topsnipe61 Posted December 17, 2010 ID:362152 Share Posted December 17, 2010 Attempting to remove System Tool 2011 per instructions on forum. Downloaded MALWAREBYTES and ran successfully. Found 4 items but not SYSTEM TOOL 2011. Running Windows XP on HP MINI. SYSTEM TOOL 2011 is only affecting one user of six on computer. I have run MALWAREBYTES as adminsitrator, under affected user access in safe mode and regular mode. Affected user still showing systems. Continued with instructions for when MALWAREBYTES does not solve the problem. Ran Defogger, Ran DDS, download attempted to run GMER. GMER started and then failed twice now it locks up the compute. Attempted to run in safemode but still locks computer. Really Really starting to annoy me. help please. Link to post Share on other sites More sharing options...
negster22 Posted December 17, 2010 ID:362174 Share Posted December 17, 2010 Please post all logs generated thus far.As far as Gmer goes only post the Quick Scan results as follows if you can get them successfully:Very Important! BEFORE running Gmer, temporarily disable your antivirus and antimalware real-time protection and re-enable after the log is produced.http://www.bleepingcomputer.com/forums/topic114351.htmlPerform a Quick scan:Double-click the Gmer EXE When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.When the scan is finished (a few seconds), save the scan log to the Windows clipboard Open Notepad or a similar text editor Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl VExit the ProgramSave the Scan log as ARKQ.txt and post it in your next reply.If not possible to get a Quick scan log thenPlease download Rootkit Unhooker and save it on your desktop.http://www.kernelmode.info/ARKs/RkU3.8.388.590.rarIf your unzipping program doesn't unzip RAR files, then you can download and install 7-Zip to accomplish that.http://www.7-zip.org/Just right click the RAR file you downloaded to your desktop, and choose the 7-Zip -> "Extract here" option from the context menu. Temporarily disable your antivirus and antimalware real-time protection before performing a scan by following the directions that apply HERE Double click RkU3.8.388.590.exe to run the program Click the Report tab, then click Scan Check Drivers, and Stealth Code Uncheck the rest, then click OK When prompted to Select Disks for Scan, make sure C:\ is checked and click OK Wait till the scanner has finished then go File > Save Report Save the report somewhere you can find it. Click Close Re-enable your security programs Copy the entire contents of the report and paste it in your next reply.Note - If You get this warning it is ok, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?" Link to post Share on other sites More sharing options...
topsnipe61 Posted December 20, 2010 Author ID:363470 Share Posted December 20, 2010 - closed antivirus and antimalware and attempted to run again without luck. Attached are all logs generated to-datePlease post all logs generated thus far.As far as Gmer goes only post the Quick Scan results as follows if you can get them successfully:Very Important! BEFORE running Gmer, temporarily disable your antivirus and antimalware real-time protection and re-enable after the log is produced.http://www.bleepingcomputer.com/forums/topic114351.htmlPerform a Quick scan:Double-click the Gmer EXE When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.When the scan is finished (a few seconds), save the scan log to the Windows clipboard Open Notepad or a similar text editor Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl VExit the ProgramSave the Scan log as ARKQ.txt and post it in your next reply.If not possible to get a Quick scan log thenPlease download Rootkit Unhooker and save it on your desktop.http://www.kernelmode.info/ARKs/RkU3.8.388.590.rarIf your unzipping program doesn't unzip RAR files, then you can download and install 7-Zip to accomplish that.http://www.7-zip.org/Just right click the RAR file you downloaded to your desktop, and choose the 7-Zip -> "Extract here" option from the context menu. Temporarily disable your antivirus and antimalware real-time protection before performing a scan by following the directions that apply HERE Double click RkU3.8.388.590.exe to run the program Click the Report tab, then click Scan Check Drivers, and Stealth Code Uncheck the rest, then click OK When prompted to Select Disks for Scan, make sure C:\ is checked and click OK Wait till the scanner has finished then go File > Save Report Save the report somewhere you can find it. Click Close Re-enable your security programs Copy the entire contents of the report and paste it in your next reply.Note - If You get this warning it is ok, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"arkq.txtAttach.txtDDS.txt Link to post Share on other sites More sharing options...
negster22 Posted December 21, 2010 ID:363643 Share Posted December 21, 2010 Your Gmer Quick scan is clean.Your DDS.txt has one suspicious directory present but we have to run more detection and removal tools to see what else might be present.Please copy/paste all logs into your topic - do NOT attach them!Please do not quote my directions in your next reply - just post the logs I requested.Download TFC to your desktophttp://oldtimer.geekstogo.com/TFC.exe Close any open windows.Double click the TFC icon to run the programTFC will close all open programs itself in order to run,Click the Start button to begin the process.Allow TFC to run uninterrupted.The program should not take long to finish it's jobOnce its finished it should automatically reboot your machine,if it doesn't, manually reboot to ensure a complete cleanIt's normal after running TFC cleaner that the PC will be slower to boot the first time.-------Download Microsoft's Malicious Software Removal Tool (MSRT) to your desktopSave and Rename it as You download it to explorer.exeDouble-click explorer.exe on your Desktop to run itIn the "Scan Type" window, select Full Scan Perform a scan and the Click Finish when the scan is done.Retrieve the MSRT log as follows, and post it in your next reply:1) Click on Start, Run2) Type or Copy/Paste the following command to the "Run Line" and Press Enternotepad c:\windows\debug\mrt.log==========Please download exeHelper to your desktop.Double-click on exeHelper.com to run the fix.A black window should pop up, press any key to close once the fix is completed.Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)Do NOT reboot your computer and proceed on to downloading and running Combofix.Please Run ComboFix by following the steps provided in exactly this sequence:Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it beofre proceeding:http://www.bleepingcomputer.com/combofix/how-to-use-combofixVery Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:http://www.bleepingcomputer.com/forums/topic114351.htmlNote: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.Using ComboFix ->Please download Combofix from HEREI want you to rename Combofix.exe as you download it to iexplore.exeNotes:It is very important that save the newly renamed EXE file to your desktop.You must rename Combofixe.exe as you download it and not after it is on your computer.You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:Open FirefoxClick Tools -> Options -> MainUnder the downloads section check the button that says "Always ask me where to save files".Click OK[*]For Internet Explorer:Choose to save, not open the fileWhen prompted - save the file to your desktop, and rename it explorer.exeRunning CombofixIn the event you already have Combofix, please delete it as this is a new version.Close any open browsers and programs.Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform it's normal malware removal capabilities. This is for your safety !!If Combofix asks to update, allow it to do so!If the explorer.exe (renamed Combofix) reverts back to combofix.exe when running, that is normal. 1. To Launch Combofix Click Start --> Run, and enter this command exactly as shown:"%userprofile%\desktop\iexplore.exe" /killall 2. When finished, it will produce a logfile located at C:\ComboFix.txt 3. Post the contents of that log in your next reply.Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang. Please post C:\ComboFix.txt in your next reply. Link to post Share on other sites More sharing options...
topsnipe61 Posted December 21, 2010 Author ID:363809 Share Posted December 21, 2010 1. Downloaded and ran TFC.2. Downloaded and Ran MSRT. Here is log---------------------------------------------------------------------------------------Microsoft Windows Malicious Software Removal Tool v3.3, January 2010Started On Sat Jan 23 09:29:13 2010WARNING: Security policy doesn't allow for all actions MSRT may require.->Scan ERROR: resource process://pid:2580 (code 0x00000057 (87))Results Summary:----------------No infection found.Microsoft Windows Malicious Software Removal Tool Finished On Sat Jan 23 09:30:44 2010Return code: 0 (0x0)---------------------------------------------------------------------------------------Microsoft Windows Malicious Software Removal Tool v3.4, February 2010Started On Sat Feb 13 02:34:39 2010WARNING: Security policy doesn't allow for all actions MSRT may require.Results Summary:----------------No infection found.Microsoft Windows Malicious Software Removal Tool Finished On Sat Feb 13 10:21:42 2010Return code: 0 (0x0)---------------------------------------------------------------------------------------Microsoft Windows Malicious Software Removal Tool v3.5, March 2010Started On Sat Mar 27 20:20:12 2010WARNING: Security policy doesn't allow for all actions MSRT may require.Results Summary:----------------No infection found.Microsoft Windows Malicious Software Removal Tool Finished On Sat Mar 27 20:22:00 2010Return code: 0 (0x0)---------------------------------------------------------------------------------------Microsoft Windows Malicious Software Removal Tool v3.8, June 2010Started On Sun Jun 20 18:59:33 2010WARNING: Security policy doesn't allow for all actions MSRT may require.->Scan ERROR: resource process://pid:3376 (code 0x00000057 (87))Results Summary:----------------No infection found.Microsoft Windows Malicious Software Removal Tool Finished On Sun Jun 20 19:02:39 2010Return code: 0 (0x0)---------------------------------------------------------------------------------------Microsoft Windows Malicious Software Removal Tool v3.9, July 2010Started On Thu Jul 15 15:03:21 2010WARNING: Security policy doesn't allow for all actions MSRT may require.