
"Security Protection" (defender.exe) not completely removed



Hello, first time poster, long time user.

I have a Windows 7 laptop here that was infected with the "Security Protection" (defender.exe) malware. I was able to boot into safe mode and remove the hklm\software\microsoft\windows\currentversion\run entries for the malware, and also deleted c:\programdata\defender.exe and a rogue "conhost.exe" which was located under the user's appdata\roaming\microsoft folder. I also removed all items in prefetch.

This prevented the malware from loading at next boot and the OS seems to be OK. However, under Task Manager there is a strange process with the name of "1741608673:506016152.exe" with user name "SYSTEM" and description "506016152.exe". If I try to end the process it does not work. If I attempt "open file location" nothing happens. I can use taskkill, which tells me it terminated the process, but it doesn't go away. Even booting into safe mode it is still there.

Web access seems to be broken. I can ping sites like www.google.com but the actual browser gives me "internet explorer cannot display the web page". Initially the checkbox for proxy server was checked off (with nothing defined), but even after clearing this I still cannot get anywhere within IE8.

I tried installing Malwarebytes Anti-Malware and running a scan, but it crashes about 10 seconds into the scan, and attempting to run mbam.exe after this results in "windows cannot access the specified device, path or file. You may not have the appropriate permissions to access this item". The same thing happens with hijackthis.exe. It crashes when I attempt to run it, and subsequent attempts at running it generate this same message.

It seems that this "1741608673:506016152.exe" is still leftover from the "security protection" malware and I am stumped at this point.

Please help



Also, when initially looking at msconfig there was a strange entry that linked to user/appdata/local/mpimsry.dll. I was pretty sure this was malware-related but not positive, so instead of deleting it I renamed it "disabled_mpimsry.dll".

Please help


Sorry about quoting my whole last message, I meant to edit it.

About the strange .dll: I went back into msconfig and the entry is still there (albeit disabled).

I have the "security protection" (c:\programdata\defender.exe) disabled, and this other one is named:

"Jwuhafewoqaned" - (rundll32.exe "c:\users\user\appdata\local\mpimsry.dll",Startup)

Both have been disabled. But I still have this strange .exe as mentioned above in the taskmgr, and am unable to run hijackthis or mbam.exe (both crash, then the actual .exe seems to get corrupted, as I cannot run the program after that point unless it is reinstalled).


Also, in the Windows directory there is a 0 KB file that has the same name as the first part of the rogue .exe.

The file is "c:\windows\1741608673", and in Task Manager there is an .exe named "1741608673:506016152.exe" that does not respond to termination requests; attempting to create a dump file of the process just hangs at "please wait while the process is written to the file...", and trying "open file location" does nothing.


I searched the registry for "1741608673" and it came up with

HKLM\system\controlset001\services\e1d6ce67

HKLM\system\controlset002\services\e1d6ce67

HKLM\system\currentcontrolset\services\e1d6ce67

each of these has the "ImagePath" value set to "\systemroot\1741608673:506016152.exe"

I deleted those entries and subkeys, but after a reboot, the .exe still persists in task manager, and the registry keys were RECREATED.

I then tried the following: changed "ImagePath" to blank for all three, then changed the permissions on the e1d6ce67 key; disabled inheritance and removed all permissions. After reboot, the registry keys were not populated again due to me removing the permissions. However, that damn 1741608673:506016152.exe still shows up in Task Manager!

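The ImagePath value found above, "\systemroot\1741608673:506016152.exe", is the NTFS syntax for an alternate data stream: the 0 KB file c:\windows\1741608673 is only the host, and the service loads the "506016152.exe" stream attached to it, which is why "open file location" finds nothing and the file appears empty. The script below is an added example for responders, not something posted in this thread or shipped by Malwarebytes: it walks every ControlSet's Services key, flags ImagePath values that point into a stream, and lists the streams on the host file with their sizes. It assumes an elevated PowerShell 3.0 or later session on the suspect machine (Get-Item -Stream requires 3.0, so it will not run on a stock Windows 7 PowerShell 2.0 install without the Windows Management Framework update) and only reads; it deletes nothing.

```powershell
# Added example (not from this thread): audit service ImagePath values for NTFS
# alternate-data-stream references such as \systemroot\1741608673:506016152.exe
# and enumerate the streams on the referenced host file. Read-only.
# Assumes: elevated PowerShell 3.0+ on the machine being examined.

function Resolve-ServiceImagePath {
    param([string]$ImagePath)
    # Extract the executable from a quoted or argument-bearing ImagePath
    if ($ImagePath -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($ImagePath -split ' ')[0] }
    # Normalise the kernel-style prefixes the Service Control Manager accepts
    # (-replace is case-insensitive, so \SystemRoot\ and \systemroot\ both match)
    $exe = $exe -replace '^\\\?\?\\', ''
    $exe = $exe -replace '^(\\systemroot\\|%systemroot%\\)', "$env:SystemRoot\"
    # A bare relative path (e.g. system32\drivers\x.sys) is relative to %SystemRoot%
    if ($exe -notmatch '^[A-Za-z]:\\') { $exe = "$env:SystemRoot\$exe" }
    return $exe
}

function Find-AdsServiceImage {
    # Check ControlSet001, ControlSet002, ... as well as CurrentControlSet, because
    # a persistence entry can be recreated in every control set at boot.
    $sets = Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -match '^ControlSet\d+$' }
    foreach ($set in $sets) {
        $services = Get-ChildItem "$($set.PSPath)\Services" -ErrorAction SilentlyContinue
        foreach ($svc in $services) {
            $image = (Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
            if (-not $image) { continue }
            $exe = Resolve-ServiceImagePath $image
            # A colon after the drive letter means "hostfile:streamname", i.e. an ADS
            if ($exe.Substring(2) -notmatch ':') { continue }
            $cut = $exe.LastIndexOf(':')
            $hostFile = $exe.Substring(0, $cut)
            $hostBytes = $null
            if (Test-Path -LiteralPath $hostFile) {
                $hostBytes = (Get-Item -LiteralPath $hostFile -Force).Length
            }
            [pscustomobject]@{
                ControlSet = $set.PSChildName
                Service    = $svc.PSChildName
                ImagePath  = $image
                HostFile   = $hostFile
                Stream     = $exe.Substring($cut + 1)
                HostBytes  = $hostBytes   # 0 here while the payload lives in the stream
            }
        }
    }
}

function Get-HostFileStream {
    param([string]$HostFile)
    if (-not (Test-Path -LiteralPath $HostFile)) { return }
    # -Force includes hidden/system files; -Stream * lists every named stream,
    # not just the default ::$DATA stream that Explorer and dir report.
    Get-Item -LiteralPath $HostFile -Force -Stream * |
        Select-Object FileName, Stream, Length
}

$hits = @(Find-AdsServiceImage)
if ($hits.Count -eq 0) {
    Write-Output 'No service ImagePath points into an alternate data stream.'
}
foreach ($hit in $hits) {
    $hit | Format-List
    Get-HostFileStream -HostFile $hit.HostFile | Format-Table -AutoSize
}
```

Two caveats apply when reading the output. First, Task Manager behaviour like the one described in this thread (a SYSTEM process that survives taskkill and safe mode, dump creation that hangs, scanners whose executables become unreadable after one run) points to a kernel-mode component, and a kernel-mode rootkit can filter file, stream and registry enumeration from user mode; an empty result from this script therefore does not establish that the machine is clean, and the file system should be confirmed from an offline boot environment. Second, legitimate services can have odd ImagePath prefixes, which is why the script reports rather than deletes: every hit still needs a human to compare the host file, stream size and service name against the known-good baseline for the system.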

  • 1 month later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
