System Security 4.52 infection



rebels181
13-07-2009, 11:53 AM
Hi, I've just been given a friend's laptop to try and remove this virus.
The laptop is using Vista Home Edition; I'm not sure if it has SP1 installed yet.
It's got Avast 4.8 Home Edition,
Malwarebytes Anti-Malware,
Spybot Search and Destroy installed.
What is the best procedure for removing this virus?

Thanks

Speedy Gonzales
13-07-2009, 12:02 PM
Kill its process first, since it looks like it stops anti-malware programs from working. Use CCleaner and delete the entry/entries for the files it loads in startup (system security.exe or similar maybe the main file). Reboot. Then do a scan with Malwarebytes (update it first). It's rogue software (what's appearing on the screen is FAKE), not a virus. It looks like someone installed some kind of video codec, which installed it. Is it on the net? If it is, you could get TeamViewer, and I could see if I can get rid of it remotely from here.

wratterus
13-07-2009, 12:11 PM
Run Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) too. :)

rebels181
13-07-2009, 12:23 PM
Just ran Malwarebytes, found 5 infections, removed them, rebooted, now scanning with Avast.

Speedy Gonzales
13-07-2009, 12:27 PM
Remember to update both before you scan. There SHOULD be more than 5 infections according to some sites.

rebels181
13-07-2009, 12:33 PM
I thought that was a bit too easy.

Speedy Gonzales
13-07-2009, 12:36 PM
Click on the orb down the bottom, and type msconfig. Go to the startup tab and untick the entry for it, then reboot. That's if CCleaner isn't on it and you didn't delete its entry under tools/startup.

rebels181
13-07-2009, 12:51 PM
OK, we're on the net, so updating Vista, Avast and Malwarebytes.
Downloading CCleaner & HJT.
Where do I go to see if SP1 is installed?

Speedy Gonzales
13-07-2009, 12:53 PM
Click on Computer on the desktop / Properties, or the orb / right mouse on Computer / Properties. Or if the keyboard has a Windows key, press that + Pause.

rebels181
13-07-2009, 02:01 PM
OK, just updated and rescanned with Malwarebytes, found another 7 infections. Installing SP1 now. I had a look at installed updates and found that 7 had failed to install, including KB890830 Malicious Software Removal Tool June. Do I have to go to the M/S website and download again, or will Vista try again?

Speedy Gonzales
13-07-2009, 02:07 PM
Don't worry about the Malicious Software Removal Tool. Avast will probably be better. Do another scan with Malwarebytes after you reboot. Did you delete the entry for System Security in startup with CCleaner?

What error is appearing in the Windows Update window, if there's one? Why the updates wouldn't install. Scan the whole HDD with Avast as well. Malwarebytes may be picking things up in the registry, not what's on the HDD itself.

Blam
13-07-2009, 02:08 PM
I suggest you disable System Restore to prevent re-infection.

Right Click My Computer>properties>Advanced System Settings>System Restore Tab

Only re-enable when you're sure there is nothing left..

Blam

rebels181
13-07-2009, 03:03 PM
Just finished installing SP1, rebooted, a note came up saying Avast has been turned off, went into Windows Security Center and found that Windows Defender is installed and switched on. Do I need to uninstall W/D or can I just turn it off?

Speedy Gonzales
13-07-2009, 03:06 PM
Disable Windows Defender: click on it in Control Panel / Tools / Options. Scroll down to admin options and untick "use Windows Defender". Don't forget to disable System Restore as well, till you remove that rogue software.

Once this is removed, update to SP2.

rebels181
13-07-2009, 03:27 PM
OK, just a quick recap: System Restore and W/D have been disabled.
Had a look in CCleaner startup; couldn't find any ref to System Security or 05643921.exe install.exe (I think it uses numbers for exe files).
So scan HDD with Avast.
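
Added example (not part of any post in this thread): a read-only PowerShell listing of the auto-start locations that CCleaner and msconfig show, flagging entries that fit the description in the posts above. The digits-only file-name pattern and the "system security" match are assumptions drawn from the thread, not a verified signature, and the paths assume Vista or later.

```powershell
# Added example: read-only inventory of auto-start entries (changes nothing).
# Assumption from the thread: the rogue uses digits-only .exe names
# (such as 05643921.exe) or "system security" in the entry name or path.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
)

function Test-StartupEntry([string]$Name, [string]$Command) {
    # Pull the first *.exe file name out of the command line, quoted or not.
    $exe = ''
    if ($Command -match '([^\\/"]+?\.exe)') { $exe = $Matches[1] }
    ($exe -match '^\d+\.exe$') -or ("$Name $Command" -match 'system\s*security')
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item $key
    foreach ($valueName in $regKey.GetValueNames()) {
        $entries += New-Object PSObject -Property @{
            Source = $key; Name = $valueName; Command = [string]$regKey.GetValue($valueName)
        }
    }
}
foreach ($dir in $startupDirs) {
    if (-not ($dir -and (Test-Path $dir))) { continue }
    foreach ($file in (Get-ChildItem $dir | Where-Object { -not $_.PSIsContainer })) {
        $entries += New-Object PSObject -Property @{
            Source = $dir; Name = $file.Name; Command = $file.FullName
        }
    }
}

# Flagged entries sort to the top; review them by hand before removing anything.
$entries |
    Select-Object @{ Name = 'Flagged'; Expression = { Test-StartupEntry $_.Name $_.Command } },
                  Source, Name, Command |
    Sort-Object Flagged -Descending |
    Format-Table -AutoSize -Wrap
```

An empty flagged list only means nothing in these locations fits the two patterns; services, scheduled tasks and other load points are not covered.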

Speedy Gonzales
13-07-2009, 03:31 PM
Yup, scan the whole HDD. If you want me to check it out (if it's on the net), get TeamViewer (www.teamviewer.com), install it, run it. Send me a PM with the login and password so I can connect, give me access, and I'll check it out. Don't worry, you'll see what I'm doing.

rebels181
13-07-2009, 03:39 PM
Funny you should say that, an icon came on the task bar not long ago, yup, TeamViewer. I think it's already on here.

Speedy Gonzales
13-07-2009, 03:42 PM
Is it the latest version? If it is, send me a PM if you like with the ID and password it's showing. Are you on dialup or broadband?

Speedy Gonzales
13-07-2009, 04:34 PM
Right. Checked the system out using teamviewer. Looks good now. Updated Mbam, did another scan - clean. Avast was turned off in control panel, stopped it then turned it back on that brought it back to life. Now scanning with Avast and will reboot when finished.

rebels181
13-07-2009, 07:56 PM
Scan all clear, rebooted, turned on System Restore, downloading SP2.
Avast couldn't scan 14 files, C:\Program files\CA Yahoo! Anti-Spy\Quarantine\20090710110624.zip\0 thru to .zip\13. I'm guessing I don't need to worry about these.
The infection came from an e-mail. What can be done to stop this from happening again?
Thanks again for your help.

Speedy Gonzales
13-07-2009, 08:00 PM
No worries, good to hear it's fixed :) Don't open attachments in email. Don't click on links in Yahoo Messenger. If they're in quarantine it should be OK.