Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

System Tool Removal and Analysis

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg | del.icio.us

System Tool is a fake anti-malware program. Once installed on the system, it uses various scare tactics to make the user to part with his money. System Tool scareware hijacks the desktop wallpaper and displays its own with a huge warning text. It pops up frequent yellow system alerts with fake security warnings. This rogue software closes all the running programs and actively blocks execution of most applications including system administrative tasks like Task manager, command prompt regedit etc. Thus making it difficult to install or run legitimate anti-malware software to get rid of it.

Scareware like System Tool are commonly installed when users are redirected to fake online scanner pages or fake ‘video codec required’ pages distributed throughout the Web by cyber criminals using blackhat SEO techniques, Spam and Malicious flash advertisements.

p1100130 System Tool Removal and Analysis

System Tool Removal (How to remove System Tool)

MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) was able to remove this infection.

  1. Boot in to Windows Safe Mode with networking
  2. Download MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) or from a clean computer download and copy to a removable drive like CD, DVD or USB flash drive.
  3. Double-click mbam-setup.exe to start the installation. Proceed with installation following the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
  4. Once the update is completed, Launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
  5. Turn System Restore off and on.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as Sysinternals Antivirus. The real-time component of the paid version includes dynamic blocking of malicious websites, servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

System Tool Analysis

A rogue security software such as System Tool belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. They need to be removed immediately from your system.

The rogue trojan file was about 317952 bytes in size. It was detected by 37 /43 (86.0%) of the anti-virus engines available at VirusTotal.

This scareware is identified as:

  • Win-Trojan/Fakeav.317952.M
  • Trojan/Win32.FakeAV
  • Win32:FakeAlert-AAZ
  • Trojan.Win32.FakeAV.asbq
  • W32/FakeAlert.KW.gen!Eldorado
  • Rogue:Win32/Winwebsec
  • Win32/Adware.SystemSecurity.AD
  • Trojan.Waledac.Gen!Pac.11

Typical System Tool Scare Messages

Warning! Your’re in danger! Your computer is infected with spyware!

All you do with computer is stored forever in your hard disk. When you sites, send emails… All your actions are logged. And it is impossible to remove them with standard tools. Your data is still available for forensics. and in some cases
For your boss, your friends, your wife, your children.

every site you or somebody or even something, like spyware, opened in your browsers,
with all the images, and all the downloaded and maybe later removed movies or mp3 songs – are still there and could break your life!

Secure yourself right now! Remove all spyware from your pc!

Warning: Your computer is infected! Windows has detected spyware infection! Click this message to install the last update of Windows security software…

System Tool Warning
Intercepting programs that may compromise your private and harm your system have been detected on your PC.
Click here to remove them immediately with System Tool.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

System Tool Associated Files and Folders

  • C:Documents and SettingsAll UsersApplication DatafHbFgGm21700fHbFgGm21700
  • C:Documents and SettingsAll UsersApplication DatafHbFgGm21700fHbFgGm21700.exe

File names are randomly generated.

System Tool Associated Registry Values and Keys

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOncefHbFgGm21700=C:Documents and SettingsAll UsersApplication DatafHbFgGm21700fHbFgGm21700.exe

Manually editing the registry is NOT recommended.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

System Tool Scareware — Screenshots

Note: The System Tool installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

You may also like to read



{ 0 comments… add one now }

Leave a Comment

Previous post:

Next post: