remove System Security 2009 virus

DaveG247

Hi All,

My dads seems to have installed System Security 2009 on his pc which I'm guessing a some sort of virus/malware and I need some advice on how to get rid of it.

I have malwarebytes installed which was recommended here last time I had a problem and normally does the trick, however not sure if it is the System Security 2009 programme but it will not run malwarebytes on the PC I've also tried add and remove programmes but this wont run either?

Any help would be much appreciated.

Dave

espresso

Download malwarebytes again from here and change the file name before you try to run the program e.g. change to daveg247.exe

You need the latest version anyway.

DaveG247

Cheers espresso,

Right forget what I just posted I've managed to get Malwarebytes updated and running on my dads pc had to change the name of the shortcut to lauch the programme, doing a scan now hopfully this should get rid of the problem.

Browntoa

post the log file when its done

DaveG247

Browntoa wrote: »

post the log file when its done

Sorry Browntoa didn't see your post in time I did not make a copy of the log. However the problems now sorted there seems to be no sign of the problems I had before, malwarebytes cleared it no probs (once I got it running).

Cheers again for the help espresso

spud17

Sorry Browntoa didn't see your post in time I did not make a copy of the log

Open Malwarebytes, select the 'Log' tab, select the appropriate date/time.

DaveG247

Here's a copy of the log

Malwarebytes' Anti-Malware 1.37
Database version: 2229
Windows 5.1.2600 Service Pack 3
04/06/2009 18:52:08
mbam-log-2009-06-04 (18-52-08).txt
Scan type: Full Scan (C:\|)
Objects scanned: 139536
Time elapsed: 50 minute(s), 26 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 7
Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\10515374\10515374.exe (Rogue.Multiple.H) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009 (Rogue.Systemsecurity) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10515374 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\All Users\Application Data\10515374 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\D Goodhand\Start Menu\Programs\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\all users\application data\10515374\10515374.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\10515374\10515374.glu (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\10515374\pc10515374cnf (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\10515374\pc10515374ins (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\system volume information\_restore{35ec702a-3e28-47c7-ab8f-4a1b162adf44}\rp13\A0002142.sys (Rootkit.Agent.Z) -> Quarantined and deleted successfully.
c:\documents and settings\d goodhand\start menu\Programs\system security\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\d goodhand\Desktop\System Security 2009.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Browntoa

for belt and braces I would run this

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

looking at the type of infection you had

then post that log file as well