Spyware, Viruses, & Security forum

General discussion

difficulty in removing "System Tool Virus" , how

by auto78900 / February 25, 2011 12:13 PM PST

Looks like this one is now in season. When I ran "Rkill", it said that it can not run because the file is being used by another process. Processes terminated by Rkill or while it was running:

So what is happening and what do I need to do so that "Rkill" can do its job ??

Also Here are the specs of the Virus.
1. -it disables task manager
2. - Puts a background picture "System Infected with Viruses 10001110100011100, etc."
3. - Slows down the pc
4. - disables running some programs
5. - Overwrites System Restore

Here is what I tried already-
1. AVG
2. Avira
3. Malwarebytes with the connection to the net turned off( intentionally )

and nothing worked.

How To
by BigVtheMan / February 25, 2011 10:23 PM PST

1. In system tool, click registration and enter this: WNDS-S0DF5-GS5E0-FG14S-2DF8G
2. Click OK, then OK again when prompted to "clean your PC right now"
3. Reboot when prompted
4. Run a FULL scan with Malwarebytes'
5. Reboot

This advice sounds shaky to me. Could
by roddy32 / February 26, 2011 12:57 AM PST
In reply to: How To

you please explain where you got it from? If I google it, there are other websites that say the same thing but most are not reputable websites.

Why register a rogue/fraudulent program you wish to remove?
by John.Wilkinson / February 26, 2011 6:55 AM PST
In reply to: How To

Moreover, why would you then wish to run a scan with a program that is designed to detect false positives? It seems like an unnecessary and counterproductive action when your ultimate goal is to remove the infection from your computer.

auto78900: Did you reboot your computer into Safe Mode before performing those removal attempts? You can follow the instructions found here to successfully remove System Tool. My only note is that I generally recommend downloading the latest tools/security software and then using Safe Mode (without networking) so that you do not connect to the internet while all of your security software is disabled, which can put yourself at further risk.

Hope this helps,

The scan is fake
by BigVtheMan / February 26, 2011 6:57 AM PST

the scan is fake and does nothing, activating it will just stop it from nagging you

by BigVtheMan / February 26, 2011 7:12 AM PST
In reply to: The scan is fake

I got it from YouTube user rogueamp.
He seems legit, as the system tool removal is one of his most popular videos.
It worked when my family was infected.

by BigVtheMan / February 26, 2011 7:13 AM PST
In reply to: info
by BigVtheMan / February 26, 2011 7:20 AM PST
In reply to: More

The bleeping computer guide that John posted will also work, but is more complicated and longer for the same effect. Either way will work to equal effectiveness

by BigVtheMan / February 26, 2011 10:24 AM PST
In reply to: ..

I understand the uncertainty you have though, and hope I am not acting demanding

I disagree...
by John.Wilkinson / February 27, 2011 1:35 AM PST
In reply to: ..

My recommendation is to remove the malicious application; yours is to essentially ignore it by quieting the alerts.

An analogy would be discovering you have rats in your attic, chewing the wood, insulation, et cetera. You could feed the rats, which would minimize the negative effects, but that doesn't actually resolve the problem; you would still have rats. The true solution would be to call an exterminator to eliminate the infestation.

The same applies here; you could feed the rats by entering a pirated product key (ironic, since you're stealing from thieves), but the rogue software would still be present, with absolutely no guarantees that harmful effects would not still be encountered. Any recommendation short of proper malware removal continues to place the user at risk, and is in no way to be considered equally effective.

In short, you can choose to take your approach with your own computers, but please do not make that recommendation to others here as it is considered potentially dangerous advice.


I understand
by BigVtheMan / February 28, 2011 5:51 AM PST
In reply to: I disagree...

You make a very good point though, after entering the key I did advise running Malwarebytes' Anti-Malware in my original post. Malwarebytes will remove any traces that the Rogue left, and will prevent it from returning. In fact, Malwarebytes is the same product recommended in the Bleeping Computer guide you linked to. Using Malwarebytes is the same in both methods, the only difference is how you disable the program blocker. In yours, you used rkill and safe mode, in mine, I used an activation code. I may have not made myself entirely clear that you should run a full scan with Malwarebytes to delete the rogue, and I am sorry for the confusion. I am trying to remove the rogue as well, not just silence it.

by BigVtheMan / February 26, 2011 9:31 PM PST
In reply to: The scan is fake

Also, after putting in the key, all the programs it blocks will be relinquished

by BigVtheMan / February 26, 2011 9:45 PM PST

Did you try the other versions of rKill?

Something To Try..
by Carol~ Moderator / February 27, 2011 8:40 AM PST


I'm going to copy a recent response to a post, where a member was having issues with RKill and Security Shield. Security Shield is from the same family as Security Tool.

"Did you try ALL versions of RKill? If not, go to the RKill Download Page and (continue to) try a different file name.

See RKill - What it does and What it Doesn't - A brief introduction to the program.

Scroll down to where you see "Depending on the malware that is installed on the computer, when you run RKill you may see a message from the malware stating that the program could not be run because it is a virus or is infected". See this screenshot. ⇐ The fact that it's for Security Tool (instead of Security Shield) shouldn't matter.

It's noted the warnings are fake alerts by the malware that has hijacked your computer trying to protect itself. Two methods you can try to get past this and allow RKill to run are:

• When you receive the warning message, leave the message on the screen and try running RKill again.
• If that doesn't work, keep launching RKill until it catches and stays up long enough to kill the malware.

Were you following all the steps in the below uninstall guide? To include step #2 which states:

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive."


Give the two above methods a try. If you continue to have problems with RKill, try exeHelper. It's based on the same premise:


Read the instructions (John provided) carefully. Especially about running Malwarebytes' Anti-Malware immediately after successfully running RKill.. And NOT rebooting in between.

Uninstall either AVG or Avira. Temporarily disable whichever you keep, prior to running the tools.

I noticed you posted at a few forums. Instead of picking and choosing which advice to follow, you might best be served by posting at a HijackThis forum. The helpers utilize tools, which will enable them to SEE what's going on.

In case you decide to take that route, you can find a list of forums on the left-hand side of this page.

Best of luck..

I realized you haven't responded to this
by BigVtheMan / March 8, 2011 5:33 AM PST

Any luck with either method??
