
System Fix


7 replies to this topic

#1 QQQQ

  • Members
  • 387 posts
  • Gender:Male
Posted 03 December 2011 - 09:47 AM

Had a customer get this last week http://www.bleepingcomputer.com/virus-removal/remove-system-fix and it wasn't nice at all to me. I logged on as the user to see what the infection was, then logged off and went to another computer to visit BleepingComputer to find out how to get rid of it. I downloaded all the required removal tools and then tried to get to the admin share of that PC with the run command \\pcname\c$, but nothing showed up; everything was hidden. So I copied the tools to my USB drive and went that route. I was able to run RKill and it showed me the long crazy-named exe file that it killed, and I made a note of the location of that file in the All Users folder. So I scanned for rootkits with TDSSKiller and none were found, so I installed Malwarebytes, updated it and let a full scan run; it found 9 infections but it didn't show the exe RKill had found. Since the files were still hidden I could not manually delete the exe, and Malwarebytes wanted to reboot after the scan, so I rebooted. Upon logging back in I started the Unhide tool, and in the middle of running that the infection came back. Problem is I could no longer run RKill; it got hidden from me along with the "Run" command on the Start menu. So I decided to boot from the Microsoft DART CD (Diagnostic and Recovery Tool), and it saw the Windows XP installation and attached to it, but I still could not browse any files to manually remove the infection; they were all hidden! I was able to use the DART CD to restore the system to an earlier restore point and got rid of the infection that way, but most users don't have access to a DART CD and that's why I am posting here. Part of the removal procedure is to use the Run command on the Start menu to run RKill, but you can't if it isn't there. I am not sure if this is new behavior for this infection or not, but wanted to post my findings so that a possible solution for typical users could hopefully be found.
I consider BleepingComputer an excellent site and want it to stay that way; if I can help on this I will, just let me know what you need.
The PC I experienced this on is now clean and I deleted all of the restore points on it for safe measure, then created a new restore point called "clean". I still have access to that PC if needed, but I don't know if it will be of any help as it is now clean.

#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 December 2011 - 09:49 PM

Part of the removal procedure is to use the run command on the start menu to run Rkill but you can't if it isn't there.

Actually, that is an alternate way of running RKill.

Step 4 says you can double-click on the iExplore.exe to run RKill.

Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with System Fix and other Rogue programs. If you cannot find the iExplore.exe icon that you downloaded, you can also execute the program by doing the following steps based on your version of Windows:


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 QQQQ
  • Topic Starter

  • Members
  • 387 posts
  • Gender:Male

Posted 06 December 2011 - 09:10 AM

That's what I did initially because it was visible on the desktop. After the Malwarebytes scan it wanted a reboot, which I did; that's when the infection came back and it hid all of the tools I had copied to the desktop. That's when I was going to try the alternate method via the Run line but noticed it wasn't there.
I am wondering if "Windows key + R" would have opened the Run command. Was the Run command just hidden but still executable? (Didn't think of Windows key + R till just now.)

#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 06 December 2011 - 09:18 AM

WINKEY + R is a commonly used keyboard shortcut and should work even if RUN is hidden from the Start menu.

#5 Hula Lou

  • Members
  • 2 posts

Posted 06 December 2011 - 01:45 PM

I have the System Fix malware on an XP box as well, and I'm following the instructions at http://www.bleepingcomputer.com/virus-removal/remove-system-fix with a USB drive.

I'm using the USB drive because System Fix has hidden everything: file systems, desktop icons, Start menu contents. I don't have access to IE or any browsers, even in Safe Mode.

My immediate problem: I can't get the RKill app from the USB Drive to the desktop. I plug it in, XP pops up the "Adding New Hardware" dialog above the task bar, but then once it's ready there's no icon for me to click, no Windows Explorer dialog boxes for me to browse to it.

I'm able to get the RUN command by using [WindowKey]+R. What would the syntax be to activate iexplore.exe from there?

In other words, rather than type %userprofile%\desktop\iexplore.exe what would I type?

Thanks!

#6 QQQQ
  • Topic Starter

  • Members
  • 387 posts
  • Gender:Male

Posted 06 December 2011 - 02:30 PM

Thanks quietman7!

Hula, I am not sure about your question: are you trying to run the RKill that is named iexplore.exe? If so, then it appears you have the syntax correct. Just execute that in the Run/Open box.

It looks like the self help instructions have changed since I used them and it now has you remove this in safe mode with networking.

#7 Hula Lou

  • Members
  • 2 posts

Posted 06 December 2011 - 03:01 PM

Hi QQQQ,

Thanks for your response.

RKill isn't on my desktop. It's on the USB Drive, and I can't transfer it to the desktop.

System Fix has hidden the directory listings, so I can't drag (or copy/paste) RKill from the USB drive to the desktop.

I tried e:%\iexplore.exe but no luck. What's the syntax for executing a .exe file that is not on the C drive?

Thank you, HL

#8 QQQQ
  • Topic Starter

  • Members
  • 387 posts
  • Gender:Male

Posted 06 December 2011 - 04:44 PM

Okay, you are close. If the USB drive is "e" for you, then you would type e:\iexplore.exe (or e:\rkill.com).
Good luck, Hula!
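The two problems in this thread, launching a tool from the USB stick when Explorer shows nothing, and getting the files the rogue marked Hidden back, can both be handled from one batch file typed into the Win+R Run box. The script below is an added example and is not part of the thread, of RKill, or of BleepingComputer's Unhide tool. It assumes the script sits on the USB drive next to the renamed RKill copy (iexplore.exe), so `%~dp0` resolves to that drive and the letter (E: in the thread) never has to be typed, that it is started as `e:\unhide-rogue.cmd` from the Run box, and that the account can write to its own profile folders. The folder list and log file name are my choices, not anything the removal guide specifies.

```batch
@echo off
rem unhide-rogue.cmd  (added example; not from the thread or BleepingComputer's tools)
rem
rem 1. run the renamed RKill copy sitting beside this script, so the rogue's
rem    process is stopped before we touch anything (otherwise it re-hides files)
rem 2. record which files are currently Hidden under each profile root
rem 3. clear the Hidden (+H) and System (+S) attributes the rogue set, recursively
rem 4. re-hide the few entries Windows keeps hidden on purpose
rem
rem Assumptions (mine, not the thread's): script and iexplore.exe are in the
rem same folder on the USB drive; run from Win+R as  <drive>:\unhide-rogue.cmd

setlocal
set "LOG=%~dp0unhide-log.txt"
echo ==== %DATE% %TIME% ==== >> "%LOG%"

rem --- step 1: stop the rogue first ----------------------------------------
if exist "%~dp0iexplore.exe" (
    echo Running RKill from "%~dp0iexplore.exe" and waiting for it to finish ...
    start "" /wait "%~dp0iexplore.exe"
) else (
    echo RKill copy not found beside this script; continuing with unhide only.
)

rem --- steps 2 and 3: log hidden files, then clear +H +S ---------------------
rem dir /a:h-d lists hidden non-directory entries; attrib /s walks subfolders,
rem /d applies the change to the folder entries themselves as well.
for %%D in ("%USERPROFILE%" "%ALLUSERSPROFILE%" "%ProgramFiles%") do (
    if exist "%%~D" (
        echo --- %%~D >> "%LOG%"
        dir /s /b /a:h-d "%%~D" >> "%LOG%" 2>nul
        echo Restoring attributes under "%%~D" ...
        attrib -h -s "%%~D\*" /s /d
    )
)

rem --- step 4: put back the entries Windows itself keeps hidden --------------
rem desktop.ini files carry +H +S by design; the two profile folders are +H.
for /r "%USERPROFILE%" %%F in (desktop.ini) do attrib +h +s "%%F" 2>nul
attrib +h "%USERPROFILE%\Application Data" 2>nul
attrib +h "%USERPROFILE%\Local Settings" 2>nul

echo Done. The list of files that were hidden before the change is in "%LOG%".
pause
endlocal
```

The log written before the attributes are cleared is the useful part for anyone following up: it shows exactly which files the rogue hid, which is how QQQQ spotted the long random-named exe in the All Users folder in the first place. Because `attrib` only changes file attributes, a normal scan with the removal tools from the guide is still needed afterwards; this script only makes the desktop and Start menu usable again so those tools can be found and run.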