
Security Center shows wrong a/v


Lushington

Sep 30, 2009, 5:29:01 PM
I have a friend with XP Home sp3. The computer was infested with Windows
Protection Suite. This was removed with a combination of Malwarebytes
Anti-Malware and manual deletion (MBAM didn't get it all). There are no
relevant hits for "protection" or "suite" searching either with Windows
Explorer or regedit, but there are 2 leftover bits of odd behavior.

Task manager does not run. There is no error message, just nothing happens.
We have reset the registry keys but this didn't help. Using a copy of
taskmgr.exe from a clean machine also did not work.

Although there is an active and up-to-date Symantec Antivirus Corporate
Edition installed, Windows Security Center still reports that "Windows
Protection Suite reports that it is up to date and virus scanning is on."

Uninstalling and reinstalling SAV CE is not an option; he doesn't have the
install media. I realize that he could just remove it entirely and install
something else, such as NOD32, but at the moment he's not willing to do so.

Similarly, the Task Manager issue probably is best dealt with by a clean
install. That too isn't a real option for him at the moment.

Short of reinstalling Windows and/or the antivirus app, any suggestions?

Jose

Sep 30, 2009, 5:43:13 PM
On Sep 30, 5:29 pm, Lushington <Lushing...@discussions.microsoft.com>
wrote:

Please provide information first:

Click Start, Run and in the box enter:

msinfo32

Click OK, and when the System Summary info appears, click Edit, Select
All, Copy and then paste

There will be some personal information (like System Name and User
Name), and whatever appears to
be private information to you, just delete from the pasted
information.

Navigate to the c:\windows\system32 folder and make a copy of
taskmgr.exe to some other name:

lushing.exe

See if launching lushing.exe will open Task Manager.

Your name is familiar, have we worked on this before?

Ken Blake, MVP

Sep 30, 2009, 5:58:58 PM
On Wed, 30 Sep 2009 14:29:01 -0700, Lushington
<Lushi...@discussions.microsoft.com> wrote:

> I have a friend with XP Home sp3. The computer was infested with Windows
> Protection Suite. This was removed with a combination of Malwarebytes
> Anti-Malware and manual deletion (MBAM didn't get it all). There are no
> relevant hits for "protection" or "suite" searching either with Windows
> Explorer or regedit, but there are 2 leftover bits of odd behavior.
>
> Task manager does not run. There is no error message, just nothing happens.
> We have reset the registry keys but this didn't help. Using a copy of
> taskmgr.exe from a clean machine also did not work.


Then almost certainly, when you say "This was removed ..." you are not
correct. It is still there, at least in part.

Exactly what did you or he do that you describe as "manual deletion"? How
do you know that what was done was the proper thing to do?


> Although there is an active and up-to-date Symantec Antivirus Corporate
> Edition installed, Windows Security Center still reports that "Windows
> Protection Suite reports that it is up to date and virus scanning is on."
>
> Uninstalling and reinstalling SAV CE is not an option; he doesn't have the
> install media. I realize that he could just remove it entirely and install
> something else, such as NOD32, but at the moment he's not willing to do so.


Maybe he could and maybe he couldn't. It's common that infections
prevent the installation of security software.


> Similarly, the Task Manager issue probably is best dealt with by a clean
> install. That too isn't a real option for him at the moment.

He needs to understand that when a computer is infected with malware,
sometimes it's possible to remove the malware and sometimes it's not.
It depends on things like what the malware is, how many infections
there are, and for how long it's been infected. If the situation is
bad enough, what he describes as "not a real option" may in fact be
his *only* option.


> Short of reinstalling Windows and/or the antivirus app, any suggestions?

--
Ken Blake, Microsoft MVP (Windows Desktop Experience) since 2003
Please Reply to the Newsgroup

PA Bear [MS MVP]

Sep 30, 2009, 6:36:49 PM
You've got MUCH more work to do!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting requested logs
in an appropriate forum, not here.

Checking for/Help with Hijackware:
http://aumha.net/viewtopic.php?f=30&t=4075

http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.

--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

Lushington

Sep 30, 2009, 8:20:01 PM
No, we haven't worked on this particular issue before.

I made a copy of taskmgr.exe from another computer and tried that, but I
haven't tried it with a different name. That, and the msinfo results will
have to wait until I get back to the problem machine.

Thanks

Lushington

Sep 30, 2009, 8:31:01 PM
Thanks.

Yes, there is more work to do.

As noted, SAV CE was installed and up to date. Windows update patches
likewise.
Although MBAM came up clean, Spybot S&D found some additional traces of
"Windows Protection Suite." I had to leave before I determined whether
allowing Spybot S&D to remove them solved the problem.

Spybot initially had a problem fixing the WPS issue because it couldn't
replace the hosts file. I was able to manually delete the hosts file and then
Spybot claimed it "fixed" the issue. When I attempted to edit the hosts file
back to the default (deleting all the lines below 127.0.0.1 localhost)
there was a permission issue when I attempted to save it. Because this was
XP Home, and I didn't have time to restart in Safe Mode, I saved the edited
file as hosts.txt and then was able to rename it to hosts.

I'll try the MSRT, but I suspect that this will not be simple, even with HJT
logs. Most likely, as Ken suggests, a reinstall will be the only way out.
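An added example, not from the thread or any poster: it audits a hosts file for entries beyond the stock "127.0.0.1 localhost" line described above and separates plain blocks from entries that redirect a hostname to some other address. The sample hosts content and the hostnames in it are constructed.

```python
"""Audit a hosts file for entries added beyond the stock XP default line.

Added example, not from the thread; SAMPLE_HOSTS below is constructed."""
import ipaddress

# The stock hosts file carries only the loopback mapping the post refers to.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname) tuples, ignoring comments, blanks and bad lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address: skip rather than guess
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text):
    """Return (extra, redirects): all non-default entries, and the subset
    that points a hostname at a non-loopback address (traffic redirection
    rather than a simple block)."""
    extra = [e for e in parse_hosts(text) if e not in DEFAULT_ENTRIES]
    redirects = [e for e in extra
                 if not ipaddress.ip_address(e[0]).is_loopback]
    return extra, redirects


def restore_default():
    """Content to write back when resetting the file, as the post did."""
    return "127.0.0.1 localhost\n"


# Constructed sample: the default line plus two entries an infection might add.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       update.example-av.invalid
198.51.100.7    www.example.invalid
"""

if __name__ == "__main__":
    extra, redirects = audit_hosts(SAMPLE_HOSTS)
    for ip, host in extra:
        kind = "REDIRECT" if (ip, host) in redirects else "blocked"
        print(f"{kind:8} {host} -> {ip}")
```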

Jose

Sep 30, 2009, 10:10:21 PM
On Sep 30, 8:31 pm, Lushington <Lushing...@discussions.microsoft.com>
wrote:
> > http://aumha.net/viewforum.php?f=30 or other appropriate forums.**

So far, the descriptions of your issues do not sound too scary. They
are just misunderstood.

Post the msinfo32 info, and run the lushing.exe, and then we will know
some things for sure and not have to resort to just trying things.

It sounds like you have limited access to the afflicted system so you
need to get things done chop-chop. Responding to my queries will only
take you a few minutes - even on a slow day, and will tell a great
story. Nothing to download, nothing to install...

I would be far, far, far, far away from a reinstall.

Bob Joy

Oct 1, 2009, 7:38:33 AM
"windows protection suite infection"

I have removed "windows protection suite" with free trial of
www.malwarebytes.com

PA Bear [MS MVP]

Oct 1, 2009, 10:19:10 PM
You've got a Trojan FakeAlert-variant infection. Skip straight to #3 and
post in an appropriate forum: You're going to need help from someone
experienced in these matters (or you can "wipe 'n reload").

Scanning with MBAM will NOT resolve all of your problems, either.

Lushington

Oct 2, 2009, 7:01:02 PM
Renaming taskmgr.exe worked. So now what I need to know is what is blocking
taskmgr.exe from running under its own name.

Here is the msinfo32 report:

OS Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name DELL
System Manufacturer Dell Computer Corporation
System Model Dimension 2400
System Type X86-based PC
Processor x86 Family 15 Model 2 Stepping 9 GenuineIntel ~2657 Mhz
BIOS Version/Date Dell Computer Corporation A05, 12/2/2003
SMBIOS Version 2.3
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume2
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
User Name DELL\Terry
Time Zone Eastern Daylight Time
Total Physical Memory 512.00 MB
Available Physical Memory 285.60 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 1.22 GB
Page File C:\pagefile.sys

Daave

Oct 4, 2009, 12:01:35 PM
Lushington wrote:
> I have a friend with XP Home sp3. The computer was infested with
> Windows Protection Suite. This was removed with a combination of
> Malwarebytes Anti-Malware and manual deletion (MBAM didn't get it
> all). There are no relevant hits for "protection" or "suite"
> searching either with Windows Explorer or regedit, but there are 2
> leftover bits of odd behavior.
>
> Task manager does not run. There is no error message, just nothing
> happens. We have reset the registry keys but this didn't help. Using
> a copy of taskmgr.exe from a clean machine also did not work.
>
> Although there is an active and up-to-date Symantec Antivirus Corporate
> Edition installed, Windows Security Center still reports that "Windows
> Protection Suite reports that it is up to date and virus scanning is
> on."

Something tells me that that's not the *real* Windows Security Center
giving you that message!

> Uninstalling and reinstalling SAV CE is not an option; he doesn't
> have the install media. I realize that he could just remove it
> entirely and install something else, such as NOD32, but at the moment
> he's not willing to do so.
>
> Similarly, the Task Manager issue probably is best dealt with by a
> clean install. That too isn't a real option for him at the moment.
>
> Short of reinstalling Windows and/or the antivirus app, any
> suggestions?

Have you seen this page?:

http://www.bleepingcomputer.com/virus-removal/remove-windows-protection-suite

If the PC is still compromised, a Clean Install might be necessary. But
before doing that, you might first want to try posting a HijackThis log
to an appropriate forum to get guided assistance.


Lushington

Oct 4, 2009, 1:20:01 PM
Thanks. I hadn't seen that particular site.

I'll check to see if anything got left over when MBAM tried to remove it.
