
Saturday, October 23, 2010

How to remove System Tool (Uninstall Guide)

System Tool is a rogue security program that deliberately reports false system security threats on the computer. System Tool 2011 only pretends to scan your computer for malicious software. It claims that your PC is infected with Trojans, computer worms, dialers and other malware. System Tool was created to make you think that your computer is infected with all sorts of malware. It is nothing more than a scam. The victim is then prompted to pay for a full version of the program to remove the threats or infections. So, obviously, you shouldn't buy this bogus software. And, of course, you should remove System Tool from your computer as soon as possible. We've got the removal instructions to help you remove System Tool from your computer for free using legitimate anti-malware software. Please follow the removal instructions below.

A screen shot of System Tool malware

(Thanks to rogueamp)

Usually, this fake program has to be manually installed. But it can also be installed through the use of Trojans without your knowledge and permission. That's why you should keep your anti-virus software up to date and make sure that Windows, web browsers, Flash Player, Java and other software are updated.
System Tool is from the same family as Security Tool scareware. This rogue uses aggressive tactics to trick victims into purchasing the full version of the program. First of all, it displays false system security threats. Furthermore, System Tool blocks any executables that you attempt to run and claims that they are infected. It displays the following error message when you attempt to run any program:
Application cannot be executed. The file notepad.exe is infected.
Please activate your antivirus software.

System Tool displays fake security warnings and notifications as well. It will even change the background of your Windows desktop. Here's how it reads:
Your're in Danger!
Your Computer is infected with Spyware!

All you do with your computer is stored forever in your hard disk. When you visit sites, send emails... All your actions are logged. And it is impossible to remove them with standard tools. Your data is still available for forensics, and in some cases

For your boss, your friends, your wife, your children. Every site you or somebody or even something, like spyware, opened in your browsers, with all the images, and all the downloaded and maybe later removed movies or mp3 songs - ARE STILL THERE and could break your life!

Secure yourself right now!
Removal all spyware from your PC!

The rogue program will also claim your private information and PC safety is at risk or that Windows has detected spyware infection. The warning message that you will see is:
Warning: Your computer is infected
Windows has detected spyware infection!
Click this message to install the last update of Windows security software...
Security Monitor: WARNING!
Attention: System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files. Your private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need to update your current security software.
CLick Yes to download official intrusion detection system (IDS software).
The biggest problem is that System Tool terminates all the programs on your computer. You will have to restart your computer in Safe Mode with Networking and scan the system using the anti-malware software listed below. Please follow the removal instructions below. It goes without saying that System Tool is nothing more than a scam. If you have already purchased it, then please contact your credit card company and dispute the charges. If you have any questions or additional information about this virus, please leave a comment. Good luck and be safe online!

UPDATE: you can register System Tool 2011 by using these codes:
(This should make the removal procedure a lot easier)


Thanks to S!Ri for these codes!

System Tool removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here:

NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET NOD32 Antivirus.

Alternate System Tool removal instructions using HijackThis or Process Explorer (in Normal mode):

1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed copy of the HijackThis tool from TrendMicro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, then download explorer.scr and run it.

2. Look for an entry like this in the scan results:
O4 - HKCU\..\RunOnce: [dfbLa00902] C:\Documents and Settings\All Users\Application Data\lGAlF00902\lGAlF00902.exe

The process name will be different in your case ([SET OF RANDOM CHARACTERS].exe); it is located in:
C:\Documents and Settings\All Users\Application Data\ in Windows XP
Select all similar entries and click once on the "Fix checked" button. Close the HijackThis tool.

OR you may download Process Explorer and end System Tool process:
  • [SET OF RANDOM CHARACTERS].exe, i.e. lGAlF00902.exe
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET NOD32 Antivirus.

System Tool associated files and registry values:

  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS]
  • C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe
  • C:\ProgramData\[SET OF RANDOM CHARACTERS]\[SET OF RANDOM CHARACTERS].exe (Windows Vista, Windows 7)
Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[SET OF RANDOM CHARACTERS]"
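
The HijackThis check from step 2 can also be run over a saved log. The Python below is an added example, not code from this guide or from HijackThis: it flags O4 autostart entries whose target has the `<folder>\<name>\<name>.exe` layout under the folders this page names. The sample log is constructed around the one entry quoted above; treating `Run` like `RunOnce` and the letters-then-digits name shape are assumptions drawn from the names reported on this page.

```python
import re
from ntpath import normpath, split, splitext  # Windows path rules on any OS

# Parent folders this page names as System Tool locations.
# The user name in the Roaming path is matched with a wildcard.
ROOT_RE = re.compile(
    r"^(?:c:\\documents and settings\\all users\\application data"
    r"|c:\\programdata"
    r"|c:\\users\\[^\\]+\\appdata\\roaming)$",
    re.IGNORECASE,
)

# HijackThis autostart line: O4 - <hive>\..\<key>: [<value name>] <command>
# Simplification: only HKCU/HKLM entries are parsed.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKCU|HKLM)\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<value>[^\]]*)\] (?P<cmd>.+)$"
)

# Executable path at the start of the command, with or without quotes.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.exe)', re.IGNORECASE)

# Assumption: names reported on this page (lGAlF00902, oDeNa8200, ...)
# are a short run of letters followed by digits.
NAME_SHAPE_RE = re.compile(r"^[A-Za-z]{4,8}\d{3,6}$")


def classify(line):
    """Return a finding dict for a suspicious O4 line, otherwise None."""
    m = O4_RE.match(line.strip())
    # Assumption: Run is checked as well as the RunOnce key the page lists.
    if m is None or m.group("key") not in ("Run", "RunOnce"):
        return None
    exe = EXE_RE.match(m.group("cmd"))
    if exe is None:
        return None
    path = normpath(exe.group("path"))
    folder_path, filename = split(path)
    root, folder = split(folder_path)
    stem = splitext(filename)[0]
    # Core rule: <known root>\<name>\<name>.exe
    if not ROOT_RE.match(root) or folder.lower() != stem.lower():
        return None
    return {
        "hive": m.group("hive"),
        "key": m.group("key"),
        "value": m.group("value"),
        "path": path,
        # The name shape separates likely hits from vendor folders that
        # happen to share a name with their executable.
        "confidence": "high" if NAME_SHAPE_RE.match(folder) else "medium",
    }


def scan(log_text):
    """Classify every line of a HijackThis log and return the findings."""
    findings = []
    for line in log_text.splitlines():
        finding = classify(line)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log. Only the dfbLa00902 line is quoted from this page;
# every other line is made up for the example.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\RunOnce: [dfbLa00902] C:\Documents and Settings\All Users\Application Data\lGAlF00902\lGAlF00902.exe
O4 - HKCU\..\Run: [AcmeSync] "C:\ProgramData\AcmeSync\AcmeSync.exe" /background
O4 - HKCU\..\Run: [Updater] "C:\ProgramData\Vendor\Updater.exe" /silent
O4 - HKCU\..\RunOnce: [xyz] C:\Users\alice\AppData\Roaming\aBcDe01234\aBcDe01234.exe
O4 - HKLM\..\Run: [Foo] C:\Program Files\Foo\Foo.exe
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["confidence"], f["hive"], f["key"], f["value"], f["path"])
```

A "medium" result only means the layout matches; check the file's creation date and publisher before deleting anything.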


Rachael said...

I have a gigantic problem, somehow I got both the system tool and thinkpoint virus and they are working against each other when I try either of the tutorials for removal. Do you have any suggestions?

Anonymous said...

How about just booting up in safe mode (f8) and then going to help and support and running system restore to a date before the computer was infected?

Admin said...

Just give it a try. It might help. After that scan your computer with Hitman Pro. Good luck!

Ashok said...

worked!!! Actually the malware resides in c:\documents and settings\all users\application Data\[Folder name with weird name]\foldername.exe.

I have deleted the folder using safemode...that's it..everything gone. Earlier I had tried Malwarebytes but it didn't help...but the other way did the magic.

Anonymous said...

Alternate System Tool removal instructions using HijackThis or Process Explorer (in Normal mode) ---- This one worked for me

Anonymous said...

Ashok's solution worked. It was very simple to kill. It's only one stupid #@$% exe. You can find the exe details by going to another user's login...this is because that exe affects only one particular account mostly. Find the location of the exe from task manager (show all users processes) and the name will be a random list of letters. First kill the exe and then the folder (usually of the same name). That should do it!

Anonymous said...

I use Eset NOD32 4 x64, and this malware disabled it and somehow installed bypassing UAC.

Notice was sent to eset

Anonymous said...

Thank you so much for the tips! I used the first one (starting up in Safe mode)on my daughter's computer. I updated and ran the Malwarebytes that is currently on her computer and it found it within seconds. I did run a full system scan and not one other virus, malware or spyware was infecting it. Again, thank you!! I just knew there had to be a solution to this seemingly horrible problem. Luckily, I am an IT major and knew what it was when I had encountered it.

bestkidspa said...

As Ashok found, Malwarebytes was no good for me. But I did find the folder and file c:\documents and settings\all users\application Data\[Folder name with weird name]\foldername.exe. I deleted everything in the folder, then the folder.

Computer booted fine with no further indication of infection.

Annie said...

Hi! This post was just tweeted to me. I located the primary folder in Win7 by right-clicking the desktop shortcut in Safe Mode and deleted the folder. Guess I caught it fast enough cause so far I have not located any changed registry entries, only a few more shortcuts pointing to that folder. Good luck to any who get this infection!

Anonymous said...

Malwarebytes was no good for me either. Ashok's solution of deleting the file in safe mode worked for me too.

Anonymous said...

The malwarebytes software didn't help me this time and I can't find the folder referenced above (documents and settings). Does anyone have any other suggestions on where the malware might be or what else it could be called?

Anonymous said...

anyone know what you can do when by the time you know you have it youre already locked out of everything. booted in safemode ran malwarebytes, said it found one infection and deleted it but apparently it wasnt it since i still have it, it wont let me do anything

Anonymous said...

Malwarebytes deletes it for me and everything is clean ... until I turn my computer back on! Each time I clean it and turn it back on, it comes right back again. Will it get rid of it if I just flipping delete my user account on my PC because it is only in my own personal account. When I use my administrator account it is not there. WTF?

Do you guys know where you got this virus from? I don't go to a lot of websites so I am rather confused.

Anonymous said...

This was a tricky one.

I have a USB keyboard which made it tough to get into Safe Mode. I ended up having to yank power while the computer was booting Windows, which then allowed me to get into Safe Mode and run antivirus stuff.

The next problem was that none of my usual programs were able to deal with the problem. I eventually found this page, went into the folder described by bestkidspa above, and found the System Tool 2011 stuff lurking there. I deleted the weirdly-named folders and the problem seems to be gone...although I am running Malwarebytes again just to be sure.

Thanks, everyone.

Anonymous said...

Great tips, thanx a bunch!
Love this site, it is really helpful when one have to deal with malware and other idiotic "time-wasters".

rygittins said...

You are a saint! Thank you.

Kenneth J. Gruneisen said...

Wow! The rate of comments has picked up and this problem must be spreading fast. I had no luck removing with Spybot S&D and after a couple tries I came back to read up here again and noticed many more comments.

Following Ashok's remarks I was able to restart in safe mode and find the file after choosing "Run" and typing "explorer" and enter (to open Windows Explorer file manager program) and navigating to the directory. The funny file name began with an a and when I right clicked on the file and viewed its "properties" it had the date from a couple of days ago when the problem started. I deleted the suspicious file and directory and restarted normally and all seems fine.

I am concerned about HOW the computer got infected because I think I am careful enough about my surfing habits. Could it be possible to get this malware by simply visiting a friend's profile on ? That's when I got the first hint I had a problem... anyway, I'm also concerned the Spybot S&D even with updates didn't seem to be able to nail it. I'm further concerned there might be other issues undetected that may lead to further problems in the future with the computer that otherwise seems to be fine again. Appreciate comments!

Anonymous said...

I think my kids picked it up when visiting FaceBook - - they are careful about where they go but assume that FaceBook is a safe site. However, this is a second infection that we have received that seems to have occurred after FaceBook visits.

Anonymous said...

C:\Users\xxxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\678a5481-5e69d85b: Trojan.Downloader.Java-18 FOUND

I believe that's where it comes from. Found it with clamwin on 2 computers that were infected with system tools virus. safe mode and hijack this seemed to do the trick. didnt need iexplore in safe mode, but ran it to double check. anyway, im going to try deleting the java cache. hopefully that rids it. let me know if anyone knows best way to get rid of the java trojan downloader18. i figure at worst i'll just remove java and reinstall it or something.

Anonymous said...

Got this virus today and it's spreading fast, I can't find my appdata folder to even locate the file. I'm using Windows XP, malware won't boot, nor any other programs I tried, any suggestions? I'm not that computer savvy to get rid of it, any step by step instructions would be appreciated.

Anonymous said...

My wife has had her new laptop for 2 days. She visited Facebook and that is when System Tools attached. Of course she didn't turn on McAfee when she turned her computer on. I went into safe mode and deleted the System Tools file and then restarted the computer but had a hard time getting McAfee to turn on but finally got it on and it is currently scanning and has already fixed 12 issues. I think this has fixed the problem. If I need to do anything else please let me know. If McAfee is up and running should I now be SAFE??

Ineed a job said...

I couldn't use the three finger salute to run task master when the program was running so I did it all in safe mode. Found the character string under properties and removed the program by using the file location entry. Cut and pasted the file name character string into find box in regedit and deleted all entries found. Time less than ten minutes, rebooted and no problems.

Anonymous said...

SpybotSD didn't find it for me. So, I followed the advice of an above poster and used the Task Manager while logged in as another user. This let me identify the file and location (it was C:\ProgramData\(Random)\(Random).exe). I then input C:\ProgramData into my Windows Explorer address bar while in safemode, tracked down the file and deleted it. Problem gone.

Anonymous said...

Tried Ashok's method and it worked like a charm today

Anonymous said...

I'm the poster from the 4th post above this one, my computer won't let me start up in safe mode, it just keeps restarting when I select the option, can't run anything but Firefox and IE, I can't get into task manager or find the application data folder (virus must have hid it), is my email if anyone wants to msg me and help me get rid of it.

Ishani said...

I can't seem to get rid of the damn thing. I have tried Malwarebytes as well as Spybot, in addition to my regular anti-virus (Microsoft Security Essentials). I tried to find the folder as Ashok suggested (above), but I am running Vista and couldn't navigate to the location he suggested. Any suggestions on where the folder might be in Vista?

Admin said...

Ishani, in Vista it should be:
C:\ProgramData\[random characters]\[random characters].exe


C:\Users\[username]\AppData\Roaming\[random characters]\[random characters].exe

Anonymous said...

Thanks to all who posted information. You made my Christmas! Got infected last night with System Tools 2011 - all the horrors described above and on other sites. The general uninstall things didn't work, and several attempts to locate the files were unsuccessful. With time, I could have figured it out, but.. I finally got rid of it (at least, for the time being) by:
(OS is Windows XP Professional)
Logging on in safe mode with networking (see above posts for instructions)
Opening Mozilla browser
Downloaded free version of Malwarebytes (as per many suggestions - hopefully they're not behind the proliferation of this beast to drum up business)
Renamed the file in case the System Tools 2011 program could block it
Saved the file to a different folder than Programs (for the same reason)
Installed/ran the Malwarebytes program
Performed a full scan
Removed all the infected files (it looks like around 11 files are involved/infected)
Rebooted computer.
Malware seems to be gone. (Computer runs a little slower, usual when you have anti virus stuff installed)
Hope this helps someone.

Anonymous said...

Was infected myself today. Used suggestion above to manually find it and KILL. (OS = XP Media Edition)
* I restarted in SAFE MODE. Keep pressing F8 during restart until text window comes up to select SAFE MODE.
* Looked as suggested in c:\Documents&Setting\AllUsers\ApplicationData\ and found kAcDIO1831.exe - copied name then DELETED file.
* Running RegEdit (Run... Regedit). Looked for all instances of kAcDIO1831 using ctrl F, paste filename (no .exe). Got 4 results:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce - Delete reference to kAcDIO1831. Leave default REG_SZ
- HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellsNoRoam\MUI_Cache\- Delete reference to kAcDIO1831.
- HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw\MostRecentApplication\- Delete reference to kAcDIO1831.
- HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\kAcDIO1831\ - Delete all 5 entries to kAcDIO1831 AND folder itself.
* Restarted in normal mode and so far so good -running 1/2 hr.

Anonymous said...

Thank you to whoever posted these instructions. I was able to log into another profile on my computer which was not infected as others have pointed out. From there I was able to download malwarebytes and it scanned and removed the files. My computer now loads fine. Anyone know where this is coming from? I do not surf the web except to very few sites don't download things and I think I have everything updated.. I use Chrome as my browser. Any advice on holes that need to be patched to avoid a repeat infection?



Anonymous said...

trying to fix it now.... but i got it from either facebook or okcupid site. not sure which one

Anonymous said...

It worked by deleting the folder and emptying the trash can just to make sure. posted this site to my facebook page also... after warning everyone this morning.

Ronny said...

Had a system tool 2011 attack .......thanks 4 your help its gone.

My question :
This is my first major virus/malware/trojan attack on my pc.....i am using XP .
Should i need to change all the passwords of my e-mail addresses???? Plz answer guys as i am a little worried......

Note: Obviously i am tyro in these matters.....

Anonymous said...

can anyone help for vista please?

John said...

I used Annie's method. Found the shortcut on the desktop and traced it back to the exe, which I deleted. Followed up with a Malwarebytes scan, which found a rogue file in the Java update folder. This seems to be where it came from. Also, MS Security Essentials, Spybot, and Sophos all missed it!

Anonymous said...

Thanks folks... neither malwarebytes nor spybot found it, but because of these posts was able to find and delete the related files... the info about checking the properties for file creation date was good.. got a little nervous about deleting files that I don't know what they do...pretty sure i got it on facebook..


Colin and Lynda said...

I spent Boxing Day morning struggling with this virus and stumbled on an amazingly simple cure, it worked magically for me so I do hope it works for you all.

I have an MSI Wind netbook with no CD drive so I was really panicking that I would not even be able to wipe and reinstall Windows XP as an ultimate solution to kill it.

The virus was not letting me execute anything, I could not get any of my Malware or AGV software to run (or any other software for that matter)

Then I discovered that System Tools 2011 had conveniently put a short-cut desktop icon on my desktop.

When I right clicked on it and clicked on properties, it showed me where the target location was and also the file name. I had never explored this menu before but there was also a FIND TARGET button which took me right to the file.

For some reason, Windows Explorer was not disabled by the virus.

While the virus would not let me delete the file, I was able to rename it (dead.duc was the name I chose)and presto, when I rebooted I was back to normal, ran Malwarebytes and it found some other files related to the virus and quarantined them.

So, I do wish you all well, this one was a bear, almost as convoluted as using trumpet winsock to access the internet.. those were the days.....

Anonymous said...

Thanks for the tips. Using Vista, the Malwarebytes scan found it. It was in:

C:\ProgramData\[random characters]\[random characters].exe

pmunney said...

hey just defeated this thing a couple minutes ago, so far so good. I used Malwarebytes which got rid of some things as well as the finding the file and deleting it plus deleting it with RegEdit. that combo seemed to work but wow. Spybot, Superantispyware, avast, trendmicro, rkill didnt do anything for me. hell of a fight.

Anonymous said...

Running Vista (unfortunately)and I had to search for my C:\programdata folder from the start menu as it would not show up in my c drive normally. Found a unknown folder in there named oDeNa8200 opened it and found a .exe folder with the icon for system tools. Deleted it then had to manually go through the locations listed above in the regedit to find one more instance of it. Seems to have worked.

Anonymous said...

I've been battling this virus for days and finally found that C:\ProgramData\oBiAa06300 was the the culprit.

Anonymous said...

Thanks Ashok, worked for me too.

Suggestions to all to find filename: filename and path is in the properties window of the shortcut on the desktop!

Anonymous said...

My wife's laptop got infected with System Tool and I found you folks and glad I did. I'm not that computer savvy but I typed in one of the codes listed above and it got rid of all that System Tool garbage but I still had the icon on my taskbar. I didn't know how to do that Safe Mode stuff (I have Vista) so I tried Malwarebytes and it said I had 164 infected files. I removed them all and the icon went away after rebooting. I scanned using Microsoft Essentials before I used Malwarebytes and it didn't indicate that I had any infected files. So much for that program. Anyway, everything appears to be working fine and I thank you all for your input. I was all set to go to the Geek Squad but I did a search on my PC and found you guys. Thanks for saving me mucho bucks.

Don said...

Got the virus today. All spyware utilities, including Spybot S&D, which I swear by, were useless. As stated above, just go to windows explorer, find the nasty creature listed under a random set of characters, mine has today's date, a give away, then listed itself as a Windows Microsoft thing, but the little dial up lock icon was there. I deleted two files, one large, the other tiny, then the folder, and it is dead! It had disabled my Windows Security Protection in the process, and stymied my Internet Explorer browser. All are functioning perfectly now! Thanks for the directions and help!

Anonymous said...

Hey, I just got hit W/ this on Sunday. Thanks to the advice above I was able to remove it. Running Vista, I booted to safe mode & ran Malwarebytes. It found something, but not the same name. I also manually deleted the folder. (C:\ProgramData\pCIBI06300)
Found no entries in the registry. Rebooted unit, seems to be running fine now. Thanks.

Anonymous said...

You guys are awesome you saved me a great deal of trouble thanks everyone

Anonymous said...

i used SUPERAntiSpyware...currently scanning, 956 files threatened at the moment. facebook yet again has screwed something up.
im worried that i may have personal data abused.

Anonymous said...

I just got mine today! can someone please help me with step by step directions to kill this monster!
by using safe mode please!

Cheechie said...

Actually the malware resides in c:\documents and settings\all users\application Data\[Folder name with weird name]\foldername.exe.

Anonymous said...

UGH! got it this evening - great New Years Eve. Followed AShkok (one of the first posts) and seems to be okay.

Anonymous said...

I have removed "SYSTEM TOOL 2011" from two different computers (so far). The fast way is to check 'Control Panel / Add or Remove Programs' find out when "SYSTEM TOOL 2011" was installed (this will tell you how far you must go back in time to restore your machine. Next boot in to "safe mode" (press F8 on boot and choose safe mode). Once in "safe mode" go to 'Start / Programs / Accessories / System Tools / System Restore' pick a date before "SYSTEM TOOL 2011" infected your machine and let System Restore do its thing.

Anonymous said...

Malware bytes didn't work for me. (XP Professional) But it did find a couple other things to get rid of. I ended up searching the registry with regedit, and deleting the files manually as ashok said. It works fine, now, but all the fake viruses planted on the computer are still there somewhere, I am sure. Not that they matter, but knowing they are somewhere irks me.

The only thing I can add to the comments is that there IS a file hidden with Java (found mine in regedit, deleted entry), and you can delete the .exe to get rid of the actual thing screwing with you, if you don't mind the other harmless junk staying on your computer.

tonycdrive said...

Ashok is the mannnnn!!!! c:\documents and settings\all users\application Data\[Folder name with weird name]\foldername.exe. But here is an extra may not see the "application Data" folder. So go to tools\folder options\view\show hidden files and folders and hit apply then ok. And you should now see the Application Data folder.

tonycdrive said...

a system restore and go back 3 weeks. (to be safe) And it wouldn't hurt to download Avast anti virus software.

Anonymous said...

My Avast picked it up but it didn't do anything about least it didn't seem to do anything about it.

Anonymous said...

Hey, when I run safe mode (vista) I see no program data folder. How can I find this and kill it?

Admin said...

Program data folder may be hidden, please follow these removal instructions to view hidden files and folders in Windows:

Anonymous said...

Got this from Facebook a little after new years hit.

In Safemode, I used malwarebytes and it found a couple files, deleted them and computer worked alright. Restarted to make sure and virus popped up again.

Rebooted in safemode again and ran malware bytes. Detected more malware. Deleted it and ran a system restore to a week prior. Turned it back on and no system tool but kept getting odd error messages.

Ran malwarebytes again, looked in the log of what it found the first couple times and went to RegEdit and deleted everything associated with these trojans. ~3-5 items.

Strange thing is that "WinProtector" tried installing itself on my computer while I was doing these things. It was easy to delete and prevent it from doing anything malicious (that I could see) but it makes me think these programs are somehow related.

Restarted again and everything seems to be working fine.

I completely suck with computers, but I'm not totally illiterate but I think if I could do it you guys can too. Just a combination of Malwarebytes, regedit, inspecting your appdata in safemode and thorough inspection and you should be fine. Just make sure you know when you first got it (which you will because your computer is inoperable after you get it)

This was for Vista. I'll check back if it pops up again.

Anonymous said...

Hi, this was my solution to this problem. i booted the computer into Safe Mode (without networking) and i went to the properties of "System Tools 2011" and saw the location where the .exe file was. I opened Command Prompt and put the following code "Del [location of the file]" this erased the problem completely. After having done that, i was able to run my anti-virus and the computer was clean again.

Libraman said...

Thanks a lot! now i fixed my net book to that viruses attack. Thanks to the codes given..

Anonymous said...

I think different computers need different solutions. I had a hard time locating the spyware. When I did, I couldn't just delete it right there. I downloaded a couple of antivirus programs but they either charge or can't fix it. Not until I reached the bottom of the list and found the "alternate" method (Trend Micro), and used a further disguised file name AND PUT IT ON DESKTOP (shortcut), then the problem was gone. What is ironic is that I am a long time subscriber of Trend Micro and my PC still got hijacked. Trend Micro should just update their product now. I don't want to go through all this again.

sarymclary said...

I tried to get rid of this virus by various methods mentioned, but each time I'd get so far, and the laptop would shut down, never being able to get to the end of the process I was trying.

However, I started up in normal mode, and ran, which identified the malware, giving me a location on the disk. In our case, it was C:\ProgramData\aPmBh06511\aPmBh06511.exe
I ran MBAM hoping to quarantine the virus, but it didn't find it, and neither did AVG, so I searched for it manually in the ProgramData files, and deleted it, then I searched for it in WindowsExplorer, and deleted it there, and also deleted the start-up menu file.
This was a bit of a long-shot, and I'm not particularly PC savvy, however, upon rebooting, the warning screens and messages from System Tool, as well as all the files associated with it in there previously were not found.
Incidentally, we were not able to find it in Task Manager at all in Safe Mode, and all the malware software tried also couldn't find it. Thanks to we were able to find it, stop it, and eliminate it (so far)!
Thanks for all the hints & tips logged here, it certainly gives you a fighting chance of getting rid of this annoying kind of pest.

Anonymous said...

Using Windows Vista and this is what I did when infected with System Tool (Up to the point where I couldn't open Control Panel, taskbar was exploding with warning pop up bubbles and my desktop background was changed to 'warn' me of the 'viruses' on my laptop):-

1) Used one of the codes shown above to register System Tool
2) tried going through Control Panel to uninstall the program but to no avail
3) Right clicked shortcut icon for the program on desktop to 'open file location'
4) remembered file name and location (was not named System Tool)
5) Deleted shortcut icon
6) Restarted laptop whilst pressing on F8 key
7) Chose to start up laptop with 'Safe mode with networking'
8) Opened up file location and deleted program as well as uninstalled program through control panel
9) Restarted laptop and started up with normal mode
10) Installed anti-software program and ran full scan- found a few infections but nothing else and cleaned it

Hopefully my laptop is cleared?!

Hope this helps anyone anyway.

Anonymous said...

I think I managed to get rid of it by using one of the activation codes. After I put the code in I was able to access all files and search the internet via my pc. What I then did was delete the file Ashok mentioned, taking note of the file name. I then did a search of my computer's files including the hidden files and removed all files with that file name and with the system tool 2011 file name.

I rebooted my computer and it looks like it's all clear. I then did a scan with Norton and it came back clear too so hopefully, with just a little bit of luck, my computer is cleared.

Anonymous said...

Ahhh Admin saved my life
at least for 7, it was under
C:\Users\[username]\AppData\Roaming\[random characters]\[random characters].exe

thanks! :D

jstiffeyssn648 said...

I don't know how it got past my Nod32, first virus to do that in 4 years, even though the computer gets taken lots of places on the net it shouldn't.
I used control panel to uninstall the program; didn't work.
Used the next to last key code and that removed all the hidden virus files, then started in safe mode and restored to 1 week before,
then ran Advanced system optimizer for good measure.
It took several reboots for XP to come back but removed it very nicely.

vladyaro said...

Thanks for the keys guys. I tried the first one and it worked perfectly. I am removing it right now.

Anonymous said...

I got this virus on my dad's laptop and really started to freak. I tried deleting the files using safe mode, but the files were still present in normal mode, and would not let me open the system registry. The best and easiest solution I found was, while in safe mode, choose to restore your system to a date previous to when you got the virus. You will be able to keep your documents, just not harmful material.

Anonymous said...

I got this last night. I rebooted in safe mode, then did a system restore. Luckily my system restore point was 24 hours earlier and it worked.

MammaDucky said...

Thanks so much!!

Anonymous said...

Thanks for the information. As many of you have commented, Ashok's solution worked. I also used regedit and removed all the references to the "random letter" file.
The MalwareByte program did not detect System tools 2011, but found some others.
Thank you for the instructions!

Anonymous said...

Hi Ashok...thanks a ton!!! it worked for me too!!!

Anonymous said...

search: C:\ProgramData\glbKINd13400

delete then empty recycle bin

eubie137 said...

Killed this program with MalwareBytes from safe mode with networking. Worked fast and found the Trojan in 6 different places on my hard drive. I know others who have gotten this scareware and could not remove it. I was soooo worried. Thanks MalwareBytes!

Robert said...

I used the Ashok method and it seemed to work for me. Couldn't find it at first but went to desktop in safemode and right clicked on the shortcut icon that System Tool placed on my computer and opened file location and zapped it.. For good measure, while still in safemode, I downloaded the MalwareBytes program and it worked like a charm.. Found a few other viruses on my computer too.. Thank you all.

Anonymous said...

Thank you Ashok and Tonycdrive. The folder was hidden, so I took Tonycdrive's advice, which enabled me to see the folder. Then followed Ashok's advice and successfully deleted it.

CVATC said...

THANK YOU SO MUCH for this information!! I followed your instructions and initially used Spybot, a program I've previously used. It removed some stuff, but not System Tool. I then repeated it using MalwareBytes. That one worked like a champ!!

Anonymous said...

Thanks a lot guys. I got it this morning at 3:00 AM... not all. I have Malwarebytes, but forgot to update it before running it the first time. When it didn't work, I updated and ran the second time in safe mode and TA DA!! It found the file where everyone has said. c:\programdata\[random letters]\[random letters].
I was already fixing a computer with think point or something like that and so seeing this pop up was not fun, but thanks to the post on here, I might..(probably not)..but might get to bed a little earlier. BIG THANKS. again.

Anonymous said...

Kudos to anonymous who posted c:\programdata\(weirdname). I am using windows 7 32-bit. Just delete that folder like the others said and make sure you make hidden files/folders visible. Thanks guys.

Dean said...

Hey, thanks a lot for that information. Found it in C:\ProgramData\Random letters & Numbers\Weird name.exe, for example: Folder name: JiBNs0456522. If you open the folder it should have a file, icon is a blue circle with a yellow X on it, just delete the file and restart your computer. Use this method if using Vista.


MY GOD YOU ARE HEAVEN SENT! I USED ONE OF THE CODES THEN UPDATED MY OWN ANTI VIRUS THEN FOLLOWED THE FF STEPS

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:
O4 - HKCU\..\RunOnce: [dfbLa00902] C:\Documents and Settings\All Users\Application Data\lGAlF00902\lGAlF00902.exe

The process name will be different in your case [SET OF RANDOM CHARACTERS].exe, located in:
C:\Documents and Settings\All Users\Application Data\ in Windows XP
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.


Anonymous said...

ANY of the MALWARE SOFTWARES WORKED, but was able to find out where it was located; in programdata, the name mDnMgHk08505.exe so went back to SAFE MODE, FOUND IT AND DELETED IT, after two days of suffering, thank you ALL FOR YOUR HELP!!!!



Anonymous said...

Thanks for the help I was able to get rid of that pest THANKS A LOT!!!!!!

Anonymous said...

IMHO System Restore is the only surefire way to eradicate this hoax. I tried Malware Bytes and McAfee in Safe Mode and no go. While not the worst virus to have it does scare the crap out of unsuspecting victims. Good luck!

Anonymous said...

Running windows 7. Found it in my Program Files directory and deleted it but it keeps coming back. I run SpyBot and Avast regularly but they're not fixing it.

Anonymous said...

You have my thanks, malware bytes is now running to clear any dregs of the software still floating around

Anonymous said...

Thanks for all the posts. I have vista and ran Malwarebytes which seemed to fix the problem. Also did a search from the start menu for "programdata" which found the file name with weird numbers. Deleted it and then permanently deleted it from the recycle bin. Hope it works.

Anonymous said...

Nice work. Saved me some time investigating myself.

Anonymous said...

thannnnnnnnnnnnnnnnnnnnx a loooot

i was so frightened about this

may god bless uuuuuuuu as u provided this solution

Anonymous said...

I used Ashok's method in safemode under the admin, restarted my machine and everything was back to normal.

Anonymous said...

Finally cornered and killed it after various failures by finding 2 files in programme data with a giveaway date (safe mode). Had to rename them both as .jpg before I could delete them.

Anonymous said...

thnx for this help,

I started up (without network, because it was blocked by this malware) in safe mode.
I already installed HijackThis in the past and used another computer and usb to install Malwarebytes. Removed the entries and deleted the files and it's working!!

Anonymous said...

I don't understand the Ashok method. I am not savvy enough. However, I was able to start the computer in safe mode and download the Malwarebytes program. IT IS NOT FREE!!!! The effing program runs a scan, tells me that it found some rogue virus but to remove it will cost me the price of buying the program. I thought free meant FREE! Same thing with Spyware Doctor. Takes you through the scan and then makes you pay to remove.

How do I get into c:\documents and settings\all users\application Data\[Folder name with weird name]\foldername.exe to remove this thing?

Anonymous said...

I just removed this from a friend's computer in about 15 mins on a system running windows vista. On power up press F8 until you get a list of start up options, select repair your computer to go into system restore, select a restore date prior to the infection, wait for it to complete and hey presto system tool is gone.

Anonymous said...

Just succeeded! In 30 sec!
The way:
type ctrl+alt+del before the launch of the prgm system tool when Windows is starting. If you do it fast you can open it and stop the ipkk0565xxx prgm, which is system tool 2011

Anonymous said...

I thank the author a lot for providing the cracked Keys. I gave one of them to this nonsense malware and then I was able to run my other executables. First thing I did was formatting via inbuilt "Recovery tool" which gets rid of this malware in C:

Anonymous said...

I had a hard time finding the file, but I went into safe mode and opened up crap cleaner (which I could not do when not in safe mode) and went to tools, then "startup" and all the files that run on startup were listed. It was the first or second file listed. I highlighted it and deleted it. Never, ever would have done that without the help of this group! Thanks a lot! By the way, it took me several hours to figure out how to get to the file the back way ... I'm not a tech person really. Not afraid of the computer, but certainly don't know much about how it all works. Don't give up, you will find the bugger and kill it! Good luck and thanks to everyone who posted before me.

Anonymous said...

Thank You, thank You so much!!!! I got infected twice in as many days - blastingly insidious thing that System Tool is too. First time I stupidly reformatted and re-installed Windows - should've looked for your instructions first!!! Second time I could not enter Safe mode at all, reg edit was disabled, ditto Task Manager, even though I tried to hit it well before anything else started. Everything seemed to malfunction, background picture hijacked and so on - you know the story. The computer restarted in regular Windows, no matter F8, Safe Mode with or without network just wasn't happening. Could not use anything, start anything etc. But with your normal mode instructions I am finally free!!!! Thank You once again.

Anonymous said...

Ok, if you have a laptop, pull out the battery, and restart it, and get the safe mode with networking option. Open Ccleaner in safe mode. If you don't have it, download it for free. Open Ccleaner and go to "tools." From there go to startup.

In my case the third or fourth program down was titled runonce, followed by nonsense letters programdata. I deleted it, used Ccleaner to clean in the safe mode and then rebooted the computer. Malware was then permanently gone.

Thanks guys for above comments.


Anonymous said...

I'm not very knowledgeable with computers but by following the instructions and suggestions posted here, I was able to get rid of the System Tool malware. It took me over 2 hours to disinfect my laptop yesterday. I followed the Ashok method (found the infected files through RegEdit), installed MalwareBytes and ran a full scan. Everything's working normally again. Thank you!

Anonymous said...

Great post. I got this malware and I don't know from where!! I was just surfing financial sites. I was using Firefox and had NAV running! Anyway, I used the manual technique and removed the files and register trees associated to it. Checked using spy doc and lavasoft and all seems clean. Now I will reboot into normal. Thanks all and a great write up to the author.

Anonymous said...

You's are the shiznay! Got System tool somehow, typed in one of the codes you provided, ran malwarebytes, removed malware. Thanks!

Anonymous said...

thanks so much for that! saved my saturday night...

Gareth said...

Again, just to further help those that have become infected... I am on windows Vista, and in order to get to Program data, you need to go to Start; then type C:\Programdata in the 'start search' box. Click on the folder that it shows in the result pane; this will then open up this folder. By clicking on the 'date modified', you can filter the results to show the most recent entries at the top. You will then find a folder with a random name, in my case it was 'iEpHhOf06300'. Make a note of this.

Go to start, and type 'regedit' into 'start search'; this will open the registry editing tool. From the top, click on edit, and scroll to 'find'. Type in the file name you noted earlier, and click find next. This should bring a result; right click on the entry, and delete it. Press F3 to carry on the search, deleting each time, however, IIRC there are only one or two entries. Do this until it has finished searching the registry, and then close down the editor.

Go back to the programdata folder, and right-click the random name folder, in order to delete it.

This has so far worked for me, I hope it is of use to anybody else that is attacked!!!

daddy said...

Thanks for the licence keys.
Could solve (at least I hope) the blocked situation.
In the meanwhile, why did the permanently updated McAfee not prevent the attack?

daddy said...

Thanks for the "licence keys" !
In the meanwhile why did the (always updated) McAfee not stop the attack?


Anonymous said...

Yay System Tool is DEAD! I had tried all the methods (Ashok's, malwarebytes, etc.) but what worked for me was finding and deleting the weird file in the program data folder. Thanks to all the wonderful people on this blog!

Anonymous said...

Very good tool. Thank you very much. Found and followed all instructions, very easy to use. The malware is free and easy to follow.

Anonymous said...

Thank you very much indeed to the OP.
You must have saved hundreds if not thousands of people pulling their hair out!

Malwarebytes worked for me. Note to those on Norton, please remove it instantly! AVG is much better, and free to home users.

Anonymous said...

Sorry, forgot to mention, McAfee is rubbish also!
Very CPU hungry.

Richard said...


Now been at this a day and a half and think I've got rid of it but still don't feel safe. All my desktop icons and files (except shortcuts) have a white exclamation mark in a red circle on them. Anyone got any idea why and if I can get rid of them?

Thanks for all the advice on the site.


Anonymous said...

I pulled the ethernet cable out, then used a code from up the page to activate it. This gave me functionality back to pc. Located file where ashok said it was, gmc654231.exe or something like that. I deleted it, ran ccleaner, picked up 2 remnants of it and deleted that too. PC works fine, no antivirus used.

Anonymous said...


thanks so much - all problems solved!

Anonymous said...

Thank you Thank you Thank you!

Tried the file removal, Anti spyware, malwarebytes and microsoft thingy and computer now functioning correctly ;)

Thank you to all the Geeks who have contributed here - Very helpful advice

Anonymous said...

I've got a notebook that got infected. Now when starting up I can't even access safe mode and no startup script loads whatsoever, just a black screen with a bleeping cursor in the top left. I can enter set-up options by pressing F2 or F12 but can't access safe mode through that - I can change the 'boot' options to LAN or HDD/SDD but still no script loads.

Any ideas!? Really stuck

Anonymous said...

Alternate System Tool removal instructions using HijackThis or Process Explorer (in Normal mode) ---- This one worked for me
thanks for the tip :)

Anonymous said...

I have Vista but when I do the Start Search for c:\programdata or c:\appdata, it comes up as nothing found in search. how the heck can I find this thing?

Anonymous said...

First option worked great - Thanks!!!! Malwarebytes found 6 infected objects, took them off, problem gone. This site is great and malwarebytes is a wonderful service! You've really helped us out.

Anonymous said...

used a registry key but did not fix the problem, so i did the "alternate system tool removal" and found it easily. Program removed and laptop working normal! Thanks for the helpful advice!

Anonymous said...

This turned up on my PC and sent alarm bells ringing, especially the line "...and could break your life." Who speaks like that? Certainly no English speaking person, probably someone from Nigeria or China or some equally corrupt country.
Anyway, I copied the first code on the list above with the intention of pasting it into the registration form, but when I brought up the page, it registered automatically without me having to paste it. Weird! But it's gone permanently now thanks to Ashok's comment.

Gareth said...

@ anonymous who cannot see the programdata file:

You may have to select 'view hidden files'. To do this, click start> documents. Click on 'Organise', and scroll down to 'Folder and Search Options'. Click on the 'View' tab, and look in the 'Advanced options:' From here, select the radio button next to 'Show hidden files, folders and drives'. Click apply, and then ok, and then ok to close these boxes. Go back to the original instructions for accessing C:\programdata.

If this doesn't work, you can use Regedit to use the registry editor to try and remove it. ***Please use regedit with CAUTION!***
Use the following path to get to the malware entry: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache - this was the registry path to the file that I had previously found in C:\programdata. The registry entry will be a random mix of letters and numbers. Make a note of this entry, then right-click and delete it. Go to edit, scroll down and select 'Find'. Enter the name you earlier recorded, and click find next. There may be one or two more entries. Once you have finished searching through the registry, close Regedit.

Go to start, and in the Search programs and files, again enter the name earlier recorded. This should now display the file with that name. Double-click to select it, this will open it up in another window. Right-click and delete.

Finally, it may well be worthwhile running a scan of Malwarebytes, just to pick up anything that may be left. Once finished, re-start your computer, and hopefully all should be well.

I hope this helps.

Anonymous said...

My daughter got this virus on her computer today and I have run Malwarebytes and the virus is still there. I have tried all the above to remove it but nothing is working. Please help.

Linda said...

Thanks, everybody! We got it on the desktop computer; I used my laptop to search "system tool removal" and found this site.

I did System Restore (Vista) and set the date to Friday, before the incident. That took care of the problem. Then, I reinstalled my anti-virus software and ran a complete scan (I read somewhere else that System Tool will affect your anti-virus software, so I just reinstalled the whole thing).

Problem solved! Thanks.

Anonymous said...

I got infected with this spyware today. The spyware was blocking the task manager and all antivirus software. So it seemed the situation was hopeless.
But I followed the instructions in your blog and it seemed to have worked. Thanks a lot. Really appreciate guys like you that help out not so pc savvy people like me.

Anonymous said...

Running XP I got infected last night and struggled for hours to clear it out. I noted that it was "squeezing" the time it allowed me on the Internet searching for answers/ideas down from 30 mins to, in the end, around 15. As a last chance I switched into safe mode and restored to a save point two days earlier on the basis that logically to a computer, this would be a date when I did not have the infection.
This worked in getting rid of all the screen interference via the rubbish it spews out onto your screen. I then downloaded Malwarebyte in normal mode, ran that which cleared out three Trojans, then loaded and ran Super anti-spyware which cleared out loads of cookies and what it described as "Traces of Malware". These were all free applications I would add.
So far so good, as I seem to be clean now.
As to how you get it, all I can say from my very limited experience of this beast, is that it hit as I was just starting up my machine and as it connected to the Internet. I had not had the time to do anything, visit any site etc. This tends to make me believe it is truly random and just goes for any connected user OR it creeps in by first laying an innocuous "marker" then when that does not get picked up, comes back the next day and drops its load of poo.
In any event by the time you see any evidence via the "warnings", you have it. This slipped in despite having such as AVG, various styles of spyware etc all switched on, updated and functioning.
Anyway try what I did - it might work for you?

Anonymous said...

please help me. i'm 15, & me & my mama have done the rebooting & then clicked the safe mode & whatever and now the virus thing is on here! it won't let me click any of my programs, & it won't let me on the internet, what do i do now

Admin said...

Activate the rogue program using the activation codes listed above. Then you should be able to run an antimalware program.

Anonymous said...

As a 60 year old 'tech-tard' (as my son calls me) I got the virus last night. First tried the 'safe mode' option but it wouldn't even let me do that. Logged onto my laptop as a different user (the virus seems to attach just the user logged on at the time) and did a system restore back to five days ago. All gone! Amazing! Thank goodness I had another user set up for emergencies.

Anonymous said...

Had the same problem 2 days ago, really annoying stuff! It just kept on popping up every 2 minutes or so and wouldn't allow me to do anything at all. I thought then that it was a scam cos i had Avira antivirus installed at the time. Anyway, the first option worked for me, i used the second code and it cleared up the crap. Thanks guys! Ned, Stoke-on-trent.

Anonymous said...

I deleted a folder called icjbinlo6510 and it took care of the virus

jake said...

I can't find the folder.. I'm using XP.. what should I do???? Please do help me

Anonymous said...

Thank you very much- the first registration key worked perfectly, quick and easy. Needless to say, I was very glad to be rid of this disease. You all made my day
Thanks Again,
Norm K.

Anonymous said...

Many thanks to Gareth for instructions to the person who couldn't see the programdata files on Vista. I eventually found the folder and was able to delete the stupid System Tools thing and it appears to have worked. For those on Vista who might be having the same problem (not finding the programdata folder) I discovered I needed to go back to the Classic view (pre-Vista) for the Start menu. Once I did that the programdata folder was viewable. Again, thanks to everyone who has been trying to help every one else. Greatly appreciated!

Anonymous said...

Hi. Just deleted it, but my pc has been running slow ever since. Please help

Anonymous said...

Where is the file located on Windows 7?

ghillie said...

Thanks a bunch. Have been trying for ages. The option below seemed so simple but I gave it a try and success. I did it in safe mode

1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for such entry in the scan results:
O4 - HKCU\..\RunOnce: [dfbLa00902] C:\Documents and Settings\All Users\Application Data\lGAlF00902\lGAlF00902.exe

The process name will be different in your case [SET OF RANDOM CHARACTERS].exe, located in:
C:\Documents and Settings\All Users\Application Data\ in Windows XP
Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

Admin said...

In Windows 7 the file is in C:\ProgramData folder.

For example: C:\ProgramData\GdspweH48ef\GdspweH48ef.exe

Anonymous said...

To remove System Tool from my computer, here's what worked for me using Windows 7, 64 bit:

I restarted my computer in Safe Mode (press F8 when starting your computer, then select start in Safe Mode), and then did a System Restore to the day before getting infected with System Tools.

After I did the System Restore, my PC seems to be working normally.

Anonymous said...

OMG thankss sooo much it removed it... i would advise everyone.. when you finally remove it off your computer.. download anti virus software. and you should already have the spyware and malware.. dooo ittt.. EXTRA PROTECTION! :)

Anonymous said...

Thank you.
The Ctrl, Alt, Del trick worked for me a treat.
Was having trouble booting into safe mode and this saved me from doing a reinstall.
Thank you :)

Joe said...

System tool infected my Dell XP even though I had virus software and malware software installed. The malware is SUPERAntiSpyware free edition. When I tried to run the pre-installed virus software or the malware software,.... System Tool prevented it from running. After reading the posts of others on here, this is how I got rid of System Tool: I simply restarted my computer in safe mode (by tapping F8 as the computer was booting up). THEN I ran the SUPERAntiSpyware free edition software that was already installed on the computer. In safe mode, System Tool didn't prevent it from running. It quarantined System Tool. BEFORE I left Safe Mode.....I also deleted the desktop shortcut to System Tool and sent it to the recycle bin. THEN, before leaving safe mode, I also emptied the recycle bin. Now there is absolutely no trace of System Tool.
My advice to everyone: always install malware and antivirus would have been much harder to rid myself of System tool without it.

Anonymous said...

Hello. I am understanding some of this, but not all. What does it mean use a code to register if this is a virus you don't want? What/where do you put the code and why?
The going into safe mode and running the programs I understand, but not the code part.

Oh, and people signing in under different names. I don't really know how you do that if you are one person and one computer.

Thanks. Am going to try to get it off my Dad's computer tomorrow. Over the phone we tried going into safe mode and doing system restore but it didn't work.

Anonymous said...

The bastard is in c:\documents and settings\all users\application Data\...

Don't forget to delete the registry key it created found in HKEY_CURRENT_USER->Software->Microsoft->Windows->CurrentVersion->Run, or RunOnce
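
The comments above keep pointing at the same two artifacts: a Run/RunOnce autorun value, as in the HijackThis `O4` line quoted twice on this page, and an executable sitting in a randomly named folder of the same name under `C:\ProgramData`, `All Users\Application Data` or `AppData\Roaming`. The following Python script is an added example, not part of the original post or of HijackThis; it scans a saved HijackThis log for that pattern and reports the registry key, value and folder to review. The name heuristic (alphanumeric, at least 8 characters, letters and digits mixed) is an assumption drawn from the folder names quoted in the comments, and the sample log lines are constructed except for the `O4` entry and the `GdspweH48ef` path taken from the page.

```python
import re
import ntpath  # Windows path rules, whatever OS this script runs on

# Registry autorun form of a HijackThis line: O4 - HKCU\..\RunOnce: [value] command
O4_RE = re.compile(r'^O4 - (HKCU|HKLM)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$')

# Data folders named in the comments (XP, Vista/7, per-user Roaming).
DATA_ROOTS = [
    re.compile(r'^[a-z]:\\programdata$'),
    re.compile(r'^[a-z]:\\documents and settings\\all users\\application data$'),
    re.compile(r'^[a-z]:\\users\\[^\\]+\\appdata\\roaming$'),
]

# HijackThis abbreviates this part of the key as "..".
EXPANDED = r'Software\Microsoft\Windows\CurrentVersion'


def exe_path(command):
    """Return the executable part of an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.+?\.(?:exe|scr|com|bat))(?:\s|$)', command, re.I)
    return m.group(1) if m else command


def looks_like_rogue(path):
    """Heuristic (assumption): <data root>\\<name>\\<name>.exe with a random-looking name."""
    folder = ntpath.dirname(path)
    stem = ntpath.splitext(ntpath.basename(path))[0]
    name_ok = (len(stem) >= 8 and stem.isalnum()
               and any(c.isdigit() for c in stem)
               and any(c.isalpha() for c in stem))
    same_name = stem.lower() == ntpath.basename(folder).lower()
    root = ntpath.dirname(folder).lower()
    return name_ok and same_name and any(r.match(root) for r in DATA_ROOTS)


def scan(log_text):
    """Return one finding per O4 autorun entry that matches the pattern."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, value, command = m.groups()
        path = exe_path(command)
        if looks_like_rogue(path):
            findings.append({
                "registry_key": f"{hive}\\{EXPANDED}\\{key}",
                "value": value,
                "file": path,
                "folder": ntpath.dirname(path),
            })
    return findings


# Constructed sample log; only the RunOnce line and the GdspweH48ef path come from the page.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [ExampleAgent] "C:\ProgramData\ExampleVendor\agent.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [dfbLa00902] C:\Documents and Settings\All Users\Application Data\lGAlF00902\lGAlF00902.exe
O4 - HKCU\..\Run: [GdspweH48ef] C:\ProgramData\GdspweH48ef\GdspweH48ef.exe
O4 - HKCU\..\Run: [xQzTr41877] C:\Users\alice\AppData\Roaming\xQzTr41877\xQzTr41877.exe
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['registry_key']} [{f['value']}] -> {f['file']}")
```

A match is a lead for manual review, not proof: legitimate software can also install a same-named folder and executable, so confirm the entry before deleting the value or the folder.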