Need some help identifying malware

[TheRealCJ]

Okay, so first of all, let me just say that while I have an expanded basic knowledge of computers and IT, I'm not an expert. Just enough to be the go-to guy for my idiotic family.

So when my father comes to me with "There's something on my computer", I get chills. Turns out to be a piece of very nasty Malware that had managed to get itself into just about every .dll in his computer (Windows 7, mind).

Disguising itself as an "Antivirus" called "System tool", it prevented us from opening his Antivirus, running a system restore, accessing his root files, or even shutting down the computer. Like I said, a real nasty little bastard.

I'm just wondering if anybody has come across it before, because I've never seen a belligerent program so quickly integrate itself and become impossible to remove (bar installation of the factory-build OS, which is what I was forced to resort to)

Here's some pictures that I snapped off before reinstalling windows:

Spoiler

The desktop wallpaper, forced by the program to be this image

Spoiler

This is a fake warning sent up the program after we tried to run system restore, actually disguised as a Windows warning flag

Spoiler

... and THIS is where clicking on that "message" took us

Spoiler

This is the message after I tried - and failed - to open AVG Antivirus

Spoiler

And, finally, the program itself

If anybody could give me some insight, I'd be very grateful, especially since my father computer is the one that's hardwired into our Router and NAS. I didn't want to do a google search for the program, for obvious reasons.

 

[TheRealCJ]

Oh yeah, and in before "learn2windows". My father is like, 50, and he's none to bright to begin with.

 

[Zachary Unkle]

Not this exact one,but yes I've had one like this.It was called AV AntiVirus.
I don't know the exact way to stop them,but I created a new user account,deleted the infected one,and it was gone.Again,I'm not sure if it's a sure-fire way,or if it will work all the time,or even work for this one,but it may be worth a try...

 

[TheRealCJ]

Not this exact one,but yes I've had one like this.It was called AV AntiVirus.
I don't know the exact way to stop them,but I created a new user account,deleted the infected one,and it was gone.Again,I'm not sure if it's a sure-fire way,or if it will work all the time,or even work for this one,but it may be worth a try...

I tried that. Essentially, this this pretty much stripped my father's account of Admin privileges. All he could do is log on, off, and use non-admin programs like web browsers or iTunes.

 

[gibboss28]

give this a look, it might help remove it:

http://www.howtogeek.com/howto/8693/how-to-remove-antivirus-live-and-other-roguefake-antivirus-malware/

 

[baconsarnie]

I had something similar on my old PC (running xp), after getting avast! anti-virus and spybot search and destroy i was able to get rid of it.
Try turning it off at the plug and starting in safe mode.

 

[Heart of Darkness]

I've had something similar, not this one, but they're pretty common. You usually need to start your computer in Safe Mode to fight them. If you want more information on this particular virus, though, here's Bleeping Computer's [http://www.bleepingcomputer.com/virus-removal/remove-system-tool] guide on how to remove it.

 

[kalt_13]

Dunno if this will help but trend micro have a free virus scan that works through your web browser, haven't used it for along time so no idea if its any good still. Heres a link if you want to try it.

http://housecall.trendmicro.com/au/

 

[Jack and Calumon]

Coincidence. I just fixed a friends laptop with a similar problem. Fake warnings, "Can't start program or do X because X is damaged" and every time you tried to access the internet, it would attempt to take you to a website mirroring viagra.com.

Don't know where it came from or what it was since it was a VERY annoying piece of crap. We ran the laptop in safe mode where all the fake warnings and fake "damaged" warnings stopped. We then ran STINGER and Windows Malicious Software Removal off a disc to track everything malicious. Surprisingly, nothing was found so I went into Control Panel, Add or Remove Programs and removed everything that looked dodgy. One program there stood out. A Java file called "aaaa" made by "bbbb" with the comments "cccc". Trying to remove that ended in failure, so I searched for "aaaa" on the taskbar and it instead came up with a differently named Java file. One with an actual name that I can't remember. I deleted it.

We then ran STINGER and WMSR again, and again came up with nothing. Ad Aware, AVG and Spybot were then run and Ad Aware found 40 strange objects. From keyloggers to tracking cookies, but instead of just saying "we found them, what next?" Ad Aware IMMEDIATELY threw them in Quarantine without even a word of input before asking "What next?" All of them were deleted.

We then ran the normal computer which then ran as normal. No warnings, no fake webpages and no "damaged files".

Hope that helps. I know it's not the same as what you had but it is VERY similar. Just remove the word "infected from the fake warnings and replace it with "damaged", add more warnings and don't change the background and it's the same thing. We told him he was lucky Windows wasn't damaged (Which was VERY lucky as he didn't have a Windows disc and needed to back Windows up on the recovery part of his Hard Drive, which he didn't).

Calumon: ...I don't know what people are talking about. :S

 

[TheRealCJ]

I had something similar on my old PC (running xp), after getting avast! anti-virus and spybot search and destroy i was able to get rid of it.
Try turning it off at the plug and starting in safe mode.

