
Cannot install MSE or System Center 2012 Endpoint Protection


7 replies to this topic

#1 LannyLin

LannyLin

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:37 AM

Posted 25 October 2013 - 12:29 PM

My computer is running XP SP3. It had Symantec Endpoint Protection before. Three days ago, I noticed that Symantec Endpoint Protection kept popping up messages saying it had found a virus. Also, I couldn't ping this computer or use Remote Desktop Connection to connect to it. So I downloaded MalwareBytes Anti-Malware and scanned my computer. I removed all the things it found, but the ping and RDC problems remained.

 

So I tried to restore system to a previous restore point. Had to go into Safe Mode to run the restore, and many of my restore points stopped working. I was finally able to restore back to a restore point about two weeks back. Then my computer seemed to have returned to normal. I was able to ping it and also RDC to it.

 

Then the next day, the same ping/RDC problems occurred. But this time I wasn't able to restore back to any restore point (including the one I successfully used previously). After some research online, I downloaded ComboFix, ran that in Safe Mode, and ComboFix seemed to have fixed the problem (although some of my program links in the Start Menu, such as NotePad++ or Adobe Photoshop, now are broken shortcuts) and returned my computer back to normal. I immediately created a restore point at that time.

 

Seeing that Symantec Endpoint Protection is obviously not doing its job, I uninstalled it, and then put Microsoft System Center 2012 Endpoint Protection on my computer. Did a quick scan, and it didn't find anything, so I thought my pain was over.

 

Then when I tried to open the Google web site with Chrome, I kept getting Security Certificate Errors. I did some online research and learned that this is caused by malware. So I ran MalwareBytes Anti-Malware again and it did find several pieces of malware. After removing those I could open the Google web site using Chrome fine. So I thought System Center 2012 Endpoint Protection was not doing its work either. So I downloaded Microsoft Security Essentials and removed System Center 2012 Endpoint Protection using Control Panel. However, MSE would not install. So I decided to run ComboFix again. But ComboFix started to tell me that System Center 2012 Endpoint Protection was still doing real-time protection on my computer, and that I risked damaging Windows OS if I kept running ComboFix. So I closed ComboFix and didn't proceed. I tried to boot my computer into Safe Mode and still got the same warning.

 

Then I researched how to get rid of System Center 2012 Endpoint Protection. Someone said to run c:\windows\ccmsetup\scepinstall.exe /u /s. However, I don't have a folder called ccmsetup. I found an article talking about manually removing System Center 2012, so I followed that and disabled the Microsoft AntiMalware service, and also went into the registry and manually deleted AntiMalware keys. However, when I try to run ComboFix, I still get the warning saying that System Center 2012 is doing real-time scan. And I still cannot install MSE. I can't even reinstall System Center 2012 Endpoint Protection. Both would stop at error code: 0x80070643. Event viewer log says something like "The error code is 2324. The arguments are: 1920".

 

I researched online more, and then ran the following:

  • rkill
  • mbam
  • MiniToolBox
  • tdsskiller
  • AdwCleaner
  • ESET Online Scanner
  • FRST
  • dds

 

Please see attached the logs from those programs.

 

So right now my computer doesn't have a firewall (Windows Firewall seems to not be there anymore) and doesn't have a virus scan program (although ComboFix keeps thinking System Center 2012 Endpoint Protection is running, and Windows Security Center also says so).

 

Please help!!!

 

Best,

Lanny

Attached Files





#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,759 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:12:37 PM

Posted 25 October 2013 - 09:04 PM

:welcome:

Please download the enclosed file.

Save it next to FRST.

Run FRST as you did before, except that this time around click on the Fix button and wait.

The tool will make a log next to FRST (Fixlog.txt) please post it to your reply.

Please also post the latest Combofix log.


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 LannyLin


Posted 25 October 2013 - 11:49 PM

Hi JSntgRvr,

 

Thanks for the quick reply. I finally gathered enough courage (after I carefully backed up all my data to an external drive) and ran ComboFix despite the warning that System Center 2012 Endpoint Protection was still doing real-time scan, and I think that did it. ComboFix got rid of the last four places of potential ZeroAccess rootkit. I was able to open Windows Firewall. Just to be safe, I ran ComboFix a second time (attached is the log for the second time), and also ran mbam again. They didn't find anything. So I tried to install MSE, and this time it installed fine. So System Center 2012 Endpoint Protection is really gone this time. I am using updated MSE to run a scan right now, but I don't think it will find anything malicious.

 

Some of my programs' executable files were deleted through this process (e.g., Notepad++, Adobe Photoshop, Kingsoft Powerword, etc.), but I can re-install those programs. No big deal.

 

What really surprised me was the fact that these viruses/malware can actually damage restore points, rendering system restore totally useless.

 

Best,

Lanny

 

Attached Files



#4 JSntgRvr


Posted 26 October 2013 - 12:02 PM

Download the enclosed file.

 

Save it next to Combofix.

 

CFScriptB-4.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

 

Re-Scan with FRST and post the new FRST.txt and Addition.txt.




#5 LannyLin


Posted 26 October 2013 - 09:17 PM

Hi JSntgRvr,

 

Followed your instructions and see attached log files. Really appreciate your help! BTW: MSE full scan found a few more pieces of malware and was able to remove those before I ran ComboFix and FRST again.

 

Best,

Lanny

Attached Files



#6 JSntgRvr


Posted 27 October 2013 - 01:04 PM

It looks clear now. How is the computer doing?




#7 LannyLin


Posted 27 October 2013 - 05:03 PM

Computer seems to be back to normal now. I just have to re-install some programs. Thank you so much for helping me out! Is there a way I can mod you up or mark this as the answer or something like that? 



#8 JSntgRvr


Posted 27 October 2013 - 09:11 PM

Congratulations.
 
A final word:
 
Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

The following will implement some cleanup procedures as well as reset System Restore points:

Press the Windows key + R. At the Run command type or copy and paste the following and press Enter:
 

Combofix /uninstall


Remove the C:\FRST folder.

Run and uninstall AdwCleaner.

Manually remove any tool left.

Here are some suggestions.

  • Always keep your JAVA updated. Older versions will make your computer vulnerable.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes! :hello:

