Microsoft Security Essentials Alert

I was getting a Microsoft Security Essentials Alert telling me that there were potential threats to my computer. It wanted me to install Privacy Corrector. I was able to search on Privacy Corrector and found that it was a trojan in at least one of the hits so I did not install it. I was not using MSE and it was not installed on my system. The alert appeared shortly after bringing up the system, even in protected mode. Avast initially ran but did not detect anything. I downloaded Malwarebytes and tried to run it but it kept getting terminated. I tried the OTH/OTL process described in this forum but could not find the scan.txt file mentioned in the process.

I had noted somewhere in this sequence that a protect.exe process was running on my system. I determined that this might be a rogue process. I could not delete it in file manager as it was running. I was able to bring the system up in DOS mode and delete the protect.exe file. My system has been running normally since. I have been able to run malware and it detected and corrected a number of potential problems.

My question is, if I had not noticed the protect.exe running, how would I have corrected this problem since none of the virus programs considered it a problem? It does show up in the log file created in the OTL run. Also, how did the protect.exe get loaded in protect mode?

I would appreciate any information that anyone might be able to provide. I also hope that this might help someone in a future infection.

Hi, welcome to the forum :slight_smile:

I think this is the one that you mean:
http://www.bleepingcomputer.com/virus-removal/remove-privacy-corrector

This contains some instructions on how to remove the rogue. Have you tried this?
Good Luck

Scott

It sounds like a rogue/fake security (MSE) popping up fake security alerts, trying to get you properly infected, don’t visit any site nor download any application.

The pop-ups in themselves aren’t malicious (and variants are fast moving targets), but some of the actions are suspect and it is a more specialist application which is likely to detect them.

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

MBAM, formerly known as RogueRemover, is pretty good at finding and dealing with these rogues, so give that a try.

Before running MBAM send the protect.exe sample to avast for analysis.
Send the sample/s to avast as Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.

I was getting a Microsoft Security Essentials Alert telling me that there were potential threats to my computer.
and if you don’t have the Fake Rogue posted by spg SCOTT then, as DavidR says, you probably have the Fake MSE

Remove the Fake Microsoft Security Essentials Alert Trojan and AntiSpySafeguard
http://www.bleepingcomputer.com/virus-removal/remove-fake-microsoft-security-essentials-alert

I did not keep a copy of the protect.exe. I do have a copy of protect.exe-9F681852.pf that had the same timestamp as the exe file. Will that file be of help?

Upload the file to www.virustotal.com and test it with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here.

Results of the check:

Antivirus Version Last Update Result
AhnLab-V3 2010.12.17.05 2010.12.17 -
AntiVir 7.11.0.83 2010.12.17 -
Antiy-AVL 2.0.3.7 2010.12.17 -
Avast 4.8.1351.0 2010.12.17 -
Avast5 5.0.677.0 2010.12.17 -
AVG 9.0.0.851 2010.12.17 -
BitDefender 7.2 2010.12.17 -
CAT-QuickHeal 11.00 2010.12.17 -
ClamAV 0.96.4.0 2010.12.17 -
Command 5.2.11.5 2010.12.17 -
Comodo 7099 2010.12.17 -
DrWeb 5.0.2.03300 2010.12.17 -
Emsisoft 5.1.0.1 2010.12.17 -
eSafe 7.0.17.0 2010.12.16 -
eTrust-Vet 36.1.8048 2010.12.17 -
F-Prot 4.6.2.117 2010.12.16 -
F-Secure 9.0.16160.0 2010.12.17 -
Fortinet 4.2.254.0 2010.12.17 -
GData 21 2010.12.17 -
Ikarus T3.1.1.90.0 2010.12.17 -
Jiangmin 13.0.900 2010.12.17 -
K7AntiVirus 9.73.3277 2010.12.17 -
Kaspersky 7.0.0.125 2010.12.17 -
McAfee 5.400.0.1158 2010.12.17 -
McAfee-GW-Edition 2010.1C 2010.12.17 -
NOD32 5712 2010.12.17 -
Norman 6.06.12 2010.12.17 -
nProtect 2010-12-17.01 2010.12.17 -
Panda 10.0.2.7 2010.12.17 -
PCTools 7.0.3.5 2010.12.17 -
Prevx 3.0 2010.12.17 -
Rising 22.78.04.00 2010.12.17 -
Sophos 4.60.0 2010.12.17 -
SUPERAntiSpyware 4.40.0.1006 2010.12.17 -
Symantec 20101.3.0.103 2010.12.17 -
TheHacker 6.7.0.1.101 2010.12.15 -
TrendMicro 9.120.0.1004 2010.12.17 -
TrendMicro-HouseCall 9.120.0.1004 2010.12.17 -
VBA32 3.12.14.2 2010.12.17 -
VIPRE 7695 2010.12.17 -
ViRobot 2010.12.17.4206 2010.12.17 -
VirusBuster 13.6.100.0 2010.12.17 -
Additional information
MD5 : d28f5f1b05adaee158912837b60b48e7
SHA1 : 4a9dff23ff7d7ee2a0f1cc63eebb9b0a502d33f0
SHA256: 4501f41a5f1511ffe7da1876fefdb39d9cc7b00da847c800b0ba4c6313973e64
ssdeep: 768:xP+3AQklRxKJRhp6ZGnUlyY9aFwkyFOLhQxm50XlI/RLo2edvsH6dje:xcA/j8pOGncyY9geFOLh6plI/8Y6dje
File size : 43404 bytes
First seen: 2010-12-17 22:40:28
Last seen : 2010-12-17 22:40:28
TrID:
Unknown!
sigcheck:
publisher…: n/a
copyright…: n/a
product…: n/a
description…: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned


That isn’t a copy of the file, the data in the prefetch folder just contains information on the files location to speed up loading, unfortunately that is of no use as it is a completely different file. The timestamp may well be the same but the file size and MD5 would be completely different. This is why there are zero hits on the VT scan as it is a benign pre-fetch data info file.

jepp the protect.exe file is the one that avast! analysis would like to play with…

Sorry, the exe file is gone. I should have made a copy but I am lucky to remember just enough to be dangerous in DOS anymore.

As to the remedies suggested in the previous post, I did at least look at them during my attempt to clear the problem. However, I was not sure they were from a trusted source. I had been reading about fakers that might only compound the problem. How can I certify that a suggested solution is real? I downloaded one thing with a free download, it ran, but then I had to purchase the fix.

I will try to do better the next time.

We aren’t in the habit of suggesting options that aren’t genuine or that you may have to pay for. So personally I would start with MBAM that I suggested as aside from this I would keep it as a backup on-demand (free version is on-demand only) anti-malware scanner.

I have been hit by this same problem, it seems, but unlike reported supra, this MSE thing terminates IE8 as well as MBAM-on-demand, so how can I implement

http://www.bleepingcomputer.com/virus-removal/remove-fake-microsoft-security-essentials-alert

I mention that the infection is on 32-XP Pro.

Thanks for your help.

I have been hit by this same problem, it seems, but unlike reported supra, this MSE thing terminates IE8 as well as MBAM-on-demand, so how can I implement
Did you read/follow step 3 in the guide?

ummm, sorry: what is “the guide” please?

The one you posted the link to, bleeping computers.

Step 3 is downloading and using RKill.