Help with removal system32.exe "hanging man" virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by Nephron, Dec 15, 2009.

  1. Nephron

    Nephron Private E-2

    What a sad two weeks the system32.exe "hanging man virus" has given me. I am looking for some help and I thank you in advance.

    I have a Dell Precision 380 desktop, WinXP, "protected" by Norton 360 v3.

    2 weeks ago a terrible screen suddenly popped up. It was black, showed a man hanging from the ceiling, had some Arabic writing on it and then a message in English saying I was doomed. There was a "login window" asking for a password. It warned that if I could not come up with the password, or if I "x-ed" out of the screen, I would lose all my .dll files and not be able to start my system. I "x-ed" out and first all my desktop icons began to "melt" until none were recognizable. I noticed that Norton 360, which was running when I booted up, was nowhere to be found. It was uninstalled.

    I shut down the system and rebooted. It would start and then immediately shut down. I tried this several times. Eventually it finally stayed on and I reinstalled Norton 360 and scanned; nothing was found. I then started to use Norton to check the registry and do other tasks. I got to the startup menu optimization area of Norton and I removed several programs I did not want to have start up. While looking at what was on my startup menu, I noticed an icon of a computer with jail bars in front of it and it said system32.exe.

    I clicked on it and the hanging man reappeared with the same threat as above. This time when I "x-ed" out, I could not reboot, as an error message appeared on a black screen saying Windows could not find system32.exe.

    I tried safe mode; it did not work. I tried to repair Windows and got a BSOD. I tried to reinstall Windows and got a BSOD.

    I called Dell and bought a new SATA HD. I took out the infected drive, put it in an external casing and connected it to my computer as an external storage device.

    I reinstalled Windows on the new HD. I called Norton and they could not explain why Norton 360 did not protect me. I had my files backed up remotely by Norton and asked about downloading my stored files to the new HD. I was concerned that my data files could be infected. Norton told me they scanned it and it was clean. They said from my description I was infected with a Master Boot Record virus.

    As they finished downloading my data, they informed me that they had detected a Trojan. Now my disk was infected with who knows what. Norton wanted me to pay them 200 dollars to clean the new HD. I told them the drive only cost me 59.00 dollars.

    I proceeded to run Norton 360, AVG and RegCure on both my HD and the externalized infected drive. Several viruses were found on the external drive and one Trojan was removed from the new HD.

    I was able to access my files on the external drive. I went in and looked around. I looked in the Program Files folder and to my horror, I found that same icon of the computer with the jail bars called system32.exe. The various scans I ran did not get rid of this virus.

    I went back into my main system and installed some software. I needed to reboot and did. When I tried to bring it up, I got the black screen and the error message saying I had a system32.exe issue again.

    I called Dell and they told me to reinstall Windows, which I did. Since then I have run a multitude of antivirus programs. I have dared not enter the external drive, but I did scan it with everything, including MS Essentials and the MS malware removal tool.

    I need to get my files off the external drive. I need to kill that system32.exe virus on the external drive. Can anyone tell me if there is a program to use on the external drive to clean it? Does anyone recognize the "hanging man" virus system32.exe?


    Thanks.
     
  2. evilfantasy

    evilfantasy Malware Fighter

    Welcome to MajorGeeks!

    Yes. But we need logs.

    Please follow the instructions in the link below and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide

    If any of the scans will not run or download, move on to the next one and let me know what happened, like if there were any errors or if they just wouldn't download or run.
     
  3. Nephron

    Nephron Private E-2

    Ok, I think I have been helped. To review, I have a new HD and my old infected drive is externalized and now connected to USB. My goal is to get my files off the old HD. I tried to do this once after installing Windows on the new HD, and then running Norton 360 v3, AVG 9.1 and RegCure spyware, and all scanned both my new HD and the externalized infected HD connected by USB. Nothing was found. So I went into my infected disk and tried to look at files. The files were all there. THEN, when I shut down the new HD and tried to reboot, I was attacked by the same system32 hanging man virus and it became necessary to reinstall Windows on the new HD and start over. BTW, when I was checking out the infected disk, I found the icon of the MBRV "hanging man" in the Program Files and I became worried, which was justified.

    So after doing everything Major Geeks instructed, I found several threats on the infected drive including a "trojan.system32", which I assume is the hanging man MBRV. I looked at the details and noticed that the trojan32.exe was on a string which had Norton on it. Just to remind Major Geeks, when I got attacked by the hanging man system32.exe virus I was running Norton 360 v3.0 and the hanging man not only defeated Norton 360 but uninstalled it!!! When I told this to Norton, they told me they could not be 100% protective. Yeah, great.

    So I submit the logs as requested. I was unable to run ComboFix, as per the message which "read me first" mentioned.
     

    Attached Files:

  4. evilfantasy

    evilfantasy Malware Fighter

    No antivirus is bulletproof. None! If they were we wouldn't have this forum with so many requests for help. ;)

    This says No action taken. Did you let Malwarebytes fix these after copying the log?

    It looks like you ran MGtools on your C drive but E is the infected drive right? I'll need MGtools logs from the E drive if that is the infected drive.
     
  5. Nephron

    Nephron Private E-2

    I must have sent the wrong log. I did quarantine and delete the two. See the log upload on this post. How do you run MGtools for my E drive (infected drive)? I did not see the option; do I need to download it to the E drive directly?

    Thanks
     

    Attached Files:

  6. evilfantasy

    evilfantasy Malware Fighter

    Yes. Unlike an antivirus MGtools will only scan the drive it is on.
     
  7. Nephron

    Nephron Private E-2

    Ok, here are the remaining issues.

    1. MGtools run on E drive and logs are not appearing for send or upload. I have downloaded MGtools on the E drive and put it into the Program Files folder where I ran it. It is the same folder which has the Hanging Man Virus System32.exe icon. I run it, it says it's complete, but I see no logs or files for that run to send Major Geeks. The only zip folder of MGtools is the one on the C drive and the C drive desktop, and I think those are the logs for the MGtools run from the C drive. So am I running MGtools correctly on the E drive and how do I get the specific logs from the E drive MGtools run to Major Geeks?

    2. The fact that the system32.exe icon is still on the E drive in the Program Files folder, does that mean the virus is still active? Could the icon be just a harmless residual waiting to be deleted? Would the antivirus programs have removed this icon if they were successful in getting rid of the program?
    3. I have been trying to upload the screenshot of the system32.exe icon to Major Geeks, but I fail as the system says I exceed its upload capacity. How can I get the screenshot to Major Geeks?
    4. What do I do about the ComboFix issues?
    5. How do I know when it's safe to open and copy or move files from my E drive to my C drive?
     
  8. evilfantasy

    evilfantasy Malware Fighter

    You need it in the root of the drive, E:\MGtools, for it to run correctly.

    We'll get to that.

    After we remove the malicious files from the drive.

    Try this first please, before running the MGtools scan. Run this on the E drive. Using Dr.Web CureIt
     
  9. Nephron

    Nephron Private E-2

    Ok, here is the DrWeb.txt report. It found 4 viruses. I think 3/4 were related to MGtools, as I forgot to remove MGtools on both the E and C drives before the scan. No sign of the hanging man system32.exe virus. I sent the report from MGtools but I still am not sure I did it correctly. I did download E:\MGtools and ran it from there, but looking at the scan in progress, it still looks like it was scanning the C drive.

    Presently I am using Norton 360 v3. But with all the programs recommended by Major Geeks, which one or more should I use after all this is over for best protection? Did you get the screenshot of the icon from the Hanging Man virus system32.exe?
     

    Attached Files:

  10. evilfantasy

    evilfantasy Malware Fighter

    Okay, I was telling you the wrong procedure for running MGtools on the E drive. You can only get it to run on a drive that is bootable. Not on an external drive. So if you want to hook up the drive to make it bootable then run MGtools on it you can do that.

    Dr Web didn't find anything useful and I have never heard of this hanging man virus so without the information provided by MGtools we may never figure this out. I can't even guarantee MGtools will help us find it but that's about our only choice since none of the malware scanners are turning up results.
     
  11. Nephron

    Nephron Private E-2

    Well, thanks for the MGtools clarification. Originally when I crashed 3 weeks ago I was unable to repair the drive by using my reinstallation disks. I could wipe it out, so that would defeat the purpose of getting my files. I have been on the drive since I externalized it and the files are fine. I am just leery about transferring them to my C drive, but I may have to take the chance. I don't know how to boot a damaged drive if there is a way.

    On another note, a Dell rep suggested I make a bootable Ubuntu disk, which is Linux. He said many people do this to grab files and it's safe from Windows-based spyware. I tried but I really have no idea what to do. Do you have any suggestions to safely get my files off the infected drive?

    Thanks
     
  12. evilfantasy

    evilfantasy Malware Fighter

    You can boot it using a Rescue CD like the Avira AntiVir Rescue System or Ultimate Boot CD. They are Linux based.

    I'm wondering if this is an actual virus or a program that someone might have installed without your knowledge. Dr Web should have picked up something. Does someone have access to your computer that might have done this?
     
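    Both the Ubuntu suggestion above and the Linux-based rescue CDs serve the same purpose: reading the old disk from an environment in which the Windows malware cannot run. As an added example (not from the thread or from any tool it names), this POSIX shell function copies the user's data across while leaving Windows executable file types behind; the device path, mount options and extension list are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or any product mentioned in it: pull user data
# off an infected volume from a Linux live/rescue boot while leaving Windows
# executable file types behind, so a self-named dropper such as the thread's
# "system32.exe" is not carried to the clean drive. Assumes the old disk was
# mounted read-only first, e.g. (device path is an assumption):
#   mount -t ntfs-3g -o ro,noexec,nodev,nosuid /dev/sdb1 /mnt/infected
# The mount is left outside the function so it can be exercised on any directory.

# Extensions left behind (case-insensitive); the list is illustrative, not exhaustive.
SKIP_EXT='exe|dll|scr|com|pif|bat|cmd|vbs|js|jse|wsf|lnk|sys|msi'

# rescue_copy SRC DEST: copy every file under SRC except the skipped types into
# DEST, record the skipped relative paths in DEST/skipped.txt (for later scanning,
# not for running), and print the number of files copied.
rescue_copy() {
    src=$1
    dest=$2
    mkdir -p "$dest"
    : > "$dest/skipped.txt"
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        base=${f##*/}
        case $base in
            *.*) ext=$(printf '%s' "${base##*.}" | tr 'A-Z' 'a-z') ;;
            *)   ext='' ;;
        esac
        if [ -n "$ext" ] && printf '%s\n' "$ext" | grep -Eqx "$SKIP_EXT"; then
            printf '%s\n' "$rel" >> "$dest/skipped.txt"
            continue
        fi
        mkdir -p "$dest/$(dirname "$rel")"
        cp -p "$f" "$dest/$rel"
    done
    # The while loop ran in a subshell, so count the copied files afterwards.
    find "$dest" -type f ! -path "$dest/skipped.txt" | wc -l | tr -d ' '
}
```

    Filenames containing newlines are not handled by the newline-separated find loop; on a live CD with GNU tools, find -print0 with xargs -0 would be the robust variant.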
  13. Nephron

    Nephron Private E-2

    I would like to try the rescue programs. What do I do, download to a CD (can I download it to the C drive) and then what, just follow the directions to boot the E drive?

    I believe I did it to myself. I was downloading YouTube music videos and I got a popup saying "click link to never heard Beatles live performances". I did that and the hanging man appeared. Did you get the screenshot with the hanging man icon? By the way, the hanging man message said all my dll extensions would be wiped out, whatever that means.

    Thanks for all your help.
     
  14. evilfantasy

    evilfantasy Malware Fighter

    I just noticed that the Dr Web scan was from the C drive. Was there an option to scan the E drive? Are you sure that E is the right drive letter?

    Can you boot with the infected drive or is it corrupted and will not boot?

    You will need to burn one of the Rescue files to a CD and run it on the infected drive. (I will post instructions). But the infected drive has to be the main bootable drive. It's already infected so booting with it shouldn't cause any more problems than are already there.

    1. Download the Avira AntiVir Rescue System
    - If you need a free burning application, CDBurnerXP works on all operating systems from Microsoft Windows 2000 SP4 onwards.
    2. Place a blank CD in your burner and double-click on the downloaded file.
    3. The program will automatically burn the CD for you.
    4. Place the burned CD into the affected computer and start the computer with the CD in the CD tray.
    5. On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
    6. Click on the Configuration button.

    - Select Scan all files
    - Select Try to repair infected files and Rename files, if they cannot be removed
    - Select Scan for dialers
    - Select Scan for joke programs (Jokes)
    - Select Scan for games
    - Select Scan for spyware (SPR)

    7. Click on Virus scanner
    8. Click on Start scanner at the bottom of the screen.

    9. Let Avira finish its scan and then remove any threats found and then exit out of the scanner.
    10. Take the CD out of the CD/DVD tray and then restart the computer.

    If needed see this Tutorial for the Avira Rescue CD
     
