Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


System Security malware/ Moved

  • Please log in to reply
4 replies to this topic

#1 rhuppert


  • Members
  • 3 posts
  • Local time:12:21 AM

Posted 03 March 2009 - 11:32 PM

I am attempting to fix a friend's system that was infected with "System Security" malware. It is an XP system running McAfee I/S, which had not been updating properly. At any rate, I am not clear how far he went once System Security infected, but currently I cannot run any installation program for Malwarebytes or other software in Normal or Safe Mode.

The symptoms are rather pernicious. Install/Uninstall programs terminate almost immediately.
Any virus-related searches in IE or FF will immediately terminate the browser.
Autoruns will not run.
I've tried a few AV scans from boot CD's with no luck as yet.

Another symptom: When I plug in my USB drive, it will modify the autoplay script and add a new file: M.exe

I am running a Trintiy Rescue Kit virus scan now, but it is not complete. Other scans have not worked as yet.

I cannot uninstall McAfee or install AVG or Malwarebytes. It immediately terminates.

Any thoughts would be appreciated.

BC AdBot (Login to Remove)


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,110 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:21 AM

Posted 04 March 2009 - 07:44 PM

Hello rhuppert and welcome to BC :thumbsup:

As no logs are posted, I am moving this topic from the specialized HiJack This forum to the Am I Infected forum. PLEASE DO NOT NOW POST LOGS unless someone specifically asks for them.

Looking over your topic, I see that you have a flash drive infection. Please do not plug your flash drive into any other computers as you will then infect the other computers. Also, at this point, the infected machine will infect any other flash drives plugged into it.

It would be helpful to know if you have access to a clean computer and what portable storage devices you have.

Please be patient while someone more knowledgeable than I to assist you.

Orange Blossom :flowers:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


#3 DaChew


    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:04:21 AM

Posted 04 March 2009 - 07:52 PM

Holding down the shift key when inserting a usb stick keeps it from infecting a computer with an autorun.inf file

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

The linux based AV scanners are a good idea

No. Try not. Do... or do not. There is no try.

#4 rhuppert

  • Topic Starter

  • Members
  • 3 posts
  • Local time:12:21 AM

Posted 05 March 2009 - 02:59 PM

I have disinfected the flash drive.
I decided to bring infected system to my office where I have clean machines and backup options.

I was going to run a Malwarebytes scan remotely, but cannot see the shares I've setup on suspect machine. Suspect machine can see network shares. I suspect permissions may have been modified somehow, but I'm at a loss as everything appears to be properly configured.

Any ideas are appreciated.

#5 rhuppert

  • Topic Starter

  • Members
  • 3 posts
  • Local time:12:21 AM

Posted 13 March 2009 - 02:02 PM


I thought I'd post an update.

Apparently, this issue was the combination of a variety of issues. It apparently began when McAfee Internet Security had a problem updating the computer and, upon attempting to follow their recommendations (virtual tech and uninstallation), the problems began.

The first step toward resolution was running Panda anti-rootkit software. It found and removed several problems.
Next, running SuperAntiSpyware, which found additional issues.
Third, running Malwarebytes removed the rest.

The key in this case was the Panda software. It provided an environment that enabled all the other programs to do their thing.

This was a particularly nasty experience. These were admittedly very clever programs that inhibited program installations and uninstalls. They would terminate any browser (FF or IE) from searching any infection-related terms. It also inhibited connecting remotely via the network.

The programs and developers of the above mentioned programs are fantastic and to be commended. I can't say enough how grateful I am to them. Also kudos to bleepingcomputer and the people who give their time and effort to help people.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users