Windows Thread, System Tool 2011 - Virus Warning (Related to Hotmail Adverts) in Technical
4th March 2011, 10:38 AM #1 System Tool 2011 - Virus Warning (Related to Hotmail Adverts)
Hello All!
I'm sure some of you may have seen it already, but take a look at the screenshots below...


This is all down to the "System Tool 2011" virus that's started to go around like wildfire! We've had 3 staff personal computers, a couple of student laptops and 2 on-site computers get hijacked with this virus in the last week. All of the on-site machines accessed Hotmail before getting infected and, from researching this, it's coming through an advert on the Hotmail website. You don't even need to click the advert as the virus executes via a Java/JavaScript vulnerability. There's also a PDF vulnerability this virus can take advantage of as well. There are reports other sites are infected too through the same type of advert. I'm unsure of these though. It affects all Windows XP, Vista and 7.
The only way we've been able to remove the virus is to use the Malwarebytes' Tool. The instructions in the forum post below work 100%. The tool needs to be run in the user account it's hijacked. However, we've seen one computer corrupt itself as the virus had time to completely ruin the boot-up and then we had to rebuild it from scratch.
Removal instructions for System Tool - Malwarebytes Forum
We've blocked the Hotmail website as a precaution so far to stop any further infections. It might be worth warning staff who have home computers that could be at risk. Unfortunately, it's bypassed Sophos Anti-Virus (due to the nature of how the virus renames itself every time it executes after a reboot) and it cannot be detected outside of the user account it's hijacked.
-
4th March 2011, 11:33 AM #2 There's a long thread going about this one already: Compromised Websites - Anyone else affected yet?
It's not just Hotmail by a long shot, so a block there will not be effective.
-
-
4th March 2011, 11:35 AM #3 
Originally Posted by
AngryTechnician
Not noticed this, but Hotmail has been mentioned every time we've spoken to each user who's had their machine hijacked by this virus. Didn't notice the above thread. Will read and contribute there.
-
-
4th March 2011, 11:39 AM #4 It's adverts in general - even the London Stock Exchange was spreading it apparently.
-
-
4th March 2011, 12:57 PM #5 We unfortunately had a member of staff recently infected with this. I spent 2 days scanning for this rogue and nothing was found. I even tried Malwarebytes and it did not work, but I didn't try it this way. I'll try it this way next time, thanks.
-
-
4th March 2011, 05:22 PM #6
I've had this on many private jobs - best solution I found was
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
Make sure you boot into safe mode - as usual!
Make sure SAS has the latest version - has not failed me yet.
-
-
4th March 2011, 06:03 PM #7 I've said it once and will continue to say it many times : SAS bulks out results with legitimate files, if you want to trust your network/systems to that level of deceit then you might as well open it up to proper infections.
-
-
6th March 2011, 12:07 PM #8
I've had it loads on private jobs too.
Boot into safe mode
The file is in Documents and Settings / user / app data
there is a folder with random letters and numbers
Delete that and run malwarebytes / alternative
-
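The folder pattern described in post #8 (a randomly named folder under the user's application data directory), turned into a per-profile triage check. This is an added example, not part of the thread or any poster's tooling; the extension list, the name heuristic with its entropy threshold, and the sample folder names are assumptions constructed for illustration.

```python
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

EXEC_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd"}  # assumed list of executable types
NAME_RE = re.compile(r"^[A-Za-z0-9]{8,}$")

def looks_random(name: str) -> bool:
    """Heuristic (an assumption, not a signature): one alphanumeric token of
    8+ characters that mixes letters and digits and has high character entropy."""
    if not NAME_RE.match(name):
        return False
    if not (any(c.isdigit() for c in name) and any(c.isalpha() for c in name)):
        return False
    counts = Counter(name.lower())
    entropy = -sum(n / len(name) * math.log2(n / len(name)) for n in counts.values())
    return entropy >= 2.5

def suspicious_folders(appdata_root: Path) -> list[Path]:
    """Return first-level folders under an application-data directory that have
    a random-looking name and directly contain an executable file."""
    hits = []
    for folder in sorted(p for p in appdata_root.iterdir() if p.is_dir()):
        if looks_random(folder.name) and any(
            f.is_file() and f.suffix.lower() in EXEC_EXT for f in folder.iterdir()
        ):
            hits.append(folder)
    return hits

def build_sample_profile(base: Path) -> Path:
    """Constructed sample tree standing in for one user's Application Data."""
    root = base / "Documents and Settings" / "user" / "Application Data"
    for folder, filename in [
        ("Microsoft", "settings.dat"),             # legitimate vendor folder
        ("Adobe", "reader.exe"),                   # executable, but ordinary name
        ("kX93mQ27vLpa81", "kX93mQ27vLpa81.exe"),  # constructed random name
        ("a1b2c3d4e5f6", "notes.txt"),             # random-looking, no executable
    ]:
        (root / folder).mkdir(parents=True, exist_ok=True)
        (root / folder / filename).write_bytes(b"")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in suspicious_folders(build_sample_profile(Path(tmp))):
            print("review:", hit)
```

A hit is a folder to review by hand before deleting anything, since legitimate software can also use generated folder names.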
-
7th March 2011, 05:36 PM #9 Found it using the old rename OLD.xxx letters and numbers; the normal stuff would not remove this one.
One happy head teacher :-) Cheers.
-
-
7th March 2011, 10:04 PM #10 
Originally Posted by
synaesthesia
I've said it once and will continue to say it many times : SAS bulks out results with legitimate files, if you want to trust your network/systems to that level of deceit then you might as well open it up to proper infections.
We're all paying small fortunes for Anti-Virus software that is failing miserably to do its job, so I'm more than happy to get false positives, as at least then I'll have an idea where a genuine issue might be.
-