System Tool 2011 removal

Note: We disclaim any affiliation with the creators of System Tool 2011 rogue antivirus.

Welcome to the removal guide for System Tool 2011. This is to be considered a self-help guide, and the Security Team at this site does not assume responsibility for direct, indirect, or consequential damage to your computer as a result of doing the step-by-step guide below.

System Tool 2011 is a new rogue antivirus program. This program is installed on your computer, usually by Trojans.

Once the program is installed, it will begin displaying fake security alerts, including advice about removing viruses. Upon execution, it will scan your computer and find fake threats, and then it urges you to purchase its software in order to protect your computer and/or remove the threats.

Upon further infection, the program will display a Desktop wallpaper, a blue screened message warning you about your computer being infected and your information being at risk (shown below).

Normal uninstall is usually not possible with rogue antivirus software, which is why these instructions must be particularly followed.


System Tool 2011 screenshot


:::FAKE ALERT:::




:::Wallpaper:::




List of files associated with this rogue:

XP
-Random files in %temp%.
-%systemdrive%\Documents and Settings\All Users\Application Data\oHaKo00902 (Random folder)
-%systemdrive%\Documents and Settings\All Users\Application Data\oHaKo00902\oHaKo00902 (Random file without extension)
-%systemdrive%\Documents and Settings\All Users\Application Data\oHaKo00902\oHaKo00902.exe (Random file & dropper)


Vista and 7
-Random files in %temp%.
-%systemdrive%\Users\All Users\Application Data\oHaKo00902 (Random folder)
-%systemdrive%\Users\All Users\Application Data\oHaKo00902\oHaKo00902 (Random file without extension)
-%systemdrive%\Users\All Users\Application Data\oHaKo00902\oHaKo00902.exe (Random file & dropper)

Note: %temp% refers to the following locations, based on your version of Windows:

Windows XP: C:\Documents and Settings\{USER}\Local Settings\Temp

Vista/7: C:\Users\{USER}\AppData\Local\Temp

%systemdrive% refers to the drive your infected system is on...for example, C:\.


To be able to see some of the folders, you need to enable windows to Show all Files and Folders
Instructions for your Operating System here

Shows up as installed program: SystemTool2011

List of Registry entries associated with this rogue:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RANDOM"="c:\Documents and Settings\All Users\Application Data\RANDOM.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"RANDOM"="c:\Documents and Settings\All Users\Application Data\RANDOM.exe"


List of HijackThis entries associated with this rogue:

O4 - HKCU..\Run: [RANDOM] C:\Users\All Users\Application Data\RANDOM\RANDOM.exe ()
O4 - HKCU..\RunOnce: [RANDOM] C:\Users\All Users\Application Data\RANDOM\RANDOM.exe ()


How to remove this rogue


STEP 1 - First tasks

• Restart your computer. On log on, immediately do the following before the alerts popup:
  
• Press CTRL+ALT+DELETE or CTRL+SHIFT+ESC. Windows Task Manager should launch.
  
• Find the 10 character random process oHaKo00902.exe, select it, and press End Process.
  
• Exit Task Manager.

STEP 2 - Clean rogue files

Download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista or 7, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start
  button to begin the process. Depending on how often you clean temp
  files, execution time should be anywhere from a few seconds to a minute
  or two. Let it run uninterrupted to completion.
  
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
  

STEP 3 - Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware from Download.CNET.com.
Alternate link: BleepingComputer.com.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
  

STEP 4 - Infection gone?

Check to see if the infection is gone.

If the infection is not gone, then please do the following:

• Read and follow the steps in this topic.
  
• Then, post a new topic containing those logs in this section.

If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

Hi Guys

I just got rid of System Tool 2011 thanks to your help

Keep up the good work....

Cheers
Wayne

is there another way to remove system tool 2011 if your way does not work. i can not open task manager

Please reboot to Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode with Networking option from the menu).

Then, try again and see if that helps.

DragonMaster Jay wrote:Please reboot to Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode with Networking option from the menu).

Then, try again and see if that helps.

You can open task manager in safe mode, but the process doesn't run in safe mode, so you can't do anything with it there.

There is only like three seconds to bring up task manager and end the process before the System Tool blocks everything. I haven't been able to get to it fast enough. Is there any way to get more time? Or just another way in general?

It took me a couple of tries to find the process and shut it off before it activated. However, the random process name you described was not the one I found. I am assuming that the random process name has or can change. Mine was something like "pkni06301.exe" (I might be missing a digit in there). It was the one process that didn't seem familiar to me. Once I end that process, the rougue software did not activate and I was able to do the TFC scan and then run Malware-Bytes. So, thanks. And for anyone that is having trouble, from my experience, the random process name could change.

I was able to remove the active content of the rougue antivirus (as I just posted). However, I just noticed that the system tool 2011 is still in my start menu, which would lead me to beleive that I could have this problem start all over. How do I remove it off of my machine from here?

I'm having the same problem as Rubix. My pc appears to be ok but the system tool 2011 is still listed under programs on the start menu.

Did get rid of this nasty. Same as Rubix, the file changed but was different than listed, so it must be changing. To take it off the start menu, just right click and then click delete. Rebooted twice and soooo far so good. Thanks for ALL the help. Phewwww, I am soooooo happy now.

Thank you very much for all your help! I followed your directions for removing system tool 2011 virus from my pc and it is totally GONE! WoW- Thank you. That was a malicious virus-totally had control of my computer! Thanks again!

System Tool 2011 just completely took over my computer and won't allow me to do anything.

I followed your advice, but this thing is so fast. I tried to be faster than it, then the Task Manager Bar area is empty. In just a split second, this nasty thing popped up again and prevented me from accessing Task Manager.

I tried 6 or 7 times, and nothing worked. The computer is a one month old laptop with Window 7.

Hi Iris Iris and welcome to UltimateGeekTaskForce forum.

Please read this topic and post your problem in Malware Threat Removal forum.

I tried running Malwarebytes in safe mode and it is not finding any threats. I have tried this twice and still nothing.

krazed79 wrote:I tried running Malwarebytes in safe mode and it is not finding any threats. I have tried this twice and still nothing.

Are you sure that you're infected ?

yes it's popping up like crazy I can't run any one of the internet systems and also task manager