System Fix Virus Removal

Hello! Thank you very much to Grinler and this site for saving me time and money by posting on the System Fix Virus. The link to those instructions: http://www.bleepingcomputer.com/virus-removal/remove-system-fix

This is the first time I have been to this site. I am very grateful and felt compelled to make an addition to the instructions of a work-around I stumbled upon while try to fix my Windows XP that was not mentioned in the instructions. If it can help someone else, then I've done my part.

The problem I was having was I couldn't see anything so just getting started with these instructions wasn't working. Couldn't use Internet Explorer, couldn't see My Computer, etc. All files were hidden. Since I am a novice, I decided to try safe mode because I had seen other articles talking about starting in safe mode. When I started in safe mode, I was able to use an administrator account (that I didn't even know existed) to see a thumb drive that I had put all of the programs you would need to use to remove this cr*p I had dl'ed from my good computer. I was able to go through the entire process and it seemed to work, but when I restarted without safe mode, the virus was still there and my files were still hidden (some had returned but all files were empty).

Since I found that random administrator account in safe mode, I hit the start button and right clicked to open up all user accounts. I had done this before to view my son's account to see if the virus had hit there and noticed it took a couple of minutes to take hold, but back to the point... I created a new administrator account aptly named "virus". Before the virus took over the account, I uploaded the "IExplorer" named version of "IKill" and ran it. It worked!!! From there, the rest of the instructions worked flawlessly.

Just felt I should share.

Best Regards,
Mike B.

Thanks for the kind words and sharing your experience with Grinler's removal guide. He does work very hard to get these guides posted in a timely manner with step by step instructions.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then use Disk Cleanup to remove all but the most recently created Restore Point.
• Go to > Run... and type: Cleanmgr
• Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
• Click the "More Options" tab, then click the "Clean up" button under System Restore.
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
• Click Yes, then click Ok.
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
• Disk Cleanup will remove the files and close automatically.

Vista and Windows 7 users can refer to these links:

• Create a New Restore Point in Vista or Windows 7
• Disk Cleanup in Vista
• Disk Cleanup in Windows 7

I was struck by the System Fix virus, and I was able to kill it using Bleeping Computer's instructions, rkill, the rootkit scanner, and unhide.
However there are a few improvements I would make in the instructions.
Rkill (downloaded under disguised name iexplore) will kill off the virus from memory, but leaves it still on disk. The virus will come back the life as soon as the computer is rebooted. Rkill reports the file names of everything it kills out of memory. After Rkill finishes, you should immediately use Windows Explorer to search for and delete ALL the files rkill reports. Malwarebytes did NOT detect or delete any of the System Fix files. It's doubtless a worth AV program, but it doesn't have System Fix's number yet.
For good measure I used Windows Explorer to search and destroy ALL files listed as part of System Fix off the hard drive. Them I used Regedit to exterminate all its registry entries.
When you come out of the System Fix killing, your files are still hidden, which is kind of alarming. However Unhide brings everything back.