
Re: "System Tool" virus got installed despite McAfee running

Ex_Brit wrote:

stanrob, none of the antiviruses fare well with these because of the way they work. Good luck finding one that does it all. There is, in fact, no such thing.

ExBrit, I'm interested in your statement. Is it anecdotal or fact?

I have to say, I'm a domestic computer repair person by trade, and this fake AV scam is VERY common in my area (SE England).

I would hazard a guess that in the last 2 months almost 25% of all my calls (customer base of around 5k customers) have been related to clearing this infection. Fortunately it's very easy using Malwarebytes and only costs the customer a half-hour callout.

Most of the people catching it have paid for McAfee, or are using free AVG (both amongst the most popular AV programs out there). As yet, I haven't been to any customers who are running Norton. I appreciate that this is purely anecdotal, and not at all scientific, but I have 2 conclusions to draw from this:

  1. This infection is neither new nor rare.
  2. I believe that Norton, like McAfee, is one of the top 3 or 4 AV companies out there, so it's safe to assume there's a reasonable swathe of my customers that are also running it, and that they appear to have been kept safe by it.

I've always maintained that any one of the big-brand, paid-for AV products is what every customer should have, but the sheer number of failed detections with McAfee has meant that I can no longer recommend it.

I've been fascinated by this recent fake AV business for a while, so you can imagine my excitement when I noticed yesterday a small popup saying that my copy of NIS 2011 had stopped an attack by... wait for it... Fake AV!! It was only there for a moment, and I don't normally read them, but the words Fake AV jumped out at me.

I'd be interested in any insights other people have on my experiences.

Reliable Contributor exbrit
Message 32 of 115

Re: "System Tool" virus got installed despite McAfee running

Well I can't speak for NIS or even McAfee for that matter, as an unpaid volunteer here, but some fake a/v's are caught and others are not, because new variants seem to appear almost daily. There is a submission avenue open so that a possible solution can be found.

The trouble is we all know that people will click anything in a panic and that is what starts these things in motion.

A Google search for these fake a/v names will show dozens of hits all over the www from people with any of the brands of security software and looking at the more reputable anti-malware forums like BleepingComputer for instance will bear me out when I say that most need specialist tools to be cleaned, if a timely use of System Restore doesn't help.

There is also a members-only (anyone can join) section of this board called GetSusp where the developers are interested in using tools to counter these pests. The trouble with that is people aren't prepared to wait while these things are looked at, which is understandable.


Message was edited by: Ex_Brit on 28/02/11 11:10:44 EST AM
stanrob
Level 7
Message 33 of 115

Re: "System Tool" virus got installed despite McAfee running

Thank you for your prompt response to my post.  I should have stated that in addition to System Tools I was shortly afterwards invaded by Vista Total Security.  I realised it was a similar scam.  Do you think this was just a coincidence, or are both scams created by the same source?

I am more interested to know if these viruses/malware/trojans can be doing anything nasty (like stealing bank or credit card details) now that they have disappeared thanks to my doing a System Restore. It seems to be too easy a fix to be true!

My complaint with McAfee is the demand for a lot of money to fix this when I already pay an annual fee.  I accept that other AV providers may be no better at detecting the malware, but have no way of knowing if this is true or not.  However, Chrisbitz seems to think Norton is better in this regard.

Thanks again.  Stan

Reliable Contributor exbrit
Reliable Contributor
Message 34 of 115

Re: "System Tool" virus got installed despite McAfee running


I hear you, but you should know that all the antivirus companies charge for virus removal; however, there are free alternatives via this and their forums usually, as I mentioned previously.

That Vista one is in this family:  http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011 (Scroll down that page - the 1st links are ads) but they are all similar in the way they act.

I got hit a while back but realising what it was the second it popped up I got rid of it quickly by using Ctrl-Alt-Delete to bring up the Task Manager to end unfamiliar processes, but could have equally used System Restore to go back and/or gone into Safe Mode with Networking to look online for removal tools and download same.

It pays to Google the pest's name as there is usually a quick means of defeating it.

I've just been reminded by one of McAfee's internal technicians that the GetSusp tool, mentioned earlier, exists, and that using it and McAfee Stinger can often get rid of these things. The trouble with the argument as to why McAfee VirusScan doesn't do it is that it would have to be set to such a high heuristic detection level that it would become over-aggressive and start making a lot of false detections.

So we are left with the fact that some a/v's will detect one thing and not another.

stanrob
Level 7
Message 35 of 115

"System Tool" virus got installed despite McAfee running

I just want to say a sincere thank you to you, chrisbitz and other contributors who have both helped me to get rid of these fake AVs and added considerably to my knowledge of these matters.  An initial sense of panic at my computer being taken over has been replaced in 2 days by a sense of considerable satisfaction at having conquered "System Tools" and "Vista Total Security".

I decided today to run a full (not quick) Malwarebytes scan on my hard drive as I thought that my successful System Restore might have left the trojan lurking somewhere. First I made sure that the Malwarebytes database was up-to-date before scanning, as my previous scan may not have been successful because the database was not first updated. "Trojan.FakeAlert" was the only infected item discovered, after the 2 hour scan. It was found in a Java folder.

I have learned from this experience that McAfee, and possibly Norton too, are not to be relied upon to combat fake AVs.  Malwarebytes, if up-to-date, does work.  So does System Restore, but that might not be a good option for everyone - depends on what you are prepared to lose.  Forget about AVG!  You get what you pay for with it !

My research has even led me to the probable source of the fakes. It is nalmeron.cz.cc, a site known to distribute malware, based in Latvia and visited nearly 1 million times per day. I found it by checking my wife's browsing history just before the fake AVs struck! She had been there when looking at curtain material colours, would you believe! She is horrified to know that her innocent eBay shop browsing has caused all this difficulty.

Many thanks again to everyone who has assisted me.  No thanks to McAfee though, I'm afraid!

Reliable Contributor exbrit
Reliable Contributor
Message 36 of 115

"System Tool" virus got installed despite McAfee running

Thanks for posting stanrob and all the best.

There is also GetSusp a tool under development by McAfee that has had some success at beating these pests.   See my antispyware tools page at the top:  https://community.mcafee.com/docs/DOC-2168

For those wondering why Malwarebytes and other tools have success where antivirus applications generally fail it's because those tools use extremely high levels of heuristic detection but do not deal with the millions of viruses, trojans and worms that antivirus applications handle.

If an antivirus had such high heuristic levels it would be detecting all sorts of normal things as threats and that would make people very unhappy, so a balance has to be struck.

Here's a quote from one of the developers of Malwarebytes (BruceHarrison):

As far as why MBAM is very good at dealing with this infection, that is simple. MBAM is designed to be very good at dealing with malware that the AVs seem to be having problems with. I do not spend my time making MBAM detect millions of infections that any decent AV already detects as MBAM is DESIGNED to work alongside antivirus software, not replace it.  A huge chunk of the research that goes into MBAM revolves around what we see making it into HJT threads as the vast majority of these threads involve antivirus software that was in some way bypassed.
...
Let's settle this now and avoid any further misinformation. MBAM is now a very good backup to any antivirus software and will only get better in the future. MBAM will NEVER add antivirus abilities to its core app and is always advised to be used WITH antivirus software. We actually get this question a lot in the forums and I assure you that we always say:


"No, MBAM can't replace your existing antivirus software and is not designed to."

rosead
Level 7
Message 37 of 115

"System Tool" virus got installed despite McAfee running

We were attacked by SYSTEM TOOL last night and after almost two hours of experimenting we were able to remove it in less than five minutes.  Ultimately the solution was simply to find the files and delete them.  As I explain below, items in [ ] were the names and locations I discovered on my computer.  I don't know if these are always the same or may differ from user to user.

The "find" step was carried out using Windows Explorer and working my way down through directory levels until I found the specific malware files. I started at the hard drive level and sorted the contents by date modified. I was looking for a file or folder which had a modification date and time (in our case the same day, early evening) which coincided with SYSTEM TOOL taking over our computer and posting its message on the desktop. There happened to be only one such location listed [ProgramData]. I then went into that directory/folder and again sorted on date modified and found one such folder [dPcMhIk08520]. When I opened that folder it contained only two files -- the application [dPcMhIk08520.exe] and a data file.

The next step was to delete the files.  The data file could be deleted immediately.  The application file could not be deleted immediately because it was currently running.  To counter this I opened Windows Task Manager from the Control Panel, selected the "processes" tab, highlighted the specific program and clicked "End Task".  Once this was accomplished I returned to Windows Explorer, went to the appropriate folder and deleted the file.

These two steps solved the problem but for safety's sake I then rebooted the computer. No malware today, and hopefully never again.
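
The find-by-date, end-task, delete sequence rosead describes above (and the Task Manager approach exbrit mentions in message 34) can be done from an elevated PowerShell prompt. The script below is an added example written for this page; it is not rosead's procedure verbatim and not a McAfee tool. It assumes the dropper sits in its own folder directly under %ProgramData% (as [dPcMhIk08520] did), that the script is run as Administrator, and the parameter names $Root, $Hours and $Remove are my own. It also adds one check rosead did not mention: logon autorun entries (the Run keys) that point into the suspect folder, so the fake AV does not come back at the next reboot.

```powershell
# Added example (not from the thread): triage a suspect folder under %ProgramData%
# the way rosead describes, from PowerShell. Run as Administrator.
# Assumptions: the dropper lives in its own folder directly under $Root, its
# executable may still be running, and a recent LastWriteTime marks the folder.
# Without -Remove the script only reports; with -Remove it ends the process,
# clears matching Run entries and deletes the folder.

param(
    [string]$Root  = $env:ProgramData,
    [int]$Hours    = 24,       # how far back "recently modified" reaches
    [switch]$Remove            # report only unless this switch is given
)

$cutoff  = (Get-Date).AddHours(-$Hours)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# 1. Folders under the root modified after the cutoff, newest first
#    (the equivalent of sorting Explorer by "date modified").
$recent = Get-ChildItem -Path $Root -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    Sort-Object LastWriteTime -Descending

foreach ($dir in $recent) {
    $prefix = $dir.FullName + '\'
    Write-Host ("{0}  {1}" -f $dir.LastWriteTime, $dir.FullName)

    # 2. Running processes whose image lives inside that folder.
    $procs = @(Get-Process -ErrorAction SilentlyContinue | Where-Object {
        $_.Path -and $_.Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
    })
    foreach ($p in $procs) {
        Write-Host ("   running: PID {0}  {1}" -f $p.Id, $p.Path)
        if ($Remove) { Stop-Process -Id $p.Id -Force }   # same as Task Manager "End Task"
    }

    # 3. Added check: Run entries pointing into the folder. The fake AV usually
    #    re-launches itself at logon, so a reboot alone proves nothing.
    $autoruns = @()
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            if ($value.IndexOf($dir.FullName, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $autoruns += "$key\$name"
                Write-Host ("   autorun: {0}\{1} = {2}" -f $key, $name, $value)
                if ($Remove) { Remove-ItemProperty -Path $key -Name $name }
            }
        }
    }

    # 4. Delete the folder only when it is tied to a process or an autorun entry.
    #    Plenty of legitimate folders here (e.g. ProgramData\Microsoft) are modified
    #    every day, so "recently modified" alone is not grounds for deletion.
    #    The .exe is locked while it runs, hence the stop in step 2 first.
    if ($Remove -and ($procs.Count -gt 0 -or $autoruns.Count -gt 0)) {
        Start-Sleep -Seconds 1
        Remove-Item -Path $dir.FullName -Recurse -Force
        Write-Host ("   removed: {0}" -f $dir.FullName)
    }
}
```

Run it once without -Remove and read the output; only a folder that shows both a recent timestamp and a process or Run entry of its own is a candidate. As exbrit notes elsewhere in the thread, if the process keeps respawning or the desktop is locked, the same script can be run from Safe Mode with Networking.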

Reliable Contributor exbrit
Reliable Contributor
Message 38 of 115

"System Tool" virus got installed despite McAfee running

Good post, thanks rosead.

lauraeva
Level 7
Message 39 of 115

"System Tool" virus got installed despite McAfee running

BBC News

Britons caught out by booby-trapped web ads

Tens of thousands of people could have been caught out by cyber criminals who put booby-trapped adverts on popular webpages.

The criminals racked up the victims by compromising the computers used by ad firm Unanimis to display adverts to popular websites.

The ads appeared on the websites of the London Stock Exchange, Autotrader, the Vue cinema chain and six other sites.

Unanimis said it moved quickly to pull the adverts once they were discovered.

Victim count

It said it was now investigating how the criminals managed to inject their booby-trapped ads into its feed.

David Nelson, operations and IT director at Unanimis, told the BBC that security alerts revealed the existence of the booby-trapped adverts at 1800 GMT on 27 February.

Clearing out the adverts took about three hours, said Mr Nelson.

A preliminary investigation revealed that "unauthorised access" to the ad servers allowed the criminals to inject their malicious code.

Mr Nelson said Unanimis was still investigating how the criminals got access as the firm has security systems in place that check adverts are safe before they are distributed.

"The [adverts] they chose to modify were not being widely distributed," said Mr Nelson. This, coupled with the attack taking place on a Sunday evening, limited how many people fell victim.

"We have to count ourselves lucky in some respects," he said.

The bad ads exploited vulnerabilities in software used on Windows PCs to make it look like a machine had been hit by a virus.

Then it displayed a bogus diagnostic screen telling users that their PC was infected. It asked for payment to remove the "infection".

Mr Nelson said it was still trying to work out how many people had seen the booby-trapped ads.

He speculated that a "few percent" of Unanimis audience would have been hit. He declined to identify all the sites that had shown the adverts but said all those affected had been informed.

Patrik Runald, senior research manager at Websense, said its analysis suggested a lot of people had been caught out.

"We believe that quite a large number of sites were showing these adverts," he said, adding that the number of victims could be in the "tens of thousands".

The criminals behind the bad ads typically loaded their attack tools with code that exploited many different vulnerabilities in Windows programs.  Java and software from Adobe was becoming a favourite among hi-tech criminals, he said.

Mr Runald said cyber criminals liked to subvert advertising systems because it was a good way to get their malicious code put on popular sites with only a little effort on their part.

"Such malvertising is reasonably common," said Mr Runald. "It does not happen every day but it does happen every month or so."

http://www.bbc.co.uk/news/technology-12608651

Reliable Contributor exbrit
Reliable Contributor
Message 40 of 115

"System Tool" virus got installed despite McAfee running

Couldn't you get into Safe Mode at all during that reboot cycle? You could have possibly started System Restore in that mode. McAfee, like most antivirus makers, isn't doing too well in that regard, but they do at least have a tool that is meeting with some success; it's called GetSusp and you have to join here in order to try it out. This could be useful in the future.

GetSusp