  1. #1 | rrevette, Lounger | Join Date: Dec 2009 | Location: Winter Haven, FL | Posts: 26 | Thanks: 3 | Thanked 0 Times in 0 Posts

    Win7 near-total takeover by System Tool malware

    Win 7 64 bit with good protection is taken over by a malware identified as System Tools. The first attack came suddenly yesterday with a warning alert that looked like Microsoft Security Essentials. The laptop was totally controlled by this attack. I was fooled by a request to download by what I accepted as Microsoft Security Essentials and allowed the download. I could not open anything on the computer and finally shut it down with a long hold of the power switch.

    When the computer was rebooted it quickly came under the control of the attacker, almost demanding that I pay to download a program that was the only thing that could fix this virus attack. After a scan it reported 38 different viruses plus more. The desktop background was changed to a large warning sign that warned that my wife and children were in danger from this computer problem.

    I tried many things (MSE, CCleaner, Spybot, Task Manager) that would not open and were reported as being infected. Finally I thought to try to fix the desktop background, was successful at doing this, and got full access to the computer back. I changed to a new background and it replaced the full-page warning.

    It is difficult to describe this further, but I need help in getting rid of it. At every reboot it is there to deal with, and just changing the desktop background gets rid of it until the next reboot. I have run full scans with all the programs mentioned and the computer is reported clean.

    HELP Please.
    ........
    Ray/FL

  2. #2 | ruirib, Administrator | Join Date: Jun 2010 | Location: Portugal | Posts: 12,519 | Thanks: 152 | Thanked 1,398 Times in 1,221 Posts
    Download Malwarebytes Anti-Malware - it has a free version that will get rid of this for you: http://www.malwarebytes.org/

    For manual removal, check this link: http://deletemalware.blogspot.com/20...uninstall.html

    It has detailed instructions on System Tools removal.
    Last edited by ruirib; 2011-02-19 at 16:30.

  3. #3 | rrevette, Lounger | Join Date: Dec 2009 | Location: Winter Haven, FL | Posts: 26 | Thanks: 3 | Thanked 0 Times in 0 Posts
    Quote Originally Posted by ruirib View Post
    Download Malwarebytes Anti-Malware - it has a free version that will get rid of this for you: http://www.malwarebytes.org/

    For manual removal, check this link: http://deletemalware.blogspot.com/20...uninstall.html

    It has detailed instructions on System Tools removal.
    This page/site describes the malware very well (and with pictures) but the process to follow to fix/clean the problem is not so clear. It seems that you are finally directed to buy their anti-virus software. I will read it again but it does not appear clear or doable to me yet. What am I missing? Thanks for trying to help.
    ......
    Ray/FL

  4. #4 | ruirib, Administrator | Join Date: Jun 2010 | Location: Portugal | Posts: 12,519 | Thanks: 152 | Thanked 1,398 Times in 1,221 Posts
    Hi Ray,

    Download Malwarebytes from the first link I posted and execute it. Malwarebytes will remove the malware; you don't need to buy anything.

    If needed, boot your PC in Safe Mode with Networking, go online and download Malwarebytes then. As far as I could read, Malwarebytes, which is free, removes System Tool.

  5. The Following User Says Thank You to ruirib For This Useful Post: rrevette (2011-02-22)

  6. #5 | rrevette, Lounger | Join Date: Dec 2009 | Location: Winter Haven, FL | Posts: 26 | Thanks: 3 | Thanked 0 Times in 0 Posts
    Quote Originally Posted by ruirib View Post
    Hi Ray,

    Download Malwarebytes from the first link I posted and execute it. Malwarebytes will remove the malware; you don't need to buy anything.

    If needed, boot your PC in Safe Mode with Networking, go online and download Malwarebytes then. As far as I could read, Malwarebytes, which is free, removes System Tool.
    I did indeed download the mentioned program at http://www.malwarebytes.org/ and it removed the malware; at least the first reboot was clean. I thank you much for this tool. This is a real pest.
    ........
    Ray/FL

  7. #6 | ruirib, Administrator | Join Date: Jun 2010 | Location: Portugal | Posts: 12,519 | Thanks: 152 | Thanked 1,398 Times in 1,221 Posts
    Glad that Malwarebytes could help you get rid of that malware. This is a tool to keep installed and at hand. A weekly or so scan with Malwarebytes can do no harm.

  8. The Following User Says Thank You to ruirib For This Useful Post: rrevette (2011-02-22)

  9. #7 | rrevette, Lounger | Join Date: Dec 2009 | Location: Winter Haven, FL | Posts: 26 | Thanks: 3 | Thanked 0 Times in 0 Posts
    Wanted to comment further on this pest of a malware. This morning the computer booted clean, thanks to http://www.malwarebytes.org/. Everything else failed to even see the problem. I follow the counsel of Fred Langa and I want to mention to him that Microsoft Security Essentials did not prevent this attack even though it was current. CCleaner and Spybot let it hide also, even though UAC is fully active and enabled.

    It is aggravating to me to have let this happen, but it did, and I am ever so pleased that this group is here to HELP (save my XXX). Thanks.
    .........
    Ray/FL
    Last edited by rrevette; 2011-02-20 at 16:10. Reason: To answer question re. UAC active or not

  10. #8 | ruirib, Administrator | Join Date: Jun 2010 | Location: Portugal | Posts: 12,519 | Thanks: 152 | Thanked 1,398 Times in 1,221 Posts
    Unfortunately, no single anti-malware product can ensure full protection. Most regular members here will advise a layered approach, and Malwarebytes is a tool to keep in your arsenal.
    Besides using MSE, I use a HIPS (Online Armor) and keep UAC active in its default settings, which I find pretty unintrusive. This gives me reasonably good multi-layered protection. Of course, I also keep Malwarebytes at hand for a regular or an emergency scan.

  11. The Following User Says Thank You to ruirib For This Useful Post: rrevette (2011-02-22)

  12. #9 | bbearren, Super Moderator | Join Date: Dec 2009 | Location: Polk County, Florida | Posts: 3,760 | Thanks: 26 | Thanked 424 Times in 338 Posts
    Quote Originally Posted by rrevette View Post
    I follow the counsel of Fred Langa and I want to mention to him that Microsoft Security Essentials did not prevent this attack even though it was current. CCleaner and Spybot let it hide also.
    Ray/FL
    To the best of my knowledge, there is no AV/AM that will protect you from yourself. Do you also have UAC disabled?

    Quote Originally Posted by rrevette View Post
    The first attack came suddenly yesterday with a warning alert that looked like Microsoft Security Essentials. The laptop was totally controlled by this attack. I was fooled by a request to download by what I accepted as Microsoft Security Essentials and allowed the download.
    Ray/FL
    For future reference, if you wish to update any of your AV/AM tools, launch the program and update it using its own "Update" button.
    Last edited by bbearren; 2011-02-20 at 09:30.
    Create a fresh drive image before making system changes, in case you need to start over!

    "The problem is not the problem. The problem is your attitude about the problem. Savvy?"—Captain Jack Sparrow "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware.
    Unleash Windows

  13. The Following User Says Thank You to bbearren For This Useful Post: Lugh (2011-02-24)

  14. #10 | satrow, Super Moderator | Join Date: Dec 2009 | Location: Cardiff, UK | Posts: 4,492 | Thanks: 284 | Thanked 577 Times in 480 Posts
    Quote Originally Posted by rrevette View Post
    ... CCleaner and Spybot let it hide also ...
    Quote Originally Posted by bbearren View Post
    To the best of my knowledge, there is no AV/AM that will protect you from yourself. Do you also have UAC disabled?

    For future reference, if you wish to update any of your AV/AM tools, launch the program and update it using its own "Update" button.
    And CCleaner won't protect you from anything; it's very useful, but it is not designed or promoted to do anything of the kind. I suggest you read up on the software you intend to use before you install it on your computer.

  15. #11 | Lounger | Join Date: Dec 2009 | Location: St. Peters, Missouri, USA | Posts: 42 | Thanks: 3 | Thanked 1 Time in 1 Post
    I have seen this problem so many times; people bring me their computers to clean up the mess caused by rogue anti-virus, and I have always been successful with Malwarebytes' Anti-Malware. I run Malwarebytes' in Safe Mode because I find it has a better chance of finding and removing all of it. It was always my understanding (correct me if I am wrong) that anti-virus does not always stop an infection, but discovers infections after they hit the hard drive and then tries to quarantine them. But another thing I notice is that these infections have been disabling the anti-virus, so the anti-virus can't operate and do its job. Process Explorer also helps if you can find the process and stop it. I am paranoid; if it were my own computer getting infected, I would nuke the disk and reload Windows.
    Bonnie

  16. #12 | DrWho, Bronze Lounger | Join Date: Dec 2009 | Location: Central Florida | Posts: 1,501 | Thanks: 30 | Thanked 205 Times in 163 Posts
    Likewise, I subscribe to the "Package" approach to system security. That's been my approach for many years, as a computer tech.
    Again, CCleaner is NOT a computer security program at all and is only designed to do what its name suggests (Crap Cleaner). I've tried it twice on my own PC over the past few years and both times it has trashed my PC. I won't use it again.

    Also, many users are under the misconception that just having Spybot S&D installed on their PC is protecting them from all malware.
    Nothing could be further from the truth. It's like having a car sitting in your yard, with no license on it and no gas in the tank..... it's not going to take you anywhere.
    Spybot S&D requires a very specific setup for it to ever work properly, and then it needs to be updated (manually) every Wednesday when the updates are posted. And then the Immunize function needs to be run to immunize your browsers (it will protect both IE and Firefox) against spyware. It's not advertised as an Anti-Virus program and should not be used in place of a GOOD AV program, like AVG FREE or AVAST FREE.
    (you need NEVER pay for good computer security software.... the best in the world is FREE!!! )

    I've added Malware bytes to my own security package, because it does occasionally find and remove something that no other program will find.

    I just had to remove that POS, "System Tools" from a customer's PC recently. I removed most of it manually, but Malware Bytes got the rest of it.

    Any Security program that is installed but not kept up to date, at least once a week, is NO Protection at all.

    Cheers Mates!
    The Doctor
    Experience is truly the best teacher.

    Backup! Backup! Backup! GHOST Rocks!

  17. #13 | klow717, New Lounger | Join Date: Feb 2011 | Posts: 1 | Thanks: 0 | Thanked 0 Times in 0 Posts

    Fake Antivirus Software

    It looks exactly like the problem I had. It had taken the same path and had blocked all attempts to start the antivirus software I had installed (Avira, Spybot, MS Security Essentials, etc.). After several hours I found the following exe file: C:\ProgramData\ePcNoMh01804.exe. After deleting this file my system was back to normal.
    Since that malware asked for a credit card, I wonder what other harm has been done to people that saw no other way but to pay. The Feds should go and investigate.
    The dominating screen was blue with binaries in it.
    After that experience I will never feel safe with my installed antivirus and malware/spyware software again. They should have caught it and not allowed it to be taken over and rendered useless!!
    Last edited by klow717; 2011-02-24 at 13:57.
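The symptoms Ray (post #1) and klow717 (post #13) describe, a wallpaper replaced by a warning image, Task Manager refusing to open, and an unfamiliar executable sitting under C:\ProgramData, can all be checked without any third-party tool. The PowerShell script below is an added example, not code from the thread or from any product named in it: it reads the registry values those symptoms point at and lists recently created executables with their Authenticode status, and it changes nothing. The three-day window and the folders searched are assumptions chosen here; the one concrete path is the file klow717 reported, and it is only meaningful if the same sample is present.

```powershell
# Added triage example (not code from the thread or from any product named in it).
# Read-only: it inspects the registry values and folders that the reported symptoms
# point at and changes nothing. Run from an elevated PowerShell prompt on the affected
# Windows 7 machine; PowerShell 2.0, as shipped with Windows 7, is enough.

$reportedFile = 'C:\ProgramData\ePcNoMh01804.exe'   # path klow717 reported; only meaningful for that one sample
$daysBack     = 3                                    # assumption: how far back to look for newly created executables

function New-Finding([string]$Category, [string]$Item, [string]$Detail) {
    New-Object PSObject -Property @{ Category = $Category; Item = $Item; Detail = $Detail }
}

$findings = @()

# 1. Wallpaper the shell applies at logon (Ray's full-screen "warning sign" lives here).
$wallpaper = (Get-ItemProperty 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
if (-not $wallpaper) { $wallpaper = '(not set)' }
$findings += New-Finding 'Wallpaper' 'HKCU:\Control Panel\Desktop\Wallpaper' $wallpaper

# 2. Per-user policy values that block Task Manager and Registry Editor (1 = blocked).
#    A home PC with no domain policy should have neither value set.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($valueName in 'DisableTaskMgr', 'DisableRegistryTools') {
    $value = (Get-ItemProperty $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($value -eq $null) { $value = '(not set)' }
    $findings += New-Finding 'Policy' $valueName $value
}

# 3. Autostart commands in the Run keys, and the Winlogon shell (expected: explorer.exe).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($keyPath in $runKeys) {
    $key = Get-Item $keyPath -ErrorAction SilentlyContinue
    if ($key -eq $null) { continue }
    foreach ($valueName in $key.GetValueNames()) {
        $findings += New-Finding 'Run entry' "$keyPath\$valueName" ($key.GetValue($valueName))
    }
}
$shell = (Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell -ErrorAction SilentlyContinue).Shell
$findings += New-Finding 'Winlogon' 'Shell' $shell

# 4. Executables created in the last $daysBack days under the data folders rogue AVs favour,
#    with hidden attribute and Authenticode status (most legitimate installers sign their binaries).
$cutoff  = (Get-Date).AddDays(-$daysBack)
$folders = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA)
$recent  = Get-ChildItem -Path $folders -Recurse -Force -Include *.exe -ErrorAction SilentlyContinue |
           Where-Object { $_.CreationTime -gt $cutoff }
foreach ($file in $recent) {
    $status = (Get-AuthenticodeSignature -FilePath $file.FullName).Status
    $hidden = if ($file.Attributes -band [IO.FileAttributes]::Hidden) { 'hidden' } else { 'visible' }
    $detail = 'created {0:yyyy-MM-dd HH:mm}, {1}, signature {2}' -f $file.CreationTime, $hidden, $status
    $findings += New-Finding 'Recent EXE' $file.FullName $detail
}

# 5. The exact file from the thread, in case this is the same sample.
$present = if (Test-Path -LiteralPath $reportedFile) { 'PRESENT' } else { 'not present' }
$findings += New-Finding 'Reported file' $reportedFile $present

$findings | Select-Object Category, Item, Detail | Format-Table -AutoSize -Wrap
```

Windows 7's default execution policy refuses unsigned .ps1 files, so either paste the block into an elevated prompt or start it with `powershell.exe -ExecutionPolicy Bypass -File <script>`. Read the output as leads rather than verdicts: an unsigned, hidden executable created the day the trouble started and referenced from a Run entry is worth submitting to the scanner, but a legitimate updater can match the same pattern.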

  18. #14 | Lounger | Join Date: May 2010 | Location: Montreal | Posts: 34 | Thanks: 5 | Thanked 3 Times in 2 Posts

    Use hard drive externally to remove malware

    When you are already infected with rogue spyware it is generally too difficult to remove from the same computer. The best solution is to buy an IDE/SATA to USB cable kit. Remove the hard drive from the computer and run it externally on a working computer with the security tool you want to use completely up to date. As your hard drive is now external, the malware process is not running in the background or interfering with the security tool, so this is even better than using Safe Mode. The cable kit with power attachment sells for about $20-25 and you can use it later to run large hard drives, small hard drives, and SATA CD and DVD writer drives that are normally internal drives. For the price it's a real bargain.

    Quote Originally Posted by klow717 View Post
    It looks exactly like the problem I had. It had taken the same path and had blocked all attempts to start the antivirus software I had installed (Avira, Spybot, MS Security Essentials, etc.). After several hours I found the following exe file: C:\ProgramData\ePcNoMh01804.exe. After deleting this file my system was back to normal.
    Since that malware asked for a credit card, I wonder what other harm has been done to people that saw no other way but to pay. The Feds should go and investigate.
    The dominating screen was blue with binaries in it.
    After that experience I will never feel safe with my installed antivirus and malware/spyware software again. They should have caught it and not allowed it to be taken over and rendered useless!!
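The advantage of the approach in post #14 is that nothing on the infected disk is executing while you inspect it, which also means its registry hives are plain files that a clean machine can load and read. The script below is an added example, not code from the thread or from any product named in it: it mounts the offline SOFTWARE hive and each profile's NTUSER.DAT from the attached drive, lists the Run-key autostart entries recorded there, and checks whether the program each entry points at exists on that drive and whether it is signed. It assumes the external drive appears as E: with a standard Windows 7 layout (E:\Windows, E:\Users); change `$Root` if your letter differs.

```powershell
# Added example (not code from the thread). Reads the autostart (Run) entries stored
# in the registry hives of a drive removed from the infected PC and attached to a
# clean machine, then checks each referenced program on that drive. Run from an
# elevated PowerShell prompt on the clean machine; reg.exe load needs administrator
# rights. Assumption: the external drive is E: and holds E:\Windows and E:\Users.

$Root = 'E:'   # assumption: drive letter the infected disk received on the clean machine

function Get-OfflineRunEntries {
    param([string]$HiveFile, [string]$MountName, [string]$SubKey)
    if (-not (Test-Path -LiteralPath $HiveFile)) { Write-Warning "Hive not found: $HiveFile"; return }
    & reg.exe load "HKLM\$MountName" $HiveFile 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $HiveFile (locked, or not a hive?)"; return }
    $key = $null
    try {
        $key = Get-Item "HKLM:\$MountName\$SubKey" -ErrorAction SilentlyContinue
        if ($key -ne $null) {
            foreach ($name in $key.GetValueNames()) {
                New-Object PSObject -Property @{ Hive = $HiveFile; Name = $name; Command = ($key.GetValue($name)) }
            }
        }
    } finally {
        if ($key -ne $null) { $key.Close() }
        [GC]::Collect()                                  # release lingering handles so the unload succeeds
        & reg.exe unload "HKLM\$MountName" 2>&1 | Out-Null
    }
}

$rootNoSlash = $Root.TrimEnd('\')
$entries = @()

# Machine-wide Run key: lives in the SOFTWARE hive.
$entries += @(Get-OfflineRunEntries -HiveFile "$rootNoSlash\Windows\System32\config\SOFTWARE" `
                                    -MountName 'OfflineSOFTWARE' `
                                    -SubKey 'Microsoft\Windows\CurrentVersion\Run')

# Per-user Run key: lives in each profile's NTUSER.DAT.
$profiles = Get-ChildItem "$rootNoSlash\Users" -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
foreach ($profile in $profiles) {
    $mount = 'Offline_' + ($profile.Name -replace '[^A-Za-z0-9]', '_')
    $entries += @(Get-OfflineRunEntries -HiveFile (Join-Path $profile.FullName 'NTUSER.DAT') `
                                        -MountName $mount `
                                        -SubKey 'Software\Microsoft\Windows\CurrentVersion\Run')
}

# Map each command's C:\ path onto the external drive and check the file there.
foreach ($entry in $entries) {
    $status = 'command path not parsed'
    if ($entry.Command -match '^"?([A-Za-z]:\\[^"]+?\.exe)') {
        $offlinePath = $matches[1] -replace '^[A-Za-z]:', $rootNoSlash
        if (Test-Path -LiteralPath $offlinePath) {
            $status = 'present, signature ' + (Get-AuthenticodeSignature -FilePath $offlinePath).Status
        } else {
            $status = 'file missing on the external drive'
        }
    }
    $entry | Add-Member -MemberType NoteProperty -Name Status -Value $status
}

$entries | Select-Object Hive, Name, Command, Status | Format-Table -AutoSize -Wrap
```

The hives are loaded writable, but the script only reads them; if a load fails, the usual causes are a hive still held open by an earlier session or a profile folder without an NTUSER.DAT. As with any offline check, an entry that points at an unsigned executable in a data folder is a lead to hand to the up-to-date scanner the post recommends, not proof on its own.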

  19. #15 | bobprimak, Lounge VIP | Join Date: Feb 2009 | Location: Hinsdale, IL, USA | Posts: 2,482 | Thanks: 176 | Thanked 152 Times in 129 Posts
    Actually, removing the drive and running antivirus from another computer is doing the job exactly backwards. Download and update the Portable Version (not available for Malwarebytes, but available for such programs as Super Antispyware) and run the antivirus program in Windows Safe Mode on the infected computer. If anything is removed, run it again, until nothing further shows up. Then reboot and do a final cleanup with CCleaner, either in Safe Mode or in Windows Normal Mode. If all of this fails, it's time to reformat and reinstall Windows.
    -- Bob Primak --
