Author Topic: System Tool -- Phony ROGUE VIRUS  (Read 456 times)

Offline HellFire

  • Copper Member
  • **
  • Posts: 310
System Tool -- Phony ROGUE VIRUS
« on: March 11, 2011, 02:10:03 PM »
Help People:
 
Managed to pick up this unpleasant, malicious virus posing as a helpful info page, now I'm unable to GET RID of it!! What it does is it SLOWS the system down, sends IE advertisements (I use Firefox), interrupts as it inundates the system with wrong data & it's getting WORSE!!

Took me four (4) tries to get to Aces High as I was taken to various advertisements from Laundry to Gambling Ads! I ran the following anti-virus pgms attempting to get rid of it: Avira, Malware, MSE, Avast & today, ESET Nod 32 all done with deep scans to no avail!

Google searches helped but to a minor extent ... ALL PC experts pls help me as situation is getting worse as I'm interrupted by so called windows msgs every few minutes  :mad:
"In life there is certain death, and between life and death
  there is a journey, hence in truth nothing is lost in death."

Offline Tac

  • Platinum Member
  • ******
  • Posts: 4085
Re: System Tool -- Phony ROGUE VIRUS
« Reply #1 on: March 11, 2011, 02:17:55 PM »
My father's laptop got a similar virus just last week.

Not sure if it's the same one.. his virus was a non-stop fake antivirus program warning him the system was infected and asking him to buy the AV program... it would not let you go to any antivirus software website (screen would turn black) nor allow you to run windows task manager or any other program ..it stopped it and popped a message saying that program was infected lol.

To fix:

You need to restart the computer in safe mode with networking. Download malwarebytes antimalware program (it's free). Install it and run it.

It will find that bugger and kill it.

To be on the safe side, back up your files and format/reinstall everything. You don't want to be putting credit card info or other stuff in a machine that's been infected.

Offline Tyrannis

  • Persona Non Grata
  • Gold Member
  • *****
  • Posts: 3931
Re: System Tool -- Phony ROGUE VIRUS
« Reply #2 on: March 11, 2011, 02:54:39 PM »
i got the same thing. it's malware.

wouldn't let me access any of the stuff on my computer, claiming my computer was infected with "spyware" and only system tool would be able to remove it. (of course, they're asking for $$$ to use system tool).

for about a week i couldn't use my computer, until one day it just suddenly stopped and my computer's back to being normal.

i have avg tho, run a virus scan and it picks up a trojan that it can't remove. i'm guessing it's the system tool virus laying dormant in my computer. been trying to figure out how to remove it without having to reinstall windows.

Offline CAP1

  • Radioactive Member
  • *******
  • Posts: 22287
      • The Axis Vs Allies Arena
Re: System Tool -- Phony ROGUE VIRUS
« Reply #3 on: March 11, 2011, 04:07:23 PM »
use a different computer. download malwarebytes, and superantispyware onto a thumb drive, and install em on the thumbdrive.

plug the drive into the infected computer, and run them. it'll likely take several times running both.....and they should find the culprits.
ingame 1LTCAP
80th FS "Headhunters"
S.A.P.P.- Secret Association Of P-38 Pilots (Lightning in a Bottle)

Offline PFactorDave

  • Platinum Member
  • ******
  • Posts: 4334
Re: System Tool -- Phony ROGUE VIRUS
« Reply #4 on: March 11, 2011, 04:53:52 PM »
My mother-in-law had the same thing awhile back.  As others said, malwarebytes will fix it fairly simply.

1st Lieutenant
FSO Liaison Officer
Rolling Thunder

Offline fbWldcat

  • Gold Member
  • *****
  • Posts: 2970
Re: System Tool -- Phony ROGUE VIRUS
« Reply #5 on: March 11, 2011, 05:04:38 PM »
> You need to restart the computer in safe mode with networking.

I never start it with networking. You don't have to use Malwarebytes, but it is one of the most reliable AVs out there. Networking shouldn't be necessary unless you are trying to install an AV from the web, right?
Landing is overrated.
"Two roads diverged in a wood, and I: I took the one less traveled by." - Robert Frost
"Uncommon valor was a common virtue." <S>

Offline gyrene81

  • Plutonium Member
  • *******
  • Posts: 11629
Re: System Tool -- Phony ROGUE VIRUS
« Reply #6 on: March 11, 2011, 06:10:00 PM »
malwarebytes is a spyware killer, not an anti-virus.

you may be able to stop most of the active processes using anti-malware or anti-virus programs but you won't be getting rid of the problem...you will probably have to hack the registry to completely get rid of it...

instructions from malwarebytes forums:

http://forums.malwarebytes.org/index.php?showtopic=66064



known items to look for on the hard drive...should be gone after you make your scans

XP
-Random files in %temp%.
C:\Documents and Settings\All Users\Application Data\oHaKo00902 (Random folder)
C:\Documents and Settings\All Users\Application Data\oHaKo00902\oHaKo00902 (Random file without extension)
C:\Documents and Settings\All Users\Application Data\oHaKo00902\oHaKo00902.exe (Random file & dropper)


Vista and 7
-Random files in %temp%.
C:\Users\All Users\Application Data\oHaKo00902 (Random folder)
C:\Users\All Users\Application Data\oHaKo00902\oHaKo00902 (Random file without extension)
C:\Users\All Users\Application Data\oHaKo00902\oHaKo00902.exe (Random file & dropper)

Note: %temp% refers to the following locations, based on your version of Windows:

Windows XP: C:\Documents and Settings\{USER}\Local Settings\Temp

Vista/7: C:\Users\{USER}\AppData\Local\Temp



registry keys to look for after running the scans:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RANDOM"="c:\Documents and Settings\All Users\Application Data\RANDOM.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"RANDOM"="c:\Documents and Settings\All Users\Application Data\RANDOM.exe"

jarhed  
Build a man a fire and he'll be warm for a day...
Set a man on fire and he'll be warm for the rest of his life. - Terry Pratchett
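
The leftover Run/RunOnce entries listed in the post above can be checked for mechanically. The following is an added example, not part of the thread or of the Malwarebytes instructions: it parses a registry export and lists autostart values that launch an .exe from the shared application-data folders. The sample export is constructed, and treating C:\ProgramData as one of those folders is an assumption added here.

```python
import re

# Autostart keys named in the post (HKCU is shorthand for HKEY_CURRENT_USER).
AUTORUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}
# Shared data folders from the post, plus ProgramData (added assumption: Vista/7 alias).
SUSPECT = re.compile(
    r'^"?[a-z]:\\(?:documents and settings\\all users\\application data'
    r'|users\\all users\\application data|programdata)'
    r'\\(?:[^\\"]+\\)?[^\\"]+\.exe\b',
    re.IGNORECASE,
)
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in .reg export form; oHaKo00902 is the post's example name.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"oHaKo00902"="c:\\Documents and Settings\\All Users\\Application Data\\oHaKo00902.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="\"C:\\Program Files\\Example\\update.exe\" /silent"
"oHaKo00902"="C:\\ProgramData\\oHaKo00902\\oHaKo00902.exe"
'''

def suspicious_autoruns(reg_text):
    """Return (key, value name, command) for autostart entries to review."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            key = re.sub(r"^hkcu\\", r"hkey_current_user\\", m.group(1), flags=re.I)
            continue
        m = VALUE.match(line)
        if m and key and key.lower() in AUTORUN_KEYS:
            # .reg exports write \ as \\ and " as \"; undo that.
            name, cmd = (re.sub(r'\\([\\"])', r"\1", g) for g in m.groups())
            if SUSPECT.match(cmd):
                hits.append((key, name, cmd))
    return hits

if __name__ == "__main__":
    for key, name, cmd in suspicious_autoruns(SAMPLE):
        print(f"REVIEW {key} :: {name} -> {cmd}")
```

For a real machine, export each key with `reg export` and read the resulting file as UTF-16 before passing its text to `suspicious_autoruns`. A hit is a candidate for review, not proof of infection.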

Offline 1Boner

  • Gold Member
  • *****
  • Posts: 2285
Re: System Tool -- Phony ROGUE VIRUS
« Reply #7 on: March 11, 2011, 06:55:22 PM »
If you ever see a window that pops up and says you need to run a scan or download a tool of some sort, STOP, don't touch anything on the computer except the power off button.

Don't try to exit from the window, don't hit "cancel" , back away and hit the OFF switch on the computer. :salute

I call it "Rogue be gone".

It's free.

No download required.
« Last Edit: March 11, 2011, 06:57:53 PM by 1Boner »
"Life is just as deadly as it looks"  Richard Thompson

"So umm.... just to make sure I have this right.  What you are asking is for the bombers carrying bombs, to stop dropping bombs on the bombs, so the bombers can carry bombs to bomb things with?"  AKP

Offline guncrasher

  • Plutonium Member
  • *******
  • Posts: 17423
Re: System Tool -- Phony ROGUE VIRUS
« Reply #8 on: March 11, 2011, 07:00:11 PM »
reinstall the os.

semp
you don't want me to ho, don't point your plane at me.

Offline CAP1

  • Radioactive Member
  • *******
  • Posts: 22287
      • The Axis Vs Allies Arena
Re: System Tool -- Phony ROGUE VIRUS
« Reply #9 on: March 11, 2011, 07:15:22 PM »
> If you ever see a window that pops up and says you need to run a scan or download a tool of some sort, STOP, don't touch anything on the computer except the power off button.
>
> Don't try to exit from the window, don't hit "cancel" , back away and hit the OFF switch on the computer. :salute
>
> I call it "Rogue be gone".
>
> It's free.
>
> No download required.

THAT doesn't work. i got hit with one of these about a year ago.......i pulled the cable, and powered down immediately. it was too late. when i rebooted, i was screwed already.
ingame 1LTCAP
80th FS "Headhunters"
S.A.P.P.- Secret Association Of P-38 Pilots (Lightning in a Bottle)

Offline gpwurzel

  • Gold Member
  • *****
  • Posts: 3836
Re: System Tool -- Phony ROGUE VIRUS
« Reply #10 on: March 11, 2011, 07:23:27 PM »
I'd suggest going with Tac's advice. Start computer up in safe mode with networking (you need the networking bit to ensure malwarebytes is fully up to date, as it will attempt to update itself before first run). Starting in safe mode will ensure the very barest minimum of processes are up and running on your machine, and should not call any of the required processes for the malware.

Wurzel

(spent many hours this week removing this particular little bugger from people's computers)
I'm the worst pilot ingame ya know!!!

It's all unrealistic crap requested by people who want pie in the sky actions performed without an understanding of how things work and who can't grasp reality.


Offline Tac

  • Platinum Member
  • ******
  • Posts: 4085
Re: System Tool -- Phony ROGUE VIRUS
« Reply #11 on: March 11, 2011, 09:40:43 PM »
once the malware is removed you can run an antivirus on the entire machine.

Though personally i'd format and reinstall. 
 

Offline Wildcat1

  • Gold Member
  • *****
  • Posts: 2163
Re: System Tool -- Phony ROGUE VIRUS
« Reply #12 on: March 11, 2011, 09:44:39 PM »
delete all but one of your antivirus programs.

they are programmed to compete with each other, and in the end aren't very efficient all together. i use Norton Anti-Virus

hope everything works out :salute
having fun and getting killed since tour 110
The King of 'Cobras. 350th FG, Tunisia 2016

Air Traffic Controller (Air Warfare/Surface Warfare) 2nd Class, USS John C. Stennis CVN-74

Offline HellFire

  • Copper Member
  • **
  • Posts: 310
Re: System Tool -- Phony ROGUE VIRUS
« Reply #13 on: March 11, 2011, 10:47:57 PM »
As an addendum & making sure that the rogue is truly deleted, once & for all, I followed gyrene81's recommendations per his response & w/o a benefit of a doubt ALL traces of viruses are gone.

Once again TY to Tac & gyrene81  :aok  :D
"In life there is certain death, and between life and death
  there is a journey, hence in truth nothing is lost in death."