system backup including the registry itself.

Also: Using a capital "I" (eye) is not the same character as the line symbol. Which, on most keyboards is a Shift + \ key combination.

The "\" key being between the backspace key and the enter key. However keyboard layouts can and do vary.

Did you have any backups?

If not, do you remember what registry changes you made and can go back and undo the changes?

(Be sure to backup all data before doing anything at all. Backup to locations off of the current host computer and verify that the backups are both recoverable and readable.)

= = = =

Look in Reliability History/Monitor. There may be some specific errors, warnings, or even informational events listed with respect to Windows Security failing to start.

= = = =

Try using "dism" and "sfc /scannow" exactly as shown.

FYI:

https://www.windowscentral.com/how-use-dism-command-line-utility-repair-windows-10-image

https://www.lifewire.com/how-to-use-sfc-scannow-to-repair-windows-system-files-2626161
 
I didn't edit the registry because I couldn't find Security Centre in regedit under Local Machine or mscvs (something like this).

The recyclebin thing looks like a legit virus I previously had on a USB stick, but the registry seems to have been edited automatically or by a virus. So I quarantined them except for etc host and windows.exe.
 
I did dism and sfc /scannow and it said files fixed but the issue still persists.

I ran them again and no problems detected but I still can't open security centre, says can't be started.
 
A clean Windows reinstall may be necessary.

Wait for other comments and suggestions.

In the meantime start planning as necessary beginning with:

https://forums.tomshardware.com/faq/windows-10-clean-install-tutorial.3170366

Run AV and malware scans on all backup drives/data.
Oh no please no not that.

Is there a way to clean install without losing programs or files or data. Maybe upgrade to windows 11 as that would technically be a new install, but I would still lose my installed programs, downloaded files, etc.
 
Also, I just found out something: when I was downloading a program, in the rar file was a file which the readme told me I had to run. It was called avengers aio, and looking on Google at what this is, it says it deletes Windows Security Centre. Oh crap. I need to undo this.
 
Just edited a few regedit values, which were firewalldisablenotify and updatedisablenotify, from 1 to 0, and cval to 0. These were not there before. Also deleted some unknown disable registry in Windows Defender.

Now I'm going to try to upgrade Windows 10 via the media creation tool to see if that will fix it.

Then move all programs to another hard drive, as Windows is installed on a small NVMe SSD, so not too many losses.
 
Problem:
Downloaded a program and inside was told to install avenger aio, which I did, and this permanently deleted Security Center and Windows Defender and placed a sneaky script in the PC that would detect if it was reinstalled or re-enabled and would disable it again, and then you would have corrupted system files. I didn't know until I tried starting Security Centre and got the message "Security centre can't get started" or something like that.

Solution:
Unfortunately you will have to reinstall windows 10, but you can still keep your files and programs, by following the tutorial video below.


So everything is fixed and working well, except for a small thing: Malwarebytes detected windows.exe in the C:\WINDOWS\ folder, and not in the C:\WINDOWS\SYSTEM32\ folder, as a trojan. So I just quarantined it and made an exclusion for false positives of etc/host.

Glad that's over, never again.

Can someone mark it as solved? I don't know how to.
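
A read-only check of the locations the Malwarebytes results in this thread point to, added here as an example and not posted by anyone in the thread. It assumes Windows 10 with PowerShell 5.1, an elevated prompt, and the standard Windows service name `wscsvc` for Security Center; it changes nothing on the system.

```powershell
# Read-only triage of the locations flagged in this thread. Nothing is modified.
# Run from an elevated PowerShell prompt so HKLM and service data are readable.

# 1. Is the Security Center service (wscsvc) still registered, and in what state?
$svc = Get-Service -Name 'wscsvc' -ErrorAction SilentlyContinue
if ($svc) { "wscsvc: $($svc.Status), start type $($svc.StartType)" }
else      { 'wscsvc: service is not registered (consistent with it missing from services.msc)' }

# 2. Security Center values whose names end in DisableNotify (1 = alert suppressed).
$wscKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$wsc = Get-ItemProperty -Path $wscKey -ErrorAction SilentlyContinue
if ($wsc) {
    $wsc.PSObject.Properties |
        Where-Object { $_.Name -like '*DisableNotify' } |
        ForEach-Object { "{0}\{1} = {2}" -f $wscKey, $_.Name, $_.Value }
} else {
    "$wscKey : key not found"
}

# 3. Active hosts-file entries (comment and blank lines skipped).
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsFile | Where-Object { $_ -match '^\s*[^#\s]' }

# 4. Autoruns in the 32-bit Run key where the Wondershare entry was reported.
#    Properties starting with "PS" are provider metadata added by PowerShell.
$runKey = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "{0} -> {1}" -f $_.Name, $_.Value }
}

# 5. Executables directly in C:\Windows whose signature does not validate
#    (the thread's windows.exe was found here, not in System32).
#    A non-valid status is a lead for further checking, not a verdict.
Get-ChildItem -Path $env:SystemRoot -Filter '*.exe' -File |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object Path, Status
```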
 