System Tool Virus..... again

5 replies to this topic

#1 ummsalma

ummsalma

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:39 AM

Posted 27 February 2011 - 05:24 AM

Hi there

I've been got by this System Tool virus. I googled for removal instructions and found yours. I ran through them but it didn't work. Running Malwarebytes revealed nothing. I found that even the first few instructions were failing me as in the LAN settings for I.E., the box re proxy servers was unchecked to begin with. I access the internet by a mobile USB dongle and have not been able to use it at all (it doesn't get recognised in the infected computer but does in another) since infection.

Any ideas? Should I simply try another internet connection?

#2 ummsalma

ummsalma
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:39 AM

Posted 27 February 2011 - 05:57 AM

Wow - just fixed myself. Had to go through an incredible amount of different options, different instructions. This is what worked for me, and I found it on this blog: http://rogueantispyware.blogspot.com

"This can be removed in safe mode by running regedit.

The problem is it creates a random executable filename. You can find this name by going to Start - All Programs - System Tools. Right click on the actual shortcut and then Open File Location. That will give you the executable name. Write it down and then reboot to safe mode.

Remember when you run Regedit, you must be in safe mode as this rogue will try to protect itself by intercepting Regedit. It will tell you Regedit.exe is infected. Yeah, right. Just do it from safe mode and it will work.

In safe mode, click Start - Run. In the run box type regedit.exe. Then go to HKeyCurrentUser - Software - Microsoft - Windows - CurrentVersion - RunOnce and remove the entry."

I have Windows 7 and had to slightly modify this. Firstly, I did not have a folder in "All Programs". So I missed out this step and went straight to regedit.exe. Then as suggested, HKeyCurrentUser - Software - Microsoft - Windows - CurrentVersion - RunOnce - and then I had seen in other forum posts that the file has a long name with numbers and letters, very approximately 10 digits long.... I simply right clicked on this and hit delete... restarted the computer and problem solved.

Everything seems fine so far - but will be running virus checks throughout the day like I have OCD, I imagine....
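The manual steps in this post (inspect the HKCU RunOnce key, spot the randomly named executable, delete its value) as an added PowerShell example that is not from the thread or the linked blog. It audits each RunOnce value, flags names matching a rough "random letters and digits" heuristic (our own assumption, not a signature of this rogue), and exports the key to a .reg file before removing anything, so a mistaken deletion can be reversed with reg.exe import; $BackupDir and the -RemoveValueName switch are hypothetical names chosen here.

```powershell
# Added example (not from the thread): audit HKCU RunOnce, back it up, optionally remove one value.
# Assumes Windows PowerShell 5.1+ running as the affected user. Heuristics below are assumptions.
param(
    [string]$BackupDir = "$env:USERPROFILE\Desktop\runonce-backup",
    [string]$RemoveValueName   # name of the value to remove; omit to only audit
)

$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$RegPath = 'HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce'   # reg.exe syntax

function Get-RunOnceEntries {
    if (-not (Test-Path $KeyPath)) { return @() }
    $key = Get-Item $KeyPath
    foreach ($name in $key.GetValueNames()) {
        $raw = [string]$key.GetValue($name)
        # Extract the executable path from the command line (quoted path or first token).
        $exe  = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split ' ')[0] }
        $leaf = [IO.Path]::GetFileNameWithoutExtension($exe)
        $exists = Test-Path -LiteralPath $exe
        [pscustomobject]@{
            Name       = $name
            Command    = $raw
            Executable = $exe
            FileExists = $exists
            # Thread's observation: a bare run of mixed letters and digits, roughly 8-16 chars.
            RandomName = ($leaf -match '^[A-Za-z0-9]{8,16}$') -and ($leaf -cmatch '\d') -and ($leaf -cmatch '[A-Za-z]')
            # Legitimate installers' RunOnce tasks are usually Authenticode-signed; a rogue's dropper rarely is.
            Signed     = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status -eq 'Valid' } else { $false }
        }
    }
}

$entries = Get-RunOnceEntries
$entries | Format-Table -AutoSize
$entries | Where-Object { $_.RandomName -and -not $_.Signed } |
    ForEach-Object { Write-Warning "Suspicious RunOnce value '$($_.Name)' -> $($_.Executable)" }

if ($RemoveValueName) {
    # Back up before touching the registry: reg.exe export writes a re-importable .reg file.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ("RunOnce-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    reg.exe export $RegPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry export failed; not removing anything." }
    Remove-ItemProperty -Path $KeyPath -Name $RemoveValueName
    Write-Host "Removed '$RemoveValueName'. Restore with: reg.exe import `"$backup`""
}
```

Run it once without -RemoveValueName to see the table, then a second time with the flagged value's name; if the system misbehaves afterwards, reg.exe import of the saved file puts the value back.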

#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,831 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:39 AM

Posted 27 February 2011 - 03:53 PM

Hi ummsalma,
First of all, glad to hear you got this fixed and thank you for sharing your solution. However, I want to add a word of warning; you describe manually editing the registry in order to remove a value created by the malware. This is quite risky to do, especially without first making a backup of your registry.
If you make a typo or delete the wrong value, you can end up with a non-booting system, which may be a lot harder to recover than an infected one.

I do not recommend anyone to edit their registry manually, but if you need to do that, make sure to back up the registry first with a tool like Erunt.

In case you need any additional help making sure your computer is clean, just let me know!

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#4 ummsalma

ummsalma
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:39 AM

Posted 28 February 2011 - 03:05 AM

Hi Elise,

Thanks for that comment as it hadn't occurred to me it was risky and so it's great that even though it seems to be a good quick fix people need to be aware of that. It's a shame - I can see so many people are getting hit by this virus. Hope that everyone gets it sorted!

#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,831 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:39 AM

Posted 28 February 2011 - 05:47 AM

Rogues are indeed very annoying and unfortunately, very common these days. Another removal guide for System Tool can be found here

regards, Elise


#6 Vhulbert

Vhulbert

  • Members
  • 1 posts
  • OFFLINE
  • Local time:08:39 AM

Posted 02 March 2011 - 05:17 PM

ummsalma, make sure you go into safe mode with network connection enabled. Then you can access the internet. It is very important for Malwarebytes to be able to update to the latest data files. Older versions will not detect and remove 'system tool'.