system tool 2011


  • This topic is locked

#1 richardgardiner84 (New Member, 9 posts)
My PC has been infected with the System Tool 2011 malware. I am unable to use any removal software during normal start-up, and anything I run in safe mode will not remove it. Also, I am unable to connect to the internet in safe mode.

HELP PLEASE

Thanks in advance

Richard Gardiner

#2 Cold Titanium (Trusted Helper, Malware Removal, 1,735 posts)
Hello richardgardiner84 and welcome to G2G!

My name is Cold Titanium ;) , and I will be assisting you with your problem. I am still in training, so all my replies need to be checked by an expert first. So there may be a slight delay in between replies.

Please follow all of my instructions without skipping anything. Also, please refrain from experimenting around whilst I am helping you. At times some of the things I tell you to do may seem unnecessary and frustrating, but just stick to it and we'll get through :D

;) Note: Please save these instructions in a file or print them out, as the internet may not be available while we are fixing the system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am clearing my response with the expert now... ;)

#3 richardgardiner84 (Topic Starter, New Member, 9 posts)
Is there anything I can do whilst we wait? Should my PC be on in safe or normal mode?

#4 Cold Titanium (Trusted Helper, Malware Removal, 1,735 posts)
Not at the moment :D Don't worry, my instructor is usually pretty quick with replies.

#5 richardgardiner84 (Topic Starter, New Member, 9 posts)
Is it OK that I'm unable to use the internet on the infected PC? I'm currently on an uninfected PC in another room.

#6 Cold Titanium (Trusted Helper, Malware Removal, 1,735 posts)
Do you have a flash drive that you can use?

#7 richardgardiner84 (Topic Starter, New Member, 9 posts)
Yes.

#8 Cold Titanium (Trusted Helper, Malware Removal, 1,735 posts)
Then we'll be ok :D

#9 Cold Titanium (Trusted Helper, Malware Removal, 1,735 posts)
Ok here's the deal:

Since you can't use the internet on the infected system, you'll have to transfer all the files using the flash drive. First, though, you need to run a tool to "vaccinate" the flash drive to protect the clean computer.


Step #1


Do this in your clean system

  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.

      Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    You'll have to transfer all these over onto the infected system using the flash drive.


    Step #2


    There are 3 different versions of rkill:

    Download to your desktop and then double-click to open.


    If the first one does not work then try the next and so on...



    If you get rkill to run then do the following steps, else come back here and tell me...


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    Step #3


    If you get rkill to run then do this...

    You may need to paste this fix into a text file then place the file on the drive and copy/paste from there on the infected system.


    • Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top make sure it is set to Standard Output.
    • Ensure the Use SafeList is selected for Extra Registry
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      msconfig
      safebootminimal
      safebootnetwork
      activex
      netsvcs
      drivers32 /all
      %SYSTEMDRIVE%\*.*
      %systemroot%\system32\*.wt
      %systemroot%\system32\*.ruy
      %systemroot%\Fonts\*.com
      %systemroot%\Fonts\*.dll
      %systemroot%\Fonts\*.ini
      %systemroot%\Fonts\*.ini2
      %systemroot%\system32\spool\prtprocs\w32x86\*.*
      %systemroot%\REPAIR\*.bak1
      %systemroot%\REPAIR\*.ini
      %systemroot%\system32\*.jpg
      %systemroot%\*.scr
      %systemroot%\*._sy
      %APPDATA%\Adobe\Update\*.*
      %ALLUSERSPROFILE%\Favorites\*.*
      %APPDATA%\Microsoft\*.*
      %PROGRAMFILES%\*.*
      %APPDATA%\Update\*.*
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\System32\config\*.sav
      %systemroot%\system32\user32.dll /md5
      %systemroot%\system32\ws2_32.dll /md5
      %systemroot%\system32\ws2help.dll /md5
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


    • Click the Run Scan button. Do not change any settings unless otherwise told to do so.
    • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.



    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    Step #4

    • Download GMER to your desktop
    • Right-Click and extract it to the desktop
    • Double-Click gmer.exe
    • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
    • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. (Please be patient as it can take some time to complete)

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


After it finishes scanning
  • Click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it to your desktop

Post ark.txt in your next reply


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like to see OTL.txt, Extras.txt, and ark.txt in your next reply... :D
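The "vaccination" step in the post above works by occupying the name autorun.inf with a folder, so that a USB worm cannot drop an autorun.inf file of its own without first getting rid of that folder. The script below is an added example written for this page to show that idea; it is not Flash_Disinfector or any other tool from the thread, and the autorun.inf content it uses is constructed for the demo, not taken from the poster's machine. It vaccinates a drive root, refuses to touch a drive where a real autorun.inf file already sits, and reports what such a file would launch.

```python
"""Vaccinate a removable drive against autorun.inf abuse, and audit one.

Added example for this thread; NOT Flash_Disinfector or any other tool
mentioned above. A directory named autorun.inf occupies the name, so a
worm landing on the stick cannot write an autorun.inf *file* without
removing the directory first. SAMPLE_AUTORUN is constructed test data.
"""
import configparser
import os
import stat
import tempfile
from pathlib import Path

AUTORUN = "autorun.inf"


def vaccinate(drive_root):
    """Plant a read-only placeholder directory named autorun.inf.

    Returns "vaccinated" when the directory was created,
    "already-vaccinated" when it was already there, and
    "autorun-file-present" when a real autorun.inf file occupies the
    name. In that last case nothing is deleted: audit() it first.
    """
    target = Path(drive_root) / AUTORUN
    if target.is_dir():
        return "already-vaccinated"
    if target.exists():
        return "autorun-file-present"
    target.mkdir()
    if os.name == "nt":
        # Windows: hidden + system + read-only, the way the helper's note
        # describes the folder. 0x01 READONLY | 0x02 HIDDEN | 0x04 SYSTEM.
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(str(target), 0x07)
    else:
        # Elsewhere: owner may list/traverse, nobody may write into it.
        # (A FAT stick mounted on Linux/macOS ignores this; it is harmless.)
        target.chmod(stat.S_IRUSR | stat.S_IXUSR)
    return "vaccinated"


def audit(drive_root):
    """Classify the drive and report what an autorun.inf file would launch."""
    target = Path(drive_root) / AUTORUN
    if target.is_dir():
        return {"state": "vaccinated", "launch": None}
    if not target.exists():
        return {"state": "clean", "launch": None}
    # interpolation=None: values such as %SystemRoot% must not be expanded.
    # strict=False: malware-written files often repeat keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(target.read_text(encoding="utf-8", errors="replace"))
    # configparser keeps section case; Windows does not care, so match loosely.
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    launch = None
    if section is not None:
        for key in ("open", "shellexecute"):  # the two keys that run a program
            if cp.has_option(section, key):
                launch = cp.get(section, key)
                break
    return {"state": "autorun-file-present", "launch": launch}


# Constructed sample in the shape a USB worm's autorun.inf typically has.
SAMPLE_AUTORUN = (
    "[AutoRun]\n"
    "open=RECYCLER\\setup.exe\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
    "action=Open folder to view files\n"
)


def demo():
    """Run both paths on two throw-away 'drives' and return the results."""
    results = {}
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as clean:
        (Path(infected) / AUTORUN).write_text(SAMPLE_AUTORUN, encoding="utf-8")
        results["infected_audit"] = audit(infected)
        results["infected_vaccinate"] = vaccinate(infected)  # refuses, file in the way
        results["clean_first"] = vaccinate(clean)
        results["clean_second"] = vaccinate(clean)
        results["clean_audit"] = audit(clean)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats for anyone reusing this. The folder is an obstacle, not a guarantee: a dropper that deletes it first can still write its file, and the placeholder does nothing about malware already on the stick, which is why the thread still scans. Second, since Microsoft update KB971029 (and on Windows 7 out of the box) AutoRun is no longer honoured for USB sticks at all, so on a patched system the folder mainly protects older, unpatched machines the stick is later plugged into.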

#10 richardgardiner84 (Topic Starter, New Member, 9 posts)
I can't download the Flash Drive Disinfector. It keeps saying "error copying file or folder, cannot copy Flash_Disinfector[1]: make sure disk is full write proof..."

#11 richardgardiner84 (Topic Starter, New Member, 9 posts)
My AVG is saying that the Flash Drive Disinfector is a trojan horse and recommends moving it to the vault.

#12 Cold Titanium (Trusted Helper, Malware Removal, 1,735 posts)
Can you disable AVG for now?

#13 richardgardiner84 (Topic Starter, New Member, 9 posts)
I can, but it's now coming up with threat name Win32, which I've heard of before.

#14 richardgardiner84 (Topic Starter, New Member, 9 posts)
I'm unable to run any of the rkills on the infected PC.

#15 Cold Titanium (Trusted Helper, Malware Removal, 1,735 posts)
What version of AVG are you using?