"System Tools" Malware - Avoid this one!

Started by Julie Marie, October 09, 2009, 05:40:43 PM

Tammy Hope

Quote from: beth~chella on December 02, 2009, 11:49:16 PM
unless, of course, you run boot camp, parallels or any other VM software and then your mac is just as much a liability. ;-)

Laura, HJT wouldn't run, even in safe mode?

I haven't tried that...but it wouldn't let malwarebytes run in safe mode so I'm pessimistic.
Disclaimer: due to serious injury, most of my posts are made via Dragon Dictation which sometimes butchers grammar and mis-hears my words. I'm also too lazy to closely proof-read which means some of my comments will seem strange.


http://eachvoicepub.com/PaintedPonies.php

lizbeth

HJT isn't quite the same as Malwarebytes; it only looks in key places like the BHOs, registry settings and stuff like that. Give it a try, it should work OK in safe mode.

Tammy Hope

Quote from: beth~chella on December 02, 2009, 11:49:16 PM
unless, of course, you run boot camp, parallels or any other VM software and then your mac is just as much a liability. ;-)

Laura, HJT wouldn't run, even in safe mode?

Apparently not.

Of course, it's possible that it's keeping HJT from installing, since it hasn't turned up on the program list or the desktop.

In fact, in my ignorance, I'm fairly sure it hasn't installed and that is more likely what is wrong than it not running in safe mode.

MaggieB

I had something similar. It posed as an antivirus program, disabling Malwarebytes and AVG. I immediately did a system restore before it could do damage. Then I reinstalled Malwarebytes and got rid of it. Nasty. Good thing I was running Firefox, because if it was IE, I would have been cooked.

Maggie

lizbeth

It's been a little while since I used HJT, but if I recall it doesn't actually "install"; it's just a self-contained executable.

Have you run MSCONFIG and unchecked as many startup items as you can?

Tammy Hope

Yes.

All I know is that both in normal mode and in safe mode, when I click on the hijackthis.exe it pops up the little gray box in which I can click "run", and I click run and nothing happens.

lizbeth

Laura, you got it to run the first time and it gave you a log, right? Do you still happen to have it?

You can also right-click hijackthis.exe and uncheck the warning box to see if that helps too, but I doubt it.

Post Merge: December 04, 2009, 01:28:58 AM

Try Stinger; it's bailed me out several times before trying to fix people's puters.

http://vil.nai.com/vil/stinger/


Tammy Hope

Quote from: beth~chella on December 04, 2009, 01:26:21 AM
Laura, you got it to run the first time and it gave you a log, right? Do you still happen to have it?

No. Back before the last crash, a couple of years ago or more, I had it and used it to solve another problem. But apparently I never reinstalled it after the hard drive was replaced.

I know what it does from my previous experience, but it hasn't worked at all this time.
Quote
You can also right-click hijackthis.exe and uncheck the warning box to see if that helps too, but I doubt it.

Post Merge: December 04, 2009, 01:28:58 AM

Try Stinger; it's bailed me out several times before trying to fix people's puters.

http://vil.nai.com/vil/stinger/

Will look into this.

Julie Marie

Quote from: qRachelp on December 02, 2009, 11:45:30 PM
Okay, I'm just gonna say it once: "Next time, buy a Mac.  It will last you 4 times as long, and you won't need anti-virus software because Macs don't accept .exe files."

Give me the money to buy a Mac system and all the software I'll need to run all the files I have and ensure all my files transfer over and I'll be happy to switch.
When you judge others, you do not define them, you define yourself.

gennee

Quote from: Matthew J. F on December 01, 2009, 10:31:10 PM
Get rid of Micro$oft and get yourself Ubuntu Linux :) You get no viruses and no malware. It's so much more stable, and it's free.

Micro$oft took ideas off of other operating systems to make Windows 7.

Ubuntu 9.10 + a few Compiz effects, Screenlets and Cairo Dock

That's why Microsoft is the monopoly that it is.

Gennee

Be who you are.
Make a difference by being a difference.   :)

Blog: www.difecta.blogspot.com

Tammy Hope

OK, I ran Stinger and it found and fixed 11 violations but...not the one I was after.

I'll see if it changed anything about what fixes would work later tonight.

lizbeth

Hopefully one of those 11 items was what prevented you from using HJT or Malwarebytes. Stinger doesn't exactly look for minor infections; it tends to focus on the more nasty ones like rootkits and stuff like that. If it found 11 serious infections you may not be able to completely remove them all, and a reformat and reinstall might be in order.

Good luck!!
If you can get HJT to work, I can still take a look at your log files.

jenga

Quote from: FlanKitty on October 09, 2009, 05:43:33 PM
free :)
http://www.microsoft.com/security_essentials/default.aspx
Yeah, I just ran into this little bugger.  Thanks for the warning.  The MS program totally quashed it.  Thanks Ladies!

CA_Medicine_Woman

Quote from: Julie Marie on October 09, 2009, 05:40:43 PM
I have ESET on my computer.  It's supposed to be the best anti-everything protection against vicious programs.  But this one got by the goalie.

It's called "System Tools" and it claims to be a computer protection program.  You don't have to do much for it to load on your computer.  Simply click on the wrong page.  I never accept any downloads unless I know what it is so this one got through another way.

Once it got onto my computer it prevented me from running any anti-malware programs, disabled Task Manager, disabled my CD drive from running any programs, disabled my email, removed all my desktop icons and any ability to change the blue screen it defaulted to and didn't show up anywhere in the programs list.

Then it started running its own scan and making up all these bogus viruses.  It then told you you have the viruses and you can remove them by clicking on a "clean" button.  What it does from there (and I read this, but did not fall for it) is remove a lot of good files.  Then it prompts you to buy their software to fix your computer.  And it reminds you every ten seconds or so, along with a warning sound.

I could not access sysedit or msconfig.  Nor could I stop the process with Task Manager.  None of the Microsoft protection programs would run.  ESET did not even see it.

Happily there was a solution, System Restore.  That worked but what I don't know is if the malware is still on my hard drive.  All the detection programs I have couldn't find it.  So it's now a wait and see.

Just wanted everyone to know.  Be very careful.  This is one very diabolical threat.

Julie


Yeah, this one is a fun one (being sarcastic).

System Restore is generally the easiest method for disabling it.  However, it will still reside on your hard drive, waiting to be activated again, usually by some rogue site.

To get rid of it for good, go here http://www.softsailor.com/downloads/8726-malwarebytes-anti-malware.html and download MalwareBytes Anti Malware.  It will locate all the malware, including the little nasty you mentioned, show them to you, and ask you what you want to do next (I recommend the "delete" option).  It will then be off your hard drive as well.

An option to System Restore is logging onto Windows in "Safe" mode, which disables everything except that which is needed to run your machine, in order to get around the malware's built-in protections, and then running the tool I mentioned.  System Restore, if you have the time (I suggest making the time), does have one advantage over Safe Mode, in that it removes the malware's registry entries prior to running the tool, simplifying things considerably.

Hope this helps.

Tammy Hope

Well, I tried again, and neither Malwarebytes nor HijackThis will open and run, either in normal mode or safe mode.

*sigh*

CA_Medicine_Woman

Quote from: Laura Hope on December 13, 2009, 04:56:12 AM
Well, I tried again, and neither Malwarebytes nor HijackThis will open and run, either in normal mode or safe mode.

*sigh*

Then one of two things is going on here, either you did not run System Restore, or you decided to revisit the site that installed the attack software (that's what takeover programs are, which is what you are dealing with).  The only other option is that this is not malware, it is an actual virus.

Go online, and shut down your currently installed AV.  Head over to http://us.trendmicro.com/us/housecall/ , and run a full scan.  This will tell you which virus you have.  Let TM House Call remove it (just do whatever it says on the screen), if it can.

If Trend Micro can't remove the infection, or the infection is so bad you can't even run that remote scan, then your computer is toast, and you should stop using it online (each computer you connect to gets infected, potentially including this site).

Tammy Hope

For clarification: System Restore was (unknowingly) turned off and there was no clean save point to restore to.

lizbeth

System Restore is fine for dealing with configuration changes, but it should never be used as a form of removing infections, since any good piece of malware will infect your System Restore checkpoints. The first step of trying to manually remove any infection is to turn off System Restore.

You've probably picked up a rootkit and those can be very difficult to identify, let alone remove/repair.

I wouldn't say your computer is "toast" by any means. You don't even necessarily need to lose any data if you just install a second instance of Windows and migrate your data (minus programs) over. Very few modern viruses/spyware are TSR, and even most worms can't propagate through separate Windows installs on the same hard drive, since they require exploits of running operating systems.

Tammy Hope

The guy who built it is very good and he can fix the problem....I just don't have the spare cash to pay him too right now...maybe in a month or so.

memy

Hi Laura (same one I met on HD?), I can't remember the security suggestion page I read this on... but I do remember there was something about re-naming antimalware so as to fool the bug into letting it install.  Might be worth a go.

I basically ignore any 'helpful' little pop-ups saying I have a virus & can 'click here' to download a whizzbang tool to fix it. I run XP Pro (32-bit) with Avira for my antivirus & Comodo Firewall Pro (because XP's firewall is a joke). I don't really have any weird things that happen except the occasional glitch that can happen on a PC.

Recently I've been getting into using Ubuntu 9.10 (64-bit); Ubuntu is looking fairly good ;-)
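A read-only PowerShell audit, added here as an example and not part of the thread, for the symptoms described above (Task Manager disabled, desktop icons gone, Malwarebytes and HijackThis refusing to start by name). It assumes the name-based blocking that makes the renaming trick work is done through Image File Execution Options "Debugger" values; it only reports what it finds and leaves removal to the tools discussed in the thread.

```powershell
# Added example, not from the thread. Read-only audit of registry locations
# that rogue "security" programs of this kind commonly alter. Run from an
# administrator PowerShell prompt; nothing is changed.
# Assumption: tools are blocked by executable name via IFEO "Debugger" values.

$findings = @()

# 1. Policy values that disable Task Manager / Registry Editor / the desktop.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDesktop' }
)
foreach ($c in $policyChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -eq 1) {
        $findings += "Policy set: $($c.Path)\$($c.Name) = 1"
    }
}

# 2. IFEO Debugger hijacks: a "Debugger" value under a key named after an
#    executable (mbam.exe, hijackthis.exe, ...) makes Windows start that
#    "debugger" instead of the tool, so a renamed copy still runs.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += "IFEO Debugger on $($_.PSChildName): $dbg"
    }
}

# 3. Report. Legitimate developer tools can also register IFEO debuggers,
#    so each finding should be reviewed rather than deleted blindly.
if ($findings.Count -eq 0) {
    Write-Output 'No tampering found at the checked locations.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```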