Endpoint Protection


"System Tool" Malware or Spyware...


  • 1.  "System Tool" Malware or Spyware...

    Posted Dec 14, 2010 01:57 PM

    I am not sure what this thing is, but it is a true pain in the neck to get rid of. The ONLY way that I know how to remove it is to utilize system restore. After I have run the system restore, I can then again run and install programs. Before this time I can't. This thing is so annoying that it will not even let me bring up "task manager." It also changes the desktop wallpaper to a big "WARNING" sign. Back to my original point. Once system restore has been run, I can then add programs such as Spy-bot S & D or Malwarebytes. Once the programs are run they will find it and remove the threats. HOWEVER, by this time, this bug (which puts a little lock icon near the clock) has screwed up SEP. The definitions become corrupt and pretty much make SEP useless. The ONLY way I have been able to fix this part of the issue is to reinstall SEP. Is there a way to fix the defs WITHOUT a reinstall? Also, does anyone know what I am referring to (the spy/malware)?



  • 2.  RE: "System Tool" Malware or Spyware...

    Posted Dec 14, 2010 02:03 PM


    Stop These System Tool 2011 Processes:
    5648541024.exe
    System Tool 2011.exe

    Find and Delete These System Tool 2011 Files:
    %AppData%\[random]\
    %AppData%\5648541024
    %AppData%\5648541024\5648541024.bat
    %AppData%\5648541024\5648541024.cfg
    %AppData%\5648541024\5648541024.exe
    %UserProfile%\Desktop\System Tool 2011.lnk
    %UserProfile%\Start Menu\Programs\System Tool 2011.lnk

    Remove These System Tool 2011 Registry Values:
    HKEY_CURRENT_USER\Software\System Tool 2011
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "5648541024"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"

    Also submit the files to Symantec Security response



  • 3.  RE: "System Tool" Malware or Spyware...

    Posted Dec 14, 2010 02:06 PM

    ...is not easy to do with task manager disabled, and it will shut the registry command down too.



  • 4.  RE: "System Tool" Malware or Spyware...
    Best Answer

    Posted Dec 14, 2010 02:26 PM

    You need to go into safemode. I've just been playing around with this as we speak.

    In safemode, navigate to:

    C:\Documents and Settings\All Users\Application Data\[random characters] and delete the entire folder and all other oddly named folders as well as any executables. That will "remove"

    I've just submitted samples to Symantec.

    The only anti-spyware that caught it was Hitman Pro

    Does it look like this:


    I've also attached the before/after install log...it may help in removal. Many of the setting changes are left behind after this thing is removed so you will have some manual work to do.



  • 5.  RE: "System Tool" Malware or Spyware...

    Posted Dec 14, 2010 02:31 PM

    Once I did this, I added Spy-bot, for some reason Malwarebytes kept crashing halfway through. S & D cleared it. Then I redid SEP and it picked up .exe's in the recovery. I couldn't do ANYTHING unless it was done in SafeMode. The 2 I did it on, nothing worked except system restore. Will running these fixes help with the corrupt SEP/NAV defs???



  • 6.  RE: "System Tool" Malware or Spyware...

    Posted Dec 14, 2010 02:33 PM

    Wipe this stuff out...

    ----------------------------------
    Keys added:6
    ----------------------------------
    HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASMAN\0000\Control
    HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAPISRV\0000\Control
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control
    HKU\S-1-5-21-2052111302-1957994488-842925246-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKU\S-1-5-21-2052111302-1957994488-842925246-1003\Software\Sysinternals\TCPView

    ----------------------------------
    Values added:10
    ----------------------------------
    HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASMAN\0000\Control\ActiveService: "RasMan"
    HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAPISRV\0000\Control\ActiveService: "TapiSrv"
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control\ActiveService: "RasMan"
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control\ActiveService: "TapiSrv"
    HKU\S-1-5-21-2052111302-1957994488-842925246-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Oevna\Qrfxgbc\18npnq[1].rkr: 0A 00 00 00 06 00 00 00 00 92 16 20 BF 9B CB 01
    HKU\S-1-5-21-2052111302-1957994488-842925246-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Oevna\Qrfxgbc\Flfvagreanyf\Gpcivrj.rkr: 0A 00 00 00 06 00 00 00 B0 E6 D4 3E BF 9B CB 01
    HKU\S-1-5-21-2052111302-1957994488-842925246-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce\lKoPa06301: "C:\Documents and Settings\All Users\Application Data\lKoPa06301\lKoPa06301.exe"
    HKU\S-1-5-21-2052111302-1957994488-842925246-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\xxxxx\Desktop\18acad[1].exe: "Debug Tools for Windows"
    HKU\S-1-5-21-2052111302-1957994488-842925246-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\xxxxx\Desktop\Sysinternals\Tcpview.exe: "TCP/UDP endpoint viewer"
    HKU\S-1-5-21-2052111302-1957994488-842925246-1003\Software\Sysinternals\TCPView\EulaAccepted: 0x00000001

    ----------------------------------
    Files added:13
    ----------------------------------
    C:\Documents and Settings\All Users\Application Data\lKoPa06301\lKoPa06301
    C:\Documents and Settings\All Users\Application Data\lKoPa06301\lKoPa06301.exe
    C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\D995ES45\desktop.ini
    C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
    C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\KD5VPEO0\desktop.ini
    C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\KSM4XEMZ\desktop.ini
    C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\UWVVW4C2\desktop.ini
    C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\desktop.ini
    C:\WINDOWS\Debug\UserMode\userenv.log
    C:\WINDOWS\Prefetch\18ACAD[1].EXE-2E4F54F6.pf
    C:\WINDOWS\Prefetch\LKOPA06301.EXE-02C99980.pf
    C:\WINDOWS\Prefetch\TCPVIEW.EXE-07F4E0DD.pf
    C:\WINDOWS\system32\wbem\Logs\wbemess.log

    ----------------------------------
    Files deleted:1
    ----------------------------------
    C:\Documents and Settings\XXXX\Desktop\18acad[1].exe

    ----------------------------------
    Files [attributes?] modified:7
    ----------------------------------
    C:\Documents and Settings\xxxxx\Cookies\index.dat
    C:\Documents and Settings\xxxxx\Local Settings\History\History.IE5\index.dat
    C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    C:\Documents and Settings\xxxxx\NTUSER.DAT.LOG
    C:\WINDOWS\system32\config\software.LOG
    C:\WINDOWS\system32\config\system.LOG
    C:\WINDOWS\system32\wbem\Logs\wbemcore.log

    ----------------------------------
    Folders added:5
    ----------------------------------
    C:\Documents and Settings\All Users\Application Data\lKoPa06301
    C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\D995ES45
    C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\KD5VPEO0
    C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\KSM4XEMZ
    C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\UWVVW4C2

    ----------------------------------
    Total changes:50
    ----------------------------------
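As an added example (not code from the thread or from any poster), a Python parser for the before/after install-log layout in the post above that decodes the ROT13-encoded UserAssist entries and pulls out the Run/RunOnce value together with the executable it launches, so a responder can see what ran and what was set to autostart. The sample log is constructed in that layout with placeholder SID, user and folder names.

```python
import codecs
import re

# Constructed sample in the layout of the before/after install log posted above:
# a dashed rule, "Section:count", a dashed rule, then one entry per line. The SID,
# user name and random folder name are placeholders, not values from a real host.
SAMPLE_LOG = r"""
----------------------------------
Values added:3
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control\ActiveService: "RasMan"
HKU\S-1-5-21-0-0-0-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\hfre\Qrfxgbc\fnzcyr.rkr: 0A 00 00 00 06 00 00 00 00 92 16 20 BF 9B CB 01
HKU\S-1-5-21-0-0-0-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce\xRANDOM0000: "C:\Documents and Settings\All Users\Application Data\xRANDOM0000\xRANDOM0000.exe"

----------------------------------
Files added:1
----------------------------------
C:\Documents and Settings\All Users\Application Data\xRANDOM0000\xRANDOM0000.exe
"""

RULE = "-" * 34
AUTOSTART = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

def parse_sections(text):
    """Split the log into {section: {"expected": N, "entries": [...]}} by its dashed headers."""
    sections, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        if line == RULE and i + 2 < len(lines) and lines[i + 2].strip() == RULE:
            name, _, count = lines[i + 1].strip().rpartition(":")  # e.g. "Values added:3"
            current = name.strip()
            sections[current] = {"expected": int(count), "entries": []}
            i += 3
            continue
        if line and current is not None:
            sections[current]["entries"].append(line)
        i += 1
    return sections

def decode_userassist(entry):
    """UserAssist keeps the executed program's path ROT13-encoded after 'Count\\'."""
    pos = entry.find("\\Count\\")
    if pos < 0:
        return None
    encoded = entry[pos + len("\\Count\\"):].split(": ", 1)[0]
    return codecs.decode(encoded, "rot13")

def triage(text):
    """Return autostart values with the executable they launch, decoded UserAssist
    execution evidence, and sections whose entry count disagrees with the header."""
    sections = parse_sections(text)
    findings = {"persistence": [], "executed": [], "count_mismatch": []}
    for name, sec in sections.items():
        if sec["entries"] and len(sec["entries"]) != sec["expected"]:
            findings["count_mismatch"].append(name)
    for entry in sections.get("Values added", {}).get("entries", []):
        decoded = decode_userassist(entry)
        if decoded is not None:
            findings["executed"].append(decoded)
        elif AUTOSTART.search(entry):
            key, _, value = entry.rpartition(": ")
            findings["persistence"].append((key, value.strip('"')))
    return findings
```

A count mismatch between a section header and its entries usually means the pasted log was truncated, so the removal list built from it is incomplete.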



  • 7.  RE: "System Tool" Malware or Spyware...

    Posted Dec 14, 2010 02:56 PM

    Where did you get this from? I would like to know, so I can block the originating sites. I would test, but too much work :-(



  • 8.  RE: "System Tool" Malware or Spyware...

    Posted Dec 14, 2010 03:07 PM

    These are distributed and can be on many sites.

    For Task Manager and Registry getting blocked try this tool

    https://www-secure.symantec.com/connect/downloads/simple-utility-reset-folder-options-show-all-hidden-enable-registry-editing-enable-task-ma



  • 9.  RE: "System Tool" Malware or Spyware...

    Posted Dec 14, 2010 03:36 PM

    For anything that is added by the malware, you can usually just delete.

    You have to be careful as many times it tries to "Modify" keys/files/folders, etc. You usually can't just delete it without killing something legit.

    It sounds like you had the same infection I just looked at so hopefully the log will closely match what you are seeing. System Tool 2011 is what I saw.

    Yes, I have VMs set up where I can get the samples and play with them to find out what they do. It makes it much easier to create removal scripts/tools as well as add to my application/device control policies.

    The problem is it's so hard to block the sites because hundreds appear/disappear per day due to DNS fast flux techniques. Basically, compromised hosts act as proxies which makes malware networks much more resistant to discovery and takedown efforts.

    Basically, Application and Device control is the way to go if you use SEP. I've always recommended it. Another good option against web based threats is to use a proxy. It's not the end all to malware but it definitely helps.

    I've attached another log file from the same piece of malware (just a different executable) but as you can see they are virtually similar so removing the added files in question should get you started in the right direction. Ideally, you will just want to re-image but I know that's not always an option.

    Here's another screenshot of what I was seeing:



  • 10.  RE: "System Tool" Malware or Spyware...

    Posted Dec 14, 2010 04:22 PM

    Just make sure you disable 'system restore' temporarily and delete old 'system restore' files (If not already).

    I found out the hard way as it was buried in one of the recently created restore points...



  • 11.  RE: "System Tool" Malware or Spyware...

    Posted Dec 14, 2010 04:25 PM

    Your best bet is to disable system restore permanently if you can.



  • 12.  RE: "System Tool" Malware or Spyware...

    Posted Dec 14, 2010 04:41 PM

    Then Download the Microsoft Malicious Software removal tool from their website.



  • 13.  RE: "System Tool" Malware or Spyware...

    Posted Dec 14, 2010 07:55 PM

    Maybe they have improved it recently, but when I used it before it was useless.



  • 14.  RE: "System Tool" Malware or Spyware...

    Posted Dec 14, 2010 07:56 PM

    System restore was the ONLY thing that let me get back in action. Is this REALLY a wise move?



  • 15.  RE: "System Tool" Malware or Spyware...

    Posted Dec 14, 2010 08:50 PM

    It only removes very well known types of malware, not FakeAV.



  • 16.  RE: "System Tool" Malware or Spyware...

    Posted Dec 15, 2010 08:42 AM

    While system restore can usually be useful, in my experience, viruses and some malware/spyware have embedded themselves within these restore points.  They will take advantage of this technology.

    While the virus is 'removed' from the PC, as is, the restore points are never really checked for 'content' in scanning.  You will think the 'intrusion' is gone, then it will show back up all the sudden, just as it was before.

    I will usually turn system restore back on after a couple of weeks.



  • 17.  RE: "System Tool" Malware or Spyware...

    Posted Dec 15, 2010 08:52 AM

    It depends on the situation.

    We had a massive outbreak almost 2 years ago and got re-infected because it hid in system restore. We've since disabled system restore for good.

    BUT...any time a machine is infected, our desktop guys simply press the button, machine gets re-imaged, and the user gets the machine back when complete.

    It's just something they have to live with. They have full support from management so end of story.

    But I realize this doesn't work for all companies, it's just something we are able to do.



  • 18.  RE: "System Tool" Malware or Spyware...

    Posted Dec 15, 2010 08:57 AM

    ...but, as long as I can get MB or Spybot S & D installed Via Safemode, that is a big help. Next time I see something like this I will post first as well as research it. I don't mind doing a 10-20 min regedit and file removal...



  • 19.  RE: "System Tool" Malware or Spyware...

    Posted Dec 15, 2010 09:11 AM

    For FakeAV, they are fairly easy to remove in safemode. I've yet to see one that completely kneecaps a PC. Since they tend to install in familiar directories, they are usually easy to find/remove.

    Another removal tool you may want to try is Hitman Pro. Very effective:

    http://www.surfright.nl/en

    You can install it fully or use it on a one-time basis with no install necessary.



  • 20.  RE: "System Tool" Malware or Spyware...

    Posted Dec 15, 2010 11:49 AM

    Laptops...A user will bring home the laptops and "Their Kids" will be online and do whatever. When they are at home, there are no proxies. They are filtered here, but once out of the office all is a go.



  • 21.  RE: "System Tool" Malware or Spyware...

    Posted Dec 15, 2010 11:53 AM

    Same issue here.

    Not sure what proxy you use but see if they have a client install that can be configured to work as if it was on the corporate network, while on the outside.

    For our problem users we install the client to lock them down while off the network.



  • 22.  RE: "System Tool" Malware or Spyware...

    Posted Dec 15, 2010 11:59 AM

    We use Websense.



  • 23.  RE: "System Tool" Malware or Spyware...

    Posted Dec 15, 2010 01:01 PM

    Of course Symantec has their own FakeAV removal tool too, SEP Support Tool and within that, Power Eraser.  It's a free download!



  • 24.  RE: "System Tool" Malware or Spyware...

    Posted Dec 15, 2010 01:34 PM

    I am apprehensive to use it.



  • 25.  RE: "System Tool" Malware or Spyware...

    Posted Dec 15, 2010 05:34 PM

    Where is Symantec's FakeAV removal tool and does it work on System Tools?



  • 26.  RE: "System Tool" Malware or Spyware...

    Posted Dec 15, 2010 06:07 PM

    I believe he is referring to the SEP Power Eraser, which is an option to select in the Support Tool.

    It does a pretty nice job against FakeAV.



  • 27.  RE: "System Tool" Malware or Spyware...

    Posted Dec 15, 2010 06:34 PM

    Just be careful when using it. Don't delete something innocent and useful.



  • 28.  RE: "System Tool" Malware or Spyware...



  • 29.  RE: "System Tool" Malware or Spyware...

    Posted Dec 20, 2010 10:10 AM

    Hello,

    I had (and maybe still have) this same System Tool 2011 Malware/Spyware. I followed the steps outlined at the top of this thread and was able to delete the files and registry entries very easily (there were no 5648541024.exe or System Tool 2011.exe processes running) on mine. I have two questions:

    1) How can I be 100% sure that it has been successfully removed from my computer? It was very easy to remove (too easy) so I am suspicious there may be something more to it. I hate to think that I have spyware that is perhaps stealing my passwords as I type.

    2) Why didn't my Symantec Software with antivirus, antispyware, sonar protection, and current definition files DETECT the spyware or REMOVE it once I was infected? What is the point of having Symantec running if it can not detect or remove KNOWN infections? It seems to me that if someone can write a few step-by-step instructions to remove this spyware then Symantec should have been able to stop it from infecting my computer and definitely should have been able to remove it.

    Cheers,

    Tommy



  • 30.  RE: "System Tool" Malware or Spyware...

    Posted Dec 20, 2010 11:11 AM

    1. The only true way to tell if malware is removed is to re-image the machine. If you still feel unsafe, try using a second opinion malware such as Malwarebytes or Hitman Pro. FakeAV does not steal passwords. It is simply an annoyance to make you think you are infected and cough up $60 to have it removed. You will only lose money and have your credit card number stolen if you actually try to "purchase" it.

    2. Plain and simple, definitions did not exist to identify the threat. FakeAV is re-coded hundreds of times a day to escape detection and it usually does. Not just with SEP but any of your top AVs. The malware authors specifically re-write their code to escape detection by your top AV vendors so the AV vendors are constantly trying to play catch up and it's a losing battle. Your very best bet against the stuff is to create an application control policy and prevent executables from starting where they should not.



  • 31.  RE: "System Tool" Malware or Spyware...

    Posted Dec 20, 2010 03:01 PM

    Thanks Brian81. I will try to run another AV software. I ran Malwarebytes when the computer was displaying the effects of the 'virus' and it did not detect it. I will try Hitman Pro next.

    Would you say that if I followed the steps at the top of this thread and removed the EXE and registry entries (like I did) the System Tool 2011 (FakeAV) should be gone? I'm hesitant to wipe the disk and reinstall Windows and all of the programs, etc. due to the tremendous amount of time involved.

    Regarding my second question, I guess my point is that I did a simple internet search and found numerous discussions dating back to October 2010 about this exact same threat. Many people did their own R&D and posted solutions to get rid of it. This virus left a pretty straightforward fingerprint ("System Tool 2011.lnk"). Plus, the SEP active detection should have detected the numerous static text strings and other unique signatures embedded in the EXE and detected it being downloaded to my computer. So, why is it 2+ months later and Symantec, with their massive resources and staff, still can not detect and remove this rather simple virus/spyware?



  • 32.  RE: "System Tool" Malware or Spyware...

    Posted Dec 20, 2010 03:40 PM

    I would say that removal may be similar but since it has already been re-coded hundreds of times since I posted that last week, it probably changed since then.

    Trust me, Symantec has defs for this piece of FakeAV. I know they do because the ones I've downloaded have been detected by SEP. But as I said, it is constantly re-coded, probably multiple times today alone so the signature constantly changes and it's impossible to play catch up.



  • 33.  RE: "System Tool" Malware or Spyware...

    Posted Dec 29, 2010 12:41 AM

    I got into the same problem on one of my client's computers, not sure about the source of infection.

    The Malwarebytes solution worked out for us.

    1. Disabled the network.

    2. Couldn't install www.malwarebytes.org through the infected user account, so we logged off and logged in with a different local administrator account.

    3. To my surprise, the System Tools 2011 malware was not popping up in this account. So we successfully installed Malwarebytes and scanned the whole computer.

    4. It ran completely and found the results below.

    Registry Keys Infected: 21
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 8
    Files Infected: 9

    Even though it showed the status as 'quarantined and deleted the infected files', when I navigated to the specified registry keys and files, some of the files were still left behind. So I manually deleted them. So far no issues.



  • 34.  RE: "System Tool" Malware or Spyware...

    Posted Jan 03, 2011 10:18 AM

    These malware apps are usually associated with only the user that originally contracted the 'infection'.  Luckily they are (usually) very easy to remove if you know what you are doing.

    The authors are trying to affect in an environment assuming no users have admin rights.