Need suggestions on how to remove System Tools 2011

BLK1985

New Member
My brother's laptop is infected with the System Tools 2011 malware program. He is running Windows 7 Ultimate.

I searched around on my computer to figure out how to get rid of this. It says to boot in Safe Mode with Networking and to run Rkill.exe, which we didn't have, but I somehow managed to get that installed on his computer. I ran Rkill and it didn't find anything; then if you start System Tool it won't allow you to run Rkill.exe.

If System Tool is running you need to reboot into Safe Mode for it to allow you to do anything. I did, and ran Malwarebytes thinking maybe it would find it. No such luck.

I tried to install HijackThis but I can't get it installed. System Tool says it is infected in normal mode, and in Safe Mode you can't install anything.

One thing I thought of is: is there somewhere in the Registry that I can delete this? I have looked, but I don't know what or where to look for this to start with. I can get to Registry Editor in Safe Mode, not in normal mode (again, it says it's infected).

If I can't do it the Registry Editor way, what else do I have to get this off the computer? I worked on someone else's last week with this too and I ended up doing a System Recovery, but I really don't want to do that here since my brother does use it for college.
 

voyagerfan99

Master of Turning Things Off and Back On Again
Staff member
The program is disabled in Safe Mode. Download Rkill in normal mode. Click it multiple times. System Tools will say it's infected. Rkill will open multiple windows and eventually kill the virus process. Then run Malwarebytes and HijackThis and post both logs.
 

BLK1985

New Member
The program is disabled in Safe Mode. Download Rkill in normal mode. Click it multiple times. It'll open multiple windows and eventually kill the virus process. Then run Malwarebytes and HijackThis and post both logs.

I tried this. I was double-clicking the icon as fast as I could for probably 30 seconds and it still would not open.
 

gamblingman

VIP Member
Please follow these instructions in NORMAL BOOT. Do not do anything else on the computer while following these instructions.

--------
First:
First download and run Rkill.scr, or if you cannot get the .scr to run, then download Rkill.com. As you have done with Rkill.exe, keep trying to run each file until it produces a log of malicious processes stopped. But DO NOT reboot the system until instructed to do so by ComboFix.

  • NOTE: If you cannot download these files, then download them on another computer and transfer them onto a flash drive, then transfer the files off the flash drive onto the infected computer. After you have transferred the files to the infected computer, do not use this flash drive on any other computers until we make sure no infections saved to it.


Second:
Download and Run ComboFix
If you already have Combofix, please delete the copy you already have, and download it again as it's updated regularly.


  • Download this file here:
  • NOTE: If you cannot download this file, then download it on another computer and transfer it onto a flash drive, then transfer the file off the flash drive onto the infected computer. After you have transferred the file to the infected computer, do not use this flash drive on any other computers until we make sure no infections saved to it.
  • Then double-click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.


Third:
Create a HijackThis log by doing the following:

Download HijackThis from HERE

Choose to "Run" HijackThis

Click Do a system scan and save a logfile

Most of what HijackThis lists will be harmless or even essential; don't fix anything yet.


Post the logfile that HijackThis produces in your next post.


Fourth:
In your next reply please post:

  • The ComboFix log
  • A HiJackThis log
  • An update on how your computer is running
 

voyagerfan99

Master of Turning Things Off and Back On Again
Staff member
Gamblingman, are you authorized to tell people to run Combofix? Only those trained in the use of the program can inform others to use Combofix.
 

johnb35

Administrator
Staff member
To properly run Rkill you need to click on it to run it, and if the infection says it's infected just keep running it. Don't click on it in succession; just wait for the infection to say it's infected and rerun it. Eventually Rkill will overpower the infection and temporarily kill it.

However, please download this and run it.

http://download.bleepingcomputer.com/grinler/iExplore.exe

It's actually Rkill but labeled Internet Explorer; hopefully it will fool the infection into letting it run. After Rkill disables the active infection, you may download and run Malwarebytes and HijackThis. If Rkill still won't work, then download this file to a USB flash drive, boot to Safe Mode, place ComboFix on your desktop and run it.

Download and Run ComboFix
If you already have ComboFix, please delete that copy and download it again, as it's being updated regularly.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 

BLK1985

New Member
To properly run Rkill you need to click on it to run it, and if the infection says it's infected just keep running it. Don't click on it in succession; just wait for the infection to say it's infected and rerun it. Eventually Rkill will overpower the infection and temporarily kill it.
I have tried this numerous times; it does not work in this case. Is there anything else I can do?
 
The fix posted does in fact do the job nicely. When you run Rkill (iExplore.exe), don't click on the pop-up from System Tools. Just keep clicking on it and System Tools will disappear temporarily. Then update MWB and run a full scan.

I have done this on two computers now. It works, I swear, and how long it takes for Rkill to work varies: the first time I did this it took only 10 secs or so. Then it took me about 3 mins on the laptop.

Bleeping Computer has the Rkill file named several other things as well; give them a try.

But it does work :D
 

BLK1985

New Member
ComboFix 10-12-28.01 - David 12/28/2010 20:32:32.1.2 - x64 NETWORK
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3933.3272 [GMT -6:00]
Running from: c:\users\David\Downloads\ComboFix.exe
AV: Sophos Anti-Virus *Disabled/Updated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Sophos Anti-Virus *Disabled/Updated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\dJaMc06300
c:\programdata\dJaMc06300\dJaMc06300
c:\programdata\dJaMc06300\dJaMc06300.exe
c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tool
c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tool\System Tool 2011.lnk
c:\users\David\Desktop\System Tool 2011.lnk

.
((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-29 )))))))))))))))))))))))))))))))
.

2010-12-29 02:38 . 2010-12-29 02:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-29 00:11 . 2010-12-29 00:12 -------- d--h--w- c:\windows\AxInstSV
2010-12-29 00:10 . 2010-11-10 05:35 8199504 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B259B72F-F416-4B9E-AAE9-66344FEFD84F}\mpengine.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2010-06-04 111608]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2010-01-10 80936]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [2007-08-03 293376]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-04-20 50688]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-28 1255736]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 306416]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2010-01-09 23360]
S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 SAVService;Sophos Anti-Virus;c:\program files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2010-01-09 98304]
S3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-01-13 7675392]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2mdx64.sys [2008-03-04 58456]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sdx64.sys [2008-03-03 51672]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]


[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\hy6wywvl.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files (x86)\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: Move Media Player: [email protected] - c:\users\David\AppData\Roaming\Move Networks
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -

Wow6432Node-HKLM-RunOnce-<NO NAME> - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10e.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-12-28 20:46:13
ComboFix-quarantined-files.txt 2010-12-29 02:46

Pre-Run: 174,321,131,520 bytes free
Post-Run: 174,211,829,760 bytes free

- - End Of File - - A9F98B57B6FE4BAFDCCDBC8F945EF4CC
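As an added example (my own code, not the thread's and not part of ComboFix), a small Python parser for the log layout posted above: it splits the log on its "((( Section Name )))" banners, returns the "Other Deletions" paths, parses the R*/S* driver and service lines under "Reg Loading Points" into dicts, and flags the c:\programdata\X\X.exe layout the rogue program used. The sample log is a constructed excerpt, and the same-name heuristic is an assumption of mine, not a rule ComboFix applies.

```python
import re
from typing import Dict, List

# Constructed excerpt in the layout of the ComboFix log posted above (paths are the ones it reported).
SAMPLE_LOG = r"""ComboFix 10-12-28.01 - David 12/28/2010 20:32:32.1.2 - x64 NETWORK
.
(((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))
c:\programdata\dJaMc06300
c:\programdata\dJaMc06300\dJaMc06300.exe
c:\users\David\Desktop\System Tool 2011.lnk
(((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2010-01-10 80936]
S2 SAVService;Sophos Anti-Virus;c:\program files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2010-01-09 98304]
"""

BANNER_RE = re.compile(r"^\(+ (.+?) \)+$")  # the "((( Section Name )))" dividers
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+) \[(\d{4}-\d{2}-\d{2}) (\d+)\]$")

def split_sections(text: str) -> Dict[str, List[str]]:
    """Group lines under the banner preceding them ('Header' before the first); drop '.' spacers."""
    sections: Dict[str, List[str]] = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = BANNER_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections

def services(sections: Dict[str, List[str]]) -> List[dict]:
    """Parse 'R2 name;display;path [yyyy-mm-dd size]' lines; registry lines in the section are skipped."""
    out = []
    for line in sections.get("Reg Loading Points", []):
        m = SERVICE_RE.match(line)
        if m:
            out.append({"state": m.group(1), "name": m.group(2), "display": m.group(3),
                        "path": m.group(4), "date": m.group(5), "size": int(m.group(6))})
    return out

def same_name_exes(paths: List[str]) -> List[str]:
    """My own heuristic, not ComboFix's: an .exe whose stem equals its parent folder (c:\\programdata\\X\\X.exe)."""
    hits = []
    for p in paths:
        seg = p.lower().split("\\")
        if len(seg) > 1 and seg[-1].endswith(".exe") and seg[-1][:-4] == seg[-2]:
            hits.append(p)
    return hits
```

Run it against a saved ComboFix.txt by passing the file's contents to split_sections; the same-name check only raises a flag for review, it is not a verdict.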
 

BLK1985

New Member
It would not allow me to save the log to a .txt file, so here are two screenshots. The highlighted part is the end of the first picture; below that, in the second picture, is the rest of the log.

log1.png

log2.png


It appears to be running like normal and System Tool 2011 is no longer on the desktop. I am so effing happy; this has been a PITA for me. I wish I had known about ComboFix earlier.
 

johnb35

Administrator
Staff member
No. Leave them alone; they show as missing because you are running a 64-bit version of Windows.
 