
System Tool 2011...we're gonna need a bigger boat.


#1 Baronpilot


Posted 04 March 2011 - 06:10 PM

Greetings to all who read this.

Day three following an infection by the System Tool malware.

Running Vista, IE7. Mostly use Google Chrome these days, but was in IE7 when I got infected. I clicked on an image of the Wisconsin protests and everything turned to doo doo.

I use AVG antivirus Free edition, but have not updated for a few months. Bad, bad boy.

So, this version of System Tool 2011 will not allow me to do anything on the computer, unless I'm in safe mode. Of course, in safe mode System Tool does not load so....no problem.

I use PDAnet for my networking. (I'm in a rural area with a cell tower close by, so using my droid is the best internet connection)

PDAnet uses my Verizon Android phone as an internet connection, via a USB connection.

I've followed these instructions:

http://www.bleepingcomputer.com/virus-removal/remove-system-tool

The problem I have is that Safe Mode with Networking will not work with PDAnet. Ergo...

I can install Malwarebytes, but can't update it because there is no internet connection.

The Malwarebytes I downloaded is the Dec 2010 version. I can download software on my laptop, then move it to the infected desktop machine. I don't know how to update on the desktop without an internet connection.

After loading it and running Malwarebytes with full scan, per the "System Tool" instructions in the forum, I get a clean scan. No problems. So, I shut down and reboot into normal mode and...voila! System Tool 2011 is still there.

To summarize, I can't do anything with the machine in normal boot mode. System Tool is there and thwarts my every move. In Safe Mode I don't have the system tool problem, but can't get an internet connection to update Malwarebytes in Safe mode because I'm using PDAnet.

After this post I will look into a way to use PDAnet in Safe Mode.

Thanks for your help.

Baronpilot


#2 Mortgage Nerd


Posted 07 March 2011 - 04:56 PM

Hi Baronpilot,

In my experience the virus you are describing will prevent you from running .exe files of any sort. The first step is to shut the virus down by downloading a program called RKill. Because the virus prevents .exe files from running, they have a clever workaround: executable files that have alternate file extensions that will still work. Start there.

Once you get the virus shut down, you should be able to run (and update) the Malwarebytes program, and it will take care of the virus for you.

It is also a great idea to keep up on your regular virus protection software updates, although in my experience this particular virus (and its closely related relatives) seem to get in and infect even computers that are running current virus protection.

Best of luck to you!

-Mortgage Nerd

#3 William Dorr


Posted 07 March 2011 - 07:07 PM

I dealt with this thing about 2 weeks ago. It allows programs named explorer.exe to run, because if it didn't, Windows wouldn't run at all and then it couldn't harass you for $$$. In my case, the system I was trying to clean would not load Safe Mode, so I renamed Sysinternals Process Explorer to explorer.exe and used that to kill the virus process (easily spotted if you have the Image Path column displayed; it'll be the only thing running from a temp directory under your profile path), and then I updated MBAM and cleaned without hassle from that point.
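One way to run the check William Dorr describes from a shell instead of the Process Explorer GUI, as an added example that is not part of this thread: list every running process whose image path sits under a temp directory inside the current user's profile. It assumes Windows PowerShell is present on the machine and that the shell has enough rights to read the image path of the processes of interest (paths of processes you cannot open come back empty and are skipped).

```powershell
# Added example (not from the thread). Flags running processes whose executable
# lives under a temp directory inside the current user's profile, which is the
# heuristic William Dorr used to spot the rogue process in Process Explorer.

# Candidate temp roots. The third entry covers the older Windows XP layout.
$tempRoots = @(
    $env:TEMP,
    (Join-Path $env:USERPROFILE 'AppData\Local\Temp'),
    (Join-Path $env:USERPROFILE 'Local Settings\Temp')
) | Where-Object { $_ } | Sort-Object -Unique

function Get-ProcessFromUserTemp {
    # Returns one object per process whose Path starts with any temp root.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |      # Path is empty when access is denied
        ForEach-Object {
            $proc = $_
            foreach ($root in $tempRoots) {
                if ($proc.Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    [PSCustomObject]@{
                        Id        = $proc.Id
                        Name      = $proc.Name
                        ImagePath = $proc.Path
                    }
                    break   # one hit per process is enough
                }
            }
        }
}

# Show the suspects; on a clean machine this list is normally empty, apart from
# installers that are legitimately unpacking into the temp folder at that moment.
Get-ProcessFromUserTemp | Format-Table -AutoSize
```

Review each hit before acting on it: an installer running from the temp folder is expected, a process that appears there at every boot with a random or system-sounding name is what the rogue in this thread looks like.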

#4 boopme


Posted 07 March 2011 - 09:56 PM

Nicely done. I would still run an online scan after cleaning the Temp files.
TFC by OT (Temp File Cleaner)
Please download TFC by Old Timer and save it to your desktop.

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Please perform a scan with Eset Online Antivirus Scanner.
This scan requires Internet Explorer, Opera or Firefox to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

NOTE: In some instances if no malware is found there will be no log produced.

#5 Baronpilot


Posted 08 March 2011 - 10:07 PM

Success! Thanks to all who replied.

After Mortgage Nerd reminded me of some of the notes in the Rkill procedure I did this:

1. I took everything off my desktop and put it in a folder.
2. I downloaded the bottom 4 versions of Rkill from this link:
http://www.bleepingcomputer.com/download/anti-virus/rkill

3. I copied these four programs to the desktop.
(All this was accomplished in Safe Mode)

4. I had the computer boot normally...and when I got to the desktop I double-clicked on the 4 Rkill icons like a lemur on crack. I stopped when I got a black command window.

Rkill found two suspicious file processes and stopped them. Afterwards, I was able to function normally. I now could update Malwarebytes, and ran the scan, yada yada yada....

All is well, so far.

Baronpilot
