System Security + Microsoft Antivirus Pro


Hi,

I've been tasked to clean a friend's computer, and it seems really bad. I know he is infected with Windows Antivirus Pro and System Security, but there seems to be much more than that. At first I ran Kaspersky Rescue Disc which found and removed over 70 threats, but Win AV Pro and System Security still remained.

I was directed to mbam by some searches which said it will find and remove these infections. At first, these infections locked down the task manager, command prompt, registry, control panel, and basically every program from running. However, I followed some threads here and used Process Explorer to close down the System Security processes by renaming it winlogon.exe.

So now I'm at a point where I can use the task manager, registry edit, and install and run programs. However, after installing mbam, when I go to run it it shuts down and gets deleted, which makes me think there is something else here, perhaps a rootkit.

So I started following the rootkit advice but I can't get anywhere with it. Any program I try to run gets shut down and deleted even if I rename the exe to winlogon. I can install HijackThis, but when it starts running it closes, and if I run it again I get a message saying "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access this item." Same thing happens with mbam.

I tried running RootRepeal, but when I start it up it just hangs at a window which says "Initializing. Please wait..." I waited over half an hour for that to start, while it starts instantly on another machine.

So I'd like to know if anyone can help me. I'm afraid I can't provide any log files because all the programs either won't install, won't run, or get terminated and deleted by the infection. Is there something more basic, with the console or registry I can do to get rid of this infection? Is there a manual way to identify it?

Thanks in advance, and please let me know if there's any more information I can provide you with which would be helpful.


One more thing, this computer looks like it hasn't been updated since 2004. It has IE 6 and SP 2, but there's a large number of fixes waiting in the Windows Update queue. I tried downloading them and it fails each time.

Is there a way to identify what is closing and locking the antivirus scanners before they finish? Presumably it's not System Security or MS Antivirus Pro, since I ended their processes.


  • Root Admin

Okay please try the following. Download and burn from a CLEAN system.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here.
  • Place a blank CD in your burner and double-click on the downloaded file named rescue_system-common-en.exe.
  • If the above link does not work, please try this one: here.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse, click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files.
    • Select Try to repair infected files and Rename files, if they cannot be removed.
    • Select Scan for dialers.
    • Select Scan for joke programs (Jokes).
    • Select Scan for games.
    • Select Scan for spyware (SPR).
  • Click on Virus scanner.
  • Click on Start scanner at the bottom of the screen.
  • Currently the program does not support saving a log. Write down the number of items for Records, Suspect files, and Warnings.

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

  1. Please see the post here if you're unable to view the entire screen of Avira.
  2. You can also review this one: Fixed Rescue CD Resolution Probs with Dell Video.
  3. Currently only the German keyboard is supported. Command Line not working: English keyboards require workarounds.
  4. Some computers attempt to mount the floppy even though they don't have one. You may need to go into the BIOS and disable the floppy drive in order to mount your hard drive for scanning.


Here are the results for my scan:

  directories:    5015
  scanned files:  226608
  alerts:         43
  suspicious:     0
  repaired:       0
  deleted:        0
  renamed:        43
  quarantined:    0
  warnings:       17
  scan time:      00:27:47

Here are some threats it found. I omitted duplicates.

  TR/Drop.Spybot.D
  TR/CryptRedol.19456.3.3
  TR/Crypt.ZPACK.Gen
  TR/Ertfor.B
  TR/Dldr.Snilis.B.21
  TR/Dldr.Calper.acm
  TR/Dropper.Gen
  TR/Crypt.Redol.22528.3
  HTML/Infected.WebPage.Gen
  TR/Rootkit.Gen
  BDS/Backdoor.Gen
  TR/Agent.xdo
  TR/Wimpixo.61440A
  TR/Dldr.Apropo.R.2
  TR/Fake.Antivirus.C
  TR/Fake.Antivirus.B
  TR/Ertfor.B.1
  WORM/Nyxem.Z
  TR/Crypt.ULPM.Gen
  TR/Calper.afl

Doesn't look good, does it? As this shows, none of the threats were deleted, just renamed. Does this get rid of them? I tried reinstalling mbam again and it has the same effect of closing and locking access from me.

However, I did notice the characteristic service svchast.exe of Microsoft Antivirus Pro was not running at start up. However, when I do a Google search in IE, when I click on a search result it still takes me to an unrelated page.

I found I can run DDS without trouble. If you want I can post the log files from that.

Thank you for your help so far, any ideas to move forward are greatly appreciated.


  • Root Admin

Please run the following. Make sure you disable your Anti-Virus first or it will block it from doing its job.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Thank you for your prompt reply,

When I double-click on the file, a box appears with a green progress bar. The bar fills, but nothing happens. If I run the program while looking at the task manager, a bunch of processes are created and destroyed promptly. This is the same if I rename the file on download, transfer it from a clean computer, or run it in safe mode.

I have disabled all anti-virus and firewalls, including Windows Firewall.

Is there any other thing which could prevent it from running? I look forward to your next response.


Thank you for your reply,

Well after trying all the suggestions in that FAQ and running it in safe mode I couldn't get anything to work.

I'm thinking it's about time to throw in the towel and reformat; the person whose computer this is has been without it for almost a week at this point. If you don't have any other suggestions, I think this might be what I tell the person.


  • Root Admin

Please try the following. If that does not help then there are some other things we can try, but if you're under a time constraint to complete this then let me know. Running scans and fixes does take time, and for some people they just find it easier to save the data and reformat, but others don't want to lose all the customization, etc., or don't have all the original install disks, so they want to spend the time to remove the malware.

Do you have or can you build an Ultimate Boot CD for Windows?


I had just run that scan again earlier today. Nothing has changed since the last time: 43 alerts, 17 warnings, nothing suspicious, so at least it's not getting worse!

I'm not under a strict time constraint, I'm just thinking about what a reasonable amount of time to have your computer out of commission is. Anyway, the person whose computer this is is going on vacation next week, so they won't miss it in that time.

Thank you for your prompt reply


  • Root Admin

The latest is 3.5 I think.

One last thing you can try is this. Please only do this portion and not anything else posted.

http://www.malwarebytes.org/forums/index.p...st&p=108942

Start at option #2 and ignore #1.

If that too does not work or help, then build the disk and we'll see if we can run some other tests and scans with it.

Update the virus definition files when building the CD.


  • Root Admin

Okay, thanks for the follow-up I appreciate it.

Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
