Win7 near-total takeover by System Tool malware

    • This topic has 17 replies, 12 voices, and was last updated 14 years ago.
    #474922

    Win 7 64-bit with good protection was taken over by malware identified as System Tools. The first attack came suddenly yesterday with a warning alert that looked like Microsoft Security Essentials. The laptop was totally controlled by this attack. I was fooled by a request to download by what I accepted as Microsoft Security Essentials and allowed the download. I could not open anything on the computer and finally shut it down with a long hold of the power switch.

    When the computer was rebooted it quickly came under the control of the attacker, almost demanding that I pay to download a program that was the only thing that could fix this virus attack. After a scan it reported 38 different viruses plus. The desktop background was changed to a large warning sign warning that my wife and children were in danger from this computer problem.

    I tried many things (MSE, CCleaner, Spybot, Task Manager) that would not open and were reported as being infected. Finally I thought to try and fix the desktop background and was successful at doing this and got full access to the computer back. I changed to a new background and it replaced the full-page warning.

    It is difficult to describe this more, but I need help in dealing with getting rid of it. At every reboot it is there to deal with, and just changing the desktop background gets rid of it until a reboot. I have run full scans with all programs mentioned and the computer is reported clean.

    HELP Please.
    ……..
    Ray/FL

    • #1268260

      Download Malwarebytes Antimalware – it has a free version that will get you rid of this: http://www.malwarebytes.org/

      For manual removal, check here:

      Check this link: http://deletemalware.blogspot.com/2010/10/how-to-remove-system-tool-uninstall.html

      It has detailed instructions on System Tools removal.

      • #1268262

        This page/site describes the malware very well (and with pictures) but the process to follow to fix/clean the problem is not so clear. It seems that you are finally directed to buy their anti-virus software. I will read it again but it does not appear clear or doable to me yet. What am I missing? Thanks for trying to help.
        ……
        Ray/FL

    • #1268265

      Hi Ray,

      Download malwarebytes from the first link I posted and execute it. Malwarebytes will remove the malware, you don’t need to buy anything.

      If needed, boot your pc in safe mode with networking, go online and download malwarebytes then. As far as I could read, malwarebytes, which is free, removes System Tool.

      • #1268271

        I did indeed download the mentioned program at http://www.malwarebytes.org/ and it removed the malware, at least in the first reboot, which was clean. I thank you much for this tool. This is a real pest.
        ……..
        Ray/FL

    • #1268272

      Glad that malwarebytes could help you get rid of that malware. This is a tool to keep installed and at hand. A weekly or so scan with malwarebytes can do no harm.

    • #1268317

      Wanted to comment further on this pest of a malware. This morning the computer booted clean, thanks to http://www.malwarebytes.org/. Everything else failed to even see the problem. I follow the counsel of Fred Langa and I want to mention to him that Microsoft Security Essentials did not prevent this attack even though it was current. CCleaner and Spybot let it hide also, even though UAC is fully active and enabled.

      It is aggravating to me to have let this happen, but it did, and I am ever so pleased that this group is here to HELP (save my XXX). Thanks.
      ………
      Ray/FL

      • #1268327

        I follow the counsel of Fred Langa and I want to mention to him that Microsoft Security Essential did not prevent this attack even though it was current. CCleaner and Spybot let it hide also.
        Ray/FL

        To the best of my knowledge, there is no AV/AM that will protect you from yourself. Do you also have UAC disabled?

        The first attack came suddenly yesterday with a warning alert that looked like Microsoft Security Essentials. The laptop was totally controlled by this attack. I was fooled by a request to download by what I accepted as Microsoft Security Essentials and allowed the download.
        Ray/FL

        For future reference, if you wish to update any of your AV/AM tools, launch the program and update it using its own “Update” button.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

        • #1268679

          CCleaner and Spybot let it hide also

          And CCleaner won’t protect you from anything; it’s very useful, but it is not designed or promoted to do anything of the kind. I suggest you read up on the software you intend to use before you install it on your computer.

          • #1268773

            I have seen this problem so many times; people bring me their computers to clean up the mess caused by rogue anti-virus, and I have always been successful with Malwarebytes’ Anti-Malware. I run Malwarebytes’ in safe mode because I find it has a better chance of finding and removing all of it. It was always my understanding (correct me if I am wrong) that anti-virus does not always stop an infection, but discovers infections after they hit the hard drive and then tries to quarantine them. But another thing I notice is that these infections have been disabling the anti-virus, therefore the anti-virus can’t operate and do its job. Process Explorer also helps if you can find the process and stop it. I am paranoid; if it were my own computer getting infected, I would nuke the disk and reload Windows.

            • #1268854

              It was always my understanding (correct me if I am wrong) that anti-virus does not always stop an infection, but discovers infections after they hit the hard drive and then tries to quarantine them.

              Files do have to download to be scanned. Once Windows has received the full file, it is scanned and if necessary deleted/quarantined before control is passed back to the program that downloaded the file. This should prevent execution and infection. The problem lately is that AV software can’t always update quickly enough to recognize malware…

    • #1268325

      Unfortunately, no single anti-malware product can ensure full protection. Most regular members here will advise a layered approach and malwarebytes is a tool to keep in your arsenal.
      Besides using MSE, I use a HIPS (Online Armor) and keep UAC active in its default settings, which I find pretty unintrusive. This gives me reasonably good multi-layered protection. Of course, I also keep Malwarebytes at hand for a regular or an emergency scan.

    • #1268776

      Likewise, I subscribe to the “Package” approach to system security. That’s been my approach for many years, as a computer tech.
      Again, CCleaner is NOT a computer security program at all and is only designed to do what its name suggests (Crap Cleaner). I’ve tried it twice on my own PC over the past few years and both times it has trashed my PC. I won’t use it again.

      Also, many users are under the misconception that just having Spybot S&D installed on their PC is protecting them from all malware.
      Nothing could be further from the truth. It’s like having a car sitting in your yard, with no license on it and no gas in the tank… it’s not going to take you anywhere.
      Spybot S&D requires a very specific setup, for it to ever work properly and then it needs to be updated (manually) every Wednesday when the updates are posted. And then the Immunize function needs to be run to immunize your browsers (it will protect both I.E. and Firefox) against spyware. It’s not advertised as an Anti-Virus program and should not be used in place of a GOOD AV program, like AVG FREE or AVAST FREE.
      (you need NEVER pay for good computer security software…. the best in the world is FREE!!! )

      I’ve added Malware bytes to my own security package, because it does occasionally find and remove something that no other program will find.

      I just had to remove that POS, “System Tools” from a customer’s PC recently. I removed most of it manually, but Malware Bytes got the rest of it.

      Any Security program that is installed but not kept up to date, at least once a week, is NO Protection at all.

      Cheers Mates!
      The Doctor

      • #1268809

        It looks exactly like the problem I had. It had taken the same path and had blocked all attempts to start the antivirus software I had installed (Avira, Spybot, MS Sec. Essentials, etc.). After several hours I found the following exe file: C:\ProgramData\ePcNoMh01804.exe. After deleting this file my system was back to normal.
        Since that malware asked for a credit card, I wonder what other harm has been done to people that saw no other way but to pay. The Feds should go and investigate.
        The dominating screen was blue with binaries in it.
        After that experience I will never feel safe with my installed antivirus and malware/spyware software again. They should have caught it and not allowed it to be taken over and rendered useless!!
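
        An added triage script for the situation described in this thread (the rogue coming back at every reboot, and the executable found under C:\ProgramData). It is not from the thread and is not part of Malwarebytes or any other product named here. It lists the usual Windows autostart entries (Run/RunOnce keys, Startup folders, the Winlogon Shell value) and flags the ones that point at an executable under ProgramData, AppData or Temp with no valid Authenticode signature. Run it from an elevated PowerShell prompt, preferably in Safe Mode. The regex for a “random-looking” name is a heuristic shaped on the one file name reported in this thread, not a detection signature.

```powershell
# Added example: triage Windows autostart entries for an unsigned executable
# under ProgramData/AppData/Temp. Not from the thread; heuristic, not a signature.

$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # present on 64-bit Windows only
)
$startupDirs  = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
$suspectRoots = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

function Get-AutorunEntries {
    # Emit Source/Name/Command objects from the Run keys and the Startup folders.
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $k = Get-Item -LiteralPath $key
        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$k.GetValue($name) }
        }
    }
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $dir -File) {
            [pscustomobject]@{ Source = $dir; Name = $f.Name; Command = $f.FullName }
        }
    }
    # Winlogon Shell should be exactly explorer.exe; anything chained after it runs at logon too.
    $shell = (Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        [pscustomobject]@{ Source = 'Winlogon\Shell'; Name = 'Shell'; Command = $shell }
    }
}

function Resolve-ExePath([string]$command) {
    # Reduce a command line to its executable: expand %VARS%, honour quoting, drop arguments.
    $cmd = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|com|scr|bat|cmd))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

$report = foreach ($e in Get-AutorunEntries) {
    $exe           = Resolve-ExePath $e.Command
    $inSuspectRoot = [bool]($suspectRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })
    $exists        = [bool]($exe -and (Test-Path -LiteralPath $exe))
    $sig           = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'Missing' }
    # Heuristic only: letters followed by digits, like the ProgramData file name reported above.
    $randomName    = [IO.Path]::GetFileNameWithoutExtension($exe) -match '^[A-Za-z]{5,}\d{3,}$'
    [pscustomobject]@{
        Flag       = if ($inSuspectRoot -and $sig -ne 'Valid') { 'SUSPECT' } else { '' }
        Name       = $e.Name
        Exe        = $exe
        Signature  = $sig
        Created    = if ($exists) { (Get-Item -LiteralPath $exe).CreationTime } else { $null }
        RandomName = $randomName
        Source     = $e.Source
    }
}
$report | Sort-Object Flag -Descending | Format-Table -AutoSize
```

        A SUSPECT row is a lead, not a verdict: legitimate updaters also live under AppData, so check the creation time against when the fake alert first appeared before deleting anything, and take a drive image first as advised earlier in this thread. Scheduled tasks and services are further autostart locations the script does not cover.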

        • #1268821

          When you are already infected with rogue spyware it is generally too difficult to remove from the same computer. The best solution is to buy an IDE/SATA to USB cable kit. Remove the hard drive from the computer and run it externally on a working computer with the security tool you want to use completely up to date. As your hard drive is now external, the malware process is not running in the background or interfering with the security tool, so this is even better than using safe mode. The cable kit with power attachment sells for about $20-25 and you can use it later to run large hard drives, small hard drives, SATA, CD and DVD write drives that are normally internal drives. For the price it’s a real bargain.

          • #1268845

            Actually, removing the drive and running antivirus from another computer is doing the job exactly backwards. Download and update the Portable Version (not available for Malwarebytes, but available for such programs as Super Antispyware) and run the antivirus program in Windows Safe Mode on the infected computer. If anything is removed, run it again, until nothing further shows up. Then reboot and do a final cleanup with CCleaner, either in Safe Mode or in Windows Normal Mode. If all of this fails, it’s time to reformat and reinstall Windows.

            -- rc primak

            • #1269409

              I have had the best luck removing garbage like Security Tool (including one infection earlier today on a customer’s PC) and other fake anti-virus programs by booting the computer off of a boot CD, like those from UBCD4WIN. I can then edit the registry, remove the baddies manually, and run scanners while in UBCD mode. I create a customized disc that I rebuild every month or so. That way it has updated programs and definitions for AntiVir and SuperAntiSpyware built onto the disc. That said, creating and using boot CDs isn’t for everyone. I’ve been working on computers for nearly 4 decades, PCs for 3.

              There are good reasons to pay for software you use, even if there are free versions available, like AVG, Avast and Malwarebytes. The paid versions are often better, offer support (or better support) and offer real-time protection. Malwarebytes does a very good job of preventing garbage from even getting into the PC when it runs all the time – it’s called the Pro version and costs $25 per license. You can schedule updates and scans automatically. While I am a reseller, I am only pitching the protection, and you can purchase it yourself from their website.

              Cleaning up a pc after it is messed up can be very difficult, and sometimes, almost, impossible, to do in a reasonable amount of time. If it takes several hours to clean a machine, time is better spent, I feel, saving data files, verifying what software is installed on the pc, locating licenses and cd/dvd packages, and Windows itself for the reload process.

              A note on Malwarebytes – while you can slave your hard drive via an external enclosure, connecting it to a good computer to repair it from, Malwarebytes will do nothing to clean that hard drive. It does not scan all hard drives that are connected to the computer it is scanning; it uses the registry to decide how and what to scan. If the external drive shows itself as drive F:, say, when Malwarebytes scans the registry, it will see references to drive C:, but not F:, since no programs are installed on it (per the PC it is now connected to).

              On the other hand, SuperAntiSpyware will scan that external drive, removing junk as necessary – though not from within the registry on that drive, only the files themselves.

              There are a significant number of Windows bugs which “permit” malware to infect our computers and then block our anti-malware programs from operating. Even keeping your AV program up to date is not enough when there are corrupted web pages out there with malware attacks built into them. And, sadly, some people who react to seeing an infestation like we are discussing purchase what the malware attacker is offering, giving their credit card info and their personal info to a stranger who will then use it and resell it to as many other people as possible.

              Randy
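
              An added example for the slaved-drive approach discussed in the two posts above; it is not from the thread and is not part of Malwarebytes, SuperAntiSpyware or UBCD4WIN. A file-only scan of a slaved drive sees the executables but not the registry entries that launch them, and a registry-driven scanner sees the host’s registry, not the slaved one. Loading the slaved disk’s hives closes that gap: the script mounts its SOFTWARE and NTUSER.DAT hives, reads the Run/RunOnce values, remaps the recorded C:\ paths to the slaved drive letter, and reports whether each target exists, is signed, when it was created and its hash. The drive letter F: and the profile name Ray are placeholders (assumptions to change). Run elevated; reg.exe does the load/unload because the PowerShell registry provider cannot mount hives on its own.

```powershell
# Added example: inspect autostart entries of a slaved, non-booted Windows disk by
# loading its registry hives. Not from the thread. F: and "Ray" are placeholders.
# Get-FileHash needs PowerShell 4 or later on the host doing the scanning.

$offlineDrive = 'F:'
$profileName  = 'Ray'
$hives = @{
    'HKLM\OfflineSoftware' = "$offlineDrive\Windows\System32\config\SOFTWARE"
    'HKLM\OfflineUser'     = "$offlineDrive\Users\$profileName\NTUSER.DAT"
}
$runKeys = @(
    'HKLM:\OfflineSoftware\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OfflineSoftware\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\OfflineSoftware\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OfflineUser\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OfflineUser\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Mount-OfflineHives {
    foreach ($mount in $hives.Keys) {
        $file = $hives[$mount]
        if (-not (Test-Path -LiteralPath $file)) { throw "Hive not found: $file" }
        & reg.exe load $mount $file | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg load $mount failed (not elevated, or already loaded?)" }
    }
}

function Dismount-OfflineHives {
    # Open RegistryKey handles keep a hive busy and make 'reg unload' fail; drop them first.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    foreach ($mount in $hives.Keys) { & reg.exe unload $mount | Out-Null }
}

function Get-OfflineAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $k = Get-Item -LiteralPath $key
        foreach ($name in $k.GetValueNames()) {
            $cmd = [string]$k.GetValue($name)
            # The hive stores paths as the dead system saw them (C:\...); point them at the slaved letter.
            $m      = [regex]::Match($cmd, '[A-Za-z]:\\[^"]+?\.exe', 'IgnoreCase')
            $local  = if ($m.Success) { $offlineDrive + $m.Value.Substring(2) } else { $null }
            $exists = [bool]($local -and (Test-Path -LiteralPath $local))
            [pscustomobject]@{
                Key       = $key.Replace('HKLM:\Offline', '')
                Name      = $name
                Command   = $cmd
                OnDisk    = $local
                Exists    = $exists
                Signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $local).Status } else { 'n/a' }
                Created   = if ($exists) { (Get-Item -LiteralPath $local).CreationTime } else { $null }
                SHA256    = if ($exists) { (Get-FileHash -LiteralPath $local -Algorithm SHA256).Hash } else { $null }
            }
        }
        $k.Close()
    }
}

Mount-OfflineHives
try {
    Get-OfflineAutoruns | Format-List
} finally {
    Dismount-OfflineHives
}
```

              Once a value is identified as the rogue’s launcher, it can be removed while the hive is still loaded with reg.exe (for example: reg delete HKLM\OfflineUser\Software\Microsoft\Windows\CurrentVersion\Run /v NAME /f, with NAME taken from the listing) and the file on F: quarantined, so the disk boots clean when it goes back. Scheduled tasks, services and the Winlogon Shell value in the offline SOFTWARE hive are other places worth reading the same way.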

            • #1272911

              There is no security product that can protect you from the greatest security risk of all – you, the PC user. You cannot make your PC impregnable with security software.

              The idea of perfect computer security is a myth. Banks have dealt with fraud for many, many decades; forget the Internet – Fraud existed back in the days of credit card machines with carbon paper forms. The technology of fraud gets better each year. Fraud remains consistent. From a banking perspective, the cost to obey government regulations dwarfs the cost of any individual case of fraud. Don’t be fooled that Banks are meeting these costs – it is the consumer (us) that ultimately pays for them (and through the nose) every time.

              As malware is ultimately just a program, it needs just one click to be installed. If the program is able to mimic your existing security product via animation, cloak itself and somehow disengage your real existing security product through some kind of ‘zero day’ backdoor, its job is done!

              A customer of mine recently paid for the very rogue product mentioned and, when advised to notify her credit card company, did so, only to find that her card had indeed been used fraudulently abroad. A case of wiping the slate, removing liability and the new card’s in the post, mate! So from a banking perspective, fraud has never qualified as a major threat.

              A banker looks at his balance sheets and writes off fraud as simply a cost of doing business. Such fraud may amount to billions of pounds each year, but the cost is spread across all sectors of the banking industry and ultimately indirectly to us all as paying customers all over the world.

