System Security 2012 Malware Removal & Rootkit Removal
System Security 2012 is a FAKE anti-malware/anti-virus scanner that takes control of your computer and forces you to buy fake products that will not help you. If you see something called “System Security 2012”, please follow these instructions to remove this malware product.
One of my clients reported that his computer was infected and was running very slowly. Since this was done remotely over LogMeIn, I am limited in what I can do, which means I will not be booting into safe mode and most of the files need to be downloaded online.
OS: Windows XP SP3
- The computer was running very slowly. The first thing I did was open Task Manager, end any unimportant running processes, and look for suspicious processes.
- Discovered ping.exe, which looked suspicious, and cqjycekibznx1v.exe, which also looked suspicious
- Ping.exe constantly came back after I ended the task, suggesting this is malware of some type
- Ending the cqjycekibznx1v.exe task closed System Security 2012, suggesting it belongs to the System Security 2012 program.

- I started out running Malwarebytes, but since the CPU was running constantly at 100%, Malwarebytes would hang every single time it tried scanning.
- Download TDSSKiller from (http://support.kaspersky.com/downloads/utils/tdsskiller.exe). If your internet browser is hijacked, please type in the link manually
- Since the CPU is running constantly at 100%, everything is running very slowly; it took about 2 min for the browser to start up. (Use a browser other than IE if possible.)
- Run the TDSSKiller anti-rootkit scanner to scan for rootkits
- TDSSKiller found two different rootkits: rootkit.win32.zaccess.j under the service cdrom.sys file and rootkit.boot.wistler.a under physical drive \device\harddisk0\DR0

- Select Cure for both rootkits and select Continue
- TDSSKiller will attempt to cure the malware; reboot when it's done
- Once the computer had rebooted, I went ahead and logged in remotely again using LogMeIn and started Malwarebytes, since the computer was running faster now.
- Update Malwarebytes and run a quick scan
- Discovered additional files that need to be removed: (malware.packer) dwme.exe

- Click “Remove selected” and restart the computer again after the process is finished
- Once the computer has rebooted, start Malwarebytes again and run a full scan
- Remove any additional malware items – malware.packer, trojan.downloader
  - system security 2012.ink (rogue.systemSecurity)
  - ldr.ini (malware.trace)

- Click “Remove selected” and reboot the computer when finished
- Log into the computer and delete the temporary internet settings
- Restore the IE settings by going to Tools – Internet Options – Advanced – Reset
- Restore the IE advanced settings by going to Tools – Internet Options – Advanced – Reset Advance Setting
- Check to make sure you're not connected to a proxy server by going to Tools – Internet Options – Connection – Lan Setting and making sure Proxy Server is not checked
- Done!
*You might get faster results if you boot into safe mode to take care of this issue.
*If you have a clean computer, use it to download the required programs and transfer them over with a USB stick, either to save time or because your browser is hijacked.
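
The two Task Manager observations from the first steps (an executable with a random-looking name, and a process that comes straight back after being ended) can be checked mechanically. The Python sketch below is an added example, not part of the original write-up. The event-log format, the thresholds and the sample lines are assumptions constructed for illustration; only the two suspicious image names come from the post.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical "time event pid image" format, modelled
# on the symptoms described in the post (not captured from the infected PC).
SAMPLE_EVENTS = """\
10:01:02 start 812 explorer.exe
10:01:05 start 1440 ping.exe
10:01:06 start 1512 cqjycekibznx1v.exe
10:02:10 kill 1440 ping.exe
10:02:11 start 1688 ping.exe
10:02:40 kill 1688 ping.exe
10:02:41 start 1720 ping.exe
10:03:00 start 1900 iexplore.exe
"""

def looks_random(image, min_len=12, max_vowel_ratio=0.25):
    """Heuristic only: a long base name with few vowels or a long consonant run."""
    stem = image.lower().rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < min_len or not letters:
        return False
    ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return ratio <= max_vowel_ratio or bool(re.search(r"[b-df-hj-np-tv-z]{5,}", stem))

def respawned(events, window=5):
    """Count restarts of an image within `window` seconds of it being killed."""
    last_kill, counts = {}, defaultdict(int)
    for line in events.strip().splitlines():
        ts, event, _pid, image = line.split(None, 3)
        h, m, s = map(int, ts.split(":"))
        t = h * 3600 + m * 60 + s
        if event == "kill":
            last_kill[image] = t
        elif event == "start" and image in last_kill and t - last_kill.pop(image) <= window:
            counts[image] += 1
    return dict(counts)

def triage(events):
    """Return both findings so a human can review them before ending anything."""
    names = {line.split(None, 3)[3] for line in events.strip().splitlines()}
    return {
        "random_name": sorted(n for n in names if looks_random(n)),
        "respawns": respawned(events),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Both checks are heuristics that produce leads for manual review. Short legitimate names can trip the vowel test if `min_len` is lowered, and a watchdog service can respawn for benign reasons.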