Friday, November 5, 2010

System Tool 2011


System Tool 2011 is a rogue security product that pretends to find malicious code on a victim’s machine in order to frighten him or her into purchasing a useless application. It’s a clone of the 2008 Security Tool rogue.

System Tool 2011 warning screen.

System Tool 2011 graphic interface.

System Tool 2011 payment screen.

How to remove System Tool 2011:

Like the old System Security rogue of 2008, this one also hijacks the desktop. Once the infected computer is rebooted, the victim can no longer run any applications in normal mode: the rogue blocks executables (security tools, installers, system restore and the registry editor included) so that it cannot be removed from a normal session. The rogue does not load in safe mode, however, so booting into safe mode (press F8 repeatedly during startup) lets you delete it.

System Tool 2011 is fully polymorphic, so every sample is a different binary and file hashes are not a reliable indicator; it is distributed by third-party malware groups that bundle it with their own payloads.

It creates a randomly named folder in %COMMON_APPDATA% (C:\Documents and Settings\All Users\Application Data on XP, C:\ProgramData on Vista and 7; the folder is hidden) and drops its executable there. Readers report the folder and the executable sharing the same random name (for example bDdGkOp06300\bDdGkOp06300.exe) and an autorun value for it under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce; check Run, and the same two keys under HKLM, as well.

If System Tool 2011 has infected your PC, you should remove it immediately. Click here to use VIPRE to remove System Tool 2011 from your computer now. (VIPRE PC Rescue can be run from safe mode; do not run it alongside another installed antivirus product.)
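As an added example (not part of the original post, and not VIPRE's or any other vendor's code), the following PowerShell script audits the locations this post and the comment thread identify: the Run and RunOnce keys under HKCU and HKLM, and randomly named folders directly under %COMMON_APPDATA%. It assumes the naming pattern seen in the samples readers reported (a run of mixed-case letters followed by digits, such as bDdGkOp06300 or AgGmUmA08200) and treats that pattern as a heuristic, not a signature, so every hit should be reviewed before the -Remove switch is used. Run it from safe mode in an elevated PowerShell; without -Remove it only reports.

```powershell
# Added example: audit (and optionally remove) System Tool 2011 autorun entries and drop folders.
# Not part of the original post or of any vendor tool. Run from safe mode, elevated.
# Without -Remove the script only reports what it finds.
param([switch]$Remove)

# %COMMON_APPDATA%: C:\Documents and Settings\All Users\Application Data on XP, C:\ProgramData on Vista/7.
$commonAppData = [Environment]::GetFolderPath('CommonApplicationData')

# Autorun keys the rogue has been reported to use (HKCU\...\RunOnce most often).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: the random names look like bDdGkOp06300 or AgGmUmA08200, i.e. a run of
# mixed-case letters followed by digits. Heuristic only; review every hit before deleting.
$randomName = '^[A-Za-z]{5,}\d{4,}$'

function Get-ImagePath([string]$command) {
    # Reduce a Run-key command line ("C:\dir\x.exe" /arg or C:\dir\x.exe /arg) to its executable.
    if ($command -match '^\s*"([^"]+)"') { return $matches[1] }
    return (($command.Trim() -split '\s+')[0])
}

function Test-RogueImage([string]$image) {
    # True when the executable sits in a randomly named folder directly under %COMMON_APPDATA%,
    # the layout readers reported (e.g. ...\Application Data\bDdGkOp06300\bDdGkOp06300.exe).
    if (-not $image) { return $false }
    try {
        $folder = Split-Path -Parent $image
        if (-not $folder) { return $false }
        if ((Split-Path -Parent $folder) -ne $commonAppData) { return $false }
        return ((Split-Path -Leaf $folder) -match $randomName)
    } catch { return $false }
}

$hits = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata properties
        $image = Get-ImagePath ([string]$p.Value)
        if (Test-RogueImage $image) {
            $hits += New-Object PSObject -Property @{
                Key = $key; Name = $p.Name; Image = $image; Folder = (Split-Path -Parent $image)
            }
        }
    }
}

# Matching folders with no autorun value left (e.g. after a System Restore removed the
# registry entry but left the files behind). -Force is needed because the folder is hidden.
$orphans = Get-ChildItem -Path $commonAppData -Force |
    Where-Object { $_.PSIsContainer -and $_.Name -match $randomName } |
    Where-Object { $n = $_.Name; -not ($hits | Where-Object { (Split-Path -Leaf $_.Folder) -eq $n }) }

if (-not $hits -and -not $orphans) { Write-Host 'No System Tool 2011 indicators found.'; exit 0 }
$hits | Format-Table Key, Name, Image -AutoSize
$orphans | ForEach-Object { Write-Host "Suspicious folder without autorun entry: $($_.FullName)" }

if ($Remove) {
    foreach ($h in $hits) {
        Remove-ItemProperty -Path $h.Key -Name $h.Name -ErrorAction SilentlyContinue
        Remove-Item -Path $h.Folder -Recurse -Force -ErrorAction SilentlyContinue
        # Prefetch traces (NAME.EXE-XXXXXXXX.pf) are harmless, but readers noted them; clear them too.
        $base = [IO.Path]::GetFileNameWithoutExtension($h.Image)
        Remove-Item -Path "$env:windir\Prefetch\$base*.pf" -Force -ErrorAction SilentlyContinue
    }
    foreach ($o in $orphans) { Remove-Item -Path $o.FullName -Recurse -Force -ErrorAction SilentlyContinue }
    Write-Host 'Removed. Reboot normally, then run a full scan with an up-to-date antivirus product.'
}
```

Because the rogue blocks executables in normal mode, run this from a safe-mode session (Safe Mode with Command Prompt, then `powershell -ExecutionPolicy Bypass -File .\audit.ps1` from the prompt). A System Restore to a point before the infection, as several readers did, removes the registry value but not necessarily the folder; the orphan check above covers that case.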

97 comments:

  1. Thanks for the info, your blog is a great resource. I was amused to find this very scare tactic desktop wallpaper on an infected client at work.

  2. I urge everyone who has been victimized by this rogueware attack to contact the FBI and urge them to shut these scum down.

  3. This is a form of cyber terrorism or piracy. I urge everyone who is attacked by this virus to contact the FBI's IC3 division to shut these people down.

  4. Thank you so much for your blog. You're doing great work. Quick question (if you're taking them): I've been attacked with "System Tool 2011" and there doesn't seem to be any product that can find or remove it. Both Avira Premium and Malwarebytes miss the bug in their "full scans". I was able to download VIPRE but I cannot complete the installation. I get this error: "Windows Installer: The system administrator has set policies to prevent this installation". Is System Tool causing this? How can I change my settings to allow VIPRE to install?

    Thanks again

  5. This can be removed in safe mode by running regedit.

    The problem is it creates a random executable filename. You can find this name by going to Start - All Programs - System Tools. Right click on the actual shortcut and then Open File Location. That will give you the executable name. Write it down and then reboot to safe mode.

    Remember, when you run Regedit you must be in safe mode, as this rogue will try to protect itself by intercepting Regedit. It will tell you Regedit.exe is infected. Yeah, right. Just do it from safe mode and it will work.

    In safe mode click Start - Run. In the Run box type regedit.exe. Then go to HKeyCurrentUser - Software - Microsoft - Windows - CurrentVersion - RunOnce and remove the entry. If there is no entry for it there, try Run. I'd also check the same path in LocalMachine.

    Hope this helps.

  6. "You can find this name by going to Start - All Programs - System Tools. Right click on the actual shortcut and then Open File Location."

    When I do this the > folder for System Tool is empty. There is nothing to right click on.

  7. I did System Restore in Safe Mode and it worked fine :)

  8. My partner's machine got infected with this. I started it in safe mode and did a system restore. Then ran a spy/malware program to do a double check. This worked fine.

  9. Please find instructions for running VIPRE PC Rescue in safe mode here: live.sunbeltsoftware.com

  10. Thanks for the info, Carl. It really works.

  11. My PC has been infected with System Tool. I can't use VIPRE because I can't get into the PC even in Safe Mode. I can't get past the login screen because evidently ST has that screen disabled and I can't enter my password. Any suggestions to get past this? I have tried disabling the login, but it won't let me do that either.

  12. I got this virus, and restarting in safe mode and doing a system restore does in fact seem to work. I am however running a virus scan currently via AVG to see if it comes up with anything.

  13. I really appreciate this... I am so glad I came across this blog.

  14. Carl... you are a GENIUS!!!! I followed your directions and it worked :) Thanks everyone!

  15. Google "windows safe mode" and you will find out how to boot into safe mode.
    I just had the same infection.

    Following Carl's advice on "regedit", you will see a strange entry in "RunOnce". Just delete that entry and its associated path.

  16. Richard, if there is really no way for you to get in, just restore from backups (boot program of course) or boot/re-install fresh from CD. I was able to rid my niece's computer of this thing by booting into safe mode, deleting registry entries and running AVG + AdAware.

  17. Thanks for the great advice on how to remove the "system tool virus". Carl's directions running Regedit.exe worked perfectly and only took a few minutes. An awesome relief when I thought my computer and files were going to be very hard to get back. For those who don't know how to go to safe mode, also just hit F10 when your computer starts to turn on.

  18. System Tool didn't make a folder in startup. Any idea where else it could be?

  19. Andrew - you don't need to know the folder name or location. Do what they say above: boot into SAFE mode, run REGEDIT and delete the keys in RunOnce and Run. Check the Local Machine Run and RunOnce keys as well, but I didn't do that. Once you've done that, get a good antivirus. If you don't want to pay, get AVG Free - I've been using it for years without a problem. Also get AdAware (free) or another ad/malware detector and run it daily.
    If you are not familiar with Regedit, find a geek friend who is and he/she can do it or walk you through it.

  20. You don't need to know. Follow the instructions for booting into safe mode and run Regedit. If you don't know what this is or what it does, find someone who does.

  21. I have Vista, and every time I go to try and pull up safe mode it doesn't work. Can anyone help me?

  22. Thanks Carl! Regedit.exe worked PERFECTLY! Life saver indeed!

  23. It worked fine for me too, phew, what a relief. To get into safe mode do a fresh boot-up and, whilst you have the initial black screen, press F8 repeatedly.

  24. PS: To rid your PC of "System Tools", go into safe mode and do a restore. It worked for me.

  25. Yes, thank you Carl! I have been struggling with this for two days. It disabled my Avast, Spybot, Microsoft Security/firewall, and system restore. I installed Webroot in safe mode with no results. Your instructions saved the day!

  26. What a weekend nightmare... thanks Carl, you saved me!! OMG, I was horrified, thinking the worst. I was even more horrified when I installed "VIPRE" to remove it and it was just as bad!! The only saving grace I found was to remove the command line RunOnce from my startup in safe mode, and then I was able to do a system restore... I've been computing for a long time and this one got ME!! Thank you for this blog site, it sure has been a lifesaver, and also to my friend that found it for me!! Back to normal, let this be a big lesson!!!!

  27. @missfixit4u - please tell us why running VIPRE was a nightmare for you? It is a good program that removes this rogue if used properly.

  28. I couldn't find the file but sys restore did the trick for me.
    Thanks much

  29. After installing VIPRE, and my system rebooted to complete, I had a blue screen come up "again". Windows did not start up?? Just this blue screen. I should have printed it at the time... at the bottom of the screen it was talking about dumping files?? I did not see any instructions whatsoever, so again I panicked and ran in safe mode and uninstalled this application. Is this what normally comes up?? Or is it just my luck this weekend?? I think I am OK now; I set my system restore back to the day before any of this happened. Thanks to everyone for all their help, I would probably still be floundering!!

  30. Thanks missfixit4u.

    If you tried to run VIPRE with any other antivirus products already installed on your machine you may experience the blue screen. It's always good practice to only run one AV product at a time.

    Glad your PC is fixed!

  31. That makes sense!! thanks for all your help and support!! Keep up the great work, I know now where to turn if I need help again :)

  32. When I started the PC in safe mode I ran two spyware programs. One of the programs was Spy Doctor, which found the problem right away. The other program didn't see anything wrong. So I supposedly fixed the problem. When I restarted the PC in normal mode the virus was still there. So I tried to follow Carl's instructions, I go into the Start menu in safe mode and there is no Run option!!! I don't know what to do..... Please help. Thanks

  33. My laptop (running Win7 Home) was infected by System Tool and it worked up upon a new boot. I turned off the internet connection and rebooted the computer. MS Security Essentials seemed to take over and asked to clear a threat, which I approved. After that I restored the system to an earlier date when I am sure the computer was clean.

    Could some expert tell me whether this gets rid of the spyware completely? Thanks for response.

  34. ....so if you set your PC back to the day before it was installed, will it get rid of the program? Please get back to me ASAP.
    Thanks a lot

  35. You guys are talking about restoring the sys. But I don't know how to do that. Can someone help?

  36. OK, I usually don't post to these but I've got to chime in here! I didn't want to believe it because nothing else had worked and I was unable to get ANY AV or anything loaded with this frikin' thing. I followed Carl's instructions and voila... it worked! Thanks man!

  37. To cornellybelly: if your questions were directed at me, so far my laptop works normally and the spyware has not fired up again.

    To restore the system to an earlier date, click on "start" then "all programs" then "accessories" then "system tools" then double click on "system restore". Follow the lead and select an old date.

    Hope this helps.

  38. Well, I was lucky that the infection was only in one of two accounts, so I could just go into the uninfected account and clear it out. A couple of things to note; makes me wonder if that is common, so maybe even if you do not need one, create a second account so you do not have to use safe mode etc.
    1. In VISTA it was in the "Program Data" folder, as there is no COMMON_APPDATA that I could find
    2. This is of course a hidden folder so you have to view those
    3. It's easy to spot, but I suggest whenever you get infected to record the date and time as that helps identify the file

  39. I have tried F8. I click on System Tools and nothing happens. I can't get online to get something to fight this virus. I have ME and nothing thus far has worked. From what I have found out, this System Tool shuts down programs to save itself. Any suggestions?

  40. I, with intentions to clean up my files, paid for this spyware, as I got the same virus. Any info on how to refund my credit card??

  41. Ugh, I got this on my netbook tonight. Frustratingly, as I only have an 8GB solid state drive on it, there was zero space for a virus guard, and I had to disable system restore (I am only realising now what a mistake this is likely to have been). When I go to 'all progs', there is no 'system tool' folder at all. So there's nothing I can search for when I restart in safe mode. The only saving grace is that there are no files saved on the computer that aren't backed up somewhere, so it's not the end of the world to reinstall everything (except I don't know how). I also don't think I would have the memory to put VIPRE on there either, as I only have 35MB spare (tiny tiny hard drive) and I can't find anything to delete to make space! Any tips for finding the file if it's not under 'all progs'?

  42. It took me 4 hours of trying, but I think I've finally cleared it out - thanks for all the ideas above, I think a mixture of them worked in the end. I found the file by renaming taskmgr as iexplore and then looking through the process list to find the file name. Then I logged into the other account on my laptop (thankfully only one account was infected, it seems) and searched for the file and deleted it. So far so good. Now I just need to find a way of installing a virus guard with my pitifully small solid state memory. Thanks to all for the above advice - I am not good with computers but it was all very straightforward to understand and, fingers crossed, it's got rid of it.

  43. At the moment I am downloading McAfee as I have just bought a one year subscription to it. My question is, if you're taking them, will McAfee detect ST and fix it?

    Or do I have to get VIPRE?

  44. Where do I download Regedit.exe? Can't find anywhere!

  45. I found the regedit already on my CPU - sorry! But there is no folder for "System Tool". Will the regedit find and remove it if I do not know the file name? Sorry for all the questions. I am thankful to find this website.

  46. ^^ What I did to find the file name was go to search, search taskmgr, and rename it as iexplore (without an r on the end). This enables you to open Task Manager. Look on the process list for a weird name that usually has alternate capital and lower case letters (mine was something like AgGmUmA08200); you should also be able to see there where the file is saved. From there, you can stop the process, but until you remove it off the computer completely, it will keep popping up at each startup. To actually remove it, try one of the above - some people find restarting in safe mode and regedit.exe works, some have run virus guards, others have used system restore points. I managed to log into the other 'guest account' on my laptop that wasn't infected and delete it from there. But that is how I found the filename when I had no 'system tool' folder.

  47. These are all wonderful suggestions, BUT the creators of this monster must have updated it. Hitting F8 of course gets into Safe Mode, but the machine (Dell WIN XP SP3) does NOT go into Safe Mode. Cannot use the CMD line. Cannot use REGEDIT in the RUN box. So if there are any more suggestions, they would be appreciated.

  48. Hi, sorry to trouble all, but I am a bit technologically challenged! I have this System Tool hell on my Dell laptop with Vista and, whilst I can get into safe mode, I can't see the Start - All Programs - System Tools as mentioned by Carl, nor any ability to "run" this regedit - do I just type it in? Any help to a learner would be much appreciated! Thanks

  49. Thanks Carl, great tutorial.

    @Lucy- in the Windows START menu, you should see an option called "RUN". Click RUN then in the new box type in regedit and click OK. Then simply follow Carl's earlier instructions to delete the entry. This worked for me!

  50. .. if you can run from Windows Start > Run, then just type regedit in there; the system path will find the app.

    I just removed mine without editing the registry (because I had read a different thread first).
    Started up the netbook, then held F8 as it started, selected Safe Boot -> Cmd Prompt.

    Then from the command box moved to c:\users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories and it was in a sub-dir below that.
    I found it easier from the cmd prompt as some of the folders are hidden to the file manager.
    Deleted everything there, and then in c:\ProgramData (also hidden) deleted the oddly named folder there ...

    I've since checked the registry, and nothing there now, and all working fine again.

  51. Hi,

    I'm having a similar problem to Greg. I can't run or open anything, even in safe mode. Every time I try to run or open a file by double-clicking, I get the "Open with" box pop up. So, if I try to download "malaware" or "HiJackThis" etc., I get the same result. The only reason I can use the internet to write this post is by clicking on the link in the "Open with" box to "look for the appropriate program on the Web". Any help you can provide would be much appreciated.

    Nick

  52. Thank you so much, you saved me from a $130+ repair!! I started in safe mode and did a system restore and it works now. I love you forever

  53. Hello, for anybody struggling with the virus: if you have another account on that computer, simply go on it and do a system restore. This will restore the entire computer for ALL accounts, getting rid of the rogue virus. Hope this helped

    Josh and Sara

  54. My husband had this virus on a laptop after clicking a link on a website about the film 'Hot Fuzz'. It took me hours to sort it out, nothing would open and none of the security software worked, it was a nightmare.
    I had to open Windows XP in safe mode and then download something called rkill from bleepingcomputer.com. Then, without rebooting, I restored settings to a date before the virus and clicked 'no' when asked if I wanted to stay in safe mode, to get back into usual Windows XP. The settings having been restored, I then updated the Microsoft security software and finally warned Hubby to be more careful when clicking on links and to update his security software more often!

  55. Thank you Carl the genius - worked for me too :-)

  56. Can you tell me what file I look for in the system registry? Thanks

  57. I have the System Tool 2011 virus and am trying to follow the instructions for removal, but when I hit the Start button (Win 7) and All Programs there is no System Tools listed. Help please.

    Bob

  58. THANK YOU THANK YOU THANK YOU!!! Truly I feel so fortunate to have found this blog and all of the very helpful comments here!!!!!

    If you can get to safe mode in your administrator account, try creating another user profile from there--that's what I had to do--and then switch over to it and you can access the internet and download programs much more easily.

    This virus is a whopper; whoever created it must really have a cold, rotten heart.

    But thanks to folks helping each other in places like this one, the problem can be solved!!

    Thank you Carl--the Regedit worked like a charm. Found "RunOnce" under "Run" and erased it. Too bad I already dropped $$ on STOPzilla, which TOTALLY did not fix the problem. I even called their customer support line and was told that they could help me for another $200. RIDICULOUS!!!

    Thank you so much. I am so grateful and relieved. I was so afraid that I would be out a chunk of cash on repair fees.

    Good luck everyone!!!!!

  59. Well folks,
    I struggled through this problem and tried a few suggestions. Finally I opened a new ADMIN account during safe boot. The darn trojan didn't jump over, so from there I deleted Microsoft Security Essentials, loaded Comcast's free Norton Security Suite and ran a scan. POOFFFF, all gone! It found 2 new trojans. I'll review the registry tomorrow when I am awake to see if there are any items mentioned above.

    BASTARDS!!!

  60. I've read through your blog and comments but nothing seems to help. I've tried to download numerous anti-virus programs but System Tool will not let any of them run. As soon as I try to run the programs a pop-up is displayed which says 'Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access this item.' I have also tried to run system restore and this message is once again displayed.
    I have had problems when trying to access safe mode. I've read on the internet that you can do this by repeatedly pressing F8 as soon as you turn your computer on; however, nothing is ever displayed and the netbook just runs as normal.
    I would be very grateful if anyone has any ideas of what I could do next. I should also add that it is my netbook which is infected, which does not have a CD drive.

  61. I want to say thank you so much to Carl - without his advice on using 'safe mode' to get rid of this nightmare virus, I would have given up and bought a new computer. Thanks Carl.

  62. I know you guys might have already answered this question, but I'm gonna ask anyways =D

    I am helping a coworker. We work in a law office and he has all his clients' paperwork on his computer. Well, he got this virus. I'm pretty good with computers so I've been trying all morning to remove it. This is my main issue. When trying to start it up in safe mode, I press F8 about every other second. It WON'T load up. It just sits there and runs, but never fully turns on. When I force it to power down and don't try to open it in safe mode, it loads up fine. But I can't do anything fast enough before the virus pops up. (I had this on my personal computer once and I realized if I worked fast enough I could destroy the virus before it loaded, then run a program to fix it.)

    Do any of you know why the computer might not be loading in safe mode? Is there an alternative to load it in safe mode? Please help, because we can't afford to have to do a system restore.

  63. I have Windows Vista and every time I go into safe mode it starts loading Windows files and then says please wait... 15 mins later and still nothing. What do I do?!?

  64. It looks like System Restore in W7 works. You have to request it in Safe Mode and then reboot. Then I updated Microsoft Security Essentials and ran a quick scan. I'm now running a full scan but everything looks good so far.

  65. btw, my son claims he got infected by YouTube, but I'm inclined to think it might have been a site his mother would disapprove of.:)

  66. What a horror! I have just managed to get rid of this f*cking thing from a WinVista PC. It's almost as if the creators of it are reading this blog and plugging every fix as it's published! I had to F8/Repair/Restore as the regedit route didn't shift it, and every attempt at installing a Malware fix failed with something like "not executable" or "invalid file format". Has anyone reported these people to the FBI or Interpol?

  67. Thank you, Carl. Spent all day on this stupid thing until I found your blog. Here is my question... How did this thing get around my antivirus in the first place??

    Vince in Maryland

  68. This blog was extremely helpful. I got this virus, did a system restore in safe mode and it seems to be okay now.
    Lucky I got it and not my BF; he would have panicked and put in his card details, but as I know I'm up to date with my virus protection there was no way I was going to pay more, so I knew it had to be a complete scam.
    I've run a ParetoLogic scan but it's not picking anything up, and I've also run CCleaner and nothing is showing.
    Can I safely assume the system restore solved the problem and the virus has gone, or is it hiding and ready to pop up and scare me again?

    Thanks again for the advice here, and so glad you popped up on my Google search of the problem.

  69. Irene, the machine I fixed with Safe Mode/Restore has been running fine for 3 days now.

    Amanda, try the regedit fix above.

    Anyone who wants me to help them remotely, go to
    www.bestgotoassist.com and send me an email. Mention you're coming from this blog and I'll waive the $8.95 fee. Of course if you can't get to the internet from the infected machine, we may have a problem:).

  70. Carl is a lifesaver. Followed your directions and so far so good. Saved the wife's computer.

  71. I spent a couple of hours trying all kinds of things to get rid of this virus - and it was blocking EVERYTHING! I couldn't even access the internet in safe mode. Finally, I tried a system restore in safe mode...and it *worked* yipee! :) :)

  72. I am glad you got it. I am having nothing but trouble with this mess.

  73. I'm glad you got it. I am having a heck of a time getting this off here!

  74. For those of you who cannot find the "Run" command, simply go to Start > All Programs > Accessories and click on "cmd". This will take you to the DOS prompt. Then type in "regedit" (without the quote marks) and hit Enter. Regedit will start and you can clean the registry.

  75. @Carl.. you are a true genius, man... I owe you for this definitely... I was so terrified by this spyware... and I didn't want to format my computer and lose all my documents and files... I tried myself a lot but couldn't figure it out, but dude, what you told worked fantastically... and for the one who created this spyware, F*** you man!! (pardon my language) but he deserves it. Thanks a lot again, Carl!!

  76. You have no idea how much trouble you've saved me. I spent about 5 hours trying to resolve this issue before I stumbled on your blog. I followed the instructions and it worked.

  77. I've never posted anything, but this time I feel obligated: listen to Carl, DEFINITELY! Safe mode, Run, regedit.exe, etc, etc. It worked just fine for me. Thanks Carl!

  78. My daughter's Dell Inspiron came down with the System Tool blight last night. Googled it and came upon this thread. She has Vista. Followed Carl's advice from 12/21/10 and it worked to a "T". Started it up pressing down on F8. Got to the DOS screen and hit F8 again and chose Safe with Command Line. Put in regedit.exe next to the existing command line and followed Carl's instructions: went to HKeyCurrentUser - Software - Microsoft - Windows - CurrentVersion - RunOnce and deleted the alphanumeric entry (left the default entry in). Said a quick rosary as I rebooted the machine and voila! Carl, you're a good man!

  79. Anyone find it odd that this thing just seemed to pop up out of nowhere here recently?

    What, new owners of this 'System Tools' virus?

    Yeah, a Safe Mode with a System Restore works fine. And, you don't have to scan afterwards, but if you want to that's good, too.

    It's gone with a System Restore.

  80. Thank you so much!!! I run Windows on Parallels and was at a complete loss as to what to do because I am a Mac person. Doing a system restore in safe mode did the trick. Thank you so much for taking the time to help us poor unfortunate souls who were attacked by this virus!

  81. Thanks Carl, removing the reg key did the trick beautifully.

  82. Frustrated. I booted in safe mode but the system restore has all been deleted, or I can't see it. It tells me there is no date to revert to. I can get into Regedit but cannot find any line that has RunOnce in it. Any other suggestions?

  83. Thank you so much Carl, I ran regedit and it worked first time.... Whoever makes these viruses up is sick... they must have plenty of spare time on their hands..... From Karol, Derry City, Ireland

  84. How do I get my money back for this non-existent software? I've tried with my cardholder but can find no support to get this taken care of. Should I delete this before I can resolve the money issues?

  85. I am trying to get into safe mode on Windows 7. Pressing F8, trying F10, still not working. I tried opening 'msconfig' in search to set the 'boot' tab for safe, but this ST will not allow anything to open so I can follow the instructions above..... anybody PLEASE....lol...

  86. Not only did I have to remove all entries in RunOnce,
    I also had to remove a randomly created folder under %COMMON_APPDATA% which was created by the "System Tool" virus. Generally the Malwarebytes program had removed all my infections, but System Tool escaped this.
    Thank you rogueantispyware.blogspot for saving my PC

  87. Thanks a bunch. It worked by removing the specified items in regedit.

  88. Got infected with System Tool today, pain in the rear, amused at the desktop warning though. System restore through safe mode sorted it, also got free Avast protection... nice when it's free. Realised it was a scam when it took me straight to the payment screen... yeah right... gotta get up earlier than that to catch me out.

  89. I got the "System Tool" virus/malware yesterday. Tried the normal methods: complete scan with MS Security Essentials, System Restore (but could not get to that application in Normal Mode). Tried loading StopZilla but it wouldn't load. Called StopZilla; they recommended I take my PC to Best Buy and Geek Squad could probably fix it in a week, or... he could connect me to a tech for $129.95 and they could fix it in about 3 hours. Decided to try Safe Mode (striking F8 repeatedly on reboot), got to Safe Mode and was able to restore the system to a point 6 days earlier. It has been about an hour and all seems OK.

  90. So in order for this to work do I have to always be in safe mode? I am in safe mode now and it works fine, but if I were to restart my computer System Tools will still be there? How do I get rid of it permanently, or will I forever have to be in safe mode?

  91. I just want to join those people thanking Carl for his advice. This thing took hold of the most important PC in my wife's business, but following Carl's directions, I managed to remove it using RegEdit.

    It's good to know that there are genuine people like Carl who offer their advice for free and don't try to sell you another anti-virus or software removal tool. Thanks buddy!!

    Toni.... follow Carl's instructions carefully. RunOnce is the final folder you click on (after clicking on CurrentVersion) that will show you the entry/file that holds the infection. Remove/delete this file and reboot your PC.

  92. Thanks Carl.

    VIPRE ran for ages, then the problem was not resolved. Use Carl's method, but you still need to clean the program somehow.

  93. Well, let me tell you the depths of how bad this virus is. First off, I needed this repaired ASAP so I fell for the scam and purchased the program. I was alerted by Chase Bank security within three hours, where I found out I fu-ked up! I closed my personal bank account ASAP and took the computer to a pro who fixed it... but there was still a good five-day period I was using the computer with the virus. I then learned last week that hackers broke into my business account and attempted to steal thousands!!! I know it all happened from the wonderfuk country of Azerbaijan near Afghanistan. IF YOU GET THIS VIRUS YOU MUST UNPLUG YOUR INTERNET CONNECTION IMMEDIATELY UNTIL IT'S GONE! There is possibly a keylogger attached. SERIOUS RISK VIRUS!!!

  94. Carl, you are probably tired of hearing this, but you are a genius. I thought the worst when I started reading up on this virus, how it can take your personal information and could lead to a lot of bad stuff. I have so much on this computer, from pictures to music, and to think I almost had to do an entire system restore. Thank you again for your help.

  95. My husband was on Facebook this AM, and his computer was infected with System Tool 2011.
    I have the Zone Alarm firewall installed, and it alerted us that an executable was trying to access the internet. I denied access, and noted the exe name (bDdGkOp06300.exe).

    The PC had the blue screen of death before I could do anything, so on boot-up I selected CTRL-ALT-Delete, and when Task Manager started, I removed the application (bDdGkOp06300.exe).

    I then performed a file search and found this file name in the C:\Windows\Prefetch directory, where I deleted the file.
    I also deleted the file directory and executable in C:\Documents and Settings\All Users\Application Data\bDdGkOp06300\bDdGkOp06300.exe

    I also deleted all entries with this filename in the Registry using Regedit.

    I downloaded Ad Aware latest free version and installed it, since it has a program that runs in the system tray which hopefully will alert us to any new attempted infections.

    Thanks for the blog and the info on this devious plot to outwit PC users - Glad I own a Mac!
