Solved: Had the MS Security Essential malware infection

November 24, 2013 at 04:16:59
Specs: Windows XP
Used Rkill to remove the malware. The program gave a list of reparse points/junctions that it labeled as questionable. I have tried to download security software from MS and I continue to get error messages stating they ran into a problem and cannot download to my computer. How do I evaluate the reparse points/junctions to determine if they are the cause? And then how do I delete them if they are not legitimate? Everything else on my computer seems to be working OK.

#1
November 24, 2013 at 12:27:17
Try running System Restore. Choose a date that precedes the date that the malware issues started. Then install some security software that offers better protection than what you've been using as it's obviously not good enough.

I've been using Comodo Internet Security for a year now & my PC & laptop have never been infected. Highly recommended:
http://www.comodo.com

message edited by phil22



#2
November 24, 2013 at 12:30:04
rkill does NOT remove malware...it only stops it so it can be removed by another program like malwarebytes and TDSS killer. A system restore does NOT stop malware that is already loaded on a PC, sorry.....

HELP in posting on Computing.net plus free progs and instructions



#3
November 24, 2013 at 12:38:56
"A system restore does NOT stop malware that is already loaded on a PC, sorry"

I'm well aware that Restore Points can contain malware, that's why I told the OP to choose a restore point that precedes the date of the infection first being noticed.
There's every chance that an old restore point will be clean, so it's therefore worth a try.

Instead of just criticising, how about offering some suggestions to help the OP?

message edited by phil22



#4
November 24, 2013 at 13:14:26
✔ Best Answer
"How do I evaluate the reparse points/junctions to determine if they are the cause"

1: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
To run Unhide, simply download it to your desktop and then double-click on the Unhide icon. The program will open a black box and start making the files on your fixed disks visible again. Please note that this program will not unhide removable drives like flash cards and USB drives, as the FakeHDD rogues do not target these types of drives. Once it has finished, the program will display a Windows alert stating that your files have been restored. You should then reboot your computer for all of the settings to go into effect.
Copy & Paste the contents of the log. Let me know if it doesn't produce a log please.

2: Reboot

3: Run Defogger & then Combofix.
http://majorgeeks.com/Defogger_d708...
http://www.bleepingcomputer.com/dow...
Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.
This program can enable and disable CD emulation, often required in removing difficult malware. Some CD Emulation programs use a hidden driver that may be seen as a rootkit or that will interfere with the proper operation of the anti-rootkit scanner.
Run ComboFix. Copy & Paste the contents of the log please. ComboFix's log should be located at C:\COMBOFIX.TXT.
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.winhelp.us/index.php/gen...
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
"There are circumstances ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual."
If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE:
ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
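The opening post's actual question, how to tell whether the reparse points/junctions a removal tool lists are legitimate, is deferred above until the logs come back, and no post shows a method. The script below is an added example for this thread; it is not code from Rkill, ComboFix or any poster. Its enumeration half assumes a modern Windows host with Python 3.8 or newer (where os.readlink resolves junctions); Windows XP itself cannot run a Python that new, so on the infected machine the practical path is to paste the tool's list of path/target pairs into the classifier half, which runs anywhere. The review buckets (chained links, dangling targets, targets inside temp or profile folders, cross-volume targets) are assumptions of this example, not rules from the thread, and the sample report and fake filesystem at the bottom are constructed.

```python
"""Triage helper for the reparse points (junctions) a removal tool reports.

Added example for this thread; not code from Rkill, ComboFix or any poster.
Part 1 enumerates directory reparse points on a Windows host (Python 3.8+);
on other hosts it returns []. Part 2 classifies (path, target) pairs, for
instance pasted from a tool's report, into review buckets. The bucket rules
are assumptions of this example.
"""
import ntpath
import os
import stat
from typing import Callable, Dict, Iterable, List, Tuple

Entry = Tuple[str, str]  # (reparse point path, target it resolves to)

# Target locations a junction rarely has a legitimate reason to point into.
# Assumption of this example, not a rule from the thread.
SUSPECT_TARGET_FRAGMENTS = (
    "\\temp\\",
    "\\local settings\\",
    "\\application data\\",
    "\\recycler\\",
)


def normalize_target(target: str) -> str:
    """Strip the extended-path prefix os.readlink adds on Windows, tidy separators."""
    if target.startswith("\\\\?\\"):
        target = target[4:]
    return ntpath.normpath(target)


def enumerate_reparse_points(root: str) -> List[Entry]:
    """Return every directory reparse point under root (Windows only)."""
    found: List[Entry] = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):  # iterate a copy: dirnames is pruned below
            path = os.path.join(dirpath, name)
            try:
                attrs = getattr(os.lstat(path), "st_file_attributes", 0)
            except OSError:
                continue
            if attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT:
                try:
                    target = normalize_target(os.readlink(path))
                except OSError:
                    target = "<unreadable>"
                found.append((path, target))
                dirnames.remove(name)  # do not descend into the link: avoids loops
    return found


def triage(entries: Iterable[Entry],
           exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """Sort reparse points into review buckets, most suspicious first.

    chain          : target is itself another reparse point in the list
    missing_target : target does not exist (dangling leftover)
    suspect_target : target sits in a temp, profile or recycler folder
    cross_volume   : target lives on another drive letter
    plain          : nothing stood out; still compare with what you expect
    """
    normalized = [(p, normalize_target(t)) for p, t in entries]
    link_paths = {p.lower() for p, _ in normalized}
    buckets: Dict[str, List[str]] = {
        k: [] for k in ("chain", "missing_target", "suspect_target",
                        "cross_volume", "plain")
    }
    for path, target in normalized:
        tl = target.lower()
        if tl in link_paths:
            buckets["chain"].append(path)
        elif not exists(target):
            buckets["missing_target"].append(path)
        elif any(frag in tl + "\\" for frag in SUSPECT_TARGET_FRAGMENTS):
            buckets["suspect_target"].append(path)
        elif ntpath.splitdrive(path)[0].lower() != ntpath.splitdrive(tl)[0]:
            buckets["cross_volume"].append(path)
        else:
            buckets["plain"].append(path)
    return buckets


# Constructed sample report (not real output from any tool) plus a fake
# filesystem, so the classifier can be exercised on any platform.
SAMPLE_REPORT: List[Entry] = [
    ("C:\\Documents and Settings\\Bob\\Shared", "C:\\Shared"),
    ("C:\\Program Files\\OldApp\\data", "C:\\Program Files\\OldApp\\data_v2"),
    ("C:\\Program Files\\Common Files\\cache",
     "C:\\Documents and Settings\\Bob\\Local Settings\\Temp\\cache"),
    ("C:\\Backup", "D:\\Backup"),
    ("C:\\Alias", "C:\\Documents and Settings\\Bob\\Shared"),
]
SAMPLE_EXISTING = {
    "c:\\shared",
    "c:\\documents and settings\\bob\\local settings\\temp\\cache",
    "d:\\backup",
}


def triage_sample() -> Dict[str, List[str]]:
    """Run the classifier over the constructed sample report."""
    return triage(SAMPLE_REPORT, exists=lambda p: p.lower() in SAMPLE_EXISTING)


if __name__ == "__main__":
    for bucket, paths in triage_sample().items():
        for p in paths:
            print(f"{bucket:15} {p}")
```

On a live Windows host, `triage(enumerate_reparse_points("C:\\"))` replaces the sample call. For a single entry on the XP machine itself, `fsutil reparsepoint query <path>` prints the reparse tag and target data, which is enough to fill in one path/target pair by hand. Nothing here deletes anything: the buckets only order what a reviewer should compare against the junctions the installed software is known to create.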



#5
November 24, 2013 at 15:42:06
Instead of just criticising, how about offering some suggestions to help the OP?

sorry to offend you Phil, BUT, I did suggest what other progs to run while using rkill...

HELP in posting on Computing.net plus free progs and instructions

message edited by XpUser4Real



#6
November 24, 2013 at 16:29:17
Thank you all for your help...I will try your advice. Hope it solves my issue.


#7
November 24, 2013 at 17:01:39
"Hope it solves my issue"
I doubt it; that is just to clear the decks. The reparse points/junctions fix I will do after reading the logs.


#8
November 25, 2013 at 17:20:57
The aside about restore points and viruses is interesting. There are websites around that seem to jump at clearing restore points, as if every one of them is immediately infected. You never know what viruses can do, of course (or what the future might bring), but I think that "so far" it is usually only the restore points made after the infection that are of concern. I have definitely managed to clear a virus using System Restore. It reverts all but personal files to just those that were present at the selected date/time (including the registry).

Unfortunately the average Joe will often have no idea when the virus came along and therefore which restore points are dubious. The more technical users will be better able to deduce this and there is even a facility in CCleaner to clear individual points (except the last one).

I do think that if restore is used it should be followed up immediately by at least some basic checks, just to get a degree of confidence that the virus wasn't kicking around before the first symptoms became apparent. That way you can always opt to restore back a bit further or take some other action.

EDIT:
But viruses can "remove" or "disable" restore points.

Always pop back and let us know the outcome - thanks

message edited by Derek

