System Security 4.52 Spyware Remover


  • This topic is locked
5 replies to this topic

#1 Megan D.

Posted 06 July 2009 - 08:54 PM

It appears that my father's desktop computer has been hijacked by a program called System Security 4.52. I get a message on a blue screen that says WARNING! YOUR'RE IN DANGER! YOUR COMPUTER IS INFECTED WITH SPYWARE! etc., etc., going on to say more in smaller font, and ending in: SECURE YOURSELF RIGHT NOW! REMOVE ALL SPYWARE FROM YOUR PC!

It won't allow me to run any programs, so I'm posting from another computer. Windows won't let me into safe mode, and instead gives me this message: We apologize for the inconvenience, but Windows did not start successfully. A recent hardware or software change may have occurred...etc.

I'm posting from my laptop trying to figure this out, but there seems to be no way to do anything. Help please?

#2 TheJoker

Posted 07 July 2009 - 05:12 AM

Hi Megan D., and Welcome Back

Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore.
On a clean system, download The Avira AntiVir Rescue System from here.
  • Just double-click on the rescue system package to burn it to a CD/DVD.
  • Then please use that CD/DVD with Avira Rescue System to boot your infected computer.
You'll get a boot option to either boot from hard drive or AntiVir Rescue System (it's possible that you may need to change boot options in your CMOS settings to allow booting from the CD/DVD drive).

Press the number 2 on your keyboard to boot into AntiVir Rescue System.

Please wait until drivers are loaded and Main menu shows. Then please select the second option “Scan your system with AntiVir” and hit Enter.

Under Configuration, please select Scan all files, Try to repair infected files and Rename files if they cannot be removed?.

Then please start the scan.

The Avira AntiVir Rescue System will now
  • repair a damaged system,
  • rescue data,
  • scan the system for virus infections.
After the utility has completed, remove the disc and restart your system.

Now see if you can Run HijackThis and post a log.
If you can't, rename HijackThis.exe to myprogram.exe and see if it will run.
If that doesn't work, see if you can boot to Safe mode and run HijackThis.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#3 Megan D.

Posted 12 July 2009 - 10:59 PM

So, I burned the program to a disk and ran a successful scan. Then I rebooted the computer, started Windows normally, and I got the same message again. I'm thinking my dad deleted HijackThis for some (most certainly stupid) reason, since it's not on the computer anywhere. I burned HijackThis.exe to a disk and loaded it, then dragged it to the desktop. When I tried to run it, I got the message "WARNING! Application cannot be executed. The file hijackthis.exe is infected. Please update your antivirus software." Then I renamed it as myprogram.exe as you suggested and got the same message again. Safe mode still won't work, and is giving me the same message about changes having been made to the software or hardware. I'm ready to throw this hunk of junk out the window.

Edited by Megan D., 12 July 2009 - 10:59 PM.


#4 TheJoker

Posted 12 July 2009 - 11:09 PM

Download the following file and save to your desktop.
http://live.sysinter...com/procexp.exe
If necessary, download it from a clean uninfected system and burn it to CD/DVD to transfer to your system.

Then follow the instructions here for:
If MBAM is not installed

MBAM won't run(Fix), SystemSecurity

After following those instructions, please post a new HijackThis log and note any errors encountered.



#5 Megan D.

Posted 13 July 2009 - 10:46 PM

Okay, so I've followed your instructions. I renamed mbam to winlogon and it worked, but now once it gets to a certain point in the scan, a bunch of popups appear, then the screen zooms in so nothing but a few words of the hijacked desktop warning appear, and then the computer flashes a blue screen with a message before rebooting. I'm trying to perform a scan for the third time now, and I'll try to watch to see if there's any way I can prevent the scan from stopping midway.

Any suggestions to keep it from rebooting mid-scan?

#6 TheJoker

Posted 14 July 2009 - 04:51 AM

You mention renaming mbam.exe to winlogon.exe. Did you already have MBAM installed?
Try running the scan from Safe mode.

Did you try running procexp.exe renamed to winlogon.exe and killing the System Security process?
If not, try that to see if following those instructions you can find the process and kill it. When you do that, if you find the process with the shield, write down the file name.

Now use Windows Search (Start > Search > For Files or Folders), to search for and delete the file you found.

Then try and re-run MBAM. If you can, be sure you update MBAM.

After that, Download ComboFix© by sUBs from one of these locations:

http://download.blee...Bs/ComboFix.exe
http://www.forospywa...Bs/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Familiarize yourself with ComboFix before running it:
http://www.bleepingc...to-use-combofix

  • Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. There are some difficult to remove infections that will only be fixed if you have the Recovery Console installed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware. When finished, it will save a log.
Please include the contents of the log at C:\ComboFix.txt in your next reply.

Then please post a new HijackThis log, the log from MBAM, let me know what the file name was for the System Security process if you have that, and in a second reply (due to length) the log from ComboFix (combofix.txt), and note any errors encountered.





