System Security 09. I can't remove because I can't execute anything.

Hi, I have a laptop with this virus. I have browsed through the threads with this issue and tried the recommendations, however nothing works because I can't execute the programs. I downloaded Ice Sword and was unable to execute it. I then re-named it to winlogon.exe but it did not work. I also downloaded the HiJack software and was unable to execute it. I also renamed it with no success. I also downloaded MGTOOLS but was unable to execute. Everything else is locked up. Except I can get on-line. I can't use taskmgr or access the computer through safe mode. I am so frustrated. I have never dealt with something this difficult to remove. My last resort is to clean up the laptop but I am hoping that I won't have to go that far. This virus seems to spread each time I reboot. Any help would be very appreciated. Thank you.

Hello.
Even though MGTools.exe won't run fully, it still drops it's load.

Is this folder present?
C:\MGTools

I tried to execute the program but it did not. Therefore, it did not create a folder.

The MGTOOLS.exe file is there but there is no folder. I don't mean to sound redudant.

I double clicked the link 1 to run DDS.scr. It looked like it was going to begin to run. However, nothing happened.

Can you do the following in Safe Mode with Networking, as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu.) Once in the start up menu, select "Safe Mode with Networking", then do the following instructions:

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
  

I rebooted the computer and pressed F8 to start it in Safe Mode Networking. I got a blue screen with the following message. "A problem has been detected and windows has been shut down to prevent damage to your computer. If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps: Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHDSK /F to check for hard drive corruption, and then restart your computer. Technical information: Stop: 0x0000007B.

Can you download the Hijack This installer, but before trying to run it, rename it to winlogon.exe.

To rename: Right click the file > Rename.

I tried that and it did not work.

Now I can't even get into the windows XP gui. When I restart I get a ton of bad image error messages. I have to press "ok" to get through them. I am getting a blue screen that reads. " A problem has been detected and windows has been shut down to prevent damage to your computer. DRIVER_IRQL_NOT_LESS_OR_EQUAL" The message continues.
At the bottom it says, "Beginning dump of physical memory
Physical memory dump complete."

Do you happen to know if this is a message from the virus or the OS?

Is the computer too infected to fix? Nothing seems to work. From looking at other threads, everyone can at least send you their files through HiJack This or another software.

I feel so frustrated. I have been working on this for two days. I have to go home (I am at work.) Tomorrow I will clean it up - I think.

Thank you so much for your help.

If the machine cannot boot anymore, we may need to use a rescue disk.

Please download this file: Avira Rescue Disc

1. Insert a black CD into your CD draw.
   
2. Double click the rescuecd.exe file on your Desktop.
   
3. Hit the "Burn CD" button and allow it to burn, it shouldn't take too long.
   
4. Next, reboot your computer, keep the CD inside the draw.
   
5. Your computer should boot from the CD and boot to the Avira rescue disc.
   
6. Next, see this guide here: How to use the boot disc
   

Hi I am helping a family member with this virus. (System Security 2009). Here are the symptoms:

- Not able to start in safe mode (boot.ini file corrupt)
- Not able to execute any files (Sophos Rootkit, Anti-malwarebytes, CA Anti-virus, Combo Fix.) Even after naming files with .com, .pif, .scr.
- Not able to delete files associated with System Security
- Cannot acces regedit, msconfig, task manager, or command prompt

Also tried bootable Avira cd as stated above and still no success.

Any advice?

(I cannot run Hijack This or anything else so I know I am very limited)

Oh and I tried running Malwarebytes from a batch file.

Last edited by ytap2000 on 1st July 2009, 9:32 pm; edited 1 time in total (Reason for editing : add info)

Hello ytap2000, please refrain from posting in members topics and start your own.

Hi,

Thank you for the info re: the boot disk. I went ahead and wiped the computer clean and reinstalled the OS. After that I immediately installed an anti-virus software and ran it. After everything looked cleaned I then re-installed the Ofc suite, etc. This virus seems to spread. Everytime I booted I would see a new sympton. My advice is if you see it, immediately follow the removal instructions. DON'T WAIT!

My problem was that I did not realize what type of virus I had. I didn't know that the softare was malicious (even though it was someone else's computer.) I did the regular checks and booted the computer a few times. By that point, all of my executables were sabotaged and all of the data was compromised - I had no control over anything. Yesterday when I plugged my NIC cable (and had internet access) I heard something on the audio device. It was like commercials and elevator music. It was just bizarre.

I am so glad I came across this site. Again, thank you for your help.