Yeah, tried that too. Ran Spybot and AVG. No dice.

 

[imnot]

I had something similar a few months ago, a system restore worked, but this looks a lot worse.

 

[TheRealCJ]

give this a look, it might help remove it:

http://www.howtogeek.com/howto/8693/how-to-remove-antivirus-live-and-other-roguefake-antivirus-malware/

Thanks a whole heap, that's really what I was after.

 

[TheRealCJ]

Coincidence. I just fixed a friends laptop with a similar problem. Fake warnings, "Can't start program or do X because X is damaged" and every time you tried to access the internet, it would attempt to take you to a website mirroring viagra.com.

Don't know where it came from or what it was since it was a VERY annoying piece of crap. We ran the laptop in safe mode where all the fake warnings and fake "damaged" warnings stopped. We then ran STINGER and Windows Malicious Software Removal off a disc to track everything malicious. Surprisingly, nothing was found so I went into Control Panel, Add or Remove Programs and removed everything that looked dodgy. One program there stood out. A Java file called "aaaa" made by "bbbb" with the comments "cccc". Trying to remove that ended in failure, so I searched for "aaaa" on the taskbar and it instead came up with a differently named Java file. One with an actual name that I can't remember. I deleted it.

We then ran STINGER and WMSR again, and again came up with nothing. Ad Aware, AVG and Spybot were then run and Ad Aware found 40 strange objects. From keyloggers to tracking cookies, but instead of just saying "we found them, what next?" Ad Aware IMMEDIATELY threw them in Quarantine without even a word of input before asking "What next?" All of them were deleted.

We then ran the normal computer which then ran as normal. No warnings, no fake webpages and no "damaged files".

Hope that helps. I know it's not the same as what you had but it is VERY similar. Just remove the word "infected from the fake warnings and replace it with "damaged", add more warnings and don't change the background and it's the same thing. We told him he was lucky Windows wasn't damaged (Which was VERY lucky as he didn't have a Windows disc and needed to back Windows up on the recovery part of his Hard Drive, which he didn't).

Calumon: ...I don't know what people are talking about. :S

Well, I tried running AVG and Spybot in safe mode, and I got several files that were "Locked" from the point of view of the two programs. but they were buried pretty deep in the registry, and I'd rather just slash-n-burn windows and start over.

 

[baconsarnie]

I had something similar on my old PC (running xp), after getting avast! anti-virus and spybot search and destroy i was able to get rid of it.
Try turning it off at the plug and starting in safe mode.

Yeah, tried that too. Ran Spybot and AVG. No dice.

New plan, get hold of the biggest hammer you can find ...

But seriously i hope you can get rid of it, i always crap myself when something like this happens.

 

[TheRealCJ]

I had something similar on my old PC (running xp), after getting avast! anti-virus and spybot search and destroy i was able to get rid of it.
Try turning it off at the plug and starting in safe mode.

Yeah, tried that too. Ran Spybot and AVG. No dice.

New plan, get hold of the biggest hammer you can find ...

But seriously i hope you can get rid of it, i always crap myself when something like this happens.

Well, like I said, wiping the HDD and reinstalling factory windows worked a treat. But I really wanted to know how to sort of identify and get rid of the sods. Because I'm pretty sure it's going to happen again (Go on, guess what my tech-illiterate father was doing on the internet just before he got the virus.)

 

[imnot]

I had something similar on my old PC (running xp), after getting avast! anti-virus and spybot search and destroy i was able to get rid of it.
Try turning it off at the plug and starting in safe mode.

Yeah, tried that too. Ran Spybot and AVG. No dice.

New plan, get hold of the biggest hammer you can find ...

But seriously i hope you can get rid of it, i always crap myself when something like this happens.

Well, like I said, wiping the HDD and reinstalling factory windows worked a treat. But I really wanted to know how to sort of identify and get rid of the sods. Because I'm pretty sure it's going to happen again (Go on, guess what my tech-illiterate father was doing on the internet just before he got the virus.)

Playing e-scrabble?

 

[TheRealCJ]

I had something similar on my old PC (running xp), after getting avast! anti-virus and spybot search and destroy i was able to get rid of it.
Try turning it off at the plug and starting in safe mode.

Yeah, tried that too. Ran Spybot and AVG. No dice.

New plan, get hold of the biggest hammer you can find ...

But seriously i hope you can get rid of it, i always crap myself when something like this happens.

Well, like I said, wiping the HDD and reinstalling factory windows worked a treat. But I really wanted to know how to sort of identify and get rid of the sods. Because I'm pretty sure it's going to happen again (Go on, guess what my tech-illiterate father was doing on the internet just before he got the virus.)

Playing e-scrabble?

... Sure, let's go with that.

 

[Corpse XxX]

My advice is to kill it with fire!! Gasoline helps!