System Security 2009 Analysis and Removal

April 10, 2009 by Shanmuga  
Filed under Featured, Rogue Security Software, spyware removal

System Security 2009 is one of the newest entrants into the family of rogue antisecurity software. Once installed it surreptitiously downloads and installs a malicious backdoor trojan that runs in the background and allows remote access to the compromised system.

Rogue security software is a family of products that present themselves as antivirus, antispyware or registry cleaners and use deceptive or high-pressure sales tactics, including deliberate false positives, to push users into buying a licence or subscription. They are frequently repackaged and renamed. They do not actually remove malware; many of them install more malware of their own.

Note: Visiting some of the domains mentioned below may harm your computer system.

I came across this pest when I visited a hacked website. A dialog box popped up warning of a multitude of malware and offering a free scan. The scan ran regardless of which button was pressed. It presented a deceptive Windows Explorer-like interface inside the browser, and the fake scan predictably "found" hundreds of threats on the system.


The rogue attack originated from onlinebrandsecurity .com, hosted at IP 91.212.65.55 in Ukraine by Eurohost LLC and registered to one Karen Patterson, who used a temporary, disposable email address to register the domain. This IP is also home to Youronlinestability .com, Networkstabilityscan .com, Scanprotectiononline .com and Internetsafetyexamine .com. Onlinebrandsecurity .com does not host a website; it only hosts the JavaScript code and GIF images that simulate the fake scan, plus a couple of malware dropper files.

Image courtesy of Robtex

Unlike many rogue antisecurity software installer sites, you will not get infected if you visit the site directly; you need to be redirected from another infected site to experience the true purpose of this site.

The following text-only view of the website gives an idea of how the fake scan is perpetrated:

[javascript]

[page_progressbar.gif]

System Tasks
[i5000000.gif] [1]View system information
[i6000000.gif] [2]Add or remove programs
[i7000000.gif] [3]Change a settings
Other Places
[i1000000.gif] [4]My Network Places
[i2000000.gif] [5]My Documents
[i3000000.gif] [6]Shared Documents
[i4000000.gif] [7]Control Panel
Details
My Computer
System Folder

System scan progress
[inf20000.gif] 7 trojans
[folder.gif] Shared Documents
[inf20000.gif] 103 trojans
[folder.gif] My Documents
Hard drives
[inf20000.gif] 362 trojans
[hdd.gif] Local Disk (C:)
[inf20000.gif] 155 trojans
[hdd.gif] Local Disk (D:)
DVD
[dvd.gif] DVD-RAM Drive (E:)
0%
Now scanning: none
Your Computer is Infected!
Threats and actions:
Name                                Risk level  Date        Files infected  State
[qicon.gif] Email-Worm.Win32.Net    Critical    11.18.2008  35              Waiting removal
[qicon.gif] Email-Worm.Win32.Myd    Critical    11.18.2008  35              Waiting removal
[qicon.gif] Trojan-Downloader.Win   Critical    11.18.2008  35              Waiting removal
Description:
This program is potentially dangerous for your system.
Trojan-Downloader stealing passwords, credit cards and other personal
information from your computer.
Advice:
You need to remove this threat as soon as possible!
[8]Full system cleanup

The site downloads ws.zip, extracts it and runs an install.exe (103,976 bytes) that had a mere 15% detection rate at virustotal.com. This file drops the System Security 2009 rogue on the system. Once it is installed, the scare messages start popping up all over. The popups appeared very frequently and stayed on top until killed. One of the fake messages announced that the Firefox browser was infected with a worm called 'Lsas.Blaster.Keyloger'.


It then downloads a second installer, pv.exe (163,344 bytes), identified as a trojan by 60% of the scanners at VirusTotal. While installing, the trojan masquerades as CTF Loader (a Microsoft component) and as a Skype file.

This scareware uses the payment processor securesoftwarepays .com through Electronicbillinghost .com.
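To turn the chain described above (a referring compromised site, the scan resources on onlinebrandsecurity .com, then the ws.zip/install.exe and pv.exe downloads) into something a proxy log can be searched for, here is an added example of my own; it is not code from the original post. It reads web-proxy log lines in Apache combined format with absolute request URLs (an assumed log format) and separates clients who merely saw the fake scan from those who actually fetched a dropper. The domain and file names are the ones this post gives; the log lines, client addresses, the referring site www.example-compromised-site.test and the resource path scan.js are constructed for the demo.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Domains this post ties to the campaign (de-fanging spaces removed).
ROGUE_DOMAINS = {
    "onlinebrandsecurity.com", "youronlinestability.com", "networkstabilityscan.com",
    "scanprotectiononline.com", "internetsafetyexamine.com",
    "electronicbillinghost.com", "securesoftwarepays.com",
}
# Files the post names as the actual payload; seeing the fake scan alone is not an infection.
DROPPER_NAMES = {"ws.zip", "install.exe", "pv.exe"}

# Assumed format: Apache "combined" style proxy log with the full URL in the request line.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> dict | None:
    """Parse one log line; returns None for lines that do not match the assumed format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    d["host"] = (urlsplit(d["url"]).hostname or "").lower()
    d["ref_host"] = "" if d["referer"] == "-" else (urlsplit(d["referer"]).hostname or "").lower()
    d["file"] = urlsplit(d["url"]).path.rsplit("/", 1)[-1].lower()
    return d


def triage(lines) -> dict[str, dict]:
    """Per client: the outside site that referred it into the rogue domains, how many
    fake-scan resources it loaded, and which droppers (HTTP 200 only) it pulled down."""
    per_client: dict[str, dict] = {}
    for line in lines:
        d = parse_line(line)
        if d is None or d["host"] not in ROGUE_DOMAINS:
            continue
        rec = per_client.setdefault(
            d["client"], {"entry_referer": None, "fake_scan_hits": 0, "droppers": []}
        )
        # First hop from a non-campaign site is the compromised page the user came from.
        if rec["entry_referer"] is None and d["ref_host"] and d["ref_host"] not in ROGUE_DOMAINS:
            rec["entry_referer"] = d["ref_host"]
        if d["file"] in DROPPER_NAMES and d["status"] == "200":
            rec["droppers"].append(d["file"])
        else:
            rec["fake_scan_hits"] += 1
    for rec in per_client.values():
        rec["verdict"] = (
            "dropper fetched, treat host as compromised" if rec["droppers"]
            else "fake scan viewed only"
        )
    return per_client


# Constructed demo log (not captured traffic).
DEMO_LOG = """\
10.1.2.3 - - [10/Apr/2009:14:02:11 +0000] "GET http://www.example-compromised-site.test/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.1.2.3 - - [10/Apr/2009:14:02:12 +0000] "GET http://onlinebrandsecurity.com/scan.js HTTP/1.1" 200 9120 "http://www.example-compromised-site.test/index.html" "Mozilla/5.0"
10.1.2.3 - - [10/Apr/2009:14:02:13 +0000] "GET http://onlinebrandsecurity.com/inf20000.gif HTTP/1.1" 200 1200 "http://www.example-compromised-site.test/index.html" "Mozilla/5.0"
10.1.2.3 - - [10/Apr/2009:14:03:40 +0000] "GET http://onlinebrandsecurity.com/ws.zip HTTP/1.1" 200 110412 "http://onlinebrandsecurity.com/scan.js" "Mozilla/5.0"
10.1.2.9 - - [10/Apr/2009:14:05:00 +0000] "GET http://www.example-compromised-site.test/news.html HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
10.1.2.9 - - [10/Apr/2009:14:05:01 +0000] "GET http://onlinebrandsecurity.com/scan.js HTTP/1.1" 200 9120 "http://www.example-compromised-site.test/news.html" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for client, rec in triage(DEMO_LOG.splitlines()).items():
        print(client, rec)
```

The entry_referer field is the lead worth chasing: it names the compromised site that is feeding visitors into the scan, which is the thing to get cleaned or blocked, whereas the rogue domains themselves are disposable.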

System Security 2009 -- Associated Files and Folders (Some of the file and folder names may be randomly generated)

  • C:\Documents and Settings\All Users\Application Data\03395734\03395734.exe
  • C:\Documents and Settings\All Users\Application Data\03395734\03395734.glu
  • C:\Documents and Settings\All Users\Application Data\03395734\pc03395734cnf
  • C:\Documents and Settings\All Users\Application Data\03395734\pc03395734ins
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\System Security\System Security 2009 Support.lnk
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\System Security\System Security 2009.lnk
  • C:\Documents and Settings\malwarehelp.org\Desktop\System Security 2009.lnk
  • C:\Documents and Settings\All Users\Application Data\03395734
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\System Security

System Security 2009 -- Associated Registry keys and values

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\03395734
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\systemsecurity2009
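The folder, the executable and the Run value all share an 8-digit name that the post says may be randomly generated, so a hunt should match that shape rather than 03395734 itself. The following added example (my own, not code from the original post) does that: it checks an All Users\Application Data directory for 8-digit folders holding a same-named .exe, and parses a `reg export` of the Run and Uninstall keys for the matching persistence entries. The directory tree and .reg text it runs on are constructed to mirror the listing above; on a real machine you would point scan_app_data() at that directory and feed parse_reg_export() the exported Run and Uninstall keys.

```python
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# The post's run used 03395734; the names may be random, so match the 8-digit shape.
NUMERIC_NAME = re.compile(r"^\d{8}$")
# One string-value line of a .reg export: "name"="data" (backslashes in data are doubled).
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"


def scan_app_data(app_data: Path) -> list[dict]:
    """Flag 8-digit folders that hold a same-named .exe, the layout listed in the post."""
    hits = []
    for entry in sorted(app_data.iterdir()):
        if not entry.is_dir() or not NUMERIC_NAME.match(entry.name):
            continue
        exe = entry / f"{entry.name}.exe"
        if exe.is_file():
            hits.append({
                "folder": entry.name,
                "exe": str(exe),
                "glu": (entry / f"{entry.name}.glu").is_file(),
                "config": sorted(p.name for p in entry.iterdir() if p.name.startswith("pc")),
            })
    return hits


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Minimal .reg parser: {key path: {value name: data}}; non-string values are skipped."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = REG_VALUE.match(line)
            if m:
                keys[current][m.group("name")] = m.group("data").replace("\\\\", "\\")
    return keys


def suspicious_persistence(reg: dict[str, dict[str, str]]) -> dict:
    """Run values named <8 digits> whose data ends in \\<same>\\<same>.exe, plus the rogue's Uninstall subkey."""
    run_hits = [
        (name, data)
        for name, data in reg.get(RUN_KEY, {}).items()
        if NUMERIC_NAME.match(name) and data.lower().endswith(f"\\{name}\\{name}.exe")
    ]
    uninstall_hits = [
        key for key in reg
        if key.startswith(UNINSTALL_KEY + "\\") and "systemsecurity2009" in key.lower()
    ]
    return {"run": run_hits, "uninstall": uninstall_hits}


# Constructed demo data (not exported from a real system); the benign entries are made up.
DEMO_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"03395734"="C:\\Documents and Settings\\All Users\\Application Data\\03395734\\03395734.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\systemsecurity2009]
"DisplayName"="System Security 2009"
'''


def build_demo_tree(root: Path) -> Path:
    """Lay out the post's file set plus a benign neighbour under a scratch All Users\\Application Data."""
    app_data = root / "All Users" / "Application Data"
    rogue = app_data / "03395734"
    rogue.mkdir(parents=True)
    for name in ("03395734.exe", "03395734.glu", "pc03395734cnf", "pc03395734ins"):
        (rogue / name).write_bytes(b"placeholder")
    (app_data / "Microsoft").mkdir()
    return app_data


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        files = scan_app_data(build_demo_tree(Path(tmp)))
    return {"files": files, **suspicious_persistence(parse_reg_export(DEMO_REG))}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The shape-based match is deliberately narrow: an 8-digit folder alone is not enough, it must also contain an executable of the same name, and a Run value only counts when its data points back into a folder of the same name. That keeps legitimate numeric folders (update caches, for instance) out of the results.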

System Security 2009 -- Associated Domains

  • Onlinebrandsecurity .com
  • Youronlinestability .com
  • Networkstabilityscan .com
  • Scanprotectiononline .com
  • Internetsafetyexamine .com
  • Electronicbillinghost .com
  • securesoftwarepays .com

System Security 2009 -- Removal (How to remove System Security 2009)

The free version of Malwarebytes' Anti-Malware appears to remove this rogue security software.

  1. Download and install Malwarebytes' Anti-Malware.
  2. Boot into Windows Safe Mode.
  3. Run a scan. Check all instances of the rogue antispyware and delete them.
  4. Turn System Restore off and back on, so that restore points holding copies of the rogue are discarded.
  5. Download and install CCleaner, then scan and clean the temporary files.

You should now be clean of this rogue.

If you still see symptoms associated with this rogue anti-spyware, please post your problem at one of the Recommended Online Forums for Malware Help.

Note: The above installation was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer 8 and Firefox 3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.


Comments


  1. jordan wingert on May 11th, 2009 3:26 AM

    I have System Security 2009 version 4.51, please help me get rid of it.

  2. Anonymous on May 31st, 2009 4:43 AM

    The version I have disables the keyboard on start up so I cannot access safe mode.

  3. Jay on July 19th, 2009 6:11 PM

    SAY GOOD-BYE TO “SYSTEM SECURITY” MALWARE

    1. Go to: C:\Documents and Settings\All Users\Application Data
    2. Find a “number” for folder. On my computer it was “19550004.”
    3. Open this folder.
    4. See 2 files with the same names "19550004". One is a 'file' and one is an application.
    5. You cannot delete them but you can RENAME them.
    (For the sake of good taste, I won't tell you what I renamed them, but I simply wrote a four letter word in front of the two "number" files.)
    6. Restart your computer and presto! No more “System Security” on my computer!

  4. Jab on August 23rd, 2009 9:09 PM

    Thanks a lot, Jay: it worked! :D
