Topic: WTF System Tools 2011


Offline NJAntman

  • Lt. Commander
  • *
  • Posts: 1565
  • Gender: Male
  • Jusssst short of a 1000 Taldren posts, damn!!
WTF System Tools 2011
« on: January 26, 2011, 10:50:08 pm »
Ouch! Picked up a bitch of a virus/spyware called System Tools 2011. Takes over everything, thwarted my active Avira and Spybot. Couldn't even use Task Manager or run stuff from the command prompt.

Checked its icon properties and it pointed to a file in My Docs/All Users/Application Data/. Couldn't delete it so I renamed it and rebooted. Seems to have stopped it and am running everything I can right now to nuke it. Crossing fingers.

Anybody else dealt with this bitch?

G.R.I.P. - Great Rid of Incumbent Politicians

Offline Starfox1701

  • Lt. Commander
  • *
  • Posts: 1049
Re: WTF System Tools 2011
« Reply #1 on: January 26, 2011, 11:37:52 pm »
This sounds like scare ware

Offline FA Frey XC

  • Site Owner
  • Administrator
  • Captain
  • *
  • Posts: 5694
  • Gender: Male
    • XenoCorp.Net
Re: WTF System Tools 2011
« Reply #2 on: January 27, 2011, 09:46:57 am »
Good luck. Lemme know if you need any help.

Regards,
Vice President of Technology,
Dynaverse Gaming Association
Owner, CEO XenoCorp Inc.


Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: WTF System Tools 2011
« Reply #3 on: January 27, 2011, 09:54:42 am »
I haven't come across that one myself, but I've found Malwarebytes' Anti-Malware will catch some of these nasties where others can't. (download from a clean machine)

Offline NJAntman

  • Lt. Commander
  • *
  • Posts: 1565
  • Gender: Male
  • Jusssst short of a 1000 Taldren posts, damn!!
Re: WTF System Tools 2011
« Reply #4 on: January 27, 2011, 10:41:07 am »
Seems to be working now, posting from that machine. Back-tracking the only change I made recently was letting my son start playing Left4Dead 1 & 2 which uses Steam so I disabled that on startup. Grasping at straws here.

Bit annoyed that it can get past Avira/Spybot, time to find a new mix for the scanning cocktail.
G.R.I.P. - Great Rid of Incumbent Politicians

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: WTF System Tools 2011
« Reply #5 on: January 27, 2011, 12:05:44 pm »
I've been using either Avast or Microsoft Security Essentials (depending on licensing ;)) in combination with MBAM (on-demand mode install only when co-existing with other av) on the machines I've been cleaning up for family lately. As far as I can tell those are the best free solutions currently. Also, you may find Autopatcher useful in such cleanup/update situations - can save lots of time on updates.

Offline Dash Jones

  • Sub-Commander of the Dark Side
  • Captain
  • *
  • Posts: 6477
  • Gender: Male
Re: WTF System Tools 2011
« Reply #6 on: January 30, 2011, 06:30:44 am »
Ouch! Picked up a bitch of a virus/spyware called System Tools 2011. Takes over everything, thwarted my active Avira and Spybot. Couldn't even use Task Manager or run stuff from the command prompt.

Checked its icon properties and it pointed to a file in My Docs/All Users/Application Data/. Couldn't delete it so I renamed it and rebooted. Seems to have stopped it and am running everything I can right now to nuke it. Crossing fingers.

Anybody else dealt with this bitch?



yes, though that is the newer version of the same trojan/virus that has been operating for the past several years.  It started at least as early as 2007.  Unless they've adapted it, most likely it means that you are using XP, which it exploits to open up your computer as it then downloads probably about 300 other files...mostly other trojans, spyware, and stuff like that.

It's a MAJOR pain to get rid of.  I'd be betting you may still have stuff running in the background if all you did was rename it.  It eventually has the ability to lock you out of administrative functions, just a heads up.
"All hominins are hominids, but not all hominids are hominins."


"Is this a Christian perspective?

Now where in the Bible does it say if someone does something stupid you should shoot them in the face?"

-------

We have whale farms in Jersey.   They're called McDonald's.

There is no "I" in team. There are two "I"s in Vin Diesel. screw you, team.

Offline NJAntman

  • Lt. Commander
  • *
  • Posts: 1565
  • Gender: Male
  • Jusssst short of a 1000 Taldren posts, damn!!
Re: WTF System Tools 2011
« Reply #7 on: February 04, 2011, 08:51:11 pm »
I haven't come across that one myself, but I've found Malwarebytes' Anti-Malware will catch some of these nasties where others can't. (download from a clean machine)


This seems to have spotted it on the second scan. Nice program, thanks for the link; looks like I've found a new mix. :thumbsup:
G.R.I.P. - Great Rid of Incumbent Politicians

Offline marstone

  • Because I can
  • Commander
  • *
  • Posts: 3014
  • Gender: Male
  • G.E.C.K. - The best kit to have
    • Ramblings on the Q3, blog
Re: WTF System Tools 2011
« Reply #8 on: February 04, 2011, 09:14:20 pm »
I haven't come across that one myself, but I've found Malwarebytes' Anti-Malware will catch some of these nasties where others can't. (download from a clean machine)


This seems to have spotted it on the second scan. Nice program, thanks for the link; looks like I've found a new mix. :thumbsup:


I like it a lot also, has saved a few machines of people I know, when nothing else worked.
The smell of printer ink in the morning,
Tis the smell of programming.

Offline SkyFlyer

  • D.Net Beta Tester
  • Commander
  • *
  • Posts: 4240
  • Gender: Male
Re: WTF System Tools 2011
« Reply #9 on: February 16, 2011, 09:49:30 am »
I grabbed something like this a month or two ago... don't know where. It was either from a youtube video, a jvm (I don't remember which one, but it was something I had used before), or just a random website.
Life is short... running makes it seem longer.

"A god who let us prove his existence would be an idol" - Dietrich Bonhoeffer

Offline NJAntman

  • Lt. Commander
  • *
  • Posts: 1565
  • Gender: Male
  • Jusssst short of a 1000 Taldren posts, damn!!
Re: WTF System Tools 2011
« Reply #10 on: February 28, 2011, 04:28:56 pm »
Ugggg... the freaking thing is back. Different name but same setup and screens.

Found it this time in C:/documents and settings/nick/local settings/Temp/ and then some freaking collection of gobbledygook letters for a directory with the only file ckiofwshmof.exe. I renamed the directory and rebooted, problem gone. BUT... I scanned the file with Avira, Spybot Search & Destroy, and Malwarebytes Anti-Malware and spotted nothing. Also noticed I cannot connect to the internet on that machine, but can with all others connected to this router. WTF?
G.R.I.P. - Great Rid of Incumbent Politicians

Offline NJAntman

  • Lt. Commander
  • *
  • Posts: 1565
  • Gender: Male
  • Jusssst short of a 1000 Taldren posts, damn!!
Re: WTF System Tools 2011
« Reply #11 on: February 28, 2011, 04:43:05 pm »
Seems it happened when my oldest son tried to watch a youtube vid.
 
And oddly I can get the internet to connect on the 3 other XP user accounts but not the one on which it happened. Maybe I'm just creeped out but when the internet won't connect on that one account the diagnose problem screen seems a bit off too.
G.R.I.P. - Great Rid of Incumbent Politicians

Offline Czar Mohab

  • Faith manages.
  • Lt.
  • *
  • Posts: 564
  • Gender: Male
  • Chewie - Go jiggle the handle!
Re: WTF System Tools 2011
« Reply #12 on: February 28, 2011, 06:27:57 pm »
Seems you may have also found the root of your problems already:

Back-tracking the only change I made recently was letting my son start playing Left4Dead 1 & 2


Seems it happened when my oldest son tried to watch a youtube vid.


OK joke time's over.

Haven't dug deep into the bowels of XP in a long time, at least since Win7 Beta. However, back in those XP days I did have the occasional "death bug" as you've described. The solution was to find every entry and reference to the program and remove it, including the offending file itself, and all descendant and clone files. I remember that it was no easy task; one of the offending files had replicated itself into 10 different directories across two drives.

This link below should help get you started (or continued):
http://www.spywareremove.com/removeSystemTool2011.html

but like I said it isn't a quick job to fix a deep rooted nasty like you described.

Last virus I had experience with (Win7-coworker's machine) AVG found but couldn't delete. Had to turn off the start up entries, rename the directory, reboot, delete, delete from "add/remove programs" and reboot again, then rescan with AVG (found computer clean). Unfortunately, research after the fact led us to find the origin as being part of a divx player update, and not actually a virus per se, but definitely an unwanted and accidentally installed item.

Anyway, I do hope I was of at least some help.
US Navy Veteran - Proud to Serve
Submariners Do It Underwater - Nukes Do It Back Aft - Pride Runs Deep
Have you thanked a Vet lately?

Subaru Owners Do It Horizontally Opposed!
Proud Owner - '08 WRX - '03 Baja - '98 Legacy

Offline NJAntman

  • Lt. Commander
  • *
  • Posts: 1565
  • Gender: Male
  • Jusssst short of a 1000 Taldren posts, damn!!
Re: WTF System Tools 2011
« Reply #13 on: February 28, 2011, 08:27:34 pm »
OK, several scans later and it seems to be gone again, yet I still cannot connect to the web from that user logon, which is really pissing me off. Anyone know of a way I can check what is different from that damaged logon to the other 3 logon IDs that still work? I figure it has to be something the scare-ware changed from that user account.

Really pisses me off knowing that I'll probably see this again on family computers.
G.R.I.P. - Great Rid of Incumbent Politicians

Offline FCM_SFHQ_XC

  • There is life outside of Windows..
  • Administrator
  • Lt. Commander
  • *
  • Posts: 2267
  • Gender: Male
  • Starbase Atlantis [X-refit]
    • 9th Fleet
Re: WTF System Tools 2011
« Reply #14 on: February 28, 2011, 10:09:14 pm »
have you been through the standard networking diags?
computer obtaining an IP (correct IP?)
have you ensured that the 'virus' didn't alter your proxy settings (several will alter the proxy settings so it tries to go through a malicious proxy server instead of the no-proxy connection most users are set to)
is there any network activity showing anytime you try to get on?
etc.
Starfleet Headquarters out.

Fleet Commodore, XenoCorp, ISC Fleet.

Offline NJAntman

  • Lt. Commander
  • *
  • Posts: 1565
  • Gender: Male
  • Jusssst short of a 1000 Taldren posts, damn!!
Re: WTF System Tools 2011
« Reply #15 on: March 01, 2011, 03:43:59 pm »
I took a screen capture of the Tools/Internet Options/Advanced tab on one of the working accounts and compared it to all the others, no difference there.

The MSIE network diagnostic lists several ports that need to be opened. I'm a bit wary of that; if the scare-ware is still in there, couldn't it be mimicking the diagnostic to get me to open those ports for it? Could those ports be open for the other user accounts that are still working but closed on the account that got hit?

I wish there was a repair Internet Explorer button. And this is a heck of a time to realize that without enough free space left on my C: drive the System Restore no longer works. When it rains it pours.
G.R.I.P. - Great Rid of Incumbent Politicians

Offline Capt. Mike

  • Live from Granpa's Grotto
  • Captain
  • *
  • Posts: 6616
  • Gender: Male
Re: WTF System Tools 2011
« Reply #16 on: March 01, 2011, 05:22:44 pm »
All I can think of is get an external hard drive, restore to it, then boot off the USB....

I'm having a doozy of a problem, trying to get an XP machine back up... new hard drive, format, gets about 82% done, then says it can't copy a file correctly... been doing it for days...

Any suggestions?

Mike
Summum ius summa iniuria.

The more law, the less justice.

Cicero, De Officiis, I, 33

"It doesn't, and you can't, I won't, and it don't
it hasn't, it isn't, it even ain't, and it shouldn't
it couldn't"
FZ, 1974

My chops were not as fast...[but] I just leaned more on what was in my mind than what was in my chops.  I learned a long time ago that one note can go a long way if it's the right one, and it will probably whip the guy with twenty notes.
 --Les Paul

Offline Tus-XC

  • Capt
  • XenoCorp® Member
  • Commander
  • *
  • Posts: 2789
  • Gender: Male
Re: WTF System Tools 2011
« Reply #17 on: March 01, 2011, 06:09:37 pm »
NJ: I would go ahead and do what IE tells you to do; if it says ports have been closed, then open them and see if that does any good. I got hit by this same one a year back, ended up backing my system up and then fragging the drive and starting from scratch.

Mike: Sounds like you have a bad drive, might want to return it.
Rob

"Elige Sortem Tuam"

Offline NJAntman

  • Lt. Commander
  • *
  • Posts: 1565
  • Gender: Male
  • Jusssst short of a 1000 Taldren posts, damn!!
Re: WTF System Tools 2011
« Reply #18 on: March 01, 2011, 08:18:29 pm »
The MSIE diagnostic returns the following message "Check firewall settings for HTTP port (80) HTTPS port (443) and FTP port (21)".

Still nervous about messing with ports, so I went poking around and in the Internet Options/Connections/LAN settings tab the "use a proxy server for LAN" box was checked on the account that isn't working, but nothing was checked in that tab section on any of the accounts that were working. So I went into the not-working account and chose Automatically Detect Settings and now that account is connecting to the net. Hey FCM_SFHQ_XC, any ideas on what the "normal" settings in that tab should be?

I'm relieved that I can connect now but still suspicious. Wish I could take TUS's advice and start over but damn that seems daunting; never thought I'd come close to maxing out a 250GB HD but I'm nearly there so maybe it is time to get me one of those cheap 500GB and start over.
G.R.I.P. - Great Rid of Incumbent Politicians

Offline Czar Mohab

  • Faith manages.
  • Lt.
  • *
  • Posts: 564
  • Gender: Male
  • Chewie - Go jiggle the handle!
Re: WTF System Tools 2011
« Reply #19 on: March 01, 2011, 09:19:42 pm »
I'm relieved that I can connect now but still suspicious. Wish I could take TUS's advice and start over but damn that seems daunting; never thought I'd come close to maxing out a 250GB HD but I'm nearly there so maybe it is time to get me one of those cheap 500GB and start over.

For you I wouldn't say start over yet. You could very easily add in an internal hard drive of similar stature to the one you have now. Then you could spread all your goods over the two HDDs. Since it is an internal, you could also install programs to that drive, as well as set backups from your primary (C:\) to it.

So I went into the not-working account and chose Automatically Detect Settings and now that account is connecting to the net. Hey FCM_SFHQ_XC, any ideas on what the "normal" settings in that tab should be?


While not directed at me, my internet options/connections/LAN settings only has the "automatically detect..." checkbox checked. I've never touched it, so I'd assume that this could at least be something for you to compare things to.

It sounds like your bug hijacked your internet explorer and was telling it to try to connect through the bug's host's server. Nice catch.

US Navy Veteran - Proud to Serve
Submariners Do It Underwater - Nukes Do It Back Aft - Pride Runs Deep
Have you thanked a Vet lately?

Subaru Owners Do It Horizontally Opposed!
Proud Owner - '08 WRX - '03 Baja - '98 Legacy

Offline Lieutenant_Q

  • Lt. Commander
  • *
  • Posts: 1669
  • Gender: Male
Re: WTF System Tools 2011
« Reply #20 on: March 01, 2011, 11:19:34 pm »
Just got back from a friend's house whose computer got hit by this thing. My mother's had this about a month ago. Hers I was able to do a system restore and then an install of MBAM, problem solved. The friend's computer took a little more coaxing, mostly because whatever this thing was doing it was blocking System Restore. He had already purchased a program called Spyware Doctor; we installed it while running Safe mode with Networking, updated it and ran the program in safe mode (despite Spyware Doctor saying it shouldn't be run in safe mode). It found the program and took it off; when I left his house it had booted normally with no sign of it on there. I left it running over night and told him to call me if it popped back up in the morning.

The only real difference between the two, was my mother was running 7, while my friend was still running XPSP3.
"Your mighty GDI forces have been emasculated, and you yourself are a killer of children.  Now of course it's not true.  But the world only believes what the media tells them to believe.  And I tell the media what to believe, its really quite simple." - Kane (Joe Kucan) Command & Conquer Tiberium Dawn (1995)

Offline Dash Jones

  • Sub-Commander of the Dark Side
  • Captain
  • *
  • Posts: 6477
  • Gender: Male
Re: WTF System Tools 2011
« Reply #21 on: March 02, 2011, 01:25:08 pm »
OK, several scans later and it seems to be gone again, yet I still cannot connect to the web from that user logon, which is really pissing me off. Anyone know of a way I can check what is different from that damaged logon to the other 3 logon IDs that still work? I figure it has to be something the scare-ware changed from that user account.

Really pisses me off knowing that I'll probably see this again on family computers.

Only solution I ever found that actually worked completely was a complete reformat and reinstall of OS.  On XP it goes undetectable by some Virus programs...the reason for that and the reason you may not be able to connect to the internet are interconnected, at least if it's the same that I had problems with.

What it does is to take up your admin rights. To see if it's done this, try to change something specific, like a rollback on the Windows drivers. If it's taken your admin rights, you will not be allowed to do that.

The other thing it likes to do, and this will KILL your internet every time, was to fool the anti-virus programs by interwriting and changing some key network files. The AV sees that it's infected and deletes them... and suddenly you have no connection. I've ONLY seen this done when you've actually gone after the trojan physically by trying to delete its key files. The files themselves rename themselves, and after the first little file is on your computer, it rehashes itself with about several hundred others... so it's redundant. It normally has at least two different processes running at a time, so if you kill one process... it fades and appears as if you got it, but the second process bumps up a new name at random and restarts it under that one, so it once again has two processes.

I tracked down the processes, and deleted them there and in the configuration files as well as the registry...and at that point it started to do the same thing with the changing of the internet files, administrative rights...etc.

I'd probably suggest that you invest in an OS...even if it's linux, format the drive, and reinstall. 

But that's just me.
"All hominins are hominids, but not all hominids are hominins."


"Is this a Christian perspective?

Now where in the Bible does it say if someone does something stupid you should shoot them in the face?"

-------

We have whale farms in Jersey.   They're called McDonald's.

There is no "I" in team. There are two "I"s in Vin Diesel. screw you, team.

Offline Dash Jones

  • Sub-Commander of the Dark Side
  • Captain
  • *
  • Posts: 6477
  • Gender: Male
Re: WTF System Tools 2011
« Reply #22 on: March 02, 2011, 01:32:28 pm »
Just got back from a friend's house whose computer got hit by this thing. My mother's had this about a month ago. Hers I was able to do a system restore and then an install of MBAM, problem solved. The friend's computer took a little more coaxing, mostly because whatever this thing was doing it was blocking System Restore. He had already purchased a program called Spyware Doctor; we installed it while running Safe mode with Networking, updated it and ran the program in safe mode (despite Spyware Doctor saying it shouldn't be run in safe mode). It found the program and took it off; when I left his house it had booted normally with no sign of it on there. I left it running over night and told him to call me if it popped back up in the morning.

The only real difference between the two, was my mother was running 7, while my friend was still running XPSP3.

That's a new one.  I haven't heard it really popping up that much on 7.  XP is extremely vulnerable as it seemed to target the specific files on it. 

It works via IE...if you disconnect the internet and use another browser that actually seemed to stump it for awhile.

However, mine is old stuff, last run in I had with it that it really affected me was the beginning of last year.

I HAVE run across sites that try to put it on; Firefox and a combination of Norton seemed to catch it before it did anything on Win 7. If your son did anything that I was doing, he was looking for videos. I ran across a site with it just two days ago. I was looking for video on Dead Space via google. One of the links (I think it was the fourth or fifth one down) actually was a deceptive link and led directly to the malicious webpage.

If your son was looking for Dead Space videos via google it is possible that he stumbled across the same page I did.
"All hominins are hominids, but not all hominids are hominins."


"Is this a Christian perspective?

Now where in the Bible does it say if someone does something stupid you should shoot them in the face?"

-------

We have whale farms in Jersey.   They're called McDonald's.

There is no "I" in team. There are two "I"s in Vin Diesel. screw you, team.

Offline FCM_SFHQ_XC

  • There is life outside of Windows..
  • Administrator
  • Lt. Commander
  • *
  • Posts: 2267
  • Gender: Male
  • Starbase Atlantis [X-refit]
    • 9th Fleet
Re: WTF System Tools 2011
« Reply #23 on: March 03, 2011, 08:28:43 am »
The MSIE diagnostic returns the following message "Check firewall settings for HTTP port (80) HTTPS port (443) and FTP port (21)".

Still nervous about messing with ports, so I went poking around and in the Internet Options/Connections/LAN settings tab the "use a proxy server for LAN" box was checked on the account that isn't working, but nothing was checked in that tab section on any of the accounts that were working. So I went into the not-working account and chose Automatically Detect Settings and now that account is connecting to the net. Hey FCM_SFHQ_XC, any ideas on what the "normal" settings in that tab should be?

"Automatically Detect Settings" should be checked; the rest of it should not be, for any standard network setup/connection.
If "Use proxy server" was checked then that will cause the browser not to be able to connect; viruses usually will configure the browser to use a proxy, so it redirects you to a malicious server to proxy through.
Starfleet Headquarters out.

Fleet Commodore, XenoCorp, ISC Fleet.
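An added example, not from the thread or any poster, for the two points above: FCM_SFHQ_XC's check that the malware did not alter the per-user proxy settings, and NJAntman's question of how to compare the damaged logon against the three working ones. It parses a `reg export HKEY_USERS` dump of the Internet Settings keys and flags accounts whose proxy values differ from the clean baseline (only "Automatically detect settings" on); the SIDs and proxy address in the sample are constructed, while ProxyEnable, ProxyServer, AutoConfigURL and AutoDetect are the real value names IE stores under that key.

```python
import re

# Constructed sample of `reg export HKEY_USERS proxy.reg` output, trimmed to the
# Internet Settings keys. SIDs and the proxy address are made up. A real export
# is UTF-16 with CRLF line endings: open(path, encoding="utf-16").read().
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"AutoDetect"=dword:00000001

[HKEY_USERS\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:51234"
"AutoDetect"=dword:00000000

[HKEY_USERS\S-1-5-21-1111-2222-3333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"AutoConfigURL"="http://example.invalid/proxy.pac"
'''

# Only the per-user hive (S-1-5-...), not the S-1-5-..._Classes or .DEFAULT keys.
KEY_RE = re.compile(r'^\[HKEY_USERS\\(S-[\d-]+)\\Software\\Microsoft\\Windows'
                    r'\\CurrentVersion\\Internet Settings\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(dword:[0-9a-fA-F]{8}|".*")$')
PROXY_VALUES = ("ProxyEnable", "ProxyServer", "AutoConfigURL", "AutoDetect")


def parse_reg_export(text):
    """Return {sid: {value_name: int_or_str}} for each user's Internet Settings key."""
    per_user, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = per_user.setdefault(m.group(1), {})
            continue
        if line.startswith('['):          # some other key: ignore its values
            current = None
            continue
        v = VALUE_RE.match(line) if current is not None else None
        if not v:
            continue
        name, data = v.groups()
        if data.startswith('dword:'):
            current[name] = int(data[6:], 16)
        else:                             # un-escape the .reg string form
            current[name] = data[1:-1].replace(r'\\', '\\').replace(r'\"', '"')
    return per_user


def assess(per_user):
    """{sid: [finding, ...]}; an empty list means the account matches the clean baseline."""
    findings = {}
    for sid, vals in per_user.items():
        problems = []
        if vals.get("ProxyEnable", 0) == 1:
            problems.append("ProxyEnable=1, manual proxy: %s" % vals.get("ProxyServer", "<none>"))
        elif vals.get("ProxyServer"):
            problems.append("ProxyServer set (currently disabled): %s" % vals["ProxyServer"])
        if vals.get("AutoConfigURL"):
            problems.append("AutoConfigURL (PAC script) set: %s" % vals["AutoConfigURL"])
        if vals.get("AutoDetect") == 0:
            problems.append("AutoDetect=0, 'Automatically detect settings' is unchecked")
        findings[sid] = problems
    return findings


def diff_accounts(per_user, baseline_sid):
    """{sid: {value: (baseline, this_account)}} for every proxy value that differs."""
    base, out = per_user[baseline_sid], {}
    for sid, vals in per_user.items():
        if sid == baseline_sid:
            continue
        delta = {n: (base.get(n), vals.get(n)) for n in PROXY_VALUES if base.get(n) != vals.get(n)}
        if delta:
            out[sid] = delta
    return out


if __name__ == "__main__":
    users = parse_reg_export(SAMPLE_REG)
    for sid, probs in assess(users).items():
        print(sid, "OK" if not probs else "; ".join(probs))
    print(diff_accounts(users, "S-1-5-21-1111-2222-3333-1001"))
```

Run it against a real export after fixing the settings as well: a proxy that comes back on the next scan points at something still writing the key, which is the re-infection case the thread describes.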

Offline knightstorm

  • His Imperial Highness, Norton II, Emperor of the United States and Protector of Mexico
  • Lt. Commander
  • *
  • Posts: 2104
Re: WTF System Tools 2011
« Reply #24 on: March 11, 2011, 05:45:17 pm »
I got a UAC prompt for a program I didn't recognize, as well as an authorization prompt from Zone Alarm.  I immediately disconnected from the internet just before the prompt from something calling itself "vista security tools" came up.  I was able to scan with Lavasoft Ad-Aware which detected and removed it.

Offline NJAntman

  • Lt. Commander
  • *
  • Posts: 1565
  • Gender: Male
  • Jusssst short of a 1000 Taldren posts, damn!!
Re: WTF System Tools 2011
« Reply #25 on: April 05, 2011, 05:58:30 pm »
Just shot myself in the foot. Trying to explain to my son why free music/video files are usually a trap, so I let him create a registration for FilesTube to show him how what he was searching for just leads around in a circle jerk. Was on their site and the first tier of download sites they lead to for no more than 5 minutes. Soon as I signed off, Windows Restore pops up and when I tried to scan it all kinds of scam and scare warnings started to pop up, it disabled Task Manager (still haven't gotten that back), and randomly hid half of my desktop icons, even cleared out my programs list.

Pulled the plug on my modem and got Malwarebytes to run a quick scan and it found 7 trojans along with registry entries. Starting the clean-up process now; seriously thinking about a system reload 'cause I suspect there is still something buried deep.

Oh well, needed to clean house anyway, but here is a write-up on the bitch:
http://www.geek.com/articles/news/new-malware-tricks-users-into-thinking-hard-drive-failure-is-imminent-20110520/
« Last Edit: May 23, 2011, 12:23:29 pm by NJAntman »
G.R.I.P. - Great Rid of Incumbent Politicians