Solved

System Tool virus

Posted on 2011-02-24
584 Views
Last Modified: 2012-05-11
Hi All,
I have one user profile infected with the fake AV "System Tool" virus.
The environment is about 40 users connecting to a 2003 Server Ent. Ed. running AD, terminal services and Symantec Enterprise Ed. (soon to be upgraded to Endpoint). The users connect via RDP using WYSE thin-clients.

I know this may be a loaded question, but how did the user get infected?  They "claim" they were working as usual then their desktop changed...hmmm?

Thanks in advance for any prompt feedback on this.
Question by:zemarc
16 Comments
 

Author Comment

by:zemarc
ID: 34976850
Added note:
I've seen several posts on this and most are on stand-alone machines.
Is the approach the same for a client-server environment?  What is the best approach to fixing this?
Thanks for your prompt reply.

Signed,
Desperately Seeking Solutions
0
 
LVL 1

Expert Comment

by:csaroli
ID: 34976869
Isn't that what they always say?  Anyway, loaded is right; they can come from anywhere.  Do they have email? Could be junk mail.  Do they have outside internet access? They could have gone to a bad site or opened up a popup (did you check their browsing history?). That being said, I have Symantec Endpoint on all my customers and they still get spyware; you won't find a program that stops everything.  If you are looking for some tools to get rid of this, I find that Malwarebytes does a good job, also ComboFix (though I wouldn't use this on a server).   Sorry I'm not more help....
0
 

Author Comment

by:zemarc
ID: 34976954
Hi csaroli,
I ran Malwarebytes and it found nothing.
0
 
LVL 1

Expert Comment

by:csaroli
ID: 34977008
What is the name of the fake AV tool that has infected the machine? Maybe a screenshot?
0
 

Author Comment

by:zemarc
ID: 34977169
the screen shot can be seen here:
http://www.symantec.com/connect/forums/system-tool-malware-or-spyware

However, I found a suspicious file at %AppData%\[randomstring.exe].  It was created around the time the problem was reported and the user was listed in the Permissions....so I bit the bullet and deleted it.
I logged in as the user and it hasn't popped up....(yet).  I plan to run more scans, install all updates, etc. while I can.  If it seems too good to be true it probably is... my guard is still way up... the thing could be morphing into something else...or be deeply embedded somewhere else...

I welcome your feedback...
0
 
LVL 5

Expert Comment

by:shadowmantx
ID: 34977272
If you are an advanced IT tech, one thing you can do is use a Knoppix or Ubuntu boot CD.  You can do a Google search since it is a freeware Linux OS and burn a CD.

It will load the complete OS off the cd and allow you to explore the hard drive...keeping your hard drive OS and data files intact.  Click on the hard drive and change the read/write settings so you can make changes to the hard drive on the trouble virus files that are loading.  Set the view for details and search for the date around the virus incident.  Look under the hidden system folders, Local Settings and Application data especially the Startup items.  After you're done, just click turn off and restart.  Repeat if the virus persists.
0
 
LVL 23

Assisted Solution

by:edbedb
edbedb earned 500 total points
ID: 34977817
That malware is not very sophisticated. You deleted the program file so it's gone.

The only thing left is to remove the startup entry in the registry but that's optional.
0
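The two artefacts this thread turns on are a freshly dropped executable sitting directly in a profile's %AppData% folder (zemarc's finding above) and the per-user Run-key entry that launches it (the startup entry edbedb mentions). On a terminal server with 40 profiles it is worth sweeping every profile for both rather than only the one that complained. The script below is an added example, not code from this thread or from any vendor named in it: it walks the standard profile layouts (`Documents and Settings` on 2003/XP, `Users` on Vista and later), flags recent executables placed at the AppData root, and parses a regedit export of the Run/RunOnce keys (such as one produced with `reg export`) for commands that point into AppData. The "random-looking name" test is a heuristic assumption, and the profile names, file names and .reg text are constructed sample data. The same scan can be pointed at the mount point of the Windows volume when booted from a live CD, as shadowmantx describes.

```python
"""Sweep every profile under a root for the 'System Tool' style dropper and its
startup entry. Added example; sample data below is constructed, not real."""
import os
import re
import tempfile
import time
from pathlib import Path

PROFILE_ROOTS = ("Documents and Settings", "Users")          # 2003/XP and Vista+ layouts
APPDATA_SUBDIRS = ("Application Data", "Local Settings/Application Data",
                   "AppData/Roaming", "AppData/Local")
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".dll"}
DAY = 86400


def looks_random(name):
    """Heuristic (an assumption): auto-generated dropper names tend to be 6+ chars
    with few vowels plus digits or mixed case. A hint for the analyst, not proof."""
    stem = Path(name).stem
    if len(stem) < 6:
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in stem)
    has_digit = any(ch.isdigit() for ch in stem)
    mixed_case = stem != stem.lower() and stem != stem.upper()
    return vowels / len(stem) < 0.25 and (has_digit or mixed_case)


def scan_appdata(root, since_epoch):
    """Executables placed *directly* in an AppData folder of any profile under root
    and modified after since_epoch. Legitimate software almost always lives in a
    vendor subfolder, so a bare .exe at that level deserves a look. st_mtime is
    used for portability; on Windows st_ctime holds the creation time and is the
    better field when, as here, the drop time is known."""
    hits = []
    for prof_root in PROFILE_ROOTS:
        base = Path(root) / prof_root
        if not base.is_dir():
            continue
        for profile in base.iterdir():
            for sub in APPDATA_SUBDIRS:
                folder = profile / sub
                if not folder.is_dir():
                    continue
                for entry in folder.iterdir():
                    if not entry.is_file() or entry.suffix.lower() not in EXEC_EXT:
                        continue
                    mtime = entry.stat().st_mtime
                    if mtime < since_epoch:
                        continue
                    reason = "recent executable at AppData root"
                    if looks_random(entry.name):
                        reason += ", random-looking name"
                    hits.append({"path": str(entry), "mtime": mtime, "reason": reason})
    return hits


REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')   # "name"="string"
IN_PROFILE = re.compile(r"application data|appdata|local settings|%appdata%|%temp%", re.I)


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)       # .reg escapes: \\ -> \ and \" -> "


def parse_reg_export(text):
    """Yield (key, name, value) for string values in a regedit .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE.match(line) if key else None
        if m:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def suspicious_run_entries(text):
    """Run/RunOnce values whose command lives in a user's AppData or Temp."""
    return [(key, name, value) for key, name, value in parse_reg_export(text)
            if key.lower().endswith(("\\run", "\\runonce")) and IN_PROFILE.search(value)]


# Constructed .reg export of one user's Run keys; "jdoe" and "kSdFg3D" are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"kSdFg3D"="C:\\Documents and Settings\\jdoe\\Application Data\\kSdFg3D.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="\"C:\\Program Files\\Vendor\\cleanup.exe\" /silent"
'''


def build_demo_tree(base):
    """Constructed profile tree: one dropper-style file, one ordinary recent file,
    one inside a vendor subfolder, one too old, one non-executable."""
    now = time.time()
    samples = {
        "Documents and Settings/jdoe/Application Data/kSdFg3D.exe": now,
        "Documents and Settings/jdoe/Application Data/Vendor/tool.exe": now,
        "Documents and Settings/jdoe/Application Data/notes.txt": now,
        "Documents and Settings/asmith/Local Settings/Application Data/oldhelper.exe": now - 30 * DAY,
        "Users/bob/AppData/Roaming/updater.exe": now,
    }
    for rel, mtime in samples.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"MZ")             # placeholder bytes, not a real binary
        os.utime(path, (mtime, mtime))
    return now - 7 * DAY                    # cut-off: the last week


def run_demo():
    """Sweep the constructed tree and the sample .reg text; return what was flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        since = build_demo_tree(tmp)
        file_hits = scan_appdata(tmp, since)
    run_hits = suspicious_run_entries(SAMPLE_REG)
    return {Path(h["path"]).name: h["reason"] for h in file_hits}, run_hits


if __name__ == "__main__":
    files, runs = run_demo()
    for name, reason in files.items():
        print(f"[file] {name}: {reason}")
    for key, name, value in runs:
        print(f"[run]  {key}\\{name} -> {value}")
```

On the real server, call `scan_appdata(r"C:\", time.time() - 7 * DAY)` and feed `suspicious_run_entries` the text of a `.reg` export; for other users' hives on a terminal server the same keys live under `HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run`, which the parser handles because it only checks the key suffix. Treat every hit as something to inspect, not delete blindly: the random-name flag is a hint, and a subfolder executable that was skipped here may still be worth a look when the date matches.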
 
LVL 38

Expert Comment

by:younghv
ID: 34978307

This variant of malware is one of the few that require a "Safe Mode" boot (with networking) to clean with Malwarebytes.

Please review the detailed instructions here:
http://www.bleepingcomputer.com/virus-removal/remove-system-tool 
********************

This is actually a pretty nasty piece of malware.
We have had a couple of questions about this variant over the past few days - here is one example:
http://www.experts-exchange.com/Q_26833850.html
********************

0
 
LVL 1

Expert Comment

by:csaroli
ID: 34983031
Yes, the Bleeping Computer forums are a good resource for malware, and I agree with younghv: try Malwarebytes in Safe Mode.  I might also suggest turning off System Restore.
0
 
LVL 38

Assisted Solution

by:younghv
younghv earned 500 total points
ID: 34983058
Please don't ever turn off System Restore until after the system has been repaired.
Any restore point (even if infected) is better than none at all.

Viruses in System Volume Information (System Restore)
http://www.experts-exchange.com/A_1934.html
0
 
LVL 22

Expert Comment

by:optoma
ID: 34983460
You may as well run these in case a rootkit is also present. Post logs if needed
TdssKiller and Hitmanpro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro
0
 
LVL 38

Expert Comment

by:younghv
ID: 34983804
@optoma,
The malware has already been identified as "System Tool".

Neither of your recommendations are called for - or needed.
0
 
LVL 22

Accepted Solution

by:optoma
optoma earned 1000 total points
ID: 34984578
@Zemarc,
In some cases when the Malware was detained in swift time, there is no need for any other course of action. Personally speaking, checking with more than one scanner is a safer practice to follow, in case other forms of "junk" are present unknowingly.

Hopefully, when you deleted that file, that is the end of it :)

@Younghv.

Quote from EE:
"Be professional: Treat the asker and your colleagues as professionals. Check your ego and your attitude at the door; rudeness, derogatory comments, and sarcastic remarks are uncalled for and unnecessary."
http://www.experts-exchange.com/help.jsp#hs=30&hi=416

0
 
LVL 38

Expert Comment

by:younghv
ID: 34984653
optoma,
There is nothing 'professional' about offering improper advice.
Anyone can do Google Searches and find a wide variety of links to anti-malware products - then post them here.

The simple fact is that NO ONE should be recommending extraneous advice about running additional applications - when the actual solution has already been provided.

If - and only if - the symptoms do not go away should we recommend further actions.

Those of us who actually repair infected systems for a living understand that malware needs to be approached "one step at a time", and throwing multiple suggestions at a known and verified solution is not the kind of advice that should be posted.

I do not intend to be unprofessional, but I also will not stand by and allow improper advice to be posted.
0
 
LVL 22

Expert Comment

by:optoma
ID: 34984830
@Younghv.
"Different strokes for different folks."

BTW, I deal with repairs  of all kinds on a working basis.
0
 

Author Closing Comment

by:zemarc
ID: 35030173
Thus far, deleting the file seemed to be the solution.
 
Just a final comment:  the issue resided on my win2k3 server on one particular profile.

Thanks for all feedback!
0