Topic: WTF System Tools 2011  (Read 7594 times)

0 Members and 2 Guests are viewing this topic.

Offline NJAntman

  • Lt. Commander
  • *
  • Posts: 1565
  • Gender: Male
  • Jusssst short of a 1000 Taldren posts, damn!!
WTF System Tools 2011
« on: January 26, 2011, 10:50:08 pm »
Ouch! Picked up a bitch of a virus/spyware called System Tools 2011. Takes over everything, thwarted my active Avira and Spybot. Couldn't even use Task Manager or run stuff from the command prompt.

Checked its icon properties and it pointed to a file in My Docs/All Users/Application Data/. Couldn't delete it so I renamed it and rebooted. Seems to have stopped it and am running everything I can right now to nuke it. Crossing fingers.

Anybody else dealt with this bitch?

G.R.I.P. - Great Rid of Incumbent Politicians

Offline Starfox1701

  • Lt. Commander
  • *
  • Posts: 1052
Re: WTF System Tools 2011
« Reply #1 on: January 26, 2011, 11:37:52 pm »
This sounds like scare ware

Offline FA Frey XC

  • Site Owner
  • Administrator
  • Captain
  • *
  • Posts: 5695
  • Gender: Male
    • XenoCorp.Net
Re: WTF System Tools 2011
« Reply #2 on: January 27, 2011, 09:46:57 am »
Good luck. Lemme know if you need any help.

Regards,
Vice President of Technology,
Dynaverse Gaming Association
Owner, CEO XenoCorp Inc.


Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: WTF System Tools 2011
« Reply #3 on: January 27, 2011, 09:54:42 am »
I haven't come across that one myself, but I've found Malwarebytes' Anti-Malware will catch some of these nasties where others can't. (download from a clean machine)

Offline NJAntman

  • Lt. Commander
  • *
  • Posts: 1565
  • Gender: Male
  • Jusssst short of a 1000 Taldren posts, damn!!
Re: WTF System Tools 2011
« Reply #4 on: January 27, 2011, 10:41:07 am »
Seems to be working now, posting from that machine. Back-tracking the only change I made recently was letting my son start playing Left4Dead 1 & 2 which uses Steam so I disabled that on startup. Grasping at straws here.

Bit annoyed that it can get past Avira/Spybot, time to find a new mix a for the scanning cocktail. 
G.R.I.P. - Great Rid of Incumbent Politicians

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: WTF System Tools 2011
« Reply #5 on: January 27, 2011, 12:05:44 pm »
I've been using either Avast or Microsoft Security Essentials (depending on licensing ;)) in combination with MBAM (on-demand mode install only when co-existing with other av) on the machines I've been cleaning up for family lately. As far as I can tell those are the best free solutions currently. Also, you may find Autopatcher useful in such cleanup/update situations - can save lots of time on updates.

Offline Dash Jones

  • Sub-Commander of the Dark Side
  • Captain
  • *
  • Posts: 6477
  • Gender: Male
Re: WTF System Tools 2011
« Reply #6 on: January 30, 2011, 06:30:44 am »
Ouch! Picked up a bitch of a virus/spyware called System Tools 2011. Takes over everything, thwarted my active Avira and Spybot. Couldn't even use Task Manager or run stuff from the command prompt.

Checked its icon properties and it pointed to a file in My Docs/All Users/Application Data/. Couldn't delete it so I renamed it and rebooted. Seems to have stopped it and am running everything I can right now to nuke it. Crossing fingers.

Anybody else dealt with this bitch?



yes, though that is the newer version of the same trojan/virus that has been operating for the past several years.  It started at least as early as 2007.  Unless they've adapted it, most likely it means that you are using XP, which it exploits to open up your computer as it then downloads probably about 300 other files...mostly other trojans, spyware, and stuff like that.

It's a MAJOR pain to get rid of.  I'd be betting you may still have stuff running in the background if all you did was rename it.  It eventually has the ability to lock you out of administrative functions, just a heads up.
"All hominins are hominids, but not all hominids are hominins."


"Is this a Christian perspective?

Now where in the Bible does it say if someone does something stupid you should shoot them in the face?"

-------

We have whale farms in Jersey.   They're called McDonald's.

There is no "I" in team. There are two "I"s in Vin Diesel. screw you, team.

Offline NJAntman

  • Lt. Commander
  • *
  • Posts: 1565
  • Gender: Male
  • Jusssst short of a 1000 Taldren posts, damn!!
Re: WTF System Tools 2011
« Reply #7 on: February 04, 2011, 08:51:11 pm »
I haven't come across that one myself, but I've found Malwarebytes' Anti-Malware will catch some of these nasties where others can't. (download from a clean machine)


This seems to have spotted it on the second scan. Nice program, thanks for the link; looks like I've found a new mix. :thumbsup:
G.R.I.P. - Great Rid of Incumbent Politicians

Offline marstone

  • Because I can
  • Commander
  • *
  • Posts: 3014
  • Gender: Male
  • G.E.C.K. - The best kit to have
    • Ramblings on the Q3, blog
Re: WTF System Tools 2011
« Reply #8 on: February 04, 2011, 09:14:20 pm »
I haven't come across that one myself, but I've found Malwarebytes' Anti-Malware will catch some of these nasties where others can't. (download from a clean machine)


This seems to have spotted it on the second scan. Nice program, thanks for the link; looks like I've found a new mix. :thumbsup:


I like it alot also, has saved a few machines of people I know, when nothing else worked.
The smell of printer ink in the morning,
Tis the smell of programming.

Offline SkyFlyer

  • D.Net Beta Tester
  • Commander
  • *
  • Posts: 4240
  • Gender: Male
Re: WTF System Tools 2011
« Reply #9 on: February 16, 2011, 09:49:30 am »
I grabbed something like this a month or two ago... don't know where. It was either from a youtube video, a jvm (I don't remember which one, but it was something I had used before), or just a random website.
Life is short... running makes it seem longer.

"A god who let us prove his existence would be an idol" - Dietrich Bonhoeffer

Offline NJAntman

  • Lt. Commander
  • *
  • Posts: 1565
  • Gender: Male
  • Jusssst short of a 1000 Taldren posts, damn!!
Re: WTF System Tools 2011
« Reply #10 on: February 28, 2011, 04:28:56 pm »
Ugggg... the freaking thing is back. Different name but same setup and screens.

Found it this time in C:/documents and settings/nick/local settings/Temp/ and then some freaking collection of goobledy gook letters for a directory with the only file ckiofwshmof.exe.  I renamed the directory and rebooted, problem gone. BUT... I scanned the file with Avira, Spybot Search & Destroy, and Malwarebytes Anti-Malware and spotted nothing. Also noticed I cannot connect to the internet on that machine, but can with all others connected to this router. WTF?
G.R.I.P. - Great Rid of Incumbent Politicians

Offline NJAntman

  • Lt. Commander
  • *
  • Posts: 1565
  • Gender: Male
  • Jusssst short of a 1000 Taldren posts, damn!!
Re: WTF System Tools 2011
« Reply #11 on: February 28, 2011, 04:43:05 pm »
Seems it happened when my oldest son tried to watch a youtube vid.
 
And oddly I can get the internet to connect on the 3 other XP user accounts but not the one on which it happened. Maybe I'm just creeped out but when the internet won't connect on that one account the diagnose problem screen seems a bit off too.
G.R.I.P. - Great Rid of Incumbent Politicians

Offline Czar Mohab

  • Faith manages.
  • Lt.
  • *
  • Posts: 564
  • Gender: Male
  • Chewie - Go jiggle the handle!
Re: WTF System Tools 2011
« Reply #12 on: February 28, 2011, 06:27:57 pm »
Seems you may have also found the root of your problems already:

Back-tracking the only change I made recently was letting my son start playing Left4Dead 1 & 2


Seems it happened when my oldest son tried to watch a youtube vid.


OK joke time's over.

Haven't dug deep into the bowels of XP in a long time, at least since Win7 Beta. However, back in those XP days I did have the occasional "death bug" as you've described. The solution was to find every entry and reference to the program and remove it, including the offending file itself, and all descendant and clone files. I remember that it was no easy task; one of the offending files had replicated itself into 10 different directories across two drives.

This link below should help get you started (or continued):
http://www.spywareremove.com/removeSystemTool2011.html

but like I said it isn't a quick job to fix a deep rooted nasty like you described.

Last virus I had experience with (Win7-coworker's machine) AVG found but couldn't delete. Had to turn off the start up entries, rename the directory, reboot, delete, delete from "add/remove programs" and reboot again, then rescan with AVG (found computer clean). Unfortunately, research after the fact led us to find the origin as being part of a divx player update, and not actually a virus per se, but definitely an unwanted and accidentally installed item.

Anyway, I do hope I was of at least some help.
US Navy Veteran - Proud to Serve
Submariners Do It Underwater - Nukes Do It Back Aft - Pride Runs Deep
Have you thanked a Vet lately?

Subaru Owners Do It Horizontally Opposed!
Proud Owner - '08 WRX - '03 Baja - '98 Legacy

Offline NJAntman

  • Lt. Commander
  • *
  • Posts: 1565
  • Gender: Male
  • Jusssst short of a 1000 Taldren posts, damn!!
Re: WTF System Tools 2011
« Reply #13 on: February 28, 2011, 08:27:34 pm »
OK, several scans later and it seeems to be gone again. yet I still cannot connect to the web from that user logon which is really pissing me off. Anyone know of a way I can check what is different from that damaged logon to the other 3 logon id's that still work? I figure it has to be something the scare-ware changed from that user account.

Really pisses me off knowing that I'll probably see this again on family computers.
G.R.I.P. - Great Rid of Incumbent Politicians

Offline FCM_SFHQ_XC

  • There is life outside of Windows..
  • Administrator
  • Lt. Commander
  • *
  • Posts: 2267
  • Gender: Male
  • Starbase Atlantis [X-refit]
    • 9th Fleet
Re: WTF System Tools 2011
« Reply #14 on: February 28, 2011, 10:09:14 pm »
have you been through the standard networking diags?
computer obtaining an IP (correct IP?)
have you ensured that the 'virus' didnt alter your proxy settings(several will alter the proxy settings so it tries to go through a malicious proxy server instead of no proxy connection most users are set to)
is there any network activity showing anytime you try to get on?
etc.
Starfleet Headquarters out.

Fleet Commodore, XenoCorp, ISC Fleet.

Offline NJAntman

  • Lt. Commander
  • *
  • Posts: 1565
  • Gender: Male
  • Jusssst short of a 1000 Taldren posts, damn!!
Re: WTF System Tools 2011
« Reply #15 on: March 01, 2011, 03:43:59 pm »
I took a screen capture of the Tools/Internet Options/Advanced tab on one of the working accounts and compared it to all the others, no difference there.

The MSIE network diagnotic lists several ports that need to be opened. I'm a bit wary of that, if the scare-ware is still in there couldn't it be mimicking the diagnostic to get me to open those ports for it? Could those ports be open for the other user accounts that are still working but closed on the account that got hit?

I wish there was a repair Internet Explorer button. And this is a heck of a time to realize that without enough free space left on my C: drive that the System Restore no loger works, When it rains it pours.
G.R.I.P. - Great Rid of Incumbent Politicians

Offline Capt. Mike

  • Live from Granpa's Grotto
  • Captain
  • *
  • Posts: 6616
  • Gender: Male
Re: WTF System Tools 2011
« Reply #16 on: March 01, 2011, 05:22:44 pm »
All I can thing of is get an external hard drive, restore to it, then boot off the USB....

I'm have a doozy of a problem, trying to get an XP machine back up...new hard drive, format, gets about 82% done, then says it can't copy a file correctly...been doing it for days...

Any suggestions?

Mike
Summum ius summa iniuria.

The more law, the less justice.

Cicero, De Officiis, I, 33

"It doesn't, and you can't, I won't, and it don't
it hasn't, it isn't, it even ain't, and it shouldn't
it couldn't"
FZ, 1974

My chops were not as fast...[but] I just leaned more on what was in my mind than what was in my chops.  I learned a long time ago that one note can go a long way if it's the right one, and it will probably whip the guy with twenty notes.
 --Les Paul

Offline Tus-XC

  • Capt
  • XenoCorp® Member
  • Commander
  • *
  • Posts: 2789
  • Gender: Male
Re: WTF System Tools 2011
« Reply #17 on: March 01, 2011, 06:09:37 pm »
NJ:  I would go ahead and do what IE tells you do, if it says ports have been closed, then open them and see if that does any good.  I got hit by this same one a year back, ended up backing my system up and then fraging the drive and starting from scratch.

Mike:  Sounds like you have a bad drive, might want to return it.
Rob

"Elige Sortem Tuam"

Offline NJAntman

  • Lt. Commander
  • *
  • Posts: 1565
  • Gender: Male
  • Jusssst short of a 1000 Taldren posts, damn!!
Re: WTF System Tools 2011
« Reply #18 on: March 01, 2011, 08:18:29 pm »
The MSIE diagnostic returns the following message "Check firewall settings for HTTP port (80) HTTPS port (443) and FTP port (21)".

Still nervous about messing with ports so I went poking around and in Internet Options/Connections/LAN settings tab the use a proxy server for LAN was checked on the account that isn't working but nothing was checked in that tab section on any of the accounts that were working. So I went into the not working account and chose Automatically Detect Settings and now that account is connecting to the net. Hey FCM_SFHQ_XC, any ideas on what the "normal" settins in that tab shuold be?

I'm releaved that I can connect now but still suspicious. Wish I could take TUS's advice and start over but damn that seems daunting; never thought I'd come close to maxing out a 250GB HD but I'm nearly there so maybe it is time to get me one of those cheap 500GB and start over.
G.R.I.P. - Great Rid of Incumbent Politicians

Offline Czar Mohab

  • Faith manages.
  • Lt.
  • *
  • Posts: 564
  • Gender: Male
  • Chewie - Go jiggle the handle!
Re: WTF System Tools 2011
« Reply #19 on: March 01, 2011, 09:19:42 pm »
I'm releaved that I can connect now but still suspicious. Wish I could take TUS's advice and start over but damn that seems daunting; never thought I'd come close to maxing out a 250GB HD but I'm nearly there so maybe it is time to get me one of those cheap 500GB and start over.

For you I wouldn't say start over yet. You could very easily add in an internal hard drive of similar stature to the one you have now. Then you could spread all your goods over the two HDDs. Since it is an internal, you could also install programs to that drive, as well as set backups from your primary (C:\) to it.

So I went into the not working account and chose Automatically Detect Settings and now that account is connecting to the net. Hey FCM_SFHQ_XC, any ideas on what the "normal" settins in that tab shuold be?


While not directed at me, my internet options/connections/LAN settings only has "automatically detect..." checkbox checked. I've never touched it, so I'd assume that this could at least be something for you to comapre things to.

It sounds like your bug hijacked your internet explorer and was telling it to try to connect through the bug's host's server. Nice catch.

US Navy Veteran - Proud to Serve
Submariners Do It Underwater - Nukes Do It Back Aft - Pride Runs Deep
Have you thanked a Vet lately?

Subaru Owners Do It Horizontally Opposed!
Proud Owner - '08 WRX - '03 Baja - '98 Legacy