• “System Tool 2011” trojan

    #473712

    My older brother, who is not extremely computer literate, has a major problem with his computer. He lives in Maine, about 1000 miles from my location, so I cannot see firsthand what is going on. From what he tells me his computer has been taken over by the System Tool 2011 trojan/virus. He tells me that he cannot think of anything he did; he did not click or open anything, it just suddenly appeared on his desktop and now he cannot open any app or access the Internet. He is still able to boot from safe mode but, again, cannot do anything further with the computer. I do not understand how this situation occurred since he is running the Sunbelt Software VIPRE antivirus/antimalware/antispyware application with up-to-date definitions, which it seems to me should have caught this bad guy.

    There are a huge number of references to System Tool 2011 (over one million) on the Internet but I don’t see much of anything that would help in this case. If anyone can give me some ideas how to help him from long distance, I would surely appreciate it. Sunbelt tech support is onboard with this but heaven only knows how long it may take them to do anything for him.

    • #1259687

      Unfortunately, no single antimalware solution catches all the malware.

      The fact that he can boot in safe should help. He should boot in safe mode with networking, which will allow him to get to the internet. I found this advice elsewhere, so I am posting it as is:


      1. download and run malwarebytes anti-malware.
      2. download TFC (temporary file cleaner) from cnet, and run it.
      3. download Norton Power Eraser from cnet and run it. Note that there are some cautionary warnings with this program as it apparently is very aggressive in finding malware and can result in false positives (which could create problems if you delete good files). In my case, Power Eraser only came up with one bad file, which had a random prefix (random.exe).

      All this downloading and running of programs was done in safe mode with networking.

      Of course, there could be other solutions, since it’s clear that the malware is being loaded from some entry used during the normal boot process, so a tool like Autoruns could be used to identify the malware and stop it from loading. It requires some knowledge though, so the previous advice should be easier to follow.
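      The Autoruns approach mentioned above, worked through as an added example that is not part of the original thread or of any Sunbelt, Malwarebytes or Sysinternals tooling: a small triage script that scores autostart entries for the pattern the thread describes (an unsigned, randomly named executable that starts from a temp or profile data directory, the "random.exe" Power Eraser found). The entry list, field names and paths below are constructed for the example; in practice the list would come from an Autoruns export of the Run keys and other autostart locations, and the flagged entry is what you would disable from safe mode before rebooting.

```python
"""Triage autostart entries for rogue-AV style persistence.

These are heuristics, not signatures, so treat a hit as "look here first",
not as proof: a legitimate unsigned updater living under Application Data
will score too, which is the same false-positive caveat the thread raises
about aggressive cleaners.
"""
import math
import re
from typing import Dict, List, Tuple

# Directories a normal installer does not use for an autostart binary, but
# drive-by installers and rogue "security" products routinely do.
SUSPICIOUS_DIR = re.compile(
    r"\\(temp|tmp|application data|appdata|programdata|local settings)\\",
    re.IGNORECASE,
)
VOWELS = set("aeiou")

# Constructed sample (field names and values invented for this example):
# two ordinary entries and two that match the pattern from the thread.
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {"location": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "ctfmon", "image": r"C:\WINDOWS\system32\ctfmon.exe",
     "signer": "Microsoft Windows"},
    {"location": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "AVTray", "image": r"C:\Program Files\Example AV\avtray.exe",
     "signer": "Example AV Vendor"},
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "gjnPqzBmLwT",
     "image": r"C:\Documents and Settings\All Users\Application Data\gjnPqzBmLwT\gjnPqzBmLwT.exe",
     "signer": ""},
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "update",
     "image": r"C:\Documents and Settings\Owner\Local Settings\Temp\update.exe",
     "signer": ""},
]


def shannon_entropy(text: str) -> float:
    """Bits per character of the string (higher means closer to random)."""
    if not text:
        return 0.0
    n = len(text)
    counts = {c: text.count(c) for c in set(text)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def looks_random(stem: str) -> bool:
    """Generated names tend to be long, high-entropy and vowel-poor."""
    letters = "".join(ch for ch in stem.lower() if ch.isalpha())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    return shannon_entropy(letters) >= 2.8 and vowel_ratio <= 0.25


def score_entry(entry: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, reasons); each reason is one indicator that fired."""
    score, reasons = 0, []
    image = entry["image"]
    stem = image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if not entry.get("signer"):
        score += 1
        reasons.append("unsigned image")
    if SUSPICIOUS_DIR.search(image):
        score += 2
        reasons.append("runs from a temp/profile data directory")
    if looks_random(stem):
        score += 1
        reasons.append(f"random-looking name '{stem}'")
    return score, reasons


def triage(entries: List[Dict[str, str]], threshold: int = 3):
    """Entries scoring at or above threshold, highest score first."""
    flagged = []
    for e in entries:
        score, reasons = score_entry(e)
        if score >= threshold:
            flagged.append((e["name"], e["image"], score, reasons))
    return sorted(flagged, key=lambda t: -t[2])


if __name__ == "__main__":
    for name, image, score, reasons in triage(SAMPLE_ENTRIES):
        print(f"[{score}] {name}: {image}")
        for r in reasons:
            print(f"      - {r}")
```

The threshold is deliberately set so that one indicator alone (an unsigned binary in Program Files, or a short odd name in System32) does not flag an entry; the rogue's combination of all three does, and the Temp-resident "update.exe" shows that the directory rule plus a missing signature is enough on its own.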

    • #1259698

      Malwarebytes Forum: How do I remove System Tool?
      Have a look through the above link. He will need some guided help in removal of this. Give Sunbelt tech support a chance before mucking around with various solutions.

    • #1259735

      Rui & Clint-

      Thank you both for your response. Malwarebytes did the trick and his ‘puter is now back up and running (at least for the moment). In retrospect, it may be that VIPRE had been turned off for some reason but once we were back up and running I had him update to VIPRE 4 Premium which has the firewall built in so, hopefully, there will be no recurrences of such nastiness!

      Thanks again for your help!

      • #1259738

        Malwarebytes did the trick and his ‘puter is now back up and running (at least for the moment).

        In the forum where I found the info posted in my previous message, someone said Malwarebytes wasn’t enough, but if it did the trick, so much the better. Glad to know it has been solved.

    • #1259745

      My older brother, who is not extremely computer literate, has a major problem with his computer. He lives in Maine, about 1000 miles from my location, so I cannot see firsthand what is going on.

      For some of the future help sessions with your brother you may want to consider something like the free TeamViewer (TeamViewer – the All-In-One Solution for Remote Access and Support over the Internet).

    • #1259790

      Tim-

      Since my brother’s computer was initially hors de combat, we could not use remote access. I subscribe to LogMeIn Pro so, when he is up and running, I can remote to his computer. I will also check out TeamViewer.

      Since we installed Malwarebytes in the process of solving the problem, I am suggesting to him that once a week or so, he temporarily shut down VIPRE and run Malwarebytes (just the old belt and suspenders approach).

    • #1259791

      Your brother doesn’t need to suspend Vipre to run Mbam. You can tell him to add Mbam to Vipre’s always allowed list, though.

    • #1261815

      Oh Man, my sympathies. I had a somewhat similar experience with a nasty piece of work called “Security Essentials 2011” and what a nightmare it was/still is. Just a quick back story. I built a system for my mom b/c she wanted to learn to get on the net, email, etc. She is absolutely 1000% computer illiterate, so much so she thus far cannot grasp the concept of using a mouse, clicking on an icon, anything. I bring this up b/c although the computer was connected to the net, I had installed Norton Internet Security 2010, updated it with the latest definitions and made sure that both Automatic Live Update and Pulse Updates were enabled, had installed all MS updates for XP. The machine is fine for weeks then one day while I’m over at my Mom’s I see all these virus warnings and whatnot from this rogue software. What confounded me is that this software had to somehow “seek out” and find this system that supposedly had the latest virus definitions on it and was “stealthed” by Norton’s firewall because I know for a fact that my Mom couldn’t have launched IE or FF if her children’s lives depended on it (I have to remind her what the mouse is) and no one else has used the machine.

      I tried everything I could find to get rid of that mess. MBAM was no go, rkill got shut down, changing extensions to .com and whatnot had no effect, it still shut them down as soon as they tried to execute. Finally for some reason it did let SuperAntispyware’s software launch with the .com extension (that was the only one) but once it finally finished the scan and I removed everything it had marked the machine would not boot, not into safe mode, last known good, nothing. Right now I don’t remember the particular sequence of events but it just keeps cycling through the initial boot sequence. It reaches a certain point and then just reboots. There is no error message or anything (that I can remember) it just keeps rebooting. When I have some spare time and can somehow find the drivers for it I am just going to reinstall XP Pro on it. I think that somehow this program dug itself deep into some system files and when SAS deleted the files it had marked as spyware/trojans it hosed the whole shootin’ match.

      You know, I really do hope that there is a special place in hell for the people who write these viruses, trojans, malware, spyware and so on. My only real regret is that I cannot be the one to send them there. If the U.S. spent half as much for a “War on Viruses” or whatnot as it has wasted on its War on Drugs or War on Terror, completely ignored international borders so that the writers had no place to hide and held public executions of the ones they found, the problem might just go away. The real terrorists are going to be the ones who manage to cripple the U.S. infrastructures because we have become so dependent on computers to live a day to day existence and they need to be dealt with.

      I’m sorry, I just really HATE the people who do this. Best of luck to you Mainer.

      Val

    • #1261822

      This same trojan is discussed in another thread. Perhaps this OP’s approach will help others. This points out 2 things that many of us advocate here. 1) It is imperative to be proactive in our PC security, using good AV and AM apps to combat these nasties as well as keeping our PCs up to date (Sorry Fred, I do recommend installing patches. Never had a problem). I also do recommend upgrading to Win 7 as it does seem much more secure. 2) Imaging!!!! Up-to-date images allow restoration in minutes. Many discussions on this topic may be found in this forum.

    • #1261860

      Valek-
      Your trojan is different from what my brother had but is obviously similar. When I reported that his problem was fixed (on 12-19-2010) I should have mentioned that it was necessary to use “Safe Mode With Networking” to download and install Malwarebytes (which solved the problem). Trying to boot with basic “Safe Mode” would not work, the computer was still locked up.
      I agree with your feelings about the hackers that use tactics like this but my guess is that they are motivated by greed. I imagine that there are many naive, non-computer literate people who are taken in by this type of scare tactic and pay out good money to “ransom” their computer. Anything for a buck…

      Ted-
      I was curious why I didn’t find anything when I initially did a search for “System Tool” so I checked out the other thread and found that it was posted after my initial post. I quite agree with your comments about up-to-date protection and imaging. One note of caution re: imaging- if you have a “bad guy” residing on your computer when you do an image, it will be right back there when you do a restore.

      I have been using Sunbelt Software VIPRE antivirus/antispyware/antimalware for quite some time and have been happy with it in combination with Malwarebytes. I have not had occasion to use the service, but Sunbelt has a (free) malware removal service for subscribers and there have been many favorable comments about this.

      Thanks again to one and all for the comments and assistance. My brother was one happy camper when we got his computer back in service!

      • #1261952

        Ted-
        I was curious why I didn’t find anything when I initially did a search for “System Tool” so I checked out the other thread and found that it was posted after my initial post. I quite agree with your comments about up-to-date protection and imaging. One note of caution re: imaging- if you have a “bad guy” residing on your computer when you do an image, it will be right back there when you do a restore.

        Yes, there is that. The images must be created when the system is free of nasties. I also clean all temp files (everything I can clean out) and then defrag just before creating my images.
