Removing System Security

Did the computer have an internet connection so the programs could get updates when they ran?  If not, they may not have the signature data to detect the malware.

If nothing else works, the complex manual removal may be all that's left.
 
Did the computer have an internet connection so the programs could get updates when they ran?

Yes it did, and (I think) I saw the updates happening.
 
For what it is worth, I use a combination of the free Malwarebytes removal tool and the Combofix tool for all really nasty (hard to get rid of) infections.  From those two I've been able to solve most any problem.  I clean up 3-4 machines per week (as a rough average). 

My experience has been that the commercial and most freeware antivirus tools just don't cut it for cleanup, but I DO use those same commercial (paid) products for my first line of defense (prevention and protection), for which they are pretty effective.  I guess Malwarebytes could be considered commercial for blocking threats before an infection takes place, but I haven't used it in that role.  They do have an excellent heuristics engine whereas most commercial tools are largely signature-based.

Tom/Ned, you probably know what I mean by that but in the interests of explaining for those who don't, signature-based tools look for "known" threats whereas heuristic tools look for threats based upon how the program "behaves".  That's an oversimplification but should suffice for a basic understanding of the differences.  What it means in short is that most commercial tools look for and can generally remove problems from malware which have been identified in great number, but they tend to ignore something that they don't "know" is a threat.  That is why antivirus, etc. signature file updates are especially important.  With the heuristic scanners, they look for threats based upon how a program acts, such as the inability to "close" the program.  They can generate more false-positives (in that they can flag software as "bad" when it is not).  But for "new" threats (there are hundreds or thousands a day) they can detect and fix a problem without having to wait for a typical signature-file update as do many commercial programs such as Norton and McAfee.

The state of the industry (and threats to a computer) is constantly changing and evolving, so this is not hard, fast, 100% dead-on factual info, just a general overview.
 
Tom, if you are still having problems, a quick google search on Removing System Security will bring up hundreds of sites with many different ways of removing this stinker. Here are some bits that I have read so far.

Note that this stinker gives itself a random number as a file name, so even though one person might say it is this number, chances are it is a completely different number. But, legitimate software will almost always have a filename which isn't just random numbers.

-------------------->
Automated Removal Instructions for System Security using Malwarebytes' Anti-Malware
http://www.bleepingcomputer.com/virus-removal/remove-system-security
-------------------->

How to remove System Security 2009 manually:
http://remove-malware.net/how-to-remove-system-security-2009-rogue-anti-spyware/
(Note: this site has a free downloadable tool specifically designed to find this stinker and kill it flat, I would try that first)

Manual removal of System Security 2009 is feasible if you have sufficient expertise in working with program files, system processes, .dll files and registry entries.

The files to be deleted are listed below:

    * %\Documents and Settings%\All Users\Application Data\00308937\pc00308937.ins
    * %\Documents and Settings%\All Users\Application Data\00308937\00308937.exe
    * %\Documents and Settings%\All Users\Application Data\00308937\config.udb
    * %UserProfile%\Desktop\System Security 2009.lnk
    * %UserProfile%\Start Menu\Programs\System Security\System Security 2009 Support.lnk
    * %UserProfile%\Start Menu\Programs\System Security\System Security 2009.lnk

The associated registry entries to be removed are as follows:

    * HKEY_LOCAL_MACHINE\Software\00308937
    * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "00308937"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009

Please be informed that manual removal of System Security 2009 is a cumbersome procedure and does not always ensure complete deletion of the malware, since some files might be hidden or may automatically reanimate themselves afterwards. Moreover, manual interference of this kind may cause damage to the system. That's why we strongly recommend automatic removal of System Security 2009, which will save you time, help you avoid any system malfunctions and guarantee the needed result.

-------------------->
If you locate the file with the shield icon in your system, usually in the C:\program data\  folder, you can rename the systems security folder and program to 2222. This will interrupt its pathways for running when you reboot the PC. As a result you will then be able to download and use removal programs or manually remove it. This was how I solved not being able to run any exe files for removing it or going to the CMD or Taskmgr.
-------------------->

Hope some of this helps you. I am nearly always online if you strike any bother just Skype me or IM me.
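As an added example (not from this thread or from any of the linked sites): a small POSIX shell script that looks for the file pattern described in the listing above, a folder named only with digits under the all-users application data directory that holds an .exe with the same digit-only name. Point it at the root of the infected volume, for instance mounted read-only on a Linux rescue system, or at a copy of it. The `make_sample_tree` function builds a constructed directory tree (using the folder name from the listing plus two benign folders) so the scanner can be tried offline; the "ProgramData" path is taken from the "C:\program data" remark further down.

```shell
#!/bin/sh
# Added example, not from the thread or the linked sites: scan a directory
# tree for the pattern listed above (a digit-only folder under the all-users
# application data directory holding an .exe with the same digit-only name).
# Point it at the root of the infected volume, e.g. a read-only mount on a
# Linux rescue system, or at a copy of it.

# Drop locations, relative to the volume root: the XP-style path from the
# listing and the "program data" folder mentioned later in the thread.
APPDATA_DIRS="Documents and Settings/All Users/Application Data
ProgramData"

# Print one line per matching folder; return 0 if any were found, 1 otherwise.
find_digit_named_dropper() {
    scan_root=$1
    hits=0
    while IFS= read -r rel; do
        dir="$scan_root/$rel"
        [ -d "$dir" ] || continue
        for sub in "$dir"/*/; do
            [ -d "$sub" ] || continue
            name=$(basename "$sub")
            # Folder name must consist of digits only.
            case "$name" in
                ''|*[!0-9]*) continue ;;
            esac
            # It must contain an executable with the same digit-only name.
            if [ -f "$sub$name.exe" ]; then
                printf '%s\n' "${sub%/}"
                hits=$((hits + 1))
            fi
        done
    done <<EOF
$APPDATA_DIRS
EOF
    [ "$hits" -gt 0 ]
}

# Build a constructed sample tree that mimics the listing above (plus two
# benign folders) and print its path, so the scanner can be tried offline.
make_sample_tree() {
    sample_root=$(mktemp -d)
    appdata="$sample_root/Documents and Settings/All Users/Application Data"
    mkdir -p "$appdata/00308937" "$appdata/Microsoft" "$appdata/12345"
    : > "$appdata/00308937/00308937.exe"
    : > "$appdata/00308937/pc00308937.ins"
    : > "$appdata/00308937/config.udb"
    : > "$appdata/Microsoft/settings.dat"     # normal vendor folder, not flagged
    : > "$appdata/12345/readme.txt"           # digit-only name, but no matching .exe
    printf '%s\n' "$sample_root"
}

# Usage against the sample tree:
#   r=$(make_sample_tree); find_digit_named_dropper "$r"; rm -rf "$r"
# Against a mounted volume:
#   find_digit_named_dropper /mnt/infected
```

The scanner only reports; it deletes nothing, so it is safe to run against a read-only mount. Since the folder name is random per infection, the check keys on the digits-only pattern rather than on any particular number, and a digit-only folder without a matching .exe (such as the constructed "12345") is deliberately not flagged, to keep false positives down.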
 
Thanks Ian. If you read my earlier messages you'll see that I looked for and found many links, and that manual removal wasn't possible.
 
Tom, we can always go Remote Access using LogMeIn if that would help track down this nasty beast.

Have you used msconfig to stop it from starting up?

Have you used RegEdit to clean it out of Registry?

 
Have you used msconfig to stop it from starting up? Have you used RegEdit to clean it out of Registry?

Ian, as I said in one of my earlier messages, neither of those are accessible. This beast runs interference with anything and everything I try to do on the PC, and the only thing it allows to run is the browser.
 
That is odd, Tom. Normally I would just Windows key + R then enter msconfig or else regedit, though both of these need to be handled with care.
Otherwise boot up into SafeMode and run them from there before it has a chance to inflict its control.

Or, if it breaks into that, get a quick download of a Linux based repair kit, load it up onto a USB key as a bootable system, then boot from it and go hunting down the beast. If you can stop it from starting up then the other tools can boot it out of there.

I wish I could be closer to help you out; I have chased things like this before and they can be harder to get out than the stuff that sticks on your boots from a cow paddock ;)
 
The last resort is to put the drive in another computer, copy off any user data, then format and reinstall Windows.  It's a procedure that I rarely recommend but in some cases, it's the only way to get rid of the really nasty malware.  You also need to recreate the master boot record and partition table as some malware can hide there as well.
 
I'll probably get a call today letting me know how far he got with the remainder of the 4 rescue discs. If they didn't remove SS, I'll try some of the other things that have been suggested.

I'm a little nervous about popping his drive into one of my machines. OTOH I could pop his drive into a case and hook it via USB to a Linux machine I have sitting here to copy his data.
 
A Linux system would be the best for copying off data.  No chance of getting infected and you can mount the drive read only.
 
you can mount the drive read only.

Sounds like a good way to go, but how do you do that? (Sorry, another dumb question.)
 
It's a property you set when you actually mount the volume.  How that's set depends on the distro and how you issue the mount command.  Linux may mount it read only anyway as it's NTFS.  Even if it's not read only, you won't be writing to it so there should be no problem.  And nothing can execute from it.
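An added example to go with the read-only mount advice above (not from this thread; the device `/dev/sdb1`, the mount point `/mnt/infected` and the destination directory are assumed placeholders): a POSIX shell script that prints the mount command with the safe options, checks `/proc/mounts` to confirm the volume really is mounted read-only and non-executable, and only then copies the user profiles off with rsync.

```shell
#!/bin/sh
# Added example, not from the thread: mount the NTFS volume from the infected
# PC read-only and non-executable on a Linux box, then confirm from
# /proc/mounts that the kernel really applied those options before copying
# data off. The device and mount point used below are assumed placeholders.

# ro = read-only, noexec = nothing on the volume may be run,
# nosuid/nodev = ignore setuid bits and device nodes on the foreign filesystem.
SAFE_OPTS="ro,noexec,nosuid,nodev"

# Print the mount command for a block device and mount point. The filesystem
# type is left to mount(8) autodetection (ntfs-3g or the kernel driver,
# depending on the distro), which is why no -t option is given.
safe_mount_cmd() {
    printf 'mount -o %s %s %s\n' "$SAFE_OPTS" "$1" "$2"
}

# $1 = mount point, $2 = one line in /proc/mounts format:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>
# Succeeds only if the line is for that mount point and carries ro and noexec.
mount_line_is_safe() {
    wanted=$1
    set -- $2
    [ "$2" = "$wanted" ] || return 1
    case ",$4," in *,ro,*) ;; *) return 1 ;; esac
    case ",$4," in *,noexec,*) ;; *) return 1 ;; esac
    return 0
}

# Scan the live mount table for the given mount point.
mount_is_safe() {
    while IFS= read -r line; do
        mount_line_is_safe "$1" "$line" && return 0
    done < /proc/mounts
    return 1
}

# Copy the user profiles off the volume, but only after the checks pass.
# $1 = mount point, $2 = destination directory on the Linux machine.
copy_user_data() {
    if ! mount_is_safe "$1"; then
        echo "refusing to copy: $1 is not mounted ro,noexec" >&2
        return 1
    fi
    # -rt: recurse and keep timestamps; owners/ACLs from NTFS are not carried over.
    rsync -rt "$1/Documents and Settings/" "$2/"
}

# Usage (as root):
#   mkdir -p /mnt/infected
#   $(safe_mount_cmd /dev/sdb1 /mnt/infected)
#   mount_is_safe /mnt/infected && copy_user_data /mnt/infected /srv/rescue
```

With ntfs-3g the filesystem type shows up as `fuseblk` in `/proc/mounts`, so the check keys on the mount point and the option list rather than on the type. `noexec` is what enforces the "nothing can execute from it" part on the Linux side; `ro` alone would still let a stray double-click in a file manager start a Windows binary under Wine if that happened to be installed.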
 
Since the acquaintance and I didn't connect yesterday, I called for an update this morning. He says that, after running the Avira rescue disc with the configuration set correctly, he's back up and running with his PC behaving "normally". I've suggested he download the latest update to his Web Root software and run a full scan. I'd like to go make sure there's no trace of that SS file and that it's also gone from the registry. Meanwhile, he's going to pick up a USB drive and back up all his important data and files.

Thanks again to all who responded with suggestions.
 
Tom I checked out the Symantec site and they stated that several Malware do that, won't let you even get into the registry.  They offered this tool LINK which then, apparently, once run allows you access to your registry once again.
 