System Fix bug, XP - SP3

#1 Nawtheasta

Posted 20 December 2011 - 12:50 AM

December 19, 2011
Well back again to request help from my friends at BC.
My son's laptop running XP SP3 seems to have been hit with the System Fix bug.

Note: Tonight we lost most desktop Icons. I cannot post logs from the scans mentioned below.

Last April I purchased ESET for his computer.
For the last several days the ESET start up scan has been showing:
Startup scanner file Operating memory a variant of Win32/Olmarik.AWO trojan unable to clean.
ESET has handled some of the infection this caused. On Saturday I was able to update and run MBAM, which did find one infected file.
Tonight when he started the computer he started getting warnings as shown on BC in "Remove System Fix (Uninstall Guide)".

Also the desktop icons started disappearing. When ESET finished its startup scan this evening it dealt with three infections, which made the fake warnings disappear.
My SAS icon was still present in the lower right tool tray, so I updated and ran a full scan. No infections were found.
Sorry if this is a bit rambling. Right now the computer is shut down. Don’t know if I will be able to connect to the internet or if I want to at this point.
Advice is appreciated.
From reading here at BC I think the next step would be Unhide, MBAM and TDSSKiller, but I am not sure what order to do this in. Also saw a mention of Dial-a-fix here on BC.
Also, if the advice is going to be to download Unhide or TDSSKiller on a different computer, please humor me and tell me exactly what to do. Do I download to my desktop and copy to a CD, or can I download directly to a CD?
Also, this desktop is Win 7 / 64 bit. Can I download a program here that will be used on his XP SP3 machine?
Help is greatly appreciated!
Best Regards
Nawtheasta

Hello December 20, 2011
Not trying to bump as it appears this nasty is troubling a lot of people.
Did need to advise of present symptoms. Currently my son's computer has zero icons on the desktop and zero in the start menu. At startup today I disconnected his wireless connection. The wireless icon is now gone also. ESET, amazingly enough, is still in the lower right toolbar. Did a manual scan this afternoon. ESET cleaned 4 items but was unable to clean two:

Operating Memory. Win 32 / Olimark. TDL4 Trojan unable to clean.

Operating Memory.svchost.exe (1560) a variant of Win 32 / Olimark. AWO Trojan

I have been reading some of the removal guides about making a copy of TDSSKiller and Unhide on an uninfected computer, burning to a CD/DVD and running on the infected one. Without any icons I do not know how to proceed.
Please help when you can.
Thanks Nawtheasta

Edited by Nawtheasta, 20 December 2011 - 06:00 PM.

#2 boopme
Posted 23 December 2011 - 01:46 PM

Try rerunning the ESET scan from Safe Mode with Networking.
Then run Unhide, TDSS and MBAM ... Post the TDSS and MBAM logs.

#3 Nawtheasta
Posted 23 December 2011 - 02:53 PM

Hi Boopme December 23, 2011
Wasn't sure how to add an update, so I waited for a reply. Here's the latest news:

The infected laptop has been disconnected from the internet since Monday. I plan to keep it that way until it’s disinfected.
By right clicking in the start panel I was able to unhide quite a bit.
I was able to access MBAM through Program Files. I had updated last weekend before things got real bad. Did a scan that found and dealt with 10 nasties.
Today's MBAM scan was clean.
Today's SAS scan was also clean.
ESET (In depth scan) today only finds the two items that it has been finding:

Operating Memory. Win 32 / Olimark. TDL4 Trojan unable to clean.

Operating Memory.svchost.exe (1560) a variant of Win 32 / Olimark. AWO Trojan

On ESET’s web site they have standalone tools for these.
As the laptop is offline, I burned the tools to a DVD on my desktop and brought it to the laptop.
Tools are:

Win32/Olmarik. Shows size as 340 KB
Win32/OlmarikTdl4 Shows size as 88.1 KB

The DVD read OK in the laptop. When the file was clicked to run, instantaneously (1-2 seconds) I get a box saying that "Win32/Olmarik was not found on the system".

The same message type appeared when I clicked Win32/OlmarikTdl4.

It just doesn't seem that it had enough time to look at the disk.
It would make sense however if the Trojan had a self-defense action to avoid a scan by ESET’s tools. I contacted ESET for advice.
They responded:
“The ESET Olmarik tools were written to not scan your whole system, but to look at a specific target (i.e. operating system memory). This is why it takes only a few seconds.”

As the tools seem designed to find the infection shown in the ESET scan I am a bit puzzled as to why they found nothing.

ESET's next advice is to run TDSSKiller.

Would there be any value in renaming the ESET tools and running again?
I look forward to a response from my friends at BC
Very Best Regards
Nawtheasta
Merry Christmas to all!

#4 Nawtheasta
Posted 26 December 2011 - 10:26 PM

I hope everyone here had a nice Christmas. I don't wish the same to the malware authors. I would like to think of them staring at 4 concrete walls for 20+ years.
Anyway...
I seem to have cleaned my son's laptop and wanted to advise what I did.
To recap, it was getting the symptoms as shown with the System Fix bug. I was going slow and getting fake but genuine-looking warnings. ESET kept dealing with many things but always ended up with two Olmarik infections it could not clean. SAS constantly found nothing. I updated MBAM just before all icons disappeared.
At this point I disconnected the wireless internet as the lower right tool box still had a few icons present.
Was able to get back some icons by right clicking in the start menu and manually unhiding. MBAM ran OK without using RKill. It took out 10 infections. ESET in-depth scan only had the two Olmarik infections left. Seemed like the infection had been beaten down into a small box.
Olmarik removal tools from the ESET web site were downloaded on my desktop, copied to a DVD and brought to the laptop. They found nothing.
TDSSKiller was downloaded using my desktop. (On Firefox I reset the "download to" location to be my DVD burner. It downloaded directly to the disk without a problem.)
Ran the DVD on the laptop and it found 1 infection. The instructions were left at Cure, as advised by BC, and Continue was pressed. The infection was removed at reboot.
ESET (in depth scan) and MBAM both came up clean.
The Unhide program was run, but the icons brought back in "All Programs" were empty. Only the ones I manually unhid worked. Programs were still present, as I could access them using Windows Explorer, Drive C, Program Files. As the laptop in question is used by my teenage son, it is not a problem to manually make a few new desktop shortcuts.
I looked for the %Temp% files where BC indicated but could find nothing. Possibly ESET cleaned out the TEMP files. I did not manually clean out the temp files.
I saw references to Java in the ESET logs from when it was infected. The first thing done when the internet was reconnected was to update Java.
Saw no older versions left in Add/Remove, but I do see a Jre-6u26 on the desktop and in an OEM preinstall desktop folder. Not sure as to the best way to remove it.
Also, I have now made a desktop icon for Wireless Network Connections. I have told my son that if anything suspicious starts downloading, to immediately click this and disconnect the internet.
For now it appears we have cleaned things out, as the computer seems back to normal. (I hope!)
Best Regards
Nawtheasta
P.S. I think disconnecting from the internet as quickly as possible was important, as this infection seemed to want to keep "phoning home". Just my thought.

Edited by Nawtheasta, 26 December 2011 - 10:33 PM.