
Attempting to remove System Tool 2011 per instructions on forum. Downloaded MALWAREBYTES and ran successfully. Found 4 items but not SYSTEM TOOL 2011. Running Windows XP on HP MINI. SYSTEM TOOL 2011 is only affecting one user of six on computer. I have run MALWAREBYTES as administrator, under affected user access in safe mode and regular mode. Affected user still showing symptoms.

Continued with instructions for when MALWAREBYTES does not solve the problem. Ran Defogger, ran DDS, downloaded and attempted to run GMER. GMER started and then failed twice; now it locks up the computer. Attempted to run in safe mode but it still locks the computer.

Really, really starting to annoy me. Help please.


Please post all logs generated thus far.

As far as Gmer goes only post the Quick Scan results as follows if you can get them successfully:

Very Important! BEFORE running Gmer, temporarily disable your antivirus and antimalware real-time protection and re-enable after the log is produced.

http://www.bleepingcomputer.com/forums/topic114351.html

Perform a Quick scan:

  • Double-click the Gmer EXE
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the scan is finished (a few seconds), save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARKQ.txt and post it in your next reply.

If not possible to get a Quick scan log then

Please download Rootkit Unhooker and save it on your desktop.

http://www.kernelmode.info/ARKs/RkU3.8.388.590.rar

If your unzipping program doesn't unzip RAR files, then you can download and install 7-Zip to accomplish that.

http://www.7-zip.org/

Just right click the RAR file you downloaded to your desktop, and choose the 7-Zip -> "Extract here" option from the context menu.

  • Temporarily disable your antivirus and antimalware real-time protection before performing a scan by following the directions that apply HERE
  • Double click RkU3.8.388.590.exe to run the program
  • Click the Report tab, then click Scan
  • Check Drivers, and Stealth Code
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Re-enable your security programs
  • Copy the entire contents of the report and paste it in your next reply.

Note - If You get this warning it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"


- Closed antivirus and antimalware and attempted to run again without luck. Attached are all logs generated to date.


Attachments: arkq.txt, Attach.txt, DDS.txt


Your Gmer Quick scan is clean.

Your DDS.txt has one suspicious directory present but we have to run more detection and removal tools to see what else might be present.

Please copy/paste all logs into your topic - do NOT attach them!

Please do not quote my directions in your next reply - just post the logs I requested.

Download TFC to your desktop

http://oldtimer.geekstogo.com/TFC.exe

  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine.
  • If it doesn't, manually reboot to ensure a complete clean.

It's normal after running TFC cleaner that the PC will be slower to boot the first time.

-------

Download Microsoft's Malicious Software Removal Tool (MSRT) to your desktop

Save and Rename it as You download it to explorer.exe

Double-click explorer.exe on your Desktop to run it

In the "Scan Type" window, select Full Scan

Perform a scan and then click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Click on Start, Run

2) Type or Copy/Paste the following command to the "Run Line" and Press Enter

notepad c:\windows\debug\mrt.log

==========

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.

A black window should pop up, press any key to close once the fix is completed.

Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Do NOT reboot your computer and proceed on to downloading and running Combofix.

Please Run ComboFix by following the steps provided in exactly this sequence:

Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

Using ComboFix ->

Please download Combofix from HERE

I want you to rename Combofix.exe as you download it to iexplore.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it explorer.exe

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers and programs.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • If you are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety !!
  • If Combofix asks to update, allow it to do so!
  • If the explorer.exe (renamed Combofix) reverts back to combofix.exe when running, that is normal.

1. To Launch Combofix

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\iexplore.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply.

Note: Do not mouse-click Combofix's window while it is running. That may cause your system to stall/hang.

Please post C:\ComboFix.txt in your next reply.


1. Downloaded and ran TFC.

2. Downloaded and Ran MSRT. Here is log

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.3, January 2010

Started On Sat Jan 23 09:29:13 2010

WARNING: Security policy doesn't allow for all actions MSRT may require.->Scan ERROR: resource process://pid:2580 (code 0x00000057 (87))

Results Summary:

----------------

No infection found.

Microsoft Windows Malicious Software Removal Tool Finished On Sat Jan 23 09:30:44 2010

Return code: 0 (0x0)

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.4, February 2010

Started On Sat Feb 13 02:34:39 2010

WARNING: Security policy doesn't allow for all actions MSRT may require.

Results Summary:

----------------

No infection found.

Microsoft Windows Malicious Software Removal Tool Finished On Sat Feb 13 10:21:42 2010

Return code: 0 (0x0)

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.5, March 2010

Started On Sat Mar 27 20:20:12 2010

WARNING: Security policy doesn't allow for all actions MSRT may require.

Results Summary:

----------------

No infection found.

Microsoft Windows Malicious Software Removal Tool Finished On Sat Mar 27 20:22:00 2010

Return code: 0 (0x0)

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.8, June 2010

Started On Sun Jun 20 18:59:33 2010

WARNING: Security policy doesn't allow for all actions MSRT may require.->Scan ERROR: resource process://pid:3376 (code 0x00000057 (87))

Results Summary:

----------------

No infection found.

Microsoft Windows Malicious Software Removal Tool Finished On Sun Jun 20 19:02:39 2010

Return code: 0 (0x0)

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.9, July 2010

Started On Thu Jul 15 15:03:21 2010

WARNING: Security policy doesn't allow for all actions MSRT may require.-> Sysclean ERROR: Internal error, code = 80508015

Results Summary:

----------------

No infection found.

Microsoft Windows Malicious Software Removal Tool Finished On Thu Jul 15 15:05:50 2010

Return code: 0 (0x0)

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.10, August 2010

Started On Wed Aug 11 21:11:40 2010

WARNING: Security policy doesn't allow for all actions MSRT may require.-> Sysclean ERROR: Internal error, code = 80508015

Results Summary:

----------------

No infection found.

Microsoft Windows Malicious Software Removal Tool Finished On Wed Aug 11 21:16:28 2010

Return code: 0 (0x0)

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.11, September 2010

Started On Thu Sep 16 11:03:04 2010

WARNING: Security policy doesn't allow for all actions MSRT may require.

Engine internal result code = 80508015

Results Summary:

----------------

No infection found.

Microsoft Windows Malicious Software Removal Tool Finished On Thu Sep 16 11:07:47 2010

Return code: 0 (0x0)

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.12, October 2010

Started On Wed Oct 13 03:01:48 2010

WARNING: Security policy doesn't allow for all actions MSRT may require.

Engine internal result code = 80508015

Results Summary:

----------------

No infection found.

Microsoft Windows Malicious Software Removal Tool Finished On Wed Oct 13 03:05:04 2010

Return code: 0 (0x0)

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.13, November 2010

Started On Wed Nov 10 14:04:13 2010

->Scan ERROR: resource process://pid:216 (code 0x00000057 (87))

->Scan ERROR: resource process://pid:4684 (code 0x00000057 (87))

->Scan ERROR: resource process://pid:3992 (code 0x00000057 (87))

->Scan ERROR: resource process://pid:6780 (code 0x00000057 (87))

->Scan ERROR: resource process://pid:6896 (code 0x00000057 (87))

Engine internal result code = 80508015

Results Summary:

----------------

No infection found.

Microsoft Windows Malicious Software Removal Tool Finished On Wed Nov 10 14:17:08 2010

Return code: 0 (0x0)

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.14, December 2010

Started On Wed Dec 15 20:40:41 2010

Engine internal result code = 80508015

Results Summary:

----------------

No infection found.

Microsoft Windows Malicious Software Removal Tool Finished On Wed Dec 15 20:43:42 2010

Return code: 0 (0x0)

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.14, December 2010

Started On Tue Dec 21 00:24:27 2010

Extended Scan Results

----------------

->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))

->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))

No infection found as part of the extended scan

Results Summary:

----------------

No infection found.

Microsoft Windows Malicious Software Removal Tool Finished On Tue Dec 21 07:28:15 2010

Return code: 0 (0x0)

3. Ran EXEHELPER. Here is log

exeHelper by Raktor

Build 20100414

Run at 07:32:03 on 12/21/10

Now searching...

Checking for numerical processes...

Checking for sysguard processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

4. Attempted to download and run COMBOFIX twice. Ensured ANTIVIRUS and ANTIMALWARE were off both times. Once the file downloaded and I tried to launch it using the command line provided, it brought up a progress bar and then said some installation files were corrupt and to get a fresh copy of COMBOFIX. Tried twice, no luck.

I am standing by for more direction.
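The mrt.log excerpts posted above are hard to read by eye across a year of runs: every run ends with "No infection found." and "Return code: 0", yet most of them also carry a security-policy warning, scan errors on specific processes or files, or an engine internal result code, which means the scan did not fully complete. The parser below is an added example written for this thread, not part of the original posts and not Microsoft's tooling; it assumes only the line formats visible in the quoted log (the version header, "Started On", "Finished On", "->Scan ERROR"/"-> Sysclean ERROR", "Engine internal result code", the "No infection found." summary line and "Return code"). The sample log embedded in it is constructed from three of the runs quoted above.

```python
"""Summarise MSRT runs from a mrt.log (C:\\Windows\\Debug\\mrt.log on the page's XP machine).

Added example for this forum thread; not part of the original posts and not
Microsoft's own code. Parsing rules are derived only from the log lines quoted
in the thread. Run it as a script or import parse_mrt_log / triage.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class MsrtRun:
    version: str                       # e.g. "3.14"
    release: str                       # e.g. "December 2010"
    started: str = ""
    finished: str = ""
    policy_warning: bool = False       # "Security policy doesn't allow for all actions ..."
    errors: List[str] = field(default_factory=list)   # Scan ERROR / Sysclean ERROR lines
    engine_code: Optional[str] = None  # "Engine internal result code = ..."
    clean: Optional[bool] = None       # True once the "No infection found." summary is seen
    return_code: Optional[int] = None


HEADER_RE = re.compile(r"^Microsoft Windows Malicious Software Removal Tool v(\S+), (.+)$")
STARTED_RE = re.compile(r"^Started On (.+)$")
FINISHED_RE = re.compile(r"Finished On (.+)$")
ERROR_RE = re.compile(r"->\s*((?:Scan|Sysclean) ERROR: .+)$")
ENGINE_RE = re.compile(r"Engine internal result code = ([0-9A-Fa-f]+)")
RETURN_RE = re.compile(r"^Return code: (\d+)")


def parse_mrt_log(text: str) -> List[MsrtRun]:
    """Split a mrt.log into one MsrtRun per version header, in file order."""
    runs: List[MsrtRun] = []
    run: Optional[MsrtRun] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:                                  # a new run begins at each version header
            run = MsrtRun(version=m.group(1), release=m.group(2))
            runs.append(run)
            continue
        if run is None:                        # text before the first header is ignored
            continue
        if (m := STARTED_RE.match(line)):
            run.started = m.group(1)
        elif (m := FINISHED_RE.search(line)):
            run.finished = m.group(1)
        elif (m := RETURN_RE.match(line)):
            run.return_code = int(m.group(1))
        # The warning and an error can share one line (see the January 2010 run),
        # so these checks are independent of the ones above.
        if line.startswith("WARNING: Security policy"):
            run.policy_warning = True
        if (m := ERROR_RE.search(line)):
            run.errors.append(m.group(1))
        if (m := ENGINE_RE.search(line)):
            run.engine_code = m.group(1)
        if line == "No infection found.":
            run.clean = True
    return runs


def needs_attention(run: MsrtRun) -> List[str]:
    """Reasons a defender should not take this run as a trustworthy clean result."""
    reasons: List[str] = []
    if run.clean is not True:
        reasons.append("no 'No infection found.' summary line")
    if run.policy_warning:
        reasons.append("security policy restricted MSRT actions")
    if run.errors:
        reasons.append(f"{len(run.errors)} scan error(s)")
    if run.engine_code is not None:
        reasons.append(f"engine internal result code {run.engine_code}")
    if run.return_code not in (None, 0):
        reasons.append(f"non-zero return code {run.return_code}")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each run (version and release month) to its attention reasons; [] means a clean, complete run."""
    return {f"v{r.version} ({r.release})": needs_attention(r) for r in parse_mrt_log(text)}


# Constructed sample: three runs copied from the mrt.log quoted in this thread.
SAMPLE_LOG = """\
Microsoft Windows Malicious Software Removal Tool v3.3, January 2010
Started On Sat Jan 23 09:29:13 2010
WARNING: Security policy doesn't allow for all actions MSRT may require.->Scan ERROR: resource process://pid:2580 (code 0x00000057 (87))
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Sat Jan 23 09:30:44 2010
Return code: 0 (0x0)
Microsoft Windows Malicious Software Removal Tool v3.9, July 2010
Started On Thu Jul 15 15:03:21 2010
WARNING: Security policy doesn't allow for all actions MSRT may require.-> Sysclean ERROR: Internal error, code = 80508015
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Thu Jul 15 15:05:50 2010
Return code: 0 (0x0)
Microsoft Windows Malicious Software Removal Tool v3.14, December 2010
Started On Tue Dec 21 00:24:27 2010
Extended Scan Results
----------------
->Scan ERROR: resource file://C:\\hiberfil.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\\pagefile.sys (code 0x00000020 (32))
No infection found as part of the extended scan
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Dec 21 07:28:15 2010
Return code: 0 (0x0)
"""

if __name__ == "__main__":
    for label, reasons in triage(SAMPLE_LOG).items():
        print(label, "->", "; ".join(reasons) if reasons else "clean, complete run")
```

Run against the full quoted log, every run from January through December 2010 comes back with at least one reason, so none of those "No infection found." lines is evidence of a clean machine; that is the same conclusion the helper draws by asking for further tools. Scan errors on hiberfil.sys and pagefile.sys (code 32, a sharing violation on files Windows keeps open) are expected and benign, whereas the security-policy warning and the process scan errors mean parts of the system were never inspected.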


Please try running Combofix in safe mode with networking

Reboot your computer > tap F8 repeatedly on startup until an advanced option menu appears > arrow up to Safe mode with networking and select that option.

Run exehelper.

Now delete the copy of ComboFix on your desktop and download a new copy.

Then try launching Combofix again and see if it works now.

If not, you should try downloading (and renaming) Combofix on another CLEAN PC, transfer it to USB, and then copy it to the infected machine and run from there.

=====

If still no joy, download OTL and save it on your desktop:

http://oldtimer.geekstogo.com/OTL.exe

  • Close all open windows on the Task Bar. Click the OTL icon (for Vista or Win 7, right click the icon and Run as Administrator) to start the program.
  • Now click Run Scan at Top left and let the program run uninterrupted. The scan may take 5-10 minutes.
  • Do NOT touch your keyboard until the scan is done!!
  • It will produce two (2) logs on your desktop, one will pop up called OTL.txt; the other will be named Extras.txt.
  • Copy/Paste OTL.txt and attach Extras.txt into your next reply.
  • Exit OTL by clicking the X at top right.

(Staff reply, 1 month later)

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
