Cleaning and installing security


Dancing David
23rd March 2010, 02:51 AM
Yesterday, one of my friends asked if I would look at their machine. It was very sick; it got sick and they had asked someone for help, but then they went on vacation for twenty days.

So it was, like, very slow to boot (10 minutes), and I noticed that msmpeng.exe was part of the problem. I think that what happened is that there was malware that messed up msmpeng.exe or was running interference on it. I believe it is part of MS Security Essentials? Or should it be set to not scan on startup, or something?

So I disabled it and then ran Malwarebytes just to see what was going on. In safe mode it came back with 21 entries, then it came back with three and then it came back with six. So I am assuming there is a rootkit on the machine that needs to be purged before the AV and firewall are going to work.

So I offered him a clean install and format (preferred) and then either a repair/install of Windows OR running the clean and scan with Combofix.

He chose the repair install, so when I do this I know that I have to uninstall IE8, IE7 and Windows XP SP3, then run the repair/install.

I was then going to clean with Malwarebytes and Superantispyware. But I have a feeling I need something more to dig out the rootkit. I know that the repair/install has done wonders on other sick machines.

Ideas?

Is MS Security Essentials more likely to work after a repair install, or should I tell him that Combofix is really the way to go?
Should I tell him to use Avast?

Ohforf
23rd March 2010, 08:02 AM
The real problem could be a virus/rootkit/whatever running each time you boot this PC.
I suggest connecting the HDD to a clean PC and scanning it from there, so no program on the infected PC gets executed.
If you don't want to do this, you can boot from a suitable medium like a Hiren's Boot CD (works from a USB stick, too) or some kind of Linux.
Of course you need a good, fresh, portable Antivirus to run from these...
And just for fun, send your msmpeng.exe to http://www.virustotal.com/.
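An added example, not from anyone in this thread, of the offline check described above: with the disk mounted read-only on a clean machine, the script reads the executables and records their SHA-256 so they can be looked up on VirusTotal by hash without ever running them. The directory layout and file contents are constructed stand-ins for a mounted volume.

```python
import hashlib
import tempfile
from pathlib import Path

# File types worth looking up by hash on an offline-mounted Windows volume.
SUSPECT_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks; the file is only read, never executed."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_manifest(mount_point, names=None):
    """Walk the mounted volume and return {relative_path: (size, sha256)}
    for every executable-type file, or only for the file names in `names`
    (matched case-insensitively, since NTFS paths are case-insensitive)."""
    root = Path(mount_point)
    wanted = {n.lower() for n in names} if names else None
    manifest = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_EXT:
            continue
        if wanted and path.name.lower() not in wanted:
            continue
        rel = path.relative_to(root).as_posix()
        manifest[rel] = (path.stat().st_size, sha256_file(path))
    return manifest


def duplicate_names(manifest):
    """Names that occur in more than one directory: a second copy of a
    security-product binary outside its install folder deserves a look."""
    seen = {}
    for rel in manifest:
        seen.setdefault(Path(rel).name.lower(), []).append(rel)
    return {n: p for n, p in seen.items() if len(p) > 1}


def build_demo_volume():
    """Constructed stand-in for the mounted disk (hypothetical contents)."""
    base = Path(tempfile.mkdtemp(prefix="offline-vol-"))
    prog = base / "Program Files" / "Microsoft Security Client"
    prog.mkdir(parents=True)
    (prog / "MsMpEng.exe").write_bytes(b"MZ placeholder, not a real binary\n")
    temp = base / "WINDOWS" / "Temp"
    temp.mkdir(parents=True)
    (temp / "msmpeng.exe").write_bytes(b"MZ constructed second copy\n")
    (temp / "readme.txt").write_bytes(b"ignored: not an executable\n")
    return base
```

Each hash in the manifest can be pasted into VirusTotal's search, which avoids uploading a file that may be a legitimate, signed Microsoft binary.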

Dancing David
23rd March 2010, 08:48 AM
Makes sense. Well, I already blasted the MS suite, which may not have been wise. I will check out the other boot options, thanks!

ETA: This looks cool, I will have to play with it!
http://www.hiren.info/pages/bootablecd

commandlinegamer
23rd March 2010, 02:41 PM
If your friend doesn't care about the programs on his machine (he has the original installation media) then reinstall is probably the best option. I'm presuming you know how to back up his data.

But if he absolutely has to keep the programs, then cleaning the system with multiple scans with antivirus/antispyware tools will have to suffice. Bear in mind a repair installation of Windows XP (in-place upgrade) will not generally solve any registry problems.

Roma
23rd March 2010, 11:09 PM
Bear in mind a repair installation of Windows XP (in-place upgrade) will not generally solve any registry problems.

Well, Geez Louise! That's what Microsoft is going to do to fix my computer problem.
They just mailed another Word 2003 disk to me so that I could re-install it on my computer. But one of the problems I have is my computer restore registry won't open. So that's not going to fix it?

commandlinegamer
24th March 2010, 04:26 AM
Well, Geez Louise! That's what Microsoft is going to do to fix my computer problem.
They just mailed another Word 2003 disk to me so that I could re-install it on my computer. But one of the problems I have is my computer restore registry won't open. So that's not going to fix it?

It'll restore default permissions to the registry and re-register Windows components, but if it's badly hosed due to infections, I wouldn't rely on it fixing anything; it won't change any third-party entries. But using the antimalware software you've already mentioned I would try - you may need multiple passes, and to use them in safe mode.

Dancing David
24th March 2010, 05:01 AM
If your friend doesn't care about the programs on his machine (he has the original installation media) then reinstall is probably the best option. I'm presuming you know how to back up his data.

But if he absolutely has to keep the programs, then cleaning the system with multiple scans with antivirus/antispyware tools will have to suffice. Bear in mind a repair installation of Windows XP (in-place upgrade) will not generally solve any registry problems.


Oh I know, I think a clean install would be best. I am going to try a clean with a Knoppix disk and tell him that they have to use Combofix anyway.

Dancing David
25th March 2010, 02:18 PM
I burned a Knoppix disk, way too cool, and way too powerful. I have to do some major reading before I would use that.

So I used Majorgeeks Read and Run Me First, it was all better after Combofix and now has Avast on board.