mcafee compromised

Discussion in 'Malware Help (A Specialist Will Reply)' started by frumpus, Apr 20, 2009.

  1. frumpus

    frumpus Private E-2

    On Easter weekend I was helping my father clean some stuff off of his computer. I figured since I had McAfee fully updated and running and Windows (XP pro, SP 3) fully patched I was pretty safe to use a USB drive to transfer some files between my laptop and his. I was mistaken.

    Within a couple of days McAfee was causing my system to freeze. I ran some scans at the time and cleaned up a couple of infections but McAfee still would not run properly.

    Symptoms Before running 'Read and Run First' procedure:

    My attempts to reinstall McAfee were only partially successful. It was unable to start the 'McAfee common framework' service. In fact the service did not even show up in the services list. I could ignore this and complete the install, but without the framework service running it is pretty useless. I could only update with superdats, and though I could run a scan, it never found anything and I wasn't very confident in it.

    Symptoms after running 'Read and Run First' procedure:

    McAfee installs properly and the services all start. However, it still refuses to update by normal means. When I try to update it instantly claims it is 'Unable to find a valid repository' and closes the update. It doesn't even take a full second for it to give up so I don't think it is even really trying to connect. Internet connectivity is otherwise fine. I think McAfee is still compromised somehow.

    Logs attached. Any thoughts?
     

  2. Corporal Punishment

    Corporal Punishment Head of Software Shenanigans Staff Member

  3. frumpus

    frumpus Private E-2

  4. frumpus

    frumpus Private E-2

    And I'm definitely still infected with something. While I was away with only MS Outlook running, McAfee detected and deleted the following from the System Volume Information\_restore directory.

    A0003560.exe
    a0003559.dll

    detected as RemAdm-VNCView
    Detection Type - Remote Admin Tool
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What Corporal Punishment meant for you to do was use the search feature of the link he gave you. Just copy and paste 'Unable to find a valid repository' into the "ask a question" box to search on this information.

    These are not problems. They are just files in System Restore that you can remove by toggling System Restore off and then back on. Doing this REMOVES ALL RESTORE points so you may not want to do this right now since you may need to use an old restore point to resolve your problem.

    For your issue with McAfee, you will have to post on their website or call them. It is not a malware problem, it is a problem with their software. If you do a complete uninstall using the below and then try to uninstall what happens:

    McAfee Consumer Product Removal Tool


    Is this a company owned PC? Who set up all the below policies and the Remote Administration tool, which may be what McAfee was detecting?

    I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here, and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground, and it can also cause performance degradation, especially when you start saving large files here like you are doing.

    Delete the below file from your USB Drive which I assume was drive E:
    E:\m.exe

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    The above are the only issues in your logs.
     
    Last edited: Apr 27, 2009
  6. frumpus

    frumpus Private E-2

    I understand. I will try that.

    I tried that. Unfortunately the removal tool does not work with McAfee Enterprise.

    Yes, it is. In fact, after I removed McAfee it was supposed to get pushed back to my machine automatically. When this didn't happen I ran the installer manually but I don't think that installed it with exactly the same settings and policies that the admins are trying to enforce. I'm starting to think this may actually be my problem. I'm going to talk to them about pushing it to me correctly and see if that solves my update issue.

    Done. I am unable to keep combofix there as mcafee deletes it. I will have to reboot to safe mode with networking and download it when we need it again.

    Done and done and success message received.
     
  7. frumpus

    frumpus Private E-2

    Ok, the admins have repaired my McAfee problem. I will consider this resolved unless there is something else you recommend I do.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Glad to hear it.

    Just final instructions below.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between the combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you did not already do this and you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
