System Security 2009

**DamonJones** · **DamonJones** on 5th September 2009, 3:34 pm

I'm new to the site but i was hoping someone could help me. I was recently infected with the System Security 2009 malware. When I try to boot normally I get to my desktop, then my startmenu/task bar appears for a second and instantly vanishes, leaving me looking at a my desktop image with no icons. At this point the only thing I can do is shut down my computer. I've dealt with this issue before, but I was able to get rid of it by booting in safe mode and running my various spyware/virus removal programs. The ones that did the most work were Xoftspy, SuperAntiSpyware, and Malware Bytes respectively. Surprisingly I ran AVG first and it couldn't detect the threats at all and only found cookies. Running these programs one after another got rid of the problem for me or so I thought, but now it's back. Now I have the same boot problem as before, but when I run safe mode, the System Security Malware is there too! I thought safe mode was supposed to be...safe. Anyway I can't open any of my removal programs because of it. When I double click, nothing happens. It even blocks the installers for certain programs to run. I found a handy trick online to go into the program files and rename the executable since the SP2009 recognizes processes by name. It works to a degree but only for certain programs. Xoftspy opened and fully ran when I did this trick. It detected some threats and removed them but the problem still remains. When I rename and try to run AVG or SuperAntiSpyware they start to scan my computer, then abruptly close. I've tried everything in my knowledge and I'm at the end of my rope now so I was hoping someone could help me here. I hope I was descriptive enough for someone to recognize what the problem is and how to fix it. Thanks!

Edit: I've even tried to run Hijack This. It installs but nothing happens when I try to open it.

**Belahzur** · **Belahzur** on 5th September 2009, 8:57 pm

Hello.
Did you get Hijack This from this link?
http://www.sendspace.com/pro/dl/fpzz64

If not, please download it from that link.

**DamonJones** · **DamonJones** on 6th September 2009, 2:49 am

The version of HJT from that link opened fine, but closed shortly after it started running. And now I guess System Security recognizes it as HJT so I can't open that one again either. It's like the malware is learning what i'm doing and preventing me from opening anything that can potentially remove it. Is there anything I can do to prevent it from blocking my programs functionality?

**Belahzur** · **Belahzur** on 6th September 2009, 6:37 pm

Please do the following in Safe Mode with Networking: as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu.) Once in the start up menu, select "Safe Mode with Networking", then try Hijack This from there.

**DamonJones** · **DamonJones** on 6th September 2009, 7:14 pm

That's actually the version of safe mode i've been running the whole time. It's the only way I can access the internet now since I can't boot normally. Still no luck though. Would you suggest reformatting?

**Origin** · **Origin** on 6th September 2009, 10:13 pm

Try this in safe mode with networking:

Download combofix from here
Link 1
Link 2

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

See HERE for how to disable your AV.
Double click on svchost.exe.
Follow the prompts. NOTE:
Allow combofix to run
Post C:\combofix.txt back here.

Note:
Do not mouse click combofix's window whilst it's running. That may cause it to stall.

**DamonJones** · **DamonJones** on 7th September 2009, 12:40 pm

Ok. I followed your instructions. When I run combo fix it opens and closes abruptly as well. For some reason, when it closes, I get a message saying combo fix is uninstalled and the icon disappears so I have to reinstall it to try it again.