Ran across a new virus today
Reset
05-18-2009, 03:32 AM
Got a call and went on-site to remove a virus; he said it was something like Anti-virus 360. So I get on site and come to find out it's not Antivirus 360 or a clone. It was called Super Privacy Center. I said OK, looks just like the others, but no, I was wrong. Booted into Windows and it popped up as soon as I clicked the user's name, then it started talking to me in German. I was like, wtf. It did the same thing in safe mode; couldn't go any further, so I booted safe mode with console, which let me get around it, thankfully. So I got it removed all by command prompt and the customer was happy he could now see his desktop. By the way, this happened on Windows Vista 64-bit. It was a pain at first because it blocked everything you did. Has anyone else run across this? It created a folder in system32, the user account and Program Files called pcenter.
Blues
05-18-2009, 02:15 PM
I have a PC with this, I think. I don't know, and it is out of state, but I have remote access, just not at boot. What did you have to do from the command line to fix it? I am wondering if I can do this remotely or if it is fubar.
Reset
05-19-2009, 03:04 AM
I had to delete files, edit configs, and rename folders. That's about it; there's more, but I don't have my notes (2 pages) with me, they're at my office. But you should be able to get rid of it if you can locate the folders it creates. It can also detect certain commands (regedit, msconfig, mmc, etc.) and won't allow them to be executed. Once you get around its protection you'll be fine.
Today my friend, who also has Vista, asked me to remove a virus. It wouldn't let me see a desktop in regular startup nor in safe mode.
What I did was let it load up normally into Windows. Couldn't see the background, but Task Manager would come up. I clicked to end the Control Center task and it said it did, but of course still no desktop. I clicked New Task in Task Manager and browsed to find ComboFix and I ran that. Now I can see my desktop. I'm about to run Smitfraud and such right now because I noticed in msconfig I still see ccagent.exe, which is Control Center, in the same family as Privacy Center.
What else did y'all do?
Packrat1947
01-17-2010, 05:42 AM
I saw Control Center last week. It is safe-mode aware. I used the bootable and updatable Kaspersky disc to clean it. Then I booted to the normal Desktop and ran all the other scans.
Packrat1947
B Trevathan
01-18-2010, 12:03 AM
You could use one of the rkill versions like .EXE, .COM, .SCR or .PDF to end the processes that belong to Control Center.
http://www.technibble.com/rkill-repair-tool-of-the-week/
Once it's stopped, and before rebooting, you can run anti-malware programs like MalwareBytes to remove its files and startup locations in the registry like:
Registry locations:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Control center
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "agent.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ccagent.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%UserProfile%\Application Data\CC\cc.exe"
Packrat1947
01-18-2010, 02:12 AM
How do you run rkill if you cannot boot to safe-mode?
Is there a "super" safe-mode?
Just wondering.
Packrat1947
B Trevathan
01-18-2010, 07:12 AM
Packrat1947: I was reading Elea's post:
"Now I can see my desktop. I'm about to run Smitfraud and such right now because I noticed in msconfig I still see ccagent.exe"
He said he was able to run Combofix and Msconfig and was about to run Smitfraud and such. If he could do all that then he should have been in Windows?
Both Privacy Center and Control Center run inside of Windows; as to what is stopping you from booting Windows normally or in safe mode, that is different. How would these two programs scam us if they weren't able to run?
I wish there was a "super" safe-mode; it would make life easier, wouldn't it? I guess we are stuck fixing things with Recovery Console and live boot CDs.
It sounds like it's one of the viruses that changes the userinit registry key. This will prevent Windows from starting completely (you get the welcome screen but then it just sits there on a blank wallpaper).
When I get these, I start a boot cd and change the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit
Back to what it should be:
C:\Windows\system32\userinit.exe (path may obviously differ)
Reboot and Windows should boot up properly. Business as usual from that point.
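An added example, not part of any post in this thread: a read-only PowerShell check of the logon and startup registry locations the posts above name. It assumes a live Windows session running as the affected user, and that the stock values are `explorer.exe` for the HKLM Shell and a single `userinit.exe` entry (Windows stores it with a trailing comma) for Userinit; the helper names `Get-RegValue` and `New-Finding` are made up for this example.

```powershell
# Added example (not from the thread): read-only audit, changes nothing.
$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$run      = 'Software\Microsoft\Windows\CurrentVersion\Run'
# File names reported in the posts above: agent.exe, ccagent.exe, cc.exe
$namePattern = '(^|[\\"\s])(agent|ccagent|cc)\.exe'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    if (-not (Test-Path -Path $Path)) { return $null }
    return (Get-Item -Path $Path).GetValue($Name, $null)
}
function New-Finding([string]$Where, [string]$Value, [string]$Why) {
    [pscustomobject]@{ Location = $Where; Value = $Value; Reason = $Why }
}
$findings = @()

# Userinit: expect exactly one entry, userinit.exe under the Windows directory.
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
$userinit = Get-RegValue "HKLM:\$winlogon" 'Userinit'
$entries  = @("$userinit".Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($entries.Count -ne 1 -or $entries[0] -ne $expected) {
    $findings += New-Finding 'HKLM Winlogon\Userinit' "$userinit" "expected only $expected"
}
# Shell: machine-wide value should be explorer.exe; a per-user value is an override.
$shell = Get-RegValue "HKLM:\$winlogon" 'Shell'
if ($shell -ne 'explorer.exe') {
    $findings += New-Finding 'HKLM Winlogon\Shell' "$shell" 'expected explorer.exe'
}
$userShell = Get-RegValue "HKCU:\$winlogon" 'Shell'
if ($null -ne $userShell) {
    $findings += New-Finding 'HKCU Winlogon\Shell' "$userShell" 'per-user shell override, absent by default'
}
# Run keys: list entries whose name or command uses a file name from the thread.
foreach ($hive in 'HKCU', 'HKLM') {
    $path = "${hive}:\$run"
    if (-not (Test-Path -Path $path)) { continue }
    $key = Get-Item -Path $path
    foreach ($name in $key.GetValueNames()) {
        $data = "$($key.GetValue($name))"
        if ("$name $data" -match $namePattern) {
            $findings += New-Finding "$hive Run\$name" $data 'file name reported in thread, review'
        }
    }
}
if (Test-Path -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Control center') {
    $findings += New-Finding 'HKLM Uninstall\Control center' '' 'uninstall key named in thread'
}
if ($findings.Count -eq 0) { 'No deviations found.' } else { $findings | Format-List }
```

It reads the running system's registry only; it does not inspect an offline hive from a boot CD.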