System Security 4.52 INFECTED BAD


28 replies to this topic

#1 Wolfman09 (Members, 24 posts)

Posted 05 July 2009 - 08:28 PM

Hello everyone.

My father, who is 69, had his HP system running XP badly infected 3 days ago by System Security 4.52.

I understand why, and the info on that program, and after lots of trying I've been unsuccessful in running Malwarebytes, EVEN IN SAFE MODE.

I'm accessing the net from his PC now in safe mode and luckily can do this. Almost all program .exe files will not run, but many do in safe mode.

What I have done is download Malwarebytes to disc and install and run setup in safe mode, although it took almost 30 minutes to do so, BUT...

After installing I still could NOT EXECUTE the software, even in safe mode. Can't do ANYTHING in regular PC mode.

I then did an UNINSTALL of Malwarebytes as it WAS installed on the PC before this problem started. So I uninstalled, and after downloading the setup and installing I still CAN'T run the software in safe mode.

OK, I think that's about it. Would really appreciate any assistance to get him back to working.

Thank you!!

James


#2 Budapest (Bleepin' Cynic, Moderator, 23,573 posts)

Posted 05 July 2009 - 09:04 PM

This may help:

http://www.malwarebytes.org/forums/index.php?showtopic=17583
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Wolfman09 (Topic Starter, Members, 24 posts)

Posted 05 July 2009 - 09:32 PM

> This may help:
>
> http://www.malwarebytes.org/forums/index.php?showtopic=17583

Thank you so much!

I missed going to their forum and looking over the info, mostly because I see this forum's helpful posts all over the SERPs.

At my home PC now, but going back over to Dad's in a bit and will give that info a try.

Will post back my experience.

Wolfman

#4 Wolfman09 (Topic Starter, Members, 24 posts)

Posted 05 July 2009 - 10:11 PM

Would it be possible, or OK, if someone on this forum could post the content from THE LINK GIVEN ABOVE here?

I could not print out the info from my PC as the printer is broke; I'm over at my dad's and that damn security system program even has the search info locked down tight.

I can't even search or access a link with Malwarebytes... it gives me an error. I can access other sites and even Google. If I search Google for Malwarebytes it pulls up info, but forget being able to pull any links up in the SERPs.

Never have I had a PC so screwed up. So frustrating!!!

#5 Budapest (Bleepin' Cynic, Moderator, 23,573 posts)

Posted 05 July 2009 - 10:15 PM

Here's the text without the screenshots:

Download the following file and save it to your desktop.
http://live.sysinternals.com/procexp.exe

Rename the file to winlogon.exe and then run it.

In order to get MBAM installed you will need to identify and terminate/kill the SystemSecurity process.
As you see from the screenshot, it is very easily identified by its shield icon and use of random numbers for its executable, e.g. 1234567.exe, 638476435.exe, 453732.exe, and the list goes on.

Highlight the shield icon/random.exe line, right-click and select Kill Process.

SystemSecurity will no longer be active in memory but is still installed, so best let MBAM rip it good and proper.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to the following:
* Launch Malwarebytes' Anti-Malware
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad and if required the program will ask you to reboot to remove locked files.
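Added example, not from the thread or from Sysinternals: a small Python triage helper that applies the identification rule in the post above (an image name that is nothing but digits, typically running under explorer.exe) to a constructed Process Explorer-style listing. The tree, PIDs and names are made up for the example; a name-based check like this is only a triage aid, since the thread itself shows how a name check is sidestepped by renaming a file, which is also why the renamed tool shows up as a second winlogon.exe.

```python
import re

# Constructed Process Explorer-style listing (pid, parent pid, image name);
# made up for this example, not taken from the infected machine.
SAMPLE_PROCESSES = [
    (4, 0, "System"),
    (540, 4, "smss.exe"),
    (604, 540, "winlogon.exe"),
    (1172, 1100, "explorer.exe"),   # parent (userinit.exe) has already exited
    (1316, 1172, "638476435.exe"),  # rogue: digits-only name under explorer.exe
    (1408, 1172, "iexplore.exe"),
    (1520, 1172, "winlogon.exe"),   # procexp.exe renamed, as the thread suggests
]

# System Security ran from an executable named with a run of random digits.
NUMERIC_IMAGE = re.compile(r"^\d+\.exe$", re.IGNORECASE)


def flag_numeric_images(procs):
    """Return digits-only image names with their pid and parent image name."""
    image_of = {pid: name for pid, _, name in procs}
    hits = []
    for pid, ppid, name in procs:
        if NUMERIC_IMAGE.match(name):
            hits.append({"pid": pid, "image": name,
                         "parent": image_of.get(ppid, "<unknown>")})
    return hits


def duplicate_system_images(procs, names=("winlogon.exe",)):
    """Core image names seen more than once: here the renamed tool beside the real one."""
    counts = {}
    for _, _, name in procs:
        counts[name.lower()] = counts.get(name.lower(), 0) + 1
    return sorted(n for n in names if counts.get(n.lower(), 0) > 1)
```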

#6 Wolfman09 (Topic Starter, Members, 24 posts)

Posted 05 July 2009 - 10:24 PM

> In order to get MBAM installed you will need to identify and terminate/kill the SystemSecurity process.
> As you see from the screenshot, it is very easily identified by its shield icon and use of random numbers for its executable, e.g. 1234567.exe, 638476435.exe, 453732.exe, and the list goes on.
>
> Highlight the shield icon/random.exe line, right-click and select Kill Process.

I CAN access that link and download... OK... the only question is how exactly, or where, do I go in my dad's PC to SEE that icon for the SS process?

I checked Task Manager process info but it does not show icons... and I'm not able to locate system security.exe...

thank you again for your help!!!

#7 Wolfman09 (Topic Starter, Members, 24 posts)

Posted 05 July 2009 - 10:26 PM

CRAP, NEVER MIND... after I installed that download and renamed it, I see what I need.

Sorry... it's just been a long day.

#8 Budapest (Bleepin' Cynic, Moderator, 23,573 posts)

Posted 05 July 2009 - 10:26 PM

You have to use Process Explorer to find the SS process.

#9 Wolfman09 (Topic Starter, Members, 24 posts)

Posted 05 July 2009 - 10:29 PM

Day's not getting any shorter... I see all the info and many icons now, but nothing indicating or showing that System Security icon.

Nothing similar to the examples of "1234567.exe 638476435.exe 453732.exe" either.

This damn thing must be getting nastier and more difficult.

#10 Budapest (Bleepin' Cynic, Moderator, 23,573 posts)

Posted 05 July 2009 - 10:36 PM

It should probably show up under the explorer.exe process.

#11 Wolfman09 (Topic Starter, Members, 24 posts)

Posted 05 July 2009 - 10:37 PM

I just realized the BAD INFO may NOT show up as I'm in SAFE MODE.

I'll reboot and see how it goes from there and report back once I do.

#12 Wolfman09 (Topic Starter, Members, 24 posts)

Posted 06 July 2009 - 12:11 AM

> Here's the text without the screenshots:
>
> Download the following file and save it to your desktop.
> http://live.sysinternals.com/procexp.exe
>
> Rename the file to winlogon.exe and then run it.
>
> In order to get MBAM installed you will need to identify and terminate/kill the SystemSecurity process.
> As you see from the screenshot, it is very easily identified by its shield icon and use of random numbers for its executable, e.g. 1234567.exe, 638476435.exe, 453732.exe, and the list goes on.
>
> Highlight the shield icon/random.exe line, right-click and select Kill Process.
>
> SystemSecurity will no longer be active in memory but is still installed, so best let MBAM rip it good and proper.
>
> * Double-click mbam-setup.exe and follow the prompts to install the program.
> * At the end, be sure a checkmark is placed next to the following:
> * Launch Malwarebytes' Anti-Malware
> * Once the program has loaded, select Perform quick scan, then click Scan.
> * When the scan is complete, click OK, then Show Results to view the results.
> * Be sure that everything is checked, and click Remove Selected.
> * When completed, a log will open in Notepad and if required the program will ask you to reboot to remove locked files.



Budapest,
THANK YOU so much for posting... saved lots of time and trouble running to and from my PC to Dad's.

OK, great progress has been made, but not out of the woods completely.

The reason why is his surfing/URL address pulls up sites we don't even try to go to, and I still don't have full free access to where we need to go.

Example: we still can't access Malwarebytes sites or forums, even when trying to access them using links from Google's search results. Get an error on the page.

That said... downloading that program and renaming it to winlogon.exe helped get access to the PC, so now I'm accessing the web without being in safe mode. Can now also access most everything else, as far as I can tell.

The way I was finally able to RUN MALWAREBYTES was to go into the program folder where it was located and RENAME the .exe file to something else. Before I did that I had no success running the program.

Once I did that I did a quick scan and it came back with 38 or so BAD items! I did the FIX on those but I'm still having the issues with not being able to access certain sites and the Malwarebytes sites.

As I write this reply I'm doing a full system scan. So far over 67 thousand objects scanned and so far NO infected objects. Again, I know things are not completely right or normal, but much closer than before.

OK, that's the update for now. Again, thank you for the assistance!!!

#13 Budapest (Bleepin' Cynic, Moderator, 23,573 posts)

Posted 06 July 2009 - 12:17 AM

Post the log when the scan is finished.

#14 Wolfman09 (Topic Starter, Members, 24 posts)

Posted 06 July 2009 - 12:29 AM

> Post the log when the scan is finished.

OK, I guess I should have posted the quick scan before I did a fix, but I jumped the gun.

I will post results of full scan before going further.

#15 Wolfman09 (Topic Starter, Members, 24 posts)

Posted 06 July 2009 - 12:41 AM

Below are the Malwarebytes FULL SCAN RESULTS from my Dad's PC.



Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/3/2009 10:32:24 PM
mbam-log-2009-07-03 (22-32-08).txt

Scan type: Full Scan (C:\|D:\|J:\|)
Objects scanned: 194928
Time elapsed: 34 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\config\systemprofile\local settings\temporary internet files\Content.IE5\GDKFVGK8\flvjj[1].htm (Trojan.Downloader) -> No action taken.
c:\WINDOWS\system32\config\systemprofile\local settings\temporary internet files\Content.IE5\GDKFVGK8\flvjj[2].htm (Trojan.Downloader) -> No action taken.
c:\WINDOWS\system32\config\systemprofile\local settings\temporary internet files\Content.IE5\NJ5LECDA\fcdzd[1].htm (Trojan.Downloader) -> No action taken.
c:\WINDOWS\system32\config\systemprofile\local settings\temporary internet files\Content.IE5\NJ5LECDA\fcdzd[2].htm (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\1.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\E.tmp (Trojan.Agent) -> No action taken.
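Added example, not from the thread or from Malwarebytes: a Python parser for the MBAM 1.x log layout posted above. It cross-checks the summary counts against the listed items and reports which entries still read "No action taken", which is every entry in the log as posted: nothing has been removed yet, so that log is a detection list rather than a cleanup record. The sample is a shortened excerpt of the posted log with one constructed "Quarantined" line added to show the difference.

```python
import re

# Shortened excerpt of the MBAM 1.x log layout posted above; the "Quarantined"
# line is constructed to show how a removed item differs from an untouched one.
SAMPLE_LOG = r"""
Database version: 2297
Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\E.tmp (Trojan.Agent) -> No action taken.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 7"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Files Infected:"
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.$")      # object (Threat) -> action.
META_RE = re.compile(r"^(Database version): (.+)$")


def parse_mbam_log(text):
    """Return (meta, summary counts, detections per section) from an MBAM 1.x log."""
    meta, summary, items, section = {}, {}, {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if m := SUMMARY_RE.match(line):          # summary block precedes the sections
            summary[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
            items[section] = []                   # stays empty for "(No malicious items detected)"
        elif m := META_RE.match(line):
            meta[m.group(1)] = m.group(2)
        elif section and (m := ITEM_RE.match(line)):
            items[section].append({"object": m.group(1), "threat": m.group(2), "action": m.group(3)})
    return meta, summary, items


def audit(text):
    """Cross-check summary counts against listed items and list what was not removed."""
    meta, summary, items = parse_mbam_log(text)
    mismatches = {s: (n, len(items.get(s, []))) for s, n in summary.items()
                  if n != len(items.get(s, []))}
    pending = [i["object"] for sec in items.values() for i in sec
               if i["action"] == "No action taken"]
    return {"db": meta.get("Database version"), "mismatches": mismatches, "pending": pending}
```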



