'System Fix' VIRUS infected my HP desktop

Dec 20, 2011 11:39PM PST

This happened 2 weeks ago. I immediately did a system restore but that did nothing. Since then I shut it down and only use my laptop.
Foolish me, I had not updated my "Avast" (it is NOW of course) and the virus got in. I am now ready to REMOVE that garbage (created by human VERMIN) and of course, Avast would not detect it once it's inside. To make matters worse, my desktop has been in need of reformatting due to what LITTLE memory it has had left (another thing I had put off). It was already slow but now it crawls. Also, I can no longer open documents nor save them on disk, which is why I need to remove the virus first before reformatting. Is there a particular spyware scanner recommended here? I also want to remove it manually. I am not PC savvy in all things related to dealing with the registry etc. etc. I'm willing to learn step by step. I came across Wiki-Security
http://www.wiki-security.com/wiki/Parasite/SystemFix
At the bottom it has this:
"Remove System Fix manually
Another method to remove System Fix is to manually delete System Fix files in your system. Detect and remove the following System Fix files":

Processes
6DSS92c31Apgjk.exe
%AllUsersProfile%\[RANDOM CHARACTERS].exe

Other Files
%Desktop%\System Fix.lnk
%Temp%\smtmp\
%Temp%\smtmp\1
%Temp%\smtmp\2
%Temp%\smtmp\3
%Temp%\smtmp\4
%StartMenu%\Programs\System Fix\
%StartMenu%\Programs\System Fix\System Fix.lnk
%StartMenu%\Programs\System Fix\Uninstall System Fix.lnk
%AppData%\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk

Registry Keys
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<[RANDOM CHARACTERS]"

Any advice as to how to do this, as if I were 9 years old??? Pretty PLEASE
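
The registry values in the list quoted above can be checked against a text export of the registry rather than one by one in regedit. This is an added example, not part of the original post or the Wiki-Security page; it covers a subset of the listed values, and the sample export and the value name ExampleRandomName are constructed.

```python
import re

CV = r"\Software\Microsoft\Windows\CurrentVersion"
# (key, value name) -> data, copied from the Wiki-Security list quoted above.
WATCH = {
    ("HKEY_CURRENT_USER" + CV + r"\Policies\System", "DisableTaskMgr"): "1",
    ("HKEY_LOCAL_MACHINE" + CV + r"\Policies\System", "DisableTaskMgr"): "1",
    ("HKEY_CURRENT_USER" + CV + r"\Policies\Explorer", "NoDesktop"): "1",
    ("HKEY_CURRENT_USER" + CV + r"\Explorer\Advanced", "Hidden"): "0",
    ("HKEY_CURRENT_USER" + CV + r"\Explorer\Advanced", "ShowSuperHidden"): "0",
}
WATCH = {(k.lower(), n.lower()): v for (k, n), v in WATCH.items()}
RUN_KEY = ("HKEY_CURRENT_USER" + CV + r"\Run").lower()
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(?:dword:([0-9a-fA-F]{1,8})|"(.*)")$')

def parse_reg(text):
    """Yield (key, name, data) from .reg export text; dwords become decimal strings."""
    key = None
    for line in map(str.strip, text.splitlines()):
        m = VALUE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # new [key] section
        elif m and key and m.group(2):
            yield key, m.group(1), str(int(m.group(2), 16))
        elif m and key:                           # string data: undo \\ and \" escapes
            yield key, m.group(1), re.sub(r"\\(.)", r"\1", m.group(3))

def audit(text):
    """Return (status, key, name, data): MATCH = value from the list, REVIEW = autostart entry."""
    hits = []
    for key, name, data in parse_reg(text):
        if WATCH.get((key.lower(), name.lower())) == data.lower():
            hits.append(("MATCH", key, name, data))
        elif key.lower() == RUN_KEY:              # random names: check these by hand
            hits.append(("REVIEW", key, name, data))
    return hits

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleRandomName"="C:\\Documents and Settings\\All Users\\ExampleRandomName.exe"
'''
```

Exported .reg files are normally UTF-16, so read them with that encoding before passing the text to `audit`.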

Please Follow These Instructions
Dec 21, 2011 12:26AM PST

Bleepingcomputer has an excellent step by step instruction for removing the malware. It includes running "rkill", Malwarebytes and an Unhide.exe file after everything is cleaned off. Follow the instructions to the letter. If you can't download the files mentioned on the infected computer, then find a clean computer, download the files and copy them to a CD or flash drive, then transfer them to the problem machine.

http://www.bleepingcomputer.com/virus-removal/remove-system-fix

Hope this helps.

Grif

My friend Grif!! thank you
Dec 21, 2011 12:42AM PST

I will give it a try. I'd love to KILL that virus asap. Will update one and all.

There is also the "XP Home Security 2012 Virus" on my desktop
Dec 21, 2011 2:16AM PST

I didn't fall for this one. An "XP Home Security 2012" window popped up to 'warn me' of threats while I had been running the Avast. Almost looked legit too!! Avast did spot the win32... cleaning that up now.

Use The Same Cleanup Steps
Dec 21, 2011 2:35AM PST

The cleanup steps I provided earlier will also work for any remnants of the XP Home Security 2012 virus. Following the same procedure to run "rkill", then Malwarebytes, etc. should remove both malware items.

Hope this helps.

Grif

Grif, again thanks
Dec 21, 2011 3:05AM PST

At this moment Avast's chest showed quite a few parasites. I hit repair and it's off to the races right now. PC rebooted and is going through an in-depth scan/delete phase. Will also run 'Bleeping' afterwards. I LOVE killing viruses

At a standstill
Dec 28, 2011 1:32AM PST

Avast had corralled all the various bugs and put them into the Avast chest. I have tried to system restore to no avail because it won't recognize any dates earlier than a few days before. I re-downloaded SpyBot. It did a great job as well in detecting the viruses. I opened up the guest account and did the same there. When I went back to the main user account, the one that the PC was initially infected at, everything, even Avast, is gone, can't open anything, can't go online either with that account (the guest acct I can but doesn't have admin abilities). All I want to do at this point is to find the docs that I know are still in this PC, save them on a disk and REFORMAT this computer!! I'd love to think that the human VERMIN who creates these viruses would live terrible lives eventually.

To Gain Access To The Hidden Administrator Account
Dec 28, 2011 6:15AM PST

First, the instructions I gave you did not include Spybot. Did you run Rkill and Malwarebytes, etc. per the Bleepingcomputer.com instructions given earlier? If not, try using them from the hidden administrator like this:

Assuming you have Windows XP on the computer (you haven't given us the operating system you have installed), restart the computer into Safe Mode. Once there, you will see a log-in option for "administrator" as well as your normal account. Select "administrator" and if you haven't given it a password previously, leave the password blank and press the "Enter" key. It should now start into the "administrator" account from which you can create a new account of your own, from which you should be able to copy and paste your personal documents from your infected account to the new account. Or you might even copy the documents to a flash drive, then wipe the drive and reinstall everything back to its factory state.

Hope this helps.

Grif

Ah ok Grif
Dec 28, 2011 10:03AM PST

I had not used the Rkill, I'd forgotten about that particular app. I'll try again with your added advice. Yes, it is XP. I have been in safe mode as admin; all docs are missing as in the other user account.

If Docs Are Missing....
Dec 29, 2011 12:54AM PST

After running all the steps mentioned (rkill, malwarebytes, etc.), be sure to run the "Unhide.exe" file listed at the bottom of the Bleepingcomputer.com instructions. It should bring back those files... hopefully.

Hope this helps.

Grif

Hi Grif!!
Nov 27, 2012 9:36AM PST

I've finally tried to use Rkill on my old desktop as you had recommended.
My wife and I have a laptop and so I had put this PC aside. I now want to fix it.
Well, I had downloaded Rkill and ran it in safe mode. It of course found many probs, 'boot up viruses'/'malicious programs'. I of course would need to pay a fee to get a license # to run it. Well, I also ran Spybot afterwards and looked for a free solution. Long story short...
something went wrong and so no matter what I try to do I cannot open Windows at all.
This is what I get and no more than this:

"Windows could not start because the following file is missing or corrupt:
<Windows root>\system32\hal.dll.
Please re-install a copy of the above file"

I pulled out my original Windows XP CD to repair it. No go.
When I got to a point where it required my admin password, it did not accept it.
I don't know what to do now!! Is it possible to reformat when it is in this state?

Yes, You'll Need To Boot From The CD, But...
Nov 28, 2012 3:47AM PST

If the computer has a recovery disc or partition, that would be better. The Recovery disc or partition will install the operating system, plus all the drivers and programs that came with the computer from the factory. Using a standard Windows XP CD is fine but you'll need to install the drivers and programs afterward.

Hope this helps.

Grif

Hi Grif
Dec 4, 2012 1:19AM PST

I do have the Recovery CD and the original Windows XP CD etc.
I tried to run the Recovery CD to no avail. I still get the
"Windows could not start because the following file is missing or corrupt:
<Windows root>\system32\hal.dll.
Please re-install a copy of the above file"

I'd like to avoid bringing this PC into a shop. I should be able to reformat it at home, right?