System Security 2009 Virus

  Inside Edge 17:50 07 Jul 2009

Hi,

I've managed to suck in what I think is the System Security 2009 Trojan - I can't verify that anymore, as I can't boot to Windows XP at all right now, Safe Mode or otherwise. Initially, I was getting all the unsolicited virus scans and invitations to buy my way out of trouble. I ignored them whilst researching a removal method, but before sorting it I found I couldn't boot past the "For Recovery Press F10" step in the boot-up process. Pressing F10 does nothing and I can't reach Safe Mode via F8 either.

I had something similar on another PC a few months back and went through the AntiMalwareBytes and SuperAntiVirus steps through Safe Mode, but I couldn't remove it totally and ended up reinstalling XP and all my programs. That PC was newish so it wasn't a big deal, but now my main PC is infected.

I had an idea that I might re-install my old HDD, which still has an image of my Operating System and most programs, boot to that and then install AntiMalwareBytes or another recommended program and use it to remove the problem from my "real" C:\ drive, which would now be a dumb D:\ drive.

Do you think that would work, or would I risk infecting my old HDD too?

Any thoughts very much appreciated

  Rahere 17:57 07 Jul 2009

Just make sure you have antivirus, MS updates and latest versions of all the tools you want to use.
Disconnect from your network or internet too. Not sure if you will be able to scan another drive or use some of these tools in safe mode but try it first as this is safer.

You could also try booting the original computer with the DrWeb Cureit Live CD (click here); this assumes you've got access to another PC, the internet and a CD burner though.

Good luck

  birdface 18:30 07 Jul 2009

As far as I know, the Microsoft Malware Removal Tool now removes it.

click here

  Inside Edge 19:09 07 Jul 2009

Thanks guys,

Rahere - I do have a second PC so I'll try the link when I get home this evening.

buteman - I followed the link, but I don't think I can download it directly to the infected HDD, as I can't boot to XP on that HDD. If I boot to the clean OS on the spare HDD, do you think the MS malware tool would work on the infected one (when it sees it as D:\)? I would try this anyway, but I'm just a bit cautious about the risk of cross-infecting the clean HDD before I get a chance to run a tool on it!

  Stuartli 19:25 07 Jul 2009

Windows Defender is apparently able to delete the System Security 2009 virus.

click here

  baldydave 21:49 07 Jul 2009

If the Microsoft Malware Removal Tool fails, try Malwarebytes from here:
click here
Download it, then right-click it and rename the file "rabbit" or whatever you want (the trojan will try to stop mbam/malwarebytes running if you do not rename the file). Install it, then update (tab), then scan.

  birdface 10:07 08 Jul 2009

Another good program to try is this.

click here

It is a pay-for version, but you get a 30 day trial and it will remove anything that it finds. If it asks for a payment, ignore it and carry on with the scan.
Worth a try if you can get it to run.

  rdave13 10:29 08 Jul 2009

If you have an XP disc you could also try a repair install; click here

  Inside Edge 12:27 08 Jul 2009

Thanks to all above for your suggestions.

Update:

As I can't boot to the infected HDD at all, I booted to my clean disk and ran AntimalwareBytes from there. I was able to scan the infected HDD. For some reason it ran very slowly (6 hrs!) and I got the results this morning. It found various things (see list below). I must admit I expected a longer list, but as there are several .exe files in there, maybe that's why the trail of damage is significant.

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

08/07/2009 08:14:53
mbam-log-2009-07-08 (08-13-59).txt

Scan type: Full Scan (D:\|H:\|)
Objects scanned: 245881
Time elapsed: 7 hour(s), 5 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\rhcaj8j0e391 (Rogue.Multiple) -> No action taken.

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> No action taken.
h:\documents and settings\all users\application data\13334374\13334374.exe (Rogue.SystemSecurity) -> No action taken.
h:\documents and settings\all users\application data\93344366\93344366.exe (Rogue.SystemSecurity) -> No action taken.
h:\documents and settings\bernie smith\my documents\my downloads\AdwarePro_Setup.exe (Rogue.Installer) -> No action taken.
h:\program files\motorola phone tools\MPT_TEST_Info.exe (Trojan.Downloader) -> No action taken.
h:\program files\motorola phone tools\061013008293\MPT_TEST_Info.exe (Trojan.Downloader) -> No action taken.
h:\program files\Pinnacle\DV500\eregister\RegTool.exe (Rogue.RegTool) -> No action taken.
h:\system volume information\_restore{e1d71d59-8187-4fd8-9db9-d4a73a6f8b48}\RP1389\A0287954.rbf (Rogue.RegTool) -> No action taken.
c:\program files\rhcaj8j0e391\database.dat (Rogue.Multiple) -> No action taken.
c:\program files\rhcaj8j0e391\license.txt (Rogue.Multiple) -> No action taken.
c:\program files\rhcaj8j0e391\rhcaj8j0e391.exe.local (Rogue.Multiple) -> No action taken.
....................

I removed all the above using AntiMalwareBytes and it reported that they were successfully removed.

That was this morning before work and I haven't had time to re-wire the HDDs to check if I can boot to the infected one. This evening I plan to run one or more of the other removal tools as insurance and then I'll reboot to check how successful it's been. I'll post later on to tell you all how it went.

Rahere - I was interested in the DrWeb Live CD as it had the potential to avoid the need for swapping the HDDs around. I tried to download it, but after a long wait I didn't seem to get anything in; the download instructions weren't that clear as to exactly what you need to copy from the list of files and folders that appear when you click "download".

More later, .....thanks again.

  Inside Edge 13:21 09 Jul 2009

OK, ...update...

Rebooted to the "infected" HDD following removal of the threats identified by AntiMalwareBytes, but it still gets stuck at the "press F10 for Recovery" stage. It does not respond to further inputs.

I repeated the scan exercise (run from the clean HDD) using Superantispyware. This found a shedload of cookies but not really anything else.

I ran AntiMalwareBytes again and it picked up more threats as follows:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

09/07/2009 07:16:07
mbam-log-2009-07-09 (07-16-07).txt

Scan type: Full Scan (H:\|)
Objects scanned: 245466
Time elapsed: 4 hour(s), 5 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
h:\system volume information\_restore{e1d71d59-8187-4fd8-9db9-d4a73a6f8b48}\RP1330\A0268236.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
h:\system volume information\_restore{e1d71d59-8187-4fd8-9db9-d4a73a6f8b48}\RP1330\A0268237.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
h:\system volume information\_restore{e1d71d59-8187-4fd8-9db9-d4a73a6f8b48}\RP1330\A0268238.exe (Rogue.Installer) -> Quarantined and deleted successfully.
h:\system volume information\_restore{e1d71d59-8187-4fd8-9db9-d4a73a6f8b48}\RP1330\A0268239.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
h:\system volume information\_restore{e1d71d59-8187-4fd8-9db9-d4a73a6f8b48}\RP1330\A0268240.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
h:\system volume information\_restore{e1d71d59-8187-4fd8-9db9-d4a73a6f8b48}\RP1330\A0268241.exe (Rogue.RegTool) -> Quarantined and deleted successfully.

Again this ran overnight and I've not tested the success of the removal. I'll try this evening. Any comments on what the scan found, particularly whether you'd expect more items if every threat associated with System Security 2009 were uncovered?

In the meantime, can anyone guide me in the procedure for downloading the DrWeb Live CD files? I couldn't understand what it wanted me to do and it looks like I may need a bootable CD option.

I'm suspecting that installing and running the MS Malware Removal Tool will not help, because I can't install it directly into the infected HDD's operating system - anyone got a view on that?

My Windows CD is a Mesh Rescue Disk which only allows reinstallation of the original Operating System and original Mesh configuration. I'll restore a 6 month old Drive Image back-up that I have before I resort to that.

Thanks again everyone

  hiwatt 18:41 09 Jul 2009

Those last files found by Malwarebytes are all in System Restore so wouldn't be "active" unless you did a system restore. Can you boot into Safe Mode by continually tapping F8 while booting up the computer?
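The two Malwarebytes logs posted above, together with hiwatt's point that hits inside System Restore points are dormant copies rather than active infections, are the kind of output a responder usually wants summarised rather than read line by line. The script below is an added example, not code from anyone in this thread or from Malwarebytes; the log format (header counts, "... Infected:" sections, one "<item> (<threat>) -> <action>." line per hit) is assumed from the lines quoted in the thread, and the sample log is constructed from a shortened mix of those lines. It groups hits by threat name and by action, checks the header counts against the items actually listed, and counts how many hits live under `System Volume Information\_restore`.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x text log (format assumed from
the lines quoted in this thread): group hits by threat name and by action,
check the header counts against the listed items, and flag hits that sit
inside System Restore points (System Volume Information\\_restore...), which
are dormant copies rather than active infections.
"""
import re
from collections import Counter

# One detection line: "<item> (<threat name>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[\w.]+)\) -> (?P<action>.+?)\.?$")
# Section heading, e.g. "Files Infected:"
SECTION_RE = re.compile(r"^(?P<section>[\w ]+ Infected):$")
# Header summary line, e.g. "Files Infected: 11"
SUMMARY_RE = re.compile(r"^(?P<section>[\w ]+ Infected): (?P<count>\d+)$")
# Path inside a System Restore point (assumed layout, as in the posted logs)
RESTORE_RE = re.compile(r"\\system volume information\\_restore", re.IGNORECASE)

# Constructed sample: a shortened mix of the two logs posted in the thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

Scan type: Full Scan (D:\|H:\|)
Objects scanned: 245881
Time elapsed: 7 hour(s), 5 minute(s), 0 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 1
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.

Folders Infected:
c:\program files\rhcaj8j0e391 (Rogue.Multiple) -> No action taken.

Files Infected:
h:\documents and settings\all users\application data\13334374\13334374.exe (Rogue.SystemSecurity) -> No action taken.
h:\system volume information\_restore{e1d71d59-8187-4fd8-9db9-d4a73a6f8b48}\RP1330\A0268236.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\program files\rhcaj8j0e391\database.dat (Rogue.Multiple) -> No action taken.
"""


def parse_mbam_log(text):
    """Return (header_counts, hits): the declared per-section counts and one
    dict per detection line with section, item, threat, action and whether
    the item sits inside a System Restore point."""
    header_counts = {}
    hits = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            header_counts[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        if line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            hits.append({
                "section": section,
                "item": m["item"],
                "threat": m["threat"],
                "action": m["action"],
                "in_restore_point": bool(RESTORE_RE.search(m["item"])),
            })
    return header_counts, hits


def summarize(header_counts, hits):
    """Roll the detections up into the numbers a responder looks at first."""
    listed = Counter(h["section"] for h in hits)
    # Declared count vs. items actually listed; a mismatch means a truncated
    # or hand-edited log, so the list should not be trusted as complete.
    count_mismatches = {
        section: (declared, listed.get(section, 0))
        for section, declared in header_counts.items()
        if declared != listed.get(section, 0)
    }
    restore_hits = [h for h in hits if h["in_restore_point"]]
    return {
        "by_threat": Counter(h["threat"] for h in hits),
        "by_action": Counter(h["action"] for h in hits),
        "restore_point_hits": len(restore_hits),
        "active_hits": len(hits) - len(restore_hits),
        "count_mismatches": count_mismatches,
    }


if __name__ == "__main__":
    counts, found = parse_mbam_log(SAMPLE_LOG)
    report = summarize(counts, found)
    for key, value in report.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run against a real mbam-log file by replacing `SAMPLE_LOG` with the file's contents; the "active_hits" figure is the one to compare between the first and second scans, since hits that are only in `_restore` folders come back from a restore point rather than indicating a live infection.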
