Title: "System Tools" Malware - Avoid this one!
Post by: Julie Marie on October 09, 2009, 05:40:43 PM
I have ESET on my computer.  It's supposed to be the best anti-everything protection against vicious programs.  But this one got by the goalie.

It's called "System Tools" and it claims to be a computer protection program.  You don't have to do much for it to load on your computer.  Simply click on the wrong page.  I never accept any downloads unless I know what it is so this one got through another way.

Once it got onto my computer it prevented me from running any anti-malware programs, disabled Task Manager, disabled my CD drive from running any programs, disabled my email, removed all my desktop icons and any ability to change the blue screen it defaulted to and didn't show up anywhere in the programs list.

Then it started running its own scan and making up all these bogus viruses.  It then told you you have the viruses and you can remove them by clicking on a "clean" button.  What it does from there (and I read this, but did not fall for it) is remove a lot of good files.  Then it prompts you to buy their software to fix your computer.  And it reminds you every ten seconds or so, along with a warning sound.

I could not access sysedit or msconfig.  Nor could I stop the process with Task Manager.  None of the Microsoft protection programs would run.  ESET did not even see it. 

Happily there was a solution, System Restore.  That worked but what I don't know is if the malware is still on my hard drive.  All the detection programs I have couldn't find it.  So it's now a wait and see.

Just wanted everyone to know.  Be very careful.  This is one very diabolical threat.

Julie
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Flan on October 09, 2009, 05:43:33 PM
free :)
http://www.microsoft.com/security_essentials/default.aspx
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Washu Chan on October 25, 2009, 03:37:09 AM
I have run into this one before and it is a doozie to remove.

The fastest and simplest solution I can think of is to reformat the hard drive and start again and restore your important work off backup discs. (I always keep backups, I hate having to rewrite assignments I spent hours working on)
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Dana Lane on October 25, 2009, 03:55:01 AM
The Anti-Virus companies have a hard time keeping up with detecting malware. The evil doers simply pack the evil file in a way that will make it undetectable by AV. Since the AV company hasn't received a copy of this particular piece of malware it won't detect it for the most part.

Your particular piece of malware sounds like one of those fake antivirus programs but I don't remember them ever going to extremes in disabling everything like that. Most of them simply want you to think it is a good program and to go purchase it. I see this all the time since I do computer security for a living.

You might try to use an online virus scanner. There is a good one at http://housecall.trendmicro.com/

Post Merge: October 25, 2009, 03:55:52 AM

Quote from: Washu Chan on October 25, 2009, 03:37:09 AM
I have run into this one before and it is a doozie to remove.

The fastest and simplest solution I can think of is to reformat the hard drive and start again and restore your important work off backup discs. (I always keep backups, I hate having to rewrite assignments I spent hours working on)

This is the only way you can bring system integrity back to your system.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: gennee on October 25, 2009, 06:49:06 PM
I've seen it before but didn't download it. I'm suspicious of downloads that I've never heard of. Also too many anti-virus downloads can mess up your hard drive.

Gennee
 
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Steph on October 25, 2009, 07:23:03 PM
Buy a Mac  >:-)

-={LR}=-

iMac 24"
MacBook Pro 15"

:)
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Matthew J. F on December 01, 2009, 10:31:10 PM
Get rid of Micro$oft and get yourself Ubuntu linux :) you get no viruses and no malwares. it's so much stable and it's free.

Micro$oft took ideas off of other operating systems to make windows 7.
http://www.youtube.com/watch?v=DMm_ENYiFSA#

Ubuntu 9.10 + a few Compiz effect, Screenlet And Cairo Dock
http://www.youtube.com/watch?v=t2yUXqTkWKw#
Title: Re: "System Tools" Malware - Avoid this one!
Post by: lizbeth on December 02, 2009, 01:00:05 AM
I run windows without any antivirus and I rarely even run a malware scan these days. just use a hosts file and wipe hands on pants.

http://www.mvps.org/winhelp2002/hosts.htm

this is also a nice way of blocking banner ads and completely removed 3rd party cookies. unless of course, you like banner ads (there are people that actually like them, really!) :)
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Flan on December 02, 2009, 01:22:44 AM
Quote from: beth~chella on December 02, 2009, 01:00:05 AM
this is also a nice way of blocking banner ads ...

http://adblockplus.org/en/

:P
Title: Re: "System Tools" Malware - Avoid this one!
Post by: lizbeth on December 02, 2009, 02:48:21 AM
yea, but you have to use firefox. eeeewwwww...   :-p
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Tammy Hope on December 02, 2009, 04:54:36 AM
That's worse than my current plague.

The one I have first redirects me from one or two sites (including the forum I visit most often) and when I tried to remedy it it...

redirects me away from sites with programs that might fix it...

the one program I did manage to download it won't let run....

the programs I already have on here get stuck and never finish a scan...

it won't let me into safe mode in the usual fashion and when I do get into safe mode the blocked program still won't run...

and the thing is, of course, undetectable in terms of finding it and deleting it.

I really don't want to reformat the drive because I don't have hardly anything backed up (I know, I know...) and I don't have the spare $$$ right now to get my usual tech guy to clean it up....and most maddening, I tried to use system restore only to find it has been disabled since the last time it was reformatted.

GRRR!!!

I'll be looking into some of the linked sites in this thread tomorrow, maybe I'll get lucky.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: lizbeth on December 02, 2009, 12:05:25 PM
have you tried hijack this or malware bytes?
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Julie Marie on December 02, 2009, 12:34:21 PM
Laura, that sounds a lot like what happened with the malware I had.  All I had to do was use system restore and the problem was solved.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Tammy Hope on December 02, 2009, 02:58:18 PM
Except that since restore was disabled, there's no "clean" save to go back to.

Quote from: beth~chella on December 02, 2009, 12:05:25 PM
have you tried hijack this or malware bytes?

hijackthis just creates a log which is greek to me.

malwarebytes is the program that wouldn't run.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: lizbeth on December 02, 2009, 03:00:07 PM
laura, if you want to post your logs I can help you and tell you what to uncheck. PM if you prefer.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Tammy Hope on December 02, 2009, 11:41:15 PM
Apparently it won't let HJT run either....
Title: Re: "System Tools" Malware - Avoid this one!
Post by: qRachelp on December 02, 2009, 11:45:30 PM
Okay, I'm just gonna say it once: "Next time, buy a Mac.  It will last you 4 times as long, and you won't need anti-virus software because Macs don't accept .exe files."
Title: Re: "System Tools" Malware - Avoid this one!
Post by: lizbeth on December 02, 2009, 11:49:16 PM
unless, of course, you run boot camp, parallels or any other VM software and then your mac is just as much a liability. ;-)

Laura, HJT wouldn't run, even in safe mode?
Title: Re: "System Tools" Malware - Avoid this one!
Post by: qRachelp on December 02, 2009, 11:57:58 PM
Quote from: beth~chella on December 02, 2009, 11:49:16 PM
unless, of course, you run boot camp, parallels or any other VM software and then your mac is just as much a liability. ;-)
I don't even know what "boot camp" is.  What I do know is that I've had my Mac laptop (Mac OS X Version 10.5.eight) for 3 years and it's still going strong with LOTS of room left on it.  I've never been scared to go to ANY site or open ANY email, and it's just been lovely. :)
Title: Re: "System Tools" Malware - Avoid this one!
Post by: lizbeth on December 03, 2009, 12:12:13 AM
know what? me either. I haven't had a virus or single piece of malware in well over 15 years, and I visit warez sites a few times a week. As funny as it might sound, the last virus I had was playing around with linux and trying to get virtual box to open a compromised program. hilarity obviously ensued.

Bootcamp is the software that allows you to install and run windows programs on your mac. apparently '4 times as long' came up much quicker than you expected because your non intel based mac is at the end of its lifetime and it's time for a hardware upgrade. neener neener :-p

if the amount of storage is the determining factor, I have 3+ terabytes spread out over my PC and my Mac only has 500gb, so there LOL
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Tammy Hope on December 03, 2009, 12:16:54 AM
Quote from: beth~chella on December 02, 2009, 11:49:16 PM
unless, of course, you run boot camp, parallels or any other VM software and then your mac is just as much a liability. ;-)

Laura, HJT wouldn't run, even in safe mode?

I haven't tried that...but it wouldn't let malwarebytes run in safe mode so I'm pessimistic.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: lizbeth on December 03, 2009, 01:01:34 AM
HJT isn't quite the same as malware bytes, it only looks in key places like the BHOs, registry settings and stuff like that. give it a try, it should work OK in safe mode.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Tammy Hope on December 03, 2009, 10:42:14 PM
Quote from: beth~chella on December 02, 2009, 11:49:16 PM
unless, of course, you run boot camp, parallels or any other VM software and then your mac is just as much a liability. ;-)

Laura, HJT wouldn't run, even in safe mode?

Apparently not.

Of course, It's possible that it's keeping HJT from installing since it hasn't turned up on the program list or the desktop.

In fact, in my ignorance, I'm fairly sure it hasn't installed and that is more likely what is wrong than it not running in safe mode.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: MaggieB on December 03, 2009, 11:12:08 PM
I had something similar. It posed as an anti virus program disabling malwarebytes and AVG. I immediately did a system restore before it could do damage. Then I reinstalled malwarebytes and got rid of it. Nasty. Good thing I was running Firefox because if it was IE, I would have been cooked.

Maggie
Title: Re: "System Tools" Malware - Avoid this one!
Post by: lizbeth on December 04, 2009, 12:46:37 AM
it's been a little while since I used HJT, but if I recall it doesn't actually "install" it's just a self contained executable.

have you run MSCONFIG and unchecked as many startup items as you can?
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Tammy Hope on December 04, 2009, 01:11:48 AM
yes

all I know is that both in normal mode and in safe mode, when I click on the hijackthis.exe it pops up the little gray box in which I can click "run" and I click run and nothing happens.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: lizbeth on December 04, 2009, 01:26:21 AM
laura, you got it to run the first time and it gave you a log, right? do you still happen to have it?

you can also right click hijackthis.exe and uncheck the warning box to see if that helps too but I doubt it.

Post Merge: December 04, 2009, 01:28:58 AM

try stinger, it's bailed me out several times before trying to fix people's puters.

http://vil.nai.com/vil/stinger/

Title: Re: "System Tools" Malware - Avoid this one!
Post by: Tammy Hope on December 04, 2009, 01:51:03 AM
Quote from: beth~chella on December 04, 2009, 01:26:21 AM
laura, you got it to run the first time and it gave you a log, right? do you still happen to have it?

No. back before the last crash...couple years ago or more ago, I had it and used it to solve another problem. But apparently I never reinstalled it after the hard drive was replaced.

I know what it does from my previous experience but it hasn't worked at all this time.
Quote
you can also right click hijackthis.exe and uncheck the warning box to see if that helps too but I doubt it.

Post Merge: December 04, 2009, 01:28:58 AM

try stinger, it's bailed me out several times before trying to fix people's puters.

http://vil.nai.com/vil/stinger/

Will look into this.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Julie Marie on December 04, 2009, 11:45:41 AM
Quote from: qRachelp on December 02, 2009, 11:45:30 PM
Okay, I'm just gonna say it once: "Next time, buy a Mac.  It will last you 4 times as long, and you won't need anti-virus software because Macs don't accept .exe files."

Give me the money to buy a Mac system and all the software I'll need to run all the files I have and ensure all my files transfer over and I'll be happy to switch.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: gennee on December 04, 2009, 02:31:15 PM
Quote from: Matthew J. F on December 01, 2009, 10:31:10 PM
Get rid of Micro$oft and get yourself Ubuntu linux :) you get no viruses and no malwares. it's so much stable and it's free.

Micro$oft took ideas off of other operating systems to make windows 7.
http://www.youtube.com/watch?v=DMm_ENYiFSA#

Ubuntu 9.10 + a few Compiz effect, Screenlet And Cairo Dock
http://www.youtube.com/watch?v=t2yUXqTkWKw#



That's why Microsoft is the monopoly that it is.

Gennee




Title: Re: "System Tools" Malware - Avoid this one!
Post by: Tammy Hope on December 04, 2009, 04:51:25 PM
ok, I ran stinger and it found and fixed 11 violations but...not the one I was after.

I'll see if it changed anything about what fixes would work later tonight.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: lizbeth on December 04, 2009, 05:13:43 PM
hopefully one of those 11 items was what prevented you from using HJT or Malware bytes. Stinger doesn't exactly look for minor infections, it tends to focus on the more nasty ones like rootkits and stuff like that, if it found 11 serious infections you may not be able to completely remove them all and a reformat and reinstall might be in order.

good luck!!
if you can get HJT to work, i can still take a look at your log files.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: jenga on December 08, 2009, 09:29:03 PM
Quote from: FlanKitty on October 09, 2009, 05:43:33 PM
free :)
http://www.microsoft.com/security_essentials/default.aspx
Yeah, I just ran into this little bugger.  Thanks for the warning.  The MS program totally quashed it.  Thanks Ladies!
Title: Re: "System Tools" Malware - Avoid this one!
Post by: CA_Medicine_Woman on December 12, 2009, 12:04:05 PM
Quote from: Julie Marie on October 09, 2009, 05:40:43 PM
I have ESET on my computer.  It's supposed to be the best anti-everything protection against vicious programs.  But this one got by the goalie.

It's called "System Tools" and it claims to be a computer protection program.  You don't have to do much for it to load on your computer.  Simply click on the wrong page.  I never accept any downloads unless I know what it is so this one got through another way.

Once it got onto my computer it prevented me from running any anti-malware programs, disabled Task Manager, disabled my CD drive from running any programs, disabled my email, removed all my desktop icons and any ability to change the blue screen it defaulted to and didn't show up anywhere in the programs list.

Then it started running its own scan and making up all these bogus viruses.  It then told you you have the viruses and you can remove them by clicking on a "clean" button.  What it does from there (and I read this, but did not fall for it) is remove a lot of good files.  Then it prompts you to buy their software to fix your computer.  And it reminds you every ten seconds or so, along with a warning sound.

I could not access sysedit or msconfig.  Nor could I stop the process with Task Manager.  None of the Microsoft protection programs would run.  ESET did not even see it. 

Happily there was a solution, System Restore.  That worked but what I don't know is if the malware is still on my hard drive.  All the detection programs I have couldn't find it.  So it's now a wait and see.

Just wanted everyone to know.  Be very careful.  This is one very diabolical threat.

Julie


Yeah, this one is a fun one (being sarcastic).

System Restore is generally the easiest method for disabling it.  However, it will still reside on your hard drive, waiting to be activated again, usually by some rogue site.

To get rid of it for good, go here http://www.softsailor.com/downloads/8726-malwarebytes-anti-malware.html and download MalwareBytes Anti Malware.  It will locate all the malware, including the little nasty you mentioned, show them to you, and ask you what you want to do next (I recommend the "delete" option).  It will then be off your hard drive as well.

An option to System Restore is logging onto Windows in "Safe" mode, which disables everything except that which is needed to run your machine, in order to get around the malware's built in protections, and then run the tool I mentioned.  System Restore, if you have the time (I suggest making the time) does have one advantage over Safe Mode, in that it removes the malware's registry entries prior to running the tool, simplifying things considerably.

Hope this helps.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Tammy Hope on December 13, 2009, 04:56:12 AM
Well, I tried again, and neither malwarebytes or hijackthis will open and run either in normal mode or safe mode.

*sigh*
Title: Re: "System Tools" Malware - Avoid this one!
Post by: CA_Medicine_Woman on December 16, 2009, 06:19:11 AM
Quote from: Laura Hope on December 13, 2009, 04:56:12 AM
Well, I tried again, and neither malwarebytes or hijackthis will open and run either in normal mode or safe mode.

*sigh*

Then one of two things is going on here, either you did not run System Restore, or you decided to revisit the site that installed the attack software (that's what takeover programs are, which is what you are dealing with).  The only other option is that this is not malware, it is an actual virus.

Go online, and shut down your currently installed AV.  Head over to http://us.trendmicro.com/us/housecall/, and run a full scan.  This will tell you which virus you have.  Let TM House Call remove it (just do whatever it says on the screen), if it can.

If Trend Micro can't remove the infection, or the infection is so bad you can't even run that remote scan, then your computer is toast, and you should stop using it online (each computer you connect to gets infected, potentially including this site).
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Tammy Hope on December 16, 2009, 12:09:16 PM
for clarification - system restore was (unknowingly) turned off and there was no clean save point to restore to.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: lizbeth on December 16, 2009, 09:22:25 PM
system restore is fine for dealing with configuration changes, but it should never be used as a form of removing infections since any good piece of malware will infect your system restore checkpoints. the first step of trying to manually remove any infection is to turn off system restore.

You've probably picked up a rootkit and those can be very difficult to identify, let alone remove/repair.

I wouldn't say your computer is "toast" by any means. you don't even necessarily need to lose any data if you just install a second instance of windows and migrate your data (minus programs) over. very few modern viruses/spyware are TSR and even most worms can't propagate through separate windows installed on the same hard drive since they require exploits of running operating systems.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Tammy Hope on December 16, 2009, 10:06:00 PM
The guy who built it is very good and he can fix the problem....I just don't have the spare cash to pay him to right now...maybe in a month or so.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: memy on December 17, 2009, 01:18:13 AM
Hi Laura (same one I met on HD?), I can't remember the security suggestion page I read this on... but I do remember there was something about re-naming antimalware so as to fool the bug into letting it install.  Might be worth a go.

I basically ignore any 'helpful' little pop-ups saying I have a virus & can 'click here' to download a whizzbang tool to fix it, I run XP pro (32bit) with Avira  for my anti virus & Comodo firewall pro (because XPs fire wall is a joke).  I don't really have any weird things that happen except the occasional glitch that can happen on a PC.

Recently I've been getting into using Ubuntu 9.10 (64 bit), Ubuntu is looking fairly good ;-)
Title: Re: "System Tools" Malware - Avoid this one!
Post by: spacial on December 30, 2009, 05:47:02 PM
I get a lot of really good advice from Computer Interested Types http://computertypes.proboards.com/index.cgi?

It was previously on MSN then moved to proboards in 2008.

I've been a member there for over 10 years now. They have a number of really smart, knowledgeable people so every bit of advice is cross checked by one of them.

Personally, I wouldn't run any invasive software without checking with them first.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Syne on December 31, 2009, 12:02:23 PM
M$ actually has a nice set of tools and Kaspersky also has its rescue disk which is pretty good as well.

For rootkits:
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

McAfee has a decent anti-rootkit tool (Rootkit Detective) as well.

Also from the Sysinternals toolkit is autoruns which will list what executables are being launched @ start:
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Kaspersky Rescue Disk:
http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/kav_rescue_2008.iso

This will download an ISO that you will then use a program to create a bootable CD. Reboot the machine and be sure to boot from the CD. Have your Internet connection up and running because the program will update itself.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Tammy Hope on December 31, 2009, 09:59:26 PM
The third link didn't work.

I downloaded and ran the first two....and I have no idea what the results mean.
???
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Syne on January 01, 2010, 07:19:56 AM
Hmmm, third link works fine for me even though I am on a different computer and on a different browser version and network. Try typing it in because if you can make a bootable CD with that image it can really help out.

But, as for the first two... there are .CHM files included in the zip, those are help files and the info can help you in determining what you are looking at.

For the rootkit revealer, how many entries were returned? Did you save the scan as a text file and, if so, can you post that on here please?

For autoruns, you can Google the names of what is set to start up automatically and see if any come back as known viruses, trojans, etc.

Also there is a Windows SysInternals forum that can be somewhat helpful.

http://forum.sysinternals.com/
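
A read-only way to gather what the replies above ask for (what launches at start-up, and why Task Manager and the scanners will not open), added here as an example and not part of the thread or of any tool named in it. It assumes PowerShell 3.0 or later on Windows; the checks for disabled-tool policies, Image File Execution Options debuggers and the .exe open command cover common causes of these symptoms, which the thread does not establish for this particular malware.

```powershell
# Added example: read-only triage. It reports settings and changes nothing.
# Run from an elevated prompt so the HKLM keys are readable.
$ErrorActionPreference = 'SilentlyContinue'

# Folders a standard user can write to; software rarely needs to auto-start from here.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData) |
    Where-Object { $_ }

function Get-ExePath([string]$Command) {
    # Extract the executable path from a start-up command line.
    if ($Command -match '^\s*"([^"]+)"')    { return $Matches[1] }  # quoted path
    if ($Command -match '^\s*(.+?\.exe)\b') { return $Matches[1] }  # unquoted, may contain spaces
    return ($Command.Trim() -split '\s+')[0]
}

# 1. Auto-start entries: the Run/RunOnce subset of what Autoruns lists.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

$startup = foreach ($key in $runKeys) {
    $item = Get-Item -Path $key
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $path = Get-ExePath ([string]$item.GetValue($name))
        $sig  = if (Test-Path -LiteralPath $path) {
                    (Get-AuthenticodeSignature -FilePath $path).Status
                } else { 'FileMissing' }
        [pscustomobject]@{
            Key          = $key
            Name         = $name
            Path         = $path
            Signature    = $sig
            UserWritable = [bool]($userWritable | Where-Object {
                               $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
        }
    }
}

# 2. Policy values that switch off Task Manager and the registry editor.
$policies = foreach ($hive in 'HKCU:', 'HKLM:') {
    $p = Get-ItemProperty -Path "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    foreach ($v in 'DisableTaskMgr', 'DisableRegistryTools') {
        if ($p.$v -ge 1) { [pscustomobject]@{ Hive = $hive; Policy = $v; Value = $p.$v } }
    }
}

# 3. Image File Execution Options: a Debugger value makes Windows launch that
#    program in place of the named executable, so a scanner appears not to start.
$ifeoRoot = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ifeo = Get-ChildItem -Path $ifeoRoot | ForEach-Object {
    $dbg = $_.GetValue('Debugger')
    if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
}

# 4. The handler for .exe files; the Windows default is exactly: "%1" %*
$exeOpen = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'

# Report. Unsigned entries are items to look up, not a verdict: plenty of
# legitimate software is unsigned.
'--- Start-up entries in user-writable folders or without a valid signature ---'
$startup | Where-Object { $_.UserWritable -or $_.Signature -ne 'Valid' } |
    Format-Table Name, Path, Signature, UserWritable -AutoSize

'--- Tool-disabling policies that are set ---'
$policies | Format-Table -AutoSize

'--- Executables redirected through an IFEO Debugger value ---'
$ifeo | Format-Table -AutoSize

'--- .exe open command ---'
if ($exeOpen -eq '"%1" %*') { 'default' } else { "NOT default: $exeOpen" }
```

Redirect the output to a text file to share it, the same way a HijackThis log would be posted for review.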
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Tammy Hope on January 02, 2010, 03:15:48 AM
I'll run it again tomorrow and show you the log

Post Merge: January 03, 2010, 04:31:44 PM

I had trouble saving the report in a format i could transfer here (it said it was saving as a txt file but then i couldn't find it...I'm such a dunce on the tech stuff)

So here's a screenshot of the report:

[Image: screenshot of the report]


Maybe that will tell you something
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Syne on January 04, 2010, 06:24:23 AM
Did you run this as a local administrator?

Saving as a text file: File->Save
and then save it to a folder that you can find easily.

Could you do a file search for:
TDSS*.*

and post the results?
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Tammy Hope on January 04, 2010, 07:35:50 PM
The search found nothing
Title: Re: "System Tools" Malware - Avoid this one!
Post by: EveMarie on January 11, 2010, 10:15:49 PM
Quote from: qRachelp on December 02, 2009, 11:45:30 PM
Okay, I'm just gonna say it once: "Next time, buy a Mac.  It will last you 4 times as long, and you won't need anti-virus software because Macs don't accept .exe files."
I wondered when someone was gonna jump in there ::)

iMac here, love it, especially since I hooked the LaCie 1 terabyte external to it via firewire and run "Time machine" daily

just sayin' is all ;)
Title: Re: "System Tools" Malware - Avoid this one!
Post by: NDelible Gurl on January 14, 2010, 12:02:31 AM
and if you can't afford to buy a mac try one or two flavors of Linux. Those are free and don't accept .exe files also.



Post Merge: January 14, 2010, 11:07:14 AM

Quote from: Mia B on January 14, 2010, 12:02:31 AM
and if you can't afford to buy a mac try one or two flavors of Linux. There are over two hundred flavors of Linux so far. Linux doesn't use .exe files and is free to download.

Here are two popular links of Linux you can download and burn to a CD.

Linux Mint (http://www.linuxmint.com/download.php)

and Ubuntu (http://www.ubuntu.com/)

Mint has pre-installed audio/video codecs is pretty much the difference. Ubuntu however has a great community and is becoming very easy to use with each release. They also both use very little resources so they are both pretty good with old machines. I recommend burning the ISO image to disk and doing what is called a LiveCD run. That is putting the disc in the computer you are going to test it on and booting it from the CD. It will start and ask if you are testing. This will then run the Operating System from your RAM and CD without any changes to your Hard Drive. I dual-boot so I can choose whatever Microsoft I need or a flavor of Linux on startup. If you ever decide to go this route and need a little help you can ask me :)

I'll help you out the best I can.


Title: Re: "System Tools" Malware - Avoid this one!
Post by: Chrissty on January 20, 2010, 11:24:52 AM
Just to say there is another one doing the rounds...."Anti-Virus Live"

This interesting little bug is very similar to "System Tools", but takes things a step further, by using randomised filenames and re-infection subroutines. Nothing will work, with all ".exe" files being blocked then reported as a virus, and explorer being re-routed to some "interesting" porn sites. Safe mode also ran infected, with malware clearing tools/restore etc. failing as re-infection happened as quickly as cleaning occurred.

OK there is some good news.....well not very good...we did manage to recover the infected laptop by removing the HDD and running it on a Linux machine to retrieve the static data...but a full wipe and re-install of windows and all apps was required to clear the bugs.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: tekla on January 20, 2010, 01:40:15 PM
Been running an Ibook for 7 years now, on constantly, one freeze, no viruses. 
Title: Re: "System Tools" Malware - Avoid this one!
Post by: sd on January 23, 2010, 03:21:42 PM
Macs are not impervious and not all viruses are an .exe file.

Many, many Windows, Mac and Linux systems are compromised and the owners have no idea. Not all are obvious and if you never check, you never know. Mac owners especially tend to take a head in the sand approach.

Besides, buying a Mac isn't exactly a cheap fix for a virus.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: gothique11 on March 21, 2010, 03:38:00 AM
I fixed that one on someone's computer. Didn't have to reformat or anything. I just killed the process (with a special program) and then used malware bytes. You can also, if you're quick, press ctrl-alt-del before the process starts (you have to be fast) and then use malware bytes.

You're lucky you had the system restore work, the one person's computer I was working on (roomie's moms) wouldn't even let a system restore happen.

As for my own computer, I use a mac.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Nemo on March 21, 2010, 04:36:38 PM
I hate Macs :P And Linux is great, except when your PC is a gaming machine or you want to use programs that just won't run on Linux.

My favourite protection is AVG Internet Security. All-in-one anti-virus, anti-rootkit, anti-spyware, firewall, and more importantly, a link scanner, that tells you if a site's dangerous before you click the link. Also has other very helpful goodies :)
Title: Re: "System Tools" Malware - Avoid this one!
Post by: Hikari on March 21, 2010, 08:51:40 PM
One doesn't have to have an expensive computer to run Mac OS. Recently I just switched my netbook from Mac OS Snow Leopard. Operating systems like anything else that is software are a bit of a subjective choice.

Mac OS works fine on my MSI Wind u100 but, I never really liked the interface as much as my normal linux setup (openbox, tint2, wbar,xcompmgr). Being able to run things that have official ports was nice though.

Truth be told, I have never had a problem running any major operating system that wasn't Windows with regards to viruses. Ecomstation was nice, and ran 16-bit windows programs. Solaris was good, just not great hardware compatibility, BSD seems to work as well as linux, but there does seem to be less hardware that works with it as well.

In any case Linux Mint, (ubuntu based distro with nonfree codecs installed by default) MEPIS, (debian based, no beta software) or Mandriva are really people's best bet for a cheap operating system that is user friendly and resistant to all of those viruses and spyware that seem to plague the Windows world.
Title: Re: "System Tools" Malware - Avoid this one!
Post by: michelle on July 08, 2010, 01:52:16 PM
I have had this problem and I ran restore from dos by pushing f8 or f1 or  something while your computer is booting up.  This was with windows Vista.   Look in your manual.   I think I also solved it by running the choice of the last working operating system.   I don't remember exactly.   I just read and push buttons until it works.   Sooner or later it does.   Check on the manual for the windows version you have.   You can find different versions from Windows for dummies to more complicated manuals.