Need help in removing System Tool 2011 malware

I have a Toshiba laptop running Win7 Pro 64-bit. It has been infected with malware and displays the message
Warning your computer is infected … The System Tool 2011 is displayed.
What steps do I need to follow to remove this malware?

I have done a Google search on System Tool 2011 and have found numerous sites that indicate how to remove it, but I am skeptical about which web sites are valid and which ones will do more damage.
Thanks for your help

Bob

As you have 64-bit Win 7, Malwarebytes should be able to clear it quite happily.

Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select “Perform Quick Scan”, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

You can also use a boot CD; here is one: https://www.gdatasoftware.co.uk/support/main-subjects/upgrade-service/download.html (G Data boot CD).

Here is a full guide with the tool Essexboy suggested

Removal instructions for System Tool
http://forums.malwarebytes.org/index.php?showtopic=66064
http://www.bleepingcomputer.com/virus-removal/remove-system-tool

It resolved the problem without a problem.
Thanks everybody for all of your help.

Will this also work for WinXP? I just received this malware on my computer today and now trying to get rid of it. Just finished (as I’m writing this) running Avast Boot-time scan, but as I’m typing on this computer and my other one is restarting there’s the “WARNING” screen again - sigh.

Guess I’ll see if I can get around it long enough to try to install Malwarebytes?? Ugh - I hate viruses. :cry: :stuck_out_tongue:


Welcome to the forums, OregonJen :slight_smile:

Yes, give malwarebytes antimalware a try. Be sure to update it before the scan.


Thanks for the welcome.

Sadly, I can’t even install the mbam-setup.exe because of the malware running and interfering.

How can I make it stop? Any ideas?

:'( :'( :cry:

Update:
Ok, while trying to run an Avast quick scan, I got a blue screen saying something about a physical memory dump, then computer restarted. As soon as I could, I got it to restart again and booted into Safe Mode. From there, I was able to install the mbam-setup.exe, although it couldn’t update it (gave me a PROGRAM_ERROR_UPDATING) so I guess the file is 14 days out of date. I started the full scan anyway and hope it is updated enough to capture this nasty virus. (So far, I see it shows 21 infected objects.)

Of course, this comes at the worst possible time - don’t they always? Any suggestions or feedback is appreciated, but for the moment I’m just forging ahead cautiously and hoping for a positive outcome.

Thanks!

Hi, let's try this first; if it fails, go to Plan B.

Note: If using Firefox right-click on any download links and choose Save As

Please download OTH to your desktop
Please download OTL to your desktop
Please download the attached file Scan.txt to your desktop

Double click the OTH file to run it and click Kill All Processes, your desktop will go blank.


Then select Start OTL. OTL will now run.

* Double-click on the Custom Scans box and a message box will pop up asking if you want to load a custom scan from a file. Select Scan.txt that you downloaded.
* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
* When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
* Click the Internet Explorer button and post these logs in your Virus Removal topic.

Plan B

Download Rkill from here. There are several flavours to choose from; if one does not work, then try the next:

* rkill.com
* rkill.scr
* rkill.pif

Once it is downloaded, double-click on rkill in order to automatically attempt to stop any processes associated with Security Central and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Security Central when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Security Central . So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of my instructions.

Do not reboot your computer after running rkill as the malware programs will start again.

Then run OTL as above.

Another malware removal tool you may want to try is Hitman Pro 3. It removes rogue AV very effectively, and besides that it detects rootkits. MalwareBytes Antimalware fails at this point, though it’s a very good removal tool too.

http://www.surfright.nl/en/hitmanpro

You can install it fully or use it on a one-time basis with no install necessary.

Thanks, Essexboy, for the instructions. I finally had a chance to give them a try. I have attached the two files, OTL.txt and Extras.txt. I was unable to get IE to open on the infected computer from the OT Helper menu, so I copied the two files to a thumb drive and used a different computer to upload them.

I will look forward to any further info or suggestions you have to offer. Thanks for your help!

P.S. Should I restart the other computer now, or wait for further instructions?

If this happens again, get a boot CD like G Data, for example.

Anybody mind telling this forum member to stop spamming the forums with his/her G Data advice?

(i.e. all his/her posts are sent randomly, anywhere on the forums, and referring systematically to Gdata, just have a look at that, it’s worth the fun)

Hey Logos, some of us actually did…

I meant admins :wink:

I reported him to the mods, probably others did as well… We are getting way off topic though, my apologies to the OP.

@OregonJen: Please focus on essexboy’s posts and do exactly what he tells you, the guy is a real expert on malware removal and will help you get rid of your infections.

Thank you for providing the logs. Wait for further instructions from Essexboy.

Let me ask you a question. How was your machine acting prior to shutting it down? What kinds of problems, if any were you experiencing?

OK, start OTL again as you did before.

Run OTL

* Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Vfagaveca] C:\WINDOWS\ekimaqawepe.DLL ()
O20 - AppInit_DLLs: (riloduge.dll) - File not found
O33 - MountPoints2\{fdc56980-b596-11dd-92e8-0004234c08cd}\Shell\1\Command - "" = .\recycled\info.exe
[2010/12/13 16:34:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\jCfGh06501
[2010/12/19 14:09:55 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Nbuxigejimi.bin
[2010/12/19 14:09:53 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Cfuqocelo.dat
[2010/12/17 15:16:54 | 000,000,266 | ---- | M] () -- C:\WINDOWS\tasks\blogger2lj.job
[2010/12/17 12:00:02 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\hlwvtfdo.job
[2010/12/14 00:41:01 | 001,228,854 | ---- | M] () -- C:\fsqwr.bmp
[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\liyovuza
[2010/12/14 00:41:00 | 001,228,854 | ---- | C] () -- C:\fsqwr.bmp
[2010/12/13 16:37:03 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Cfuqocelo.dat
[2010/12/13 16:37:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Nbuxigejimi.bin
[2010/01/29 02:40:07 | 000,000,001 | -HS- | C] () -- C:\WINDOWS\System32\bidareyu.dll
[2010/12/14 07:10:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\jCfGh06501

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

* Then click the Run Fix button at the top.
* Let the program run unhindered, and reboot the PC when it is done.
* Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
* Double click on ComboFix.exe & follow the prompts.
* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
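A small triage helper, added here as an example and not code from this forum or from OTL's author, that parses the OTL file-entry lines quoted in the fix above and flags the cues a responder typically checks before writing such a fix: a timestamp later than the scan date, hidden/system attributes, and recently created files with random-looking names under C:\WINDOWS. The sample log reuses three entries from the fix plus one constructed benign control line; the scan date and the "random-looking name" pattern are assumptions.

```python
import re
from datetime import datetime
# OTL file entry, e.g. [2010/12/19 14:09:53 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Cfuqocelo.dat
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<op>[CM])\](?: \(\))? -- (?P<path>.+)$"
)
# Assumed heuristic for "random-looking": lowercase letters only, optional common extension.
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,14}(\.(dll|dat|bin|exe))?$")

def parse_entry(line):
    """Return a dict for one OTL entry line, or None if the line is not one."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y/%m/%d %H:%M:%S")
    return e

def triage(entry, scan_time):
    """Return the heuristic reasons this entry deserves a closer look."""
    reasons = []
    if entry["ts"] > scan_time:
        reasons.append("timestamp is in the future")
    if "H" in entry["attrs"] or "S" in entry["attrs"]:
        reasons.append("hidden/system attribute set")
    path = entry["path"].lower()
    name = path.rsplit("\\", 1)[-1]
    age_days = (scan_time - entry["ts"]).days
    if (path.startswith("c:\\windows\\") and entry["op"] == "C"
            and 0 <= age_days <= 14 and RANDOM_NAME_RE.match(name)):
        reasons.append("recently created, random-looking name under C:\\WINDOWS")
    return reasons

def triage_log(text, scan_time):
    """Map each suspicious path to its reasons; clean lines are dropped."""
    flagged = {}
    for line in text.splitlines():
        e = parse_entry(line)
        if e and (reasons := triage(e, scan_time)):
            flagged[e["path"]] = reasons
    return flagged

SCAN_TIME = datetime(2010, 12, 20)  # assumed scan date for the sample
SAMPLE = """\
[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\\WINDOWS\\System32\\liyovuza
[2010/12/13 16:37:03 | 000,000,120 | ---- | C] () -- C:\\WINDOWS\\Cfuqocelo.dat
[2010/01/29 02:40:07 | 000,000,001 | -HS- | C] () -- C:\\WINDOWS\\System32\\bidareyu.dll
[2010/11/02 09:00:00 | 001,033,728 | ---- | M] () -- C:\\WINDOWS\\explorer.exe
"""  # first three lines are quoted from the fix above; explorer.exe is a constructed benign control
```

Running `triage_log(SAMPLE, SCAN_TIME)` flags the three entries the fix above removes and leaves the control line alone; the name heuristic is deliberately crude and only produces leads for a human to confirm.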

Hello again, Essexboy,

I trust you enjoyed the Christmas and New Year’s holidays. It has been some time since your last post of instructions for me, but this is the first chance I’ve had to try to follow them. Meanwhile, my poor little laptop has been limping along…kind of working, but not really running very well.

I am partway through your instructions - I ran the OTL custom scan, and then the Quick Scan. I’ve attached two logs that resulted.

After running the custom scan, I tried to reboot as instructed. The computer slowly got partway through the shutdown process but then hung up on the “Saving your settings” screen so I finally held down the power button to turn it off manually. (I left the screen alone for a long time - maybe 30 minutes even - but finally gave up and turned it off.) Then when I tried to restart, it hung up again - the blank desktop came up but no icons. Again, I left it like that for a long while hoping it might finally proceed, but it didn’t. So I again used the power button to shut it down manually, waited for a little while, then restarted and the desktop came up normally but opened a Notepad document (the attachment 01032011…) and there were two icons (which I unfortunately did not write down and which disappeared when I saved the log file as a text document).

I then opened OTL again and ran the Quick Scan as instructed. That file is attached as OTL2 (because I already had an OTL file from a previous scan). Now I will proceed with the next steps in your instructions and download and run ComboFix.exe. We’ll see what that produces. I’ll post that log file in my next reply.

Sorry for making this post so long, but thought perhaps you might want all the details? Thanks again for your efforts in helping me try to get my computer back to normal.

OregonJen

Quick update: Tried to install ComboFix.exe but it’s acting strange. Tried to run it but it says I have a “corrupt download.” Will try again to download it. (By the way, Link 1 opened the d/l but also brought up another malware intro - something about bad registry files and use their cleaner. I backed out of it as quickly as I could but maybe that’s why the ComboFix isn’t working quite right??)

More news later…