System Protection Tools Removal Tool & Removal Guide

System Protection Tools Removal

How to remove System Protection Tools

How to get rid of System Protection Tools

What is System Protection Tools:

Threat Classification: Rogueware

System Protection Tools is a malicious rogueware from the Rogue.FakeVimes family that pretends to be a legitimate anti-malware scanner. It produces fake messages claiming that your system has been infected, and if you try to remove these "infections", System Protection Tools asks you to buy the full version. The rogueware injects itself into the system, changes permission policies and modifies the registry. System Protection Tools is usually installed by users themselves, not knowing that it is an actual virus, because the threat masks itself as a legitimate program. Its distribution varies, but includes downloading fake Windows updates, installing software “supposedly” required to view an online video, clicking on ads or banners, downloading e-mail attachments, and receiving files through a social media website or software.

Once installed, System Protection Tools will take over your system and present fake messages explaining that your personal information is at risk or that your computer is severely infected by malware. System Protection Tools will try to kill any software you try to run on your computer; these actions are its own protection mechanism against legitimate anti-malware programs. When this infection terminates a program it will display a message similar to the following:

“System Alert

System Protection Tools has detected pontentially harmful software in your system. It is strongly recommended that you register System Protection Tools to remove all found threats immediately.”

System Protection Tools will also display fake security alerts and warnings like the following or similar:

“System Alert

malicious applications, which may contain Trojans, were found on your computer and are to be removed immediately. Click here to remove these potentially harmful items using System Protection Tools.”

“Warning! Virus detected

Threat Detected: Trojan-Spy.HTML.Bankfraud.IX”

Please note that these pop-up notifications are bogus and are used with the sole purpose of making you believe that your PC is at risk, fooling you into purchasing System Protection Tools. This generates income for the creators of this infection. Purchasing System Protection Tools will expose your personal information to third parties, and you may also become a victim of credit card or identity fraud.

This is a high-level, high-risk threat that should not be left unattended. Remove it immediately, as it is a serious threat to your online identity and security.

!!! Please note that these infections could potentially bring other malware onto your computer and even cause a loss of data. Please do not underestimate such threats.

Removal Process:

There are two ways to remove this infection. It is totally up to you to decide which way you want to go:

1. Automatic Removal Method (recommended for regular or novice users), by using a Professional Malware Removal Software.

2. Manual Removal (recommended for PC Experts or Enthusiasts).

Automatic System Protection Tools Removal:

We recommend using SpyHunter Malware Security Suite.

You can download and install SpyHunter to detect System Protection Tools and remove it by clicking the button below. Once installed, SpyHunter will automatically scan and detect all threats present on your system, but in order to use it as a removal tool you need to purchase a subscription.

Learn more about SpyHunter (EULA). You can find install instructions here: (LINK). SpyHunter's free diagnosis offers free scans and detection. You can remove the detected files, processes and registry entries manually, by yourself, or purchase the full version to perform an automatic removal and also receive free professional help for any malware-related queries from their technical support department.

Manual System Protection Tools Removal:

!!! Please note: You can remove System Protection Tools manually. However, you should proceed at your own risk, as any of these interventions might render your system inoperable. Therefore this manual removal method is recommended only for PC Experts or Enthusiasts. For regular users, MalwareKillers.com recommends using SpyHunter or any other reputable security application.

1. Remove System Protection Tools by restoring your system to a previous state.

1. Reboot your computer into Safe Mode with Command Prompt. To do this, turn your computer off and then back on, and as soon as you see anything on the screen, start tapping the F8 key on your keyboard.

***For Windows 8:

If you are using Windows 8, you need to hold the Shift key and tap the F8 key repeatedly; this should boot you into the new advanced “recovery mode”, where the advanced repair options are offered. On the next screen, click on the Troubleshoot option, then select Advanced Options and select Windows Startup Settings. Click on the Restart button, and you should now see the Advanced Boot Options screen.

2. Using the arrow keys on your keyboard, select the option “Safe Mode with Command Prompt” and press Enter on your keyboard.

3. When the command prompt loads up, type:

Windows XP: C:\windows\system32\restore\rstrui.exe and press Enter

Windows Vista/7/8: C:\windows\system32\rstrui.exe and press Enter

4. System Restore should initialize and display a list of restore points. Use a restore point created just before the date and time the Your-computer-has-been-locked virus infected your computer.

When System Restore has completed its task, start your computer in Windows normal mode. You will then need to perform a scan with anti-spyware software, as the infection might still be on the system.

2. Remove System Protection Tools under Safe Mode or Offline using a Rescue Disc:

1. Reboot your computer by using the information above but select Safe Mode with networking. Alternatively, you can boot the computer from a Rescue CD that you need to prepare before the removal process.

2. *If you are in Safe Mode or Normal Mode, check for the following process in memory and kill it:

"%CommonAppData%\79b35\TAa76.exe" /s /d

3. Open Registry Editor (If using Rescue CD -> load the registry hive.)

4. Check the following registry keys for any entries related to the infection and remove them, if any found:

Shell:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

*Default entry must be: Explorer.exe

UserInit:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

*Default entry must be: C:\WINDOWS\system32\userinit.exe,

Notify:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

AppInit_DLLs:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

*Default entry must be:

Windows XP: rundll32 shell32,Control_RunDLL “sysdm.cpl”

Windows Vista/7/8: SystemPropertiesPerformance.exe /pagefile

Run:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

SharedTaskScheduler:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

*Please be extremely careful when modifying the default entries of Shell, UserInit and AppInit, as you can break your system.

5. Check and remove/modify the following entries/values:

HKEY_CURRENT_USER\Software\3

HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}

HKEY_CLASSES_ROOT\SPT.DocHostUIHandler

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes “URL” = “http://findgala.com/?&uid=7&q={searchTerms}”

HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes “URL” = “http://findgala.com/?&uid=7&q={searchTerms}”

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer “IIL” = 0

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer “ltHI” = 0

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer “ltTST”

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer “PRS” = “http://127.0.0.1:27777/?inj=%ORIGINAL%”

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “RunInvalidSignatures” = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer “DisallowRun” = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “0” = “msseces.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “1” = “MSASCui.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “2” = “ekrn.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “3” = “egui.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “4” = “avgnt.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “5” = “avcenter.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “6” = “avscan.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “7” = “avgfrw.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “8” = “avgui.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “9” = “avgtray.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “10” = “avgscanx.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “11” = “avgcfgex.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “12” = “avgemc.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “13” = “avgchsvx.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “14” = “avgcmgr.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun “15” = “avgwdsvc.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “System Protection Tools”

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “CheckExeSignatures” = “no”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\b.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fih32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvc95.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qconsole.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upgrad.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe
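The registry checks in steps 4 and 5 can be run against an exported copy of the hives rather than by eye. The script below is an added example and is not part of the original guide or of any removal tool: it parses a `.reg` text export (from `reg export`, or from a hive loaded off a Rescue CD; the sample export at the bottom is constructed) and reports Winlogon Shell/Userinit values that differ from the defaults given above, an active DisallowRun policy together with the programs it blocks, Image File Execution Options subkeys that carry a Debugger value (the guide lists only the subkey names; checking for a Debugger value is this example's assumption), Run entries named after the rogue or pointing into its 79b35 folder, and Internet Explorer signature checks that have been switched off.

```python
# Added example (not from the original guide): audit a .reg export for the
# Winlogon, policy, IFEO, Run and Internet Explorer changes listed in steps 4-5.
# It reads an exported .reg text (e.g. from `reg export` or a hive loaded off a
# Rescue CD), not the live registry, so it runs offline; the sample is constructed.

WINLOGON = r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
IE_DOWNLOAD = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download"
EXPECTED = {"Shell": "explorer.exe",                           # defaults quoted by the guide,
            "Userinit": r"c:\windows\system32\userinit.exe,"}  # compared case-insensitively


def parse_reg(text):
    r"""Parse .reg text into {key_path: {value_name: data}}; quoted strings
    (with \\ and \" escapes) become str, dword: values int, others raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "@" if name == "@" else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def audit(keys):
    """Return human-readable findings; [] means every checked location is at its default."""
    findings = []
    by_lower = {k.lower(): v for k, v in keys.items()}  # registry paths are case-insensitive

    # Step 4: Winlogon Shell (HKLM and HKCU) and Userinit (HKLM) must be the Windows defaults.
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        vals = by_lower.get((hive + WINLOGON).lower(), {})
        for value, default in EXPECTED.items():
            if value == "Userinit" and hive != "HKEY_LOCAL_MACHINE":
                continue
            data = vals.get(value)
            if data is not None and str(data).lower() != default:
                findings.append(f"{hive} Winlogon {value} is {data!r}, expected {default!r}")

    # Step 5: DisallowRun policy used to block security tools.
    if by_lower.get(POLICIES.lower(), {}).get("DisallowRun") == 1:
        blocked = by_lower.get((POLICIES + r"\DisallowRun").lower(), {})
        findings.append("DisallowRun policy is on; blocked programs: "
                        + ", ".join(sorted(str(v) for v in blocked.values())))

    for key, vals in keys.items():
        low = key.lower()
        # Step 5: IFEO subkeys.  The guide lists only the subkey names; this check
        # assumes a 'Debugger' value is what redirects the named program.
        if low.startswith(IFEO.lower() + "\\") and "Debugger" in vals:
            leaf = key.rsplit("\\", 1)[-1]
            findings.append(f"IFEO entry for {leaf} -> {vals['Debugger']!r}")
        # Step 5: Run entries named after the rogue or pointing into its 79b35 folder.
        if low.endswith(r"\currentversion\run"):
            for name, data in vals.items():
                if "system protection tools" in name.lower() or "79b35" in str(data).lower():
                    findings.append(f"Run entry {name!r} -> {data!r}")

    # Step 5: Internet Explorer download signature checks switched off.
    dl = by_lower.get(IE_DOWNLOAD.lower(), {})
    if str(dl.get("CheckExeSignatures", "yes")).lower() == "no" or dl.get("RunInvalidSignatures") == 1:
        findings.append("Internet Explorer executable signature checks are disabled")
    return findings


# Constructed sample export: Userinit untouched, everything else changed as the guide describes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\ProgramData\\79b35\\TAa76.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System Protection Tools"="\"C:\\ProgramData\\79b35\\TAa76.exe\" /s /d"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"0"="msseces.exe"
"1"="MSASCui.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe]
"Debugger"="C:\\ProgramData\\79b35\\TAa76.exe"
'''

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print("FINDING:", finding)
```

Run it against a real export by reading the file with `open(path, encoding="utf-16")` (the encoding `reg export` writes) and passing the text to `parse_reg`; the script only reports, it never writes to the registry, so the actual clean-up remains the manual step above.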

6. Restoring Hosts File:

This infection changes your Windows HOSTS file. System Protection Tools also changes the permissions of the HOSTS file in order to protect itself, so that the user cannot edit or delete it. To fix the HOSTS file permissions, please download the following batch file (credits go to BleepingComputer.com):

http://download.bleepingcomputer.com/bats/hosts-perm.bat

Once downloaded, double-click on the .bat file and allow any pop-up confirmations. You will just see a small black window that flashes quickly and then disappears; this is normal. You should now be able to edit your HOSTS file.

Please use the Microsoft tool in order to reset your HOSTS file to its default setting.

http://support.microsoft.com/kb/972034
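Before resetting, it is worth seeing what the infection actually wrote into the file. The script below is an added example, not part of the original guide or of the Microsoft tool linked above: it lists every active HOSTS entry that is not a default localhost mapping, which is exactly what a reset would remove (the sample HOSTS content is constructed).

```python
# Added example (not from the original guide): report HOSTS-file entries that
# are not the Windows defaults.  It only reads and reports; resetting the file
# is left to the Microsoft tool linked above.  The sample content is constructed.

# The only mappings a default Windows HOSTS file needs.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def hosts_entries(text):
    """Return (address, hostname) pairs from HOSTS text, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:                    # blank, comment-only, or malformed line
            continue
        entries.extend((fields[0], host.lower()) for host in fields[1:])
    return entries


def non_default_entries(text):
    """Entries that a reset to the default HOSTS file would remove."""
    return [entry for entry in hosts_entries(text) if entry not in DEFAULT_ENTRIES]


# Constructed sample: the two defaults plus two lines of the kind a hijacked HOSTS file carries.
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-security-vendor.invalid   # constructed: blocks a vendor site
192.0.2.10      www.example-bank.invalid                 # constructed: redirects a site elsewhere
"""

if __name__ == "__main__":
    for address, host in non_default_entries(SAMPLE_HOSTS):
        print(f"non-default: {host} -> {address}")
```

On a live system read the file from `%WINDIR%\System32\drivers\etc\hosts` and pass its text to `non_default_entries`; anything it reports that you did not add yourself is what the infection changed.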

7. Delete any files or folders related to System Protection Tools by checking the following locations:

Look for the following files or similar:

%AppData%\Microsoft\Internet Explorer\Quick Launch\System Protection Tools.lnk

%AppData%\System Protection Tools\cookies.sqlite

%AppData%\System Protection Tools\Instructions.ini

%AppData%\System Protection Tools\ScanDisk_.exe

%CommonAppData%\79b35\46.mof, SPT.ico, SPa76.exe, mozcrt19.dll, sqlite3.dll

%CommonAppData%\79b35\BackUp\Adobe Reader Speed Launch.lnk, Adobe Reader Synchronizer.lnk

%CommonAppData%\79b35\Quarantine Items\

%CommonAppData%\79b35\SPEOGYGUOT\

%CommonAppData%\79b35\SPEOGYGUOT\SPOUGJT.cfg

%CommonAppData%\79b35\TAMPSys\

%UserProfile%\Desktop\System Protection Tools.lnk

%UserProfile%\Recent\ANTIGEN.exe, cid.exe, ddv.tmp, eb.drv

%UserProfile%\Recent\eb.exe, exec.sys, fan.tmp, fix.sys, hymt.drv, hymt.sys, kernel32.drv, kernel32.exe, kernel32.tmp, PE.tmp, runddlkey.exe, SICKBOY.exe, SICKBOY.tmp, tempdoc.exe

%StartMenu%\System Protection Tools.lnk

%StartMenu%\Programs\System Protection Tools.lnk

%ALLUSERSPROFILE%

%APPDATA%

%USERPROFILE%

%PROGRAMFILES%

%PROGRAMFILES(x86)%

%COMMONPROGRAMFILES%

%COMMONPROGRAMFILES(x86)%

%WINDIR%
