System tools Virus

[DaveB]

Hi Chaps..

There I was, sitting in the toyroom minding my own business when in comes offspring. 'Can you come and look at my pc please daddy' Why is it such a simple question can make you feel dread to the pit of your stomach? This time, it was with some justification!

She'd pulled the network cable and pwr lead when things started to look odd so I plugged it back in and turned it on. At the main screen was a nice little window saying 'your system is infected with multiple viruses' with a company logo 'System Tools' on the top line. Where did you get this from.. I didn't! Ah! After scratching my head and fearing the worst.. I tried various things but the program had cleverly disabled all exe files. It seemed the only way out was to do as it asked and connect to the internet to let the program 'System Tools' remove the viruses. At that point, I'd seen enough. I asked Helen to go to the office pc and google System tools virus and up came a host of info. The virus is of course the program itself. I dread to think what info it would have gathered had we gone online and done as it asked or what damage it would have done. Fear not though.. it is possible to remove it. Going the 'manual' way is almost if not impossible. The automatic way was to download a prog called Malwarebytes Anti-Malware on another pc.. rename it as the virus knows the prog name.. restart the pc in safe mode (with networking) then run the Malware prog. Finally, get a copy of 'host' (a link was provided but I took one from another pc.. they all look the same!).. go to System32/drivers/etc and delete the copy of host there then replace it with the 'good' one. Restart the pc.. hold your breath and the end result is a clean system.
It's a bugger and no mistakin. Had we not had other means of getting online, I'm not sure what we'd have done. It's classified as Dangerous with a 'Medium' damage level so it's a seriously nasty bit of kit.

While looking through her system after the virus had been removed, I found various artifacts and unused Norton progs. Believe it or not, these were more difficult to remove! Uninstall didn't work.. it reported an error so I tried 'repair' hoping that a repaired version would uninstall but no.. another error reported. In the end, I went digging in the registry and binned as many keys as I could THEN noticed she had CCleaner. What a Bobby Dazzler that little program is. I'd not used it before but it is user friendly and you don't end up doing things you have no idea of which the consequences will be Gone, at last, is Norton

ATB
DaveB

[Angus Prune]

Glad to hear you were able to sort it Dave. My kids have also managed to pick up dodgy stuff a few times and as a result I have Malwarebytes and CCleaner installed on all our machines. One tip I picked up with Malwarebytes is to keep a copy of the executable mbam.exe renamed as mbam.com which will still run if you get infected by a virus that prevents you from running .exe files.

[DarrenL]

I always keep a USB handy with tools that I put onto PCs and laptops.

Then if it gets taken over by one of these hijacking malwares that disable the AV and all apps until you run "their" AV I'd shut the PC and reboot in safe mode run:

Rkill by Bleepingcomputer - kills known processes that the malware uses from restarting.
TDSSKiller by Kaspersky Labs, kills the rootkit malware once you have stopped their processes above.
Malwarebytes - removes any references and cleans PC.

Only ever had to do it once though, but it's good to be ready just in case. The one I removed was calling itself "AntiVir Pro"


ps, these kind of malware are picked up by clicking on rogue Flash adverts that appear to be videos that want you to click on to see something funny or shocking.

[DaveB]

TksVM for the tips guys Keeping Malwarebytes and other handy tools on a stick is very sound advice

Although she's running WinXP SP3, the System Tools virus can attack all MS platforms from WinMe to Win7. After I'd managed to remove it, Helen said she might go for a Mac! Dear me.. I didn't realise viruses could cause that sort of stress As a final act of security, I added KasperskyAV (thank goodness I had one user left on my 3 user license) so fingers crossed, she's adequately covered now

ATB
DaveB

[Paul K]

Forgive me ignoramance, but do you download and install something like Malwarebytes direct to which ever drive letter your stick is, and then run it from there ? In my case I have three USB ports which become drives L: M: and N: when they have a stick in...I could run it from any of those, yes ?

And...along with Malwarebytes, what other things should I have on this stick ?

Thanks for info, chaps

[DarrenL]

I keep the installation progs on a USB stick, I then install them to the PC (Anti-Malware folder) before anything happens as it can be a problem running a USB port in safe mode. But if you get a new PC, laptop or you are setting something up for a friend you know you have what you need on the stick to install (keeping versions updated). You can of course run them from the USB stick if the PC is able to be booted, for detecting anf removing some malware that doesn't take over the system.

Generally I have these antivirus/malware progs on the USB

Malwarebytes
Ccleaner
TDSSKiller
rKill
Norton_removal_tool
Microsoft Malicious Software Removal Tool
Adaware (free version)
Microsoft Security Essentials installer.

If there was a problem I'd also visit bitdefender which has removal tools for many different types of malware - http://www.bitdefender.com/site/Downloa ... movalTool/

and check http://www.securelist.com/en/ for latest news, descriptions and links to other online checks from Kaspersky.



That should do it.

[ianhind]

This is another one to add to the armoury:

http://www.mcafee.com/us/downloads/free ... inger.aspx

[DaveB]

Hi Paul..

Good info from the chaps there. If you happen to get such a virus, the Malwarebytes prog (for example) is an exe file so pretty much runs and finds the infected files on the run. I was a bit dubious of the USB ports working on my daughters pc as it's dog old now.. an Asus AMD mobo with a Via chipset of all things plus, I wasn't sure of the wisdom of starting in Safe Mode with Networking. However, it came together. I executed the 'renamed' exe from the stick and in short order, it found its way online.. updated and ran.. all very efficient I have to say. The instructions say install it to your desktop and run it from there but I don't think I did that, I can't remember doing it that way anyway.. it was over 24hrs ago now
Thank goodness that in these days of 'you pay for everything', there are people out there who make these progs for free. Hats off to them one and all

ATB
DaveB

[Paul K]

Great info here, thanks all. I think I'd better start putting together a stick of some kind. I have to admit, since getting the new computer with Win7, I've relied almost exclusively on Microsoft Security Essentials...which will probably cause a sharp intake of breath with some.

[DarrenL]

Not quite the same but I am finding the automatic Microsoft Fix it Solutions to be very good as well for fixing problems either from removal of malware or software or just computer brain farts.

http://support.microsoft.com/fixit/

I had problems with Windows Aero Glass not coming back after shutting FSX down sometimes and the downloader fixed it.

It's a bit like veryfying the game cache on steam, it checks and mends MS files (that might have been damaged or deleted by malware or AV cleaning).