13 Replies. Latest reply on Jan 2, 2010 10:13 AM by chess77

    New Virus McAfee won't run, says I have virus and got Windows Defense for solution

      My brother-in-law's computer has McAfee Security Center installed and it looks like it allowed a virus through on Dec 26th. I believe this is a newer version of an older virus, but it won't let me run McAfee or any of the normal tools to remove virus or malware. It goes into processes but doesn't start/run the application. This is in safe mode. In normal mode it keeps saying everything is a virus and gives a website to go to called windows defense. A shield pops up and I believe he installed this software. I uninstalled and am still having the problem.

      I think I need a bootable CD with Windows XP installed and anti-virus and malware programs installed on it. Laptop is 4 years old and doesn't allow booting off USB port. Running Windows Media Center SP3.

      Attempted to install HJT, combofix and malwarebytes. Nothing will run so I can scan it.

      The last thing he remembers doing is installing iPod software to copy songs from CD to iPod.

      Any help would be greatly appreciated; if we could prosecute these individuals it would be better.

        • 1. Re: New Virus McAfee won't run, says I have virus and got Windows Defense for solution
          Peter M

          Can you successfully boot to "Safe Mode With Networking" by tapping F8 repeatedly while booting up?   If so, try 'saving as' the Malwarebytes download to your desktop.  Rename it to anything else, in case the infection objects to it.

           

          Install and update it.  Malwarebytes can also be run in that mode.  Let it remove anything it finds and reboot immediately if asked to do so.

           

          If that doesn't work & you have access to a clean machine that can burn media then try one of our Moderators Secured2k's BootCD.  Any questions on that should go in that thread.

           

          Sorry I missed this but it should have been posted in the Malware section.   I'll get it moved eventually.

           

           

          Message was edited by: Ex_Brit on 29/12/09 8:24:22 EST AM
          • 2. Re: New Virus McAfee won't run, says I have virus and got Windows Defense for solution

            Chess77:

             

            I received your reply and log. The log indicated you did not actually remove the detected items. Even if you were able to remove the malwarebytes infected items, there is no guarantee there wasn't something else active on the system blocking security software. You should try McAfee Stinger or the MCPR (Full McAfee Removal Tool) and then reinstall if McAfee was damaged.

             

            The Boot CD will not do anything without your input. You will need to tell it to run a scan or to manually edit the files or registry.

            1 of 1 people found this helpful
            • 3. Re: New Virus McAfee won't run, says I have virus and got Windows Defense for solution

              I sent the file I had before removing the selected items. Then I rebooted. Note still hangs in normal mode so I rebooted in safe mode with networking, only way this laptop appears to work. I just ran HJT and it produced this log; I see some suspicious things I'm looking at removing. Also note I have system restore turned off. Also I attempted to create Bootable Secure2k CD on this laptop but it won't do it in safe mode.

              Also there wasn't anyplace I could input or buttons to push to run scan. I think this would be a great tool and something that I asked for.

              Running Windows XP Media Edition SP3. Where would I get McAfee Stinger or full MCPR?

              • 4. Re: New Virus McAfee won't run, says I have virus and got Windows Defense for solution

                McAfee Stinger -> http://vil.nai.com/vil/stinger/

                McAfee Consumer Product Removal Tool (MCPR) -> http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe ( http://service.mcafee.com/FAQDocument.aspx?id=TS100507 )

                 

                I'm still unsure at what point the boot CD is failing. In the instructions, you must RIGHT-CLICK the desktop background to get the menu of items. Did this not work?

                 

                I personally don't support HiJackThis because it is usually incomplete and won't show some areas where malware could be hidden. However, I do see a program "Winlogon.exe" on the desktop that probably should not be there.

                "krl32mainweq.dll" in the log also does not look legitimate.

                1 of 1 people found this helpful
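
An added example, not part of the original thread or of HijackThis itself: a small Python triage over a HijackThis-style log that applies the two observations in the reply above, a system process name (Winlogon.exe) located outside System32 and the strings the thread calls out as suspicious. The sample log is constructed for illustration, and the function name and the list of system process names are assumptions.

```python
import ntpath

# Core Windows XP process names that normally run only from System32 (assumed list).
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "smss.exe",
                "lsass.exe", "services.exe", "svchost.exe"}
# Strings the thread itself calls out as suspicious.
THREAD_INDICATORS = ("krl32mainweq.dll", "h8srt")

# Constructed sample in HijackThis layout; not the poster's actual log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\User\Desktop\Winlogon.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
O20 - AppInit_DLLs: krl32mainweq.dll
"""

def triage_hjt_log(text, system_root=r"C:\WINDOWS"):
    """Return a list of (reason, line) findings for a HijackThis-style log."""
    expected_dir = ntpath.normcase(ntpath.join(system_root, "system32"))
    findings = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if in_processes and not line:
            in_processes = False  # a blank line ends the process list
            continue
        if in_processes:
            folder, name = ntpath.split(line)
            # Same name as a system binary, but not running from System32.
            if name.lower() in SYSTEM_NAMES and ntpath.normcase(folder) != expected_dir:
                findings.append(("system process name outside System32", line))
        elif any(ind in line.lower() for ind in THREAD_INDICATORS):
            findings.append(("indicator named in thread", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage_hjt_log(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

A clean result only means nothing matched; a rootkit can hide entries from tools run on the live system, so an offline scan from boot media remains the stronger check.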
                • 5. Re: New Virus McAfee won't run, says I have virus and got Windows Defense for solution

                  Mark

                  Thanks for that info, maybe I didn't read the instruction that said to right click. I'm scanning now and will let you know the results.

                   

                  Steve

                  • 6. Re: New Virus McAfee won't run, says I have virus and got Windows Defense for solution

                    I figured this would have fixed the problem, it picked up 20 files. I guess this rootkit is too new to be in the latest antivirus definitions.

                    After rebooting in safe mode with networking I ran another malwarebytes scan. I attached your report and the mbam-log.

                    I'm presently running stinger, but this says it's from Nov.


                    Steve

                    • 7. Re: New Virus McAfee won't run, says I have virus and got Windows Defense for solution

                      Stinger will use "Artemis" technology from McAfee to detect suspicious bad files by checking the real time database of reported malware through your internet connection (thus up-to-date). If you do not have a working internet connection, Stinger will not work well to discover any new or unknown samples.

                       

                      I would suggest you also try the ESET Online Scanner included on the CD. It uses a different engine and database set that picks up some things McAfee does not. If all three of the scanners (McAfee, ESET, MalwareBytes) do not detect anything, you may not have a virus left or you may have something too new that has not yet been widely discovered.

                       

                      In the case that you no longer have malware actively running, it's possible it did something that changed a Windows setting to prevent security software from running. Normally, MalwareBytes repairs these major system changes, but it's not 100% guaranteed.

                       

                      In the case you do still have some malware, the only options are to wait for a fix or to do a manual removal. This usually requires a knowledgeable tech that can recognize what does and does not belong in your system.

                      1 of 1 people found this helpful
                      • 8. Re: New Virus McAfee won't run, says I have virus and got Windows Defense for solution

                        Ok I just got home from work, Stinger completed with no errors (date says Nov 24th). I reran Malwarebytes and found the same:

                        Registry Keys infected Hkey_LOCAL_Machine\software\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successful every time I run the scan after a reboot. (I couldn't find this key with regedit.)

                        This time I didn't reboot, ran another malwarebytes and it didn't find anything.

                        I was able to start McAfee this time but it said it needed to be fixed. Fix fails. I did perform an Update, but scan wouldn't run. Looks like all is disabled.

                        Should I uninstall McAfee and try reinstalling it? Can I log on with a Tech to find out what is wrong so maybe they can prevent or find a cure for future attacks? I believe this is new and, as you say, not widely discovered. Slowly we're moving ahead and gathering more info.

                        Note I'm still in Safe Mode with networking.

                        I'm going to attempt combofix also at this point, if I can load it. Then I'll try ESET from the CD.

                        Thanks for your help

                        • 9. Re: New Virus McAfee won't run, says I have virus and got Windows Defense for solution

                          The "TDSS" family of viruses/rootkits are usually very advanced and difficult to detect and remove. They have been known to be associated with MBR Rootkits and to modify driver files that are required to start the computer!

                           

                          Assuming the system is virus free now, I still suggest the MCPR tool to uninstall McAfee before trying to reinstall.

                           

                          You should be installing/uninstalling from Normal Mode.

                           

                          If you do use ComboFix, I highly recommend you follow the direction of whatever tech is guiding you through its proper use.

                           

                          For official McAfee Support, check out the "McAfee Support" drop down menu link at the very top of this web page or go to http://service.mcafee.com/.