-> Sysclean ERROR: Internal error, code = 80508015Results Summary:----------------No infection found.Microsoft Windows Malicious Software Removal Tool Finished On Thu Jul 15 15:05:50 2010Return code: 0 (0x0)---------------------------------------------------------------------------------------Microsoft Windows Malicious Software Removal Tool v3.10, August 2010Started On Wed Aug 11 21:11:40 2010WARNING: Security policy doesn't allow for all actions MSRT may require.-> Sysclean ERROR: Internal error, code = 80508015Results Summary:----------------No infection found.Microsoft Windows Malicious Software Removal Tool Finished On Wed Aug 11 21:16:28 2010Return code: 0 (0x0)---------------------------------------------------------------------------------------Microsoft Windows Malicious Software Removal Tool v3.11, September 2010Started On Thu Sep 16 11:03:04 2010WARNING: Security policy doesn't allow for all actions MSRT may require.Engine internal result code = 80508015Results Summary:----------------No infection found.Microsoft Windows Malicious Software Removal Tool Finished On Thu Sep 16 11:07:47 2010Return code: 0 (0x0)---------------------------------------------------------------------------------------Microsoft Windows Malicious Software Removal Tool v3.12, October 2010Started On Wed Oct 13 03:01:48 2010WARNING: Security policy doesn't allow for all actions MSRT may require.Engine internal result code = 80508015Results Summary:----------------No infection found.Microsoft Windows Malicious Software Removal Tool Finished On Wed Oct 13 03:05:04 2010Return code: 0 (0x0)---------------------------------------------------------------------------------------Microsoft Windows Malicious Software Removal Tool v3.13, November 2010Started On Wed Nov 10 14:04:13 2010->Scan ERROR: resource process://pid:216 (code 0x00000057 (87))->Scan ERROR: resource process://pid:4684 (code 0x00000057 (87))->Scan ERROR: resource process://pid:3992 (code 0x00000057 (87))->Scan ERROR: resource process://pid:6780 (code 0x00000057 (87))->Scan ERROR: resource process://pid:6896 (code 0x00000057 (87))Engine internal result code = 80508015Results Summary:----------------No infection found.Microsoft Windows Malicious Software Removal Tool Finished On Wed Nov 10 14:17:08 2010Return code: 0 (0x0)---------------------------------------------------------------------------------------Microsoft Windows Malicious Software Removal Tool v3.14, December 2010Started On Wed Dec 15 20:40:41 2010Engine internal result code = 80508015Results Summary:----------------No infection found.Microsoft Windows Malicious Software Removal Tool Finished On Wed Dec 15 20:43:42 2010Return code: 0 (0x0)---------------------------------------------------------------------------------------Microsoft Windows Malicious Software Removal Tool v3.14, December 2010Started On Tue Dec 21 00:24:27 2010Extended Scan Results----------------->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))No infection found as part of the extended scanResults Summary:----------------No infection found.Microsoft Windows Malicious Software Removal Tool Finished On Tue Dec 21 07:28:15 2010Return code: 0 (0x0)3. Ran EXEHELPER. Here is logexeHelper by RaktorBuild 20100414Run at 07:32:03 on 12/21/10Now searching...Checking for numerical processes...Checking for sysguard processes...Checking for bad processes...Checking for bad files...Checking for bad registry entries...Resetting filetype association for .exeResetting filetype association for .comResetting userinit and shell values...Resetting policies...--Finished--4. Attempted to download and run COMBOFIX twice. Ensured ANTIVIRUS and ANTIMALWARE were off both times. Once file downloaded and I tried to launch using the command line provided it brought up a progress bar and then said some installation files were corrupt and to get a fresh copy of COMBOFIX. Tried twice no luck.I am standing by for more direction. Link to post Share on other sites More sharing options...
negster22 Posted December 21, 2010 ID:363874 Share Posted December 21, 2010 Please try running Combofix in safe mode with networkingReboot your computer > tap F8 repeatedly on startup until an advanced option menu appears > arrow up to Safe mode with networking and select that option.Run exehelper.Now delete the copy of ComboFix on your desktop and download a new copy.Then try launching Combofix again and see if it works now.If not, you should try downloading (and renaming) Combofix on another CLEAN PC, transfer it to USB, and then copy it to the infected machine and run from there.=====If still no joy run Download OTL and save it on your desktop: http://oldtimer.geekstogo.com/OTL.exe Close all open windows on the Task Bar. Click the OTL icon (for Vista or Win 7, right click the icon and Run as Administrator) to start the program.Now click Run Scan at Top left and let the program run uninterrupted. The scan may take 5-10 minutes.Do NOT touch your keyboard until the scan is done!!It will produce two (2) logs on your desktop, one will pop up called OTL.txt; the other will be named Extras.txt.Copy/Paste OTL.txt and attach Extras.txt into your next reply, Exit OTL by clicking the X at top right. Link to post Share on other sites More sharing options...
Staff screen317 Posted February 8, 2011 Staff ID:386273 Share Posted February 8, 2011 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts