System Tool 2011

Greetings to the Malwarebytes.org Community,

Tonight, an end-user reported a malware/spyware infection on one of the multiple PCs which I support.

The PC is running Windows XP SP3, with all current updates, Symantec Endpoint Protection 12.0 (Small Business Version), and the latest database version of MalwareBytes.

I observed the following rogue spyware program actively running on the desktop:

System Tool 2011

Unable to launch and run the installed anti-virus program as well as mbam.exe, I searched the Malwarebytes.org Support Forum and attempted to resolve per the instructions/steps outlined in the following thread (which outlines steps to take to remove this rogue program for another Support Forum member using Windows XP SP3):

System Tool 2011 - Malwarebytes Forum

Per the instructions for procedure according to Malwarebytes.org Support Forum user "maniac", the first step is to download and run one of 6 process killer tools.

I downloaded and ran every single tool listed and I am unable to locate the associated log file that should be "found at the root of your installed hard drive entitled rkill.log".

I was still unable to locate this log file subsequent to showing hidden files and folders as well as subsequent to multiple reboots.

Moving on to the second step outlined in the aforementioned thread, I was unable to execute or launch the MalwareBytes application.

After rebooting in Safe Mode, I was able to execute mbam.exe and update the database. I performed a Full Scan (while in Safe Mode) and the only infected registry setting detected was the disabled Windows Security Center alert. I decided to resolve that anyway (remove the registry entry) and rebooted the PC.

Therefore, I moved onto the third step found in that thread, which was to download and run dds.scr.

After running dds.scr, the logfile only displays the version which was just installed. Nothing else.

Moving on, according to the thread, I should download ComboFix, rename it to "Combo-Fix" when saving, and execute. Apparently, just as with every other attempt to run an application, the rogue program System Tool 2011 prohibits the application from being launched.

Any suggestions?

Thank you for taking the time to review this thread and offer any solution(s) or alternate steps to take.

I look forward to receiving any and all responses.


Hello stevefromdafutcha

Welcome to Malwarebytes.

Boot into safe mode to run the following please.

=====================

  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.


Hi Kadah,

Thank you very much for your prompt response!

Due to the inability to perform the steps outlined in the other thread, I resumed performing the last suggestion by "maniac".

This suggestion was to manually delete the malware folder in C:\Documents and Settings\All Users\Application Data

The malware folder for System Tool 2011 is/was a folder named by a random string of numbers and letters.

I was not able to delete this folder because the program's process was in use, therefore I had to boot into Safe Mode and manually delete the malware folder.

After the folder was deleted, I rebooted and logged into the local user account from which I discovered the malware, and everything seems to be operating normally.

Just for safe measure, I am currently performing a full system antivirus scan and will follow up with a Malwarebytes scan.

Would you still like for me to download and run OTL?

I most likely did not phrase my original post exactly how I should have; I am more curious as to why the first 3 or 4 outlined steps as described by "maniac" did not and would not work for me.

Please get back to me at your convenience.

Thanks again, and I look forward to chatting again.


Ok, let me know if any more problems are found; this infection usually only drops itself.

The steps didn't work because security tool blocks almost every .exe application that opens.

It has a whitelist of programs that it will allow you to run such as files that have to run.

You can post the OTL if you want.
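The two indicators the thread gives for this infection are a randomly named letters-and-digits folder under the All Users Application Data directory that holds the program's executable, and a process that blocks most other .exe launches. The following triage script is an added example (not from the forum, Malwarebytes or any of the posters) that applies the folder heuristic from a clean boot or an offline copy of the drive; the XP path is the one named in the thread, the regular expression and the minimum name length are assumptions, and the demo tree it scans is constructed.

```python
import os
import re
import tempfile

# Default to the XP path quoted in the thread; pass another path for a
# mounted offline disk. The heuristic (>= 6 chars, letters and digits,
# no separators, contains an .exe) is an assumption, not a published IoC.
XP_ALL_USERS_APPDATA = r"C:\Documents and Settings\All Users\Application Data"
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{6,}$")


def looks_random(name: str) -> bool:
    """True if the folder name is a mixed letter/digit run with no separators."""
    if not RANDOM_NAME.match(name):
        return False
    has_letter = any(c.isalpha() for c in name)
    has_digit = any(c.isdigit() for c in name)
    return has_letter and has_digit  # an all-digit or all-letter name is not flagged


def find_suspicious_folders(appdata_dir: str = XP_ALL_USERS_APPDATA) -> list:
    """Return [(folder_name, [exe files])] for direct subfolders matching the heuristic."""
    hits = []
    if not os.path.isdir(appdata_dir):
        return hits
    for entry in sorted(os.listdir(appdata_dir)):
        full = os.path.join(appdata_dir, entry)
        if not os.path.isdir(full) or not looks_random(entry):
            continue
        exes = sorted(f for f in os.listdir(full) if f.lower().endswith(".exe"))
        if exes:  # only report folders that actually carry an executable
            hits.append((entry, exes))
    return hits


def demo_on_constructed_tree() -> list:
    """Build a throwaway directory tree imitating the layout and triage it."""
    root = tempfile.mkdtemp()
    # vendor-style folder with a data file: must not be flagged
    os.makedirs(os.path.join(root, "Symantec"))
    open(os.path.join(root, "Symantec", "config.dat"), "w").close()
    # constructed random-named folder holding an .exe: must be flagged
    rnd = os.path.join(root, "kYh7Ql3pZt9a")
    os.makedirs(rnd)
    open(os.path.join(rnd, "kYh7Ql3pZt9a.exe"), "w").close()
    return find_suspicious_folders(root)


if __name__ == "__main__":
    for folder, exes in demo_on_constructed_tree():
        print(folder, exes)
```

Run it from Safe Mode or against a mounted image rather than from the infected session, since the thread reports that the live process prevents most executables from starting.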


2 weeks later...

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
