How can I get rid of a System Tool 2011 infection?

Brian January 17, 2011

Is there a download available to rid me of this wretched curse? It has disabled my anti virus devices and my Orange dongle which I use to access the net.

I have access to another computer at work, so can download any suggestions made. I am aware of various step by step options, but my general lack of literacy and failing vision make this course a very difficult option.

Any assistance would be appreciated.

  1. Aibek
    January 25, 2011 at 8:57 am

    Hi Brian,

    So, did you manage to get rid of the System Tool 2011 malware using the recommendations above? Let us know.

    Aibek

  2. Mike
    January 18, 2011 at 7:36 pm

    On the Symantec forum I read that one of the following tools should be able to get rid of the "System Tool 2011" infection.

    ftp://ftp.symantec.com/public/english_us_canada/products/symantec_endpoint_protection/SEPDIAG/Sep_SupportToolSPE.exe

    http://www.surfright.nl/en/hitmanpro

    However, I suggest getting yourself a bootable AntiVirus CD/DVD/USB stick for any current and future cases of infection!

    Avira AntiVir Rescue System
    http://www.avira.com/en/support-download-avira-antivir-rescue-system

    G-DATA Boot CD 2011
    https://www.gdatasoftware.com/typo3conf/ext/dam_frontend/pushfile.php?docID=7793

    AVG Rescue CD
    http://www.avg.com/us-en/avg-rescue-cd

    BitDefender Rescue CD
    http://download.bitdefender.com/rescue_cd/

    F-Secure Rescue CD
    http://www.f-secure.com/en_EMEA-Labs/security-threats/tools/rescue-cd

    Sometimes one AntiVirus software detects malware which all others won't find, therefore I suggest getting various Live CDs or creating a MultiBoot CD/USB.

    One tool to create both an ISO you can burn and a USB stick is XBoot.
    I haven't tried it myself but the reviews are good.
    http://reboot.pro/13555/

    I myself have used MultiBoot USB to create a USB-Stick with multiple bootable AntiVirus editions
    http://www.pendrivelinux.com/boot-multiple-iso-from-usb-multiboot-usb/

    • Mike
      January 18, 2011 at 7:39 pm

      Xboot Page only works by adding the last "slash" to the URL ~ unfortunately it was cut by auto-link creation

  3. FIDELIS
    January 18, 2011 at 9:22 am

    You will need several tools to get rid of this infection.

    Rkill stops the virus executable when it is trying to stop you from getting rid of it.

    Download Rkill: http://www.technibble.com/rkill-repair-tool-of-the-week/

    Superantispyware and Malwarebytes are two of the best antimalware scanners. On this link there are four different downloads.
    Try getting the one with a .com extension. Sometimes viruses will not let you install antimalware scanners
    that have an .exe extension.

    Download Superantispyware portable: http://www.superantispyware.com/portablescanner.html
    Download Malwarebytes: http://www.malwarebytes.org/

    Kaspersky is rated very highly. If you have a decent antivirus installed, just update it and scan.

    Download Kaspersky antivirus rescue disk: http://support.kaspersky.com/faq/?qid=208282173
    or
    Clamav: http://www.clamav.net/lang/en/about/win32/. If you are running 64-bit, download the 64-bit
    edition.

    Instructions:

    1.- Download and save the files in a flash drive.

    2.- Start up your computer and as soon as you get your desktop do the following:
    If running XP: windows key>>run>>msconfig>>BOOT.INI tab>>check mark safe boot>>apply>>ok>>if asked to restart
    say no. Also you can keep pressing the F8 key when booting to access safe mode.
    If running Vista/Windows 7: start>>type msconfig in search bar>>when you see msconfig appear, right click>>
    choose run as administrator>>boot tab>>safe boot>>apply>>ok>>if asked to restart say no.

    3.- Try to run Rkill from the flash drive. To run the executable for Rkill just double click on it and if asked any
    questions just answer them. Let the program run until it finishes. This should give you time to do other stuff to
    prepare your system without the fake antivirus pop-up screens.

    4.- Make sure to clean cookies, temp files, etc. from your system. You can use crapcleaner for that with the default
    settings.

    5.- Turn System Restore off. There are viruses that, even if you cure them in safe mode, replicate when you start
    your system normally because there are traces in System Restore points.
    If running XP: windows key+Pause/Break at the same time>>System Restore>>highlight your drive (C:)>>check mark
    turn System Restore off.
    If running Vista/Windows 7: windows key+Pause/Break>>Advanced Settings>>System Restore

    6.- Update your installed antivirus and then restart your system. Your next boot should be in safe mode: a black screen with only your basic drivers, and in every
    corner it should say safe mode.

    7.- Run Superantispyware. There is no need to run an update if you downloaded the file recently. Also you can start
    in safe mode with networking so that you can update the definitions if you want. Pick full scan and wait for the
    scan to finish. See what it finds and click next. It is going to ask you if you want to delete files or quarantine
    them. Delete whatever it finds.

    8.- Scan your drive with your installed antivirus and let it do its thing. Depending on your antivirus configuration
    it is either going to delete whatever it finds or quarantine it. If you downloaded the Kaspersky antivirus rescue disc
    and followed the instructions to burn it to a CD, you will have to exit safe mode and when booting the computer go into
    the BIOS and change the boot order to start from CD/DVD. If you downloaded Clamav you can run it from the flash drive.

    9.- If you accessed safe mode through msconfig, go back to msconfig following the procedure you used before and uncheck
    safe boot. Restart your computer and it should start in normal mode. If the software used got rid of your virus you
    should be able to access your system without any problems.

    10.- Do a full scan with Superantispyware and your installed antivirus, or you can run Clamav again. Hopefully your scan will
    be clean. To make sure you can go to this link to double check. It is an online scan:

    http://www.eset.com/online-scanner

    11.- Run Malwarebytes in normal mode. Make sure to update it. You can run Malwarebytes from your flash drive or install it.

    12.- To double check, go to the All Users folder, unhide system files and see if you can find the executable for the fake antivirus.
    It usually has a weird name with numbers and letters and it should have an .exe extension. The sure way to find it is
    by comparing the icon for the fake antivirus. It should look the same as the icon on your desktop.

    13.- Once the online scanner gives you a clean result you can turn System Restore on and create a restore point. Hope it helps.

  4. Anonymous
    January 18, 2011 at 8:02 am

    Hi,
    I suggest booting to safe mode and scanning with ClamWin and Malwarebytes Anti-Malware. Also you need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s).

    so download OTL
    http://oldtimer.geekstogo.com/OTL.exe

    Run OTL

    Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]

    Then click the Run Fix button at the top
    Let the program run unhindered, reboot the PC when it is done

    This infection also changes your Windows HOSTS file; we want to replace this file with the default version for your operating system. You can follow this method for removal of the infection. It uses RKill to kill the malware.

    http://www.bleepingcomputer.com/virus-removal/remove-system-tool

    Here is another guide, and also there are some reg keys that you can use to register System Tool 2011 so the removal will be easier:
    http://www.bleepingcomputer.com/virus-removal/remove-system-tool
    This virus stores the bulk of its files in these folders:

    %AppData%\48541024
    %UserProfile%\Start Menu\Programs

    1) Start the computer in safe mode with networking

    • How to log into safe mode with networking
    • Log into the User Account where you have the Infection

    Navigate to the following location:

    • C:\Documents and Settings\All Users\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].exe (In Windows XP)

    • C:\ProgramData\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].exe (In Vista & Windows 7)

    And delete the infected file. Restart the computer into normal mode. The infection will not pop-up anymore.

    2) If the infection is preventing you going online then perform the following steps
    • Go to Control Panel --> Internet Options --> Connections --> LAN Settings
    • Uncheck the Proxy Server

    3) Make sure the product is up to date, else update the product

    4) Make sure that Windows is up to date

    Remove System Tool 2011 manually
    Another method to remove System Tool 2011 is to manually delete System Tool 2011 files in your system. Detect and remove the following System Tool 2011 files:

    Processes

    %AppData%\5648541024\5648541024.exe
    %systemdrive%\Documents and Settings\All Users\Application Data\oHaKo00902\oHaKo00902.exe
    %SystemDrive%\Documents and Settings\All Users\Application Data\[FIVE RANDOM LETTERS][FIVE RANDOM NUMBERS]\[FIVE RANDOM LETTERS][FIVE RANDOM NUMBERS].exe
    Other Files

    %AppData%\[random]
    %AppData%\5648541024
    %AppData%\5648541024\5648541024.bat
    %AppData%\5648541024\5648541024.cfg
    %UserProfile%\Desktop\System Tool 2011.lnk
    %UserProfile%\Start Menu\Programs\System Tool 2011.lnk
    %UserProfile%\Start Menu\Programs\System Tool\SystemTool2011.lnk
    %UserProfile%\Start Menu\Programs\System Tool\System Tool 2011.lnk
    %SystemDrive%\Documents and Settings\All Users\Application Data\[FIVE RANDOM LETTERS][FIVE RANDOM NUMBERS][FIVE RANDOM LETTERS][FIVE RANDOM NUMBERS]
    Registry Keys

    HKEY_CURRENT_USER\Software\System Tool 2011
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "5648541024"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[FIVE RANDOM LETTERS][FIVE RANDOM NUMBERS]" = "%SystemDrive%\Documents and Settings\All Users\Application Data\[FIVE RANDOM LETTERS][FIVE RANDOM NUMBERS]\[FIVE RANDOM LETTERS][FIVE RANDOM NUMBERS].exe"
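An added example, not from this thread: a Python check that flags Run/RunOnce autostart values whose image path matches the drop layout listed in the comment above (a folder under All Users\Application Data or ProgramData named with ten digits or five letters plus five digits, holding a same-named .exe). The path shapes come from the listing; the sample entries, the function names and the live winreg reader are my own construction.

```python
import re
import ntpath
import sys

# Name shapes quoted in the thread ("5648541024", "oHaKo00902") and the two drop directories.
RANDOM_NAME = re.compile(r"^(?:\d{10}|[A-Za-z]{5}\d{5})$")
DROP_DIRS = (r"documents and settings\all users\application data", "programdata")
# Image path of a Run value: optional quotes, everything up to the first ".exe".
EXE_TOKEN = re.compile(r'^\s*"?([^"]*?\.exe)"?', re.I)

def looks_like_system_tool_path(path: str) -> bool:
    """True for DROPDIR/NAME/NAME.exe where NAME has the random shape (case-insensitive)."""
    # Drop quotes, forward slashes and a drive letter or %SystemDrive% prefix before comparing.
    p = path.strip().strip('"').replace("/", "\\")
    p = re.sub(r"^(?:%systemdrive%|[a-z]:)\\?", "", p, flags=re.I).lower()
    parent, filename = ntpath.split(p)
    base, ext = ntpath.splitext(filename)
    head, folder = ntpath.split(parent)
    return (ext == ".exe" and head in DROP_DIRS and folder == base
            and RANDOM_NAME.match(folder) is not None)

def flag_autoruns(entries: dict) -> list:
    """Return the value names whose image path matches the System Tool 2011 layout."""
    flagged = []
    for name, command in entries.items():
        m = EXE_TOKEN.match(command)
        if looks_like_system_tool_path(m.group(1) if m else command):
            flagged.append(name)
    return flagged

def read_live_autoruns() -> dict:
    """Windows only: read the Run and RunOnce values named in the thread via winreg."""
    import winreg  # absent on other platforms
    keys = ((winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
            (winreg.HKEY_CURRENT_USER, r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"))
    found = {}
    for hive, sub in keys:
        with winreg.OpenKey(hive, sub) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):  # [1] is the number of values
                name, value, _ = winreg.EnumValue(key, i)
                found[name] = str(value)
    return found
# Constructed sample modelled on the thread's listing, plus a benign entry.
SAMPLE_RUN_ENTRIES = {
    "5648541024": r"C:\Documents and Settings\All Users\Application Data\5648541024\5648541024.exe",
    "oHaKo00902": r'"C:\ProgramData\oHaKo00902\oHaKo00902.exe" /start',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
if __name__ == "__main__":
    entries = read_live_autoruns() if sys.platform == "win32" else SAMPLE_RUN_ENTRIES
    print("Suspicious autostart entries:", flag_autoruns(entries))
```

A hit only means the entry has the shape the thread describes; confirm by locating the file before deleting anything, as step 12 of the comment above advises.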