System Security 2009 - tried everything and can't remove!

Hi.. I have a MAJOR issue and could use some help. I am unable to start a new topic on this board in Firefox because the System Security 2009 virus has blocked the icons from appearing for New Post (IE works ok). I cannot run Hijackthis or any other virus or malware scanner - renaming the files do not help. After I run any of the programs, they halt automatically and then the icon changes to a standard windows icon.. and then when I go to run it again, it says I don't have the proper permissions.. when I try to delete the icon - it says it is still in use! Unlocker allows me to delete it... when I use the program to tell me the process that has the file, it comes up blank!

I've tried Safe Mode.. Safe Mode with Networking... I've even tried the Avira Boot CD... I just don't know how to clear this thing. It blocks me from running regedit, etc. I've cleared the registry of entries anyway, removed all traces of login.exe and the other #'d.exe programs... there is nothing odd running in taskmgr.. but still it persists.

I suspect a rootkit but I"m not sure what else to do... help please!!! thx!

I continue to try things with no solution in site... this has been going on for 4 days now... I'd really love some help with this please.... so frustrating!!

just wondering how long I can expect to wait for some advice - my PC is basically useless at the moment. thx.

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
  

Hi.. and thanks.. but as I mentioned, after install when I go to run the program, it starts to run and then shuts down on its own... it doesn't load notepad with the log and subsequent attempts to run the program fail with an error message: Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.

This happen regardless of whether I'm in safe mode or regular mode.. its the same for malwarebytes or any other spyware/malware/virus software. I've never seen the likes of this before but it basically identifies the software as a scanner and stops its, somehow corrupts the file and prevents future usage of it.

I've tried renaming the installer, install path and program names as well and still the program only runs for perhaps 2 seconds then shuts down.

Would love to fix this!!!! Thx again for your help!

no worries.. but I'm still awaiting further instruction as to what to do since I cannot run hijackthis.. thx.

bump for help since my thread was hijacked....

Hello.
What a mess you have there. Lets get rid of some un-needed software first.

• Open HijackThis.
  
• When Hijack This opens, click "Open the Misc Tools section"
  
• Then select "Open Uninstall Manager"
  
• Click on "Save List..." (generates uninstall_list.txt)
  
• Click Save, copy and paste the results in your next post.
  

Here is the list.. but realize that I cannot run the Scan.. the results up top are from another user that hijacked this thread (thx by the way!) thus I'm not sure if you were referrring to my issue.. or his?

Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flex Builder 3
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AGEIA PhysX v7.11.13
Allok RM RMVB to AVI MPEG DVD Converter 3.1.1207
AnswerWorks 5.0 English Runtime
AnswerWorks 5.0 English Runtime
Apple Mobile Device Support
Apple Software Update
Black Hawk Down Server Manager
Bonjour
BookSmart 2.0 2.0
BookSmart 2.0.1 2.0.1
BookSmart 1.9.5 1.9.5
BookSmart 1.9.7 1.9.7
BookSmart 1.9.9 1.9.9
Canon Pro9500 series Printer Driver
Canon Utilities Easy-PhotoPrint Pro
Citrix Presentation Server Client - Web Only
Click to Convert 6.0
Company of Heroes
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
DEVIL MAY CRY 4
DFBHDPinger v6.0
Dfine 2.0
DigitalPro
Executor v0.99b
ExifPro 1.0 Photo Viewer
FlashGet 1.9.6.1073
FotoFusionV4
Foxit Reader
Genie Backup Manager Pro 8.0
Genuine Fractals 5.0
GeoSetter 3.1.5
Hide Folder 3.1
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP Precisionscan Pro 3.1
IDdownloader 1.0.0.0 BETA
IDimager Professional Desktop Edition 4.2.0.5
IDimager Professional Desktop Edition 4.9.9.0
IDimager Professional Desktop UPDATE 4.9.9.3
ImgBurn
Intellihance Pro 4.2
iTunes
Java(TM) 6 Update 7
Lightroom
Lucis Pro
MainType 2.1.1
Malwarebytes' Anti-Malware
MEDITECH core
MEDITECH MagicCS Connect (Incomplete Install)
MEDITECH RAT
MEDITECH Workstation3.x
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
MonacoOPTIX 2.0
Mozilla Firefox (2.0.0.20)
Mozilla Thunderbird (2.0.0.22)
MSXML 4.0 SP2 Parser and SDK
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
Ocean Express
OpenAL
PDF Settings
pdfFactory Pro
Pen Tablet
PhotoFrame Pro 3.1 Demo
PhotoTools 1.0 Professional Edition
''Pixel Creator Pro v4.2 Productivity Suite''
Plants Vs Zombies
PowerISO
Qimage 30 Day Trial
QuickBooks Premier: Professional Services Edition 2009
Quicken 2009
QuickTime
Realtek High Definition Audio Driver
Replay Media Catcher 3.02
RocketBowl Plus
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Sharpener Pro 3.0
SupportSoft Assisted Service
System Requirements Lab
TextPad 5
The Chronicles of Spellborn
ThumbsPlus version 7 SP2
Tiffen Dfx v1.0 for Photoshop
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wmaiper
TurboTax 2008 wrapper
Tweak UI
UltraMon
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Vertus Fluid Mask 3 3.0.10
Viveza
VLC media player 0.9.0-test3-20080729-0131
WinRAR archiver
World of Warcraft
Yahtzee Texas Hold'em

Please download Ice Sword from HERE

1. Download the zip to your desktop and extract it.
   
2. Open the Ice Sword folder and then launch IceSword.exe.
   
3. Then look in the left hand bottom of the program and press "Registry"
   
4. When the registry list opens, drag the line between the two windows so you can see which registry hive you need.
   
5. Next, open the HKEY_LOCAL_MACHINE, and navigate to the following key:
   
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   
   
6. Now look in the right side pane for two run values that are just random numbers.
   
7. Once you have found the value(s), right click it and press "Delete"
   
8. Okay the prompt and close IceSword.
   

thx but no dice there... I checked this and removed anything a few days ago that looked ugly. After I did that and cleared my Windows/Temp folder, I was able to use regedit again.. but - things are still majorly borked with my PC.

For example, now programs such as Directory Opus and Ultramon are crashing on me even though I've used them for years without a problem.

Here's the results of looking at the registry with Icesword... any other ideas? This thing must be deeply rooted - I think bootstrap or loading with Windows for sure - are there tools to look at this? Thx!

bumpy to top.. thx.

Lets try this.

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  
• Double click DDS.scr to run.
  
• When complete, two logs will open. Save both of the report to your Desktop.
  
• Copy and paste DDS.txt back here, I don't need to see attach.txt.
  

tried to run it.. it said:
Windows cannot find 'cmd'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

When I tried to run CMD from the RUN prompt - I got the same message!

Help!!

Ok.. I downloaded a new version of CMD and stuck it in the windows\system32 folder and ran the D.D.S - but.. after 10 mins of waiting.. I have nothing showing up.. just the DDS screen as follows:

bump for advice.. thx.

no help yet so off to bed.. by the way - tried to run hijack this and malware via hirens boot cd - no luck there either - there I get an error 500006 - no ideas on google and no where to turn for help.

Looks like my restore points are gone as well now - I don't have any listed and can't go back to July in the restore routine....

I would greatly appreciate some advice - I think this has just about stumped everyone!

I wouldn't say everyone, I haven't given up yet. Lets try IceSword again, but this time, lets try the other hive.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Take me a screenshot of that run key (remember to switch hive from HKLM to HKCU)

Here you go... not much there to help I'm sure... still can't run hijackthis or malwarebytes.. and I cannot start the windows audio service .... is there any hope for this?

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.