
System Tool Virus


  • This topic is locked
9 replies to this topic

#1 ChrisDallen33

ChrisDallen33

  • Members
  • 6 posts

Posted 30 December 2010 - 06:50 PM

My home PC appears to have been infected with the System Tool Virus

I am unable to access the antivirus that I have (Avast)

I downloaded and ran Malwarebytes in Safe Mode (the only way that I could) which ID'd infected files but did not remove the System Tools virus. It says that there are no files infected but the System Tools Virus is still active when I boot in normal mode.

I downloaded and ran Microsoft Malicious Software Removal Tool in Safe Mode which failed to ID any infected files but the System Tools Virus is still active when I boot in normal mode.

I've downloaded PCTools but have not used it.



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 30 December 2010 - 07:07 PM

Hello ChrisDallen33,


Let's disable the main file manually so you can run some tools.

What I want you to look for is in Application Data (If using XP). There will be a folder, with a file in it of the same "name". This will appear random, but it has a pattern. Look for letters and numbers in this order: lower case, upper case, lower case, upper case, lower case, then 5 random numbers. For example:

Folder -----> pEeHl02508\pEeHl02508.exe <-----file inside

Delete the folder. Now, if you have no access to the internet, download the following tool to a flash drive from a different computer, then put it on the infected one and run it.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to chris.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
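
Added example (not part of the original posts, and not code from the helper or from ComboFix): a read-only check for the folder naming pattern described in post #2, which lists folders whose name is lower/upper/lower/upper/lower case letters plus 5 digits and which contain an .exe of the same name. The function names and the sample folder layout are constructed for illustration; the directory to scan is passed in by the caller.

```python
import re
import tempfile
from pathlib import Path

# Naming pattern from the post: lower, upper, lower, upper, lower case
# letters followed by 5 digits, e.g. "pEeHl02508".
NAME_RE = re.compile(r"[a-z][A-Z][a-z][A-Z][a-z][0-9]{5}")


def find_suspect_folders(app_data):
    """Return folders directly under app_data that match the pattern and
    hold an .exe of the same name. Report only; nothing is deleted."""
    hits = []
    for entry in sorted(Path(app_data).iterdir()):
        if not entry.is_dir() or not NAME_RE.fullmatch(entry.name):
            continue
        wanted = (entry.name + ".exe").lower()  # Windows names ignore case
        try:
            names = [f.name.lower() for f in entry.iterdir() if f.is_file()]
        except OSError:
            continue  # unreadable folder: skip rather than abort the scan
        if wanted in names:
            hits.append(entry)
    return hits


def build_sample_tree(root):
    """Constructed sample layout (hypothetical names, empty files)."""
    layout = {
        "pEeHl02508": "pEeHl02508.exe",  # the example from the post
        "Mozilla": "profiles.ini",       # ordinary application folder
        "aBcDe12345": "readme.txt",      # name fits, no same-named .exe
        "qWeRt1234": "qWeRt1234.exe",    # only 4 digits
        "XyZaB54321": "XyZaB54321.exe",  # wrong upper/lower order
    }
    for folder, filename in layout.items():
        (root / folder).mkdir()
        (root / folder / filename).touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for hit in find_suspect_folders(tmp):
            print("suspect folder:", hit.name)
```

A name match alone is only a lead: the script requires the same-named .exe as well, and anything it lists should still be reviewed before removal.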

#3 ChrisDallen33

ChrisDallen33
  • Topic Starter

  • Members
  • 6 posts

Posted 30 December 2010 - 11:12 PM

I've deleted the folder/file as instructed and run the ComboFix application. The log is attached.

Attached Files



#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 31 December 2010 - 02:00 AM

Hello Chris :)

How is it running now please?

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Folder::
c:\program files\alot
c:\program files\AskBarDis


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Thanks,
tea

#5 ChrisDallen33

ChrisDallen33
  • Topic Starter

  • Members
  • 6 posts

Posted 31 December 2010 - 08:41 AM

Good Morning Tea,

It appears to be running better now (No more pop-ups or "invitations" to download System Tools). Following your next instructions now and will post soon.

Chris

#6 ChrisDallen33

ChrisDallen33
  • Topic Starter

  • Members
  • 6 posts

Posted 31 December 2010 - 08:54 AM

Good Morning again Tea,

ComboFix Take 2, that didn't take long at all...

Attached Files



#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 31 December 2010 - 11:19 AM

Good morning to you too Chris :) Happy New Year!

Uninstall ComboFix by doing the following :

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

If you have any questions or concerns, please feel free to ask. Otherwise,.....

Take care,
tea

#8 ChrisDallen33

ChrisDallen33
  • Topic Starter

  • Members
  • 6 posts

Posted 31 December 2010 - 11:30 AM

Will do. Have a happy and safe New Year's!

Thanks for everything!

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 31 December 2010 - 12:03 PM

Most welcome. :)

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 03 January 2011 - 02:31 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



