Thursday, May 21, 2009

How to Remove System Security 2009

How to remove the System Security Virus

Recently, I have had the not-so-fun experience of trying to remove the rogue program known as System Security, System Security 2009, or "WARNING YOU'RE IN DANGER". This is probably one of the nastiest infections I've ever dealt with, so I wrote this page to help others combat it. There is not a lot of information out there on it from what I could find.

What is it and where does System Security Come From?

This "virus" is a fake spyware scanner, the kind usually called scareware. It acts as though it will help you get rid of infections when in fact it is the infection. It is a hijacker that takes over your system, pops up random fake virus scans, and tries to bait you into buying the program. Do not purchase System Security in an effort to get rid of it: you would be handing your card details to the same people who planted it, and I don't need to tell you what they would do with your finances.

Where does it come from? Many places, but the most common, I believe, are torrents and "transition" (interstitial) ads served through networks like AdBrite or ClicksOr. You may have seen a transition ad before: it says "Click here to continue" in the top right corner of the ad. Both of those networks are reputable, but many of the publishers that buy ads through them are NOT, which is how the infection gets delivered in the first place.

Symptoms of an Infected Computer

What happens when you get System Security

As I said before, this hijacker is one of the worst out there. The first symptom you'll see is that the program pops up and takes over your desktop.


You will not be able to close it without it asking whether you want to remain "infected" or buy the program. As I said before, do not buy System Security 2008, 2009, or any other version; it is just a ploy to get your financial information. The program also shows a fake virus scan running in the lower right-hand corner of the screen.

If you are infected, your wallpaper may also change to a black background with the message "Warning! You're In Danger". Don't worry about that right now; it is an annoying scare tactic, and the wallpaper can be set back to normal once the program is gone.

How to Remove the System Security Virus

There are two ways to remove it. The first, and the one to try first, is with a reputable scanner.

Download or purchase an antivirus product such as Norton AntiVirus, plus Malwarebytes Anti-Malware. If the infected PC cannot download anything, fetch the installers on a clean computer and carry them over on a flash drive. Boot your system into Safe Mode (tap F8 at startup) and run full scans with both programs. Remove whatever they find. Then temporarily disable System Restore (so an infected restore point cannot bring it back), reboot, and re-enable System Restore once a second scan comes back clean. Confirm that Task Manager and regedit open normally again before you consider the machine clean.

If you cannot open Task Manager, regedit, or any .EXE file, you are in a LOT more trouble, because the scanner itself will be blocked from running. But don't worry: I had it this bad and I am typing this to you on that PC right now :).

You will need to do a manual removal. This takes some "computer smarts" because you have to edit the registry and delete files by hand.

=====
WARNING: USE THE FOLLOWING INFO AT YOUR OWN RISK. DELETING THE WRONG FILES OR REGISTRY ENTRIES CAN LEAVE WINDOWS UNABLE TO BOOT. EXPORT A BACKUP OF THE REGISTRY (File > Export in regedit) BEFORE YOU CHANGE ANYTHING.

If you do not know how to do this, I recommend you purchase AntiVirus Pro Removal Tool and run it in Safe Mode to get rid of the infection. If you run into problems, their support people will walk you through the software step by step until you are cured.

=====

Manual Removal Instructions:

-Boot your PC in Safe Mode (F8 at startup). Log in as the account that was in use when the infection hit, not just as Administrator: per-user startup entries and files only show up under that account. Turn on "Show hidden files and folders" in Folder Options first.
-Search for all .EXE files on your PC and sort by date modified.
-Set aside any suspicious files from around the time of infection (move them into a holding folder rather than deleting outright, so a mistake can be undone). Look for names that imitate Windows processes (such as csrss.exe) sitting outside the Windows folder, all-numeric file names, and hidden files.
-Open regedit.
-Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and then to the same Run key under HKEY_CURRENT_USER. Check both: HKEY_CURRENT_USER is the hive of the account you are logged in as, so an entry planted under the infected user's account will not show while you are logged in as Administrator.
-Highlight each suspicious entry and look at its data (also shown in the status bar) for the location of the file it launches. For entries that run rundll32, the .DLL named in the command is the file that matters.
-Delete the suspicious files and registry entries.
-Do the same under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, where the rogue lists itself as "System Security".
-Search your PC for suspicious .DLL files and delete them.
-Empty the Recycle Bin.
-Install a virus scanner and run a full scan to catch anything you missed (recommended).

If Task Manager and regedit open, .EXE files run, and the popups stay gone after a reboot, you are clean! :)

6 comments:

  1. Thanks for the help. Although I ended up using PC Tools Spyware Doctor, your instructions were spot on. Only issue I ran into is that even in Safe Mode I could not open regedit. Also, I could not find all the virus files while logged in as Administrator in Safe Mode. I had to log in with the same account I was on when the virus hit, always in Safe Mode. Then I was able to search for all *.exe and *.dll files modified on that date. I deleted them all since I had not made any other major changes on my PC that day. I then ran Spyware Doctor which found more threats and cleaned up the registry for me. I did a search again, but this time for hidden .exe and found a hidden file named CSRSS.exe along with another hidden .exe file with an 8-digit number as the file name modified on the date the virus hit. I did a full system search for that 8-digit file number and a folder and several other files with different extensions appeared. I also had to manually delete those. Also make sure after you delete all those files to empty the Recycle Bin; this thing is nasty and it seemed to keep reloading from the Recycle Bin! I agree with Sean that this is more for advanced users, so unless you know how to recover your system in case you lose files and programs, consult a professional.

  2. Hey, I was wondering if you can help me. I've followed these instructions but I couldn't delete the System Security files under Safe Mode; it gives me a blue screen saying "a problem has been detected and windows has been shut down..." So I've deleted everything from that day, .exe and .dll, in regular mode. regedit won't work, Task Manager won't work, nothing. Tried doing a system clear and it says I have to contact the domain administrator?? I rebooted my PC like 3 times. Don't have a clue how to download a virus scanner from one computer and put it on another? Very frustrated. Any advice?

  3. @mollybot
    Download the installation file on the clean computer and put it on a flash drive. They're cheap and easy to find if you don't have one... but anyway, boot into Safe Mode and install the antivirus from the flash drive. Hope I helped.

  4. All this is very helpful and I'm following along pretty well, but I've encountered a problem that may be fatal. When I try to start in Safe Mode it runs the registry and starts up (although not in Safe Mode) or tells me that Windows started unsuccessfully and to start at a point where the system worked better... nothing helps. Any suggestions? I cannot connect to the internet, so I'm guessing a flash drive will be my only option for uploading a spy killer, huh? Any help would be appreciated.
    (Sending this via my girlfriend's laptop)
    Todd

  5. OK, following the directions I was able to get rid of it in SAFE MODE (F8) on startup.

    I went in and viewed regedit as described above. I found it as it was pointing to a folder called 11305934 with file 11305934.exe within it.

    I deleted that registry entry, then had to go to C:\Documents and Settings\All Users\ and view hidden folders to see folder 11305934, which I then deleted.

    I also went into the uninstall portion of regedit as described above and sure enough it was listed as System Security and I easily deleted it there.

    And now I'm good to go.

  6. This whole ordeal was brutal. My daughter came to me this afternoon with this virus. She had it bad because every time I tried to open a program under her account, I'd get an error stating that the file was infected. I was unable to remove it by going into Safe Mode under Administrator, even though I deleted a bunch of .dlls from the System32 folder and some Registry keys as per the directions. I had to go into her account in order to do the removal. I had Webroot Spy Sweeper running on her machine ever since she got it and this Vundo bypassed it. I ran a full scan with Spy Sweeper three times and quarantined the same files each time. That was when I realized that I had to use Anti-Malware to get rid of most of the files and registry entries. It reported over twenty entries while Spy Sweeper only reported seven. The file I had the most problems with was hobopuke.dll. That file was locked so I had to remove it with FileAssassin. There is also a folder in the root directory called Avenger that contained hobopuke.dll. There were four registry entries that said they were removed but actually weren't. Those I had to manually delete.

    Some files to look for:

    hobopuke.dll (System32 and Avenger folders, also tries to run at startup with Rundll)
    savobaro.dll (System32 and Avenger folders)
    jiyayuda.dll (System32)
    lohenufewa.dll (tries to run at startup with Rundll)
