Malwarebytes

"System Security" Malware


13 replies to this topic

#1
stlkent

    New Member

  • Members
  • 2 posts
I can't find anything regarding this one on the forum yet.

When trying to run ANY program, including browsers, the "System Security" icon in the taskbar notification box pops up stating XYZ-program is infected. No SysRestore or Task Manager, and Safe Mode boots to black screen.

Any suggestions before I reformat....

#2
Maniac

    I Love Andriana

  • Experts
  • 10,166 posts
  • Gender:Male
  • Location:Bulgaria, EU
  • Interests:Information security and web development
Greetings and Welcome :D .

If you're having trouble getting Malwarebytes' and other tools to update or run please review the following tutorials and see if they are helpful:


If you aren't able to use those instructions or there are other issues then please follow the instructions here:
I'm infected - What do I do now?

And post your logs in a new topic here:
Malware Removal - HijackThis Logs

Please be sure not to install any software or use any removal or scanning tools except those that you are
instructed to by the expert who will be assisting you as doing so can make their job much more difficult.


note: if for some reason you are unable to run some or any of the tools in the first link, then skip that step and move on to the next one.
If you can't even run HijackThis, then just post here:
Malware Removal - HijackThis Logs describing your issues and an expert will reply with further instructions.


I hope I was helpful. Good luck and safe surfing. :)
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

#3
aacharger79

    New Member

  • Members
  • 4 posts
I have read the tutorial on SystemSecurity and I have downloaded Malwarebytes Anti-Malware. But I am unable to run the setup to install. I have tried all the instructions to enter safe mode (bleepingcomputer.com) but have been unsuccessful. "F8" stops the process, but when I select safe mode the computer simply restarts. There is no "Run" option when I click on Start, and the virus seems to stop me from opening the System Configuration Utility from the control panel. It also blocks getting to a command prompt. Very vicious! :angry: Any other suggestions for getting to safe mode so I can install and run the Anti-Malware? Thanks.

#4
GT500

    Mostly Cantankerous

  • Trusted Advisors
  • 5,532 posts
  • Gender:Male
  • Location:Fortville, IN
System Security is a pain in the neck.

Do you know how to make a BartPE disk?

Quote

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...

#5
aacharger79

    New Member

  • Members
  • 4 posts
Nope...never heard of it. But I'm a quick and patient learner!

#6
Fatdcuk

    Malware BBQ'er

  • Moderators
  • 16,157 posts
  • Gender:Male
  • Location:127.0.0.1
Hi aacharger79,

Just want to test a quick theory out, if you are game?

PS: it involves tracking down the SystemSecurity core executable... and renaming tools to see if they work.
Ade Gill
Research Engineer


#7
aacharger79

    New Member

  • Members
  • 4 posts
I'm game...just give me directions.

#8
Fatdcuk

    Malware BBQ'er

  • Moderators
  • 16,157 posts
  • Gender:Male
  • Location:127.0.0.1
OK, well, I have just checked myself, so this is now just a walkthrough, and I will have to update my canned fix to reflect it :)

Download and save the following file to the desktop.
http://live.sysinter...com/procexp.exe

Rename it to winlogon.exe and run it.

Locate the process that has the shield icon (SystemSecurity) and right-click on it.

It will be random numbers.exe, e.g. 3427254.exe or something like that, but will stick out like a sore thumb :D

Select "Kill Process"

Now install, update and run an MBAM quick scan.

Allow it to delete what it finds and reboot.

LMK how you get on :)
Ade Gill
Research Engineer
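
Added example (not part of the post above or of the Malwarebytes canned fix): a read-only PowerShell check for the naming pattern described in post #8, listing processes whose image name consists of digits only. It assumes PowerShell 3.0 or later for Get-CimInstance; the function names, the sample process list and its paths are constructed for illustration.

```powershell
# Added example: report processes whose image name is digits only
# (e.g. 3427254.exe), the pattern described in post #8.
# Read-only: it lists candidates for review and terminates nothing.

function Test-NumericImageName {
    param([string]$Name)
    # True for "3427254.exe"; false for "winlogon.exe" or "7zfm.exe".
    # -match is case-insensitive, so "3427254.EXE" also matches.
    return $Name -match '^\d+\.exe$'
}

function Get-NumericNamedProcess {
    param(
        # Objects exposing Name, ProcessId and ExecutablePath.
        # Defaults to the live process list from WMI/CIM.
        [object[]]$Processes = (Get-CimInstance -ClassName Win32_Process)
    )
    $Processes |
        Where-Object { Test-NumericImageName $_.Name } |
        Select-Object ProcessId, Name, ExecutablePath
}

# Constructed sample data (not taken from a real infected machine);
# the paths are placeholders, the thread does not say where the file lives.
$sample = @(
    [pscustomobject]@{ ProcessId = 612;  Name = 'winlogon.exe'; ExecutablePath = 'C:\Windows\System32\winlogon.exe' }
    [pscustomobject]@{ ProcessId = 2044; Name = '3427254.exe';  ExecutablePath = 'C:\Example\3427254.exe' }
    [pscustomobject]@{ ProcessId = 3120; Name = '7zfm.exe';     ExecutablePath = 'C:\Example\7zfm.exe' }
)

# Offline demonstration: only PID 2044 is reported.
Get-NumericNamedProcess -Processes $sample | Format-Table -AutoSize

# On a live system, omit -Processes to query running processes:
# Get-NumericNamedProcess | Format-Table -AutoSize
```

ExecutablePath can be empty for processes the current user is not allowed to inspect, so run the live query from an elevated session when the path matters.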


#9
Fatdcuk

    Malware BBQ'er

  • Moderators
  • 16,157 posts
  • Gender:Male
  • Location:127.0.0.1
Just an update,

I have now updated the SystemSecurity canned fix with new screenshots/walkthrough to reflect this new angle of attack :D

http://www.malwarebytes.org/forums/index.p...amp;#entry90056
Ade Gill
Research Engineer


#10
aacharger79

    New Member

  • Members
  • 4 posts
SUCCESS! I am most impressed, not only at the solution to the problem, but also at the forum help. Thanks!

#11
Fatdcuk

    Malware BBQ'er

  • Moderators
  • 16,157 posts
  • Gender:Male
  • Location:127.0.0.1
Excellent and glad we could help :)

Will give my canned post cleanup since we have exorcised the demon :D

Here's some handy reading, though: Prevention page, with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.


We hope our application has helped you eradicate this malicious Malware.
If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection against these types of malware.


Safe surfing :)
Ade Gill
Research Engineer


#12
GT500

    Mostly Cantankerous

  • Trusted Advisors
  • 5,532 posts
  • Gender:Male
  • Location:Fortville, IN
Good job on this one Ade. I knew it'd be a good idea to have you look at this one, but I didn't see you on MSN at the time. I'm glad to see that you found it and checked it out.

Quote

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...

#13
RiskyB

    New Member

  • Members
  • 4 posts

Fatdcuk, on Jul 2 2009, 08:53 PM, said:

Just an update,

I have now updated the SystemSecurity canned fix with new screenshots/walkthrough to reflect this new angle of attack :lol:

http://www.malwarebytes.org/forums/index.p...amp;#entry90056

I am having an issue with the walk-through and was hoping you could offer some advice or some troubleshooting.

"In order to get MBAM installed you will need to identify and terminate/kill the SystemSecurity process.
As you see from the screenshot it is very easily identified by its shield icon and use of random numbers for its executable, e.g. 1234567.exe 638476435.exe 453732.exe and the list goes on.

Highlight the shield icon/random.exe line and right-click and select kill process."

The issue I am having is the shield icon/random.exe line is not available so I cannot select kill process. Do you have any advice about what to do in this case?

#14
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Please go ahead and follow the advice below and someone will assist you as soon as they can.




Scan and post logs - read note at bottom in green
If you're having Malware related issues with your computer that you're unable to resolve.
  • Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  • Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  • Using these other tools often makes the cleanup task more difficult and time consuming.
  • If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  • Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  • There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review.
  • NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.

Ron Lewis
Manager, Online Support


If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.




