"System Check" Malware



#1 Romana

Posted 07 January 2012 - 09:05 AM

Okay, so, my mother's computer has come down with that _horrible_ "System Check" virus. I looked up your tutorial on how to remove it right away 'cos you guys have been able to help me with similar malware (that stupid name-changing antivirus thing--and for me, your instructions seem to have worked perfectly) in the past, but this time I can't even get past the very first step!

I tried rebooting in Safe Mode with Networking like you said...and I get a completely black screen. ALL the icons are hidden and clicking on Start reveals nothing but a (fakely) empty program list and "Turn Off Computer". And even THAT doesn't work--I have to turn it off from the button on the tower.

When I booted into "Safe Mode", I got all these messages scrolling down the screen. I suspect these were similar to the "OMG ALL YOUR SYSTEM FILES ARE CORRUPTED AND YOUR HARD DRIVE IS ABOUT TO EXPLODE!" messages from the System Check malware, only in plain white text on black background, because that program booted _right_ up in "safe mode"...and absolutely nothing else.

Forget not being able to get onto the Internet and download RSS or TDSSkill or MBAM. I can't do ANYTHING! There is nothing. To click on. _Nada_. I can't even try to start getting a hold on step 1 because there are _no icons at all_. Even in Safe Mode.

My mother's computer is an older one, with Windows XP, with the firewall on, but I have no idea what kind of security software she may have. I think very little, if any. (Well, obviously it couldn't block _this_...) She was looking up to buy something earlier yesterday at a smaller, independent commercial site, which may be where she got the virus.
She also got the name-changing fake antivirus malware program two times before, and I tried to follow your guide to get rid of _that_, but both times along the way--although, strangely enough, I WAS allowed to both update and run MBAM--at least one of the earlier steps did not work at all the way it's shown to work, according to your guide. Which makes me think they were never actually gone. Just thought I'd mention that in case you thought it was relevant.

I know you guys want to see Hijack This! logs and such but...she doesn't have that program and obviously I can't run or download that on her computer _now_, what with a totally blank screen where even "My Computer" isn't showing up and the "Run" function won't come up under "Start". It isn't just hiding the antivirus or Firefox icons. It is hiding EVERYTHING. Even her frickin' wallpaper!

HELP! :(

...Notorious

Edited by Queen-Evie, 07 January 2012 - 09:15 AM.
moved from Windows XP Home and Professional to AII


#2 narenxp

Posted 07 January 2012 - 10:12 AM

Looks like your desktop is blank. You still have your taskbar. Can you launch Task Manager? Is that disabled?

Press Windows+R key and type

cmd and click OK

If your Task Manager is disabled, copy and run this command

Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr

Press ENTER

If your desktop is blank and you are unable to right-click on it, run this command

Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop


Restart your PC in Safe Mode with Networking

Copy Malwarebytes using a flash drive to the infected PC (ignore virus pop-ups)

I guess your OS is XP

Right-click on the installer - Select Run as

Uncheck Protect my computer and data against... option

You should be able to launch the Malwarebytes installer

Good luck

Edited by narenxp, 07 January 2012 - 10:13 AM.
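
An added example, not part of narenxp's post: a batch file that checks whether each of the two policy values named above is actually present before deleting it, so a missing value is reported instead of producing a "no such key" error. Looking under HKEY_LOCAL_MACHINE as well as HKEY_CURRENT_USER is an assumption that goes beyond the post, and the file name and the :check label are hypothetical.

```batch
@echo off
rem check-policies.bat (hypothetical name) - added example, not from the thread.
rem Looks for the two policy values discussed above in both the per-user and
rem the machine-wide hive, and deletes only the ones that really exist.
rem The HKLM locations are an assumption; the post only names HKEY_CURRENT_USER.

set BASE=Software\Microsoft\Windows\CurrentVersion\Policies

for %%H in (HKCU HKLM) do (
    call :check "%%H\%BASE%\System" DisableTaskMgr
    call :check "%%H\%BASE%\Explorer" NoDesktop
)
goto :eof

:check
rem %1 = quoted registry key, %2 = value name under that key
reg query %1 /v %2 >nul 2>&1
if errorlevel 1 (
    rem reg query returns a non-zero exit code when the key or value is missing
    echo [absent]  %~1 : %2
    goto :eof
)
echo [present] %~1 : %2
rem Show the current data before removing it, for the record
reg query %1 /v %2
rem /f suppresses the Y/N confirmation, so no "Echo y |" pipe is needed
reg delete %1 /v %2 /f
if errorlevel 1 echo [failed]  could not delete %2 under %~1
goto :eof
```

Run it from the same cmd window opened with Windows+R; deleting values under HKLM requires an administrator account.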


#3 Romana

Posted 07 January 2012 - 08:27 PM

The computer is running XP. I have also been getting this long string of error windows about system files failing with the words "Delayed Write Fault" at the top whenever I turn the computer on, and am not sure if this is part of the virus's phony warnings or not. It probably is, but I thought I'd mention it, in case that's a sign that something is _actually_ corrupted.

Whether I have access to the Task Manager or not is...confusing. One time I tried it and got "Task Manager has been disabled by your administrator" which would seem to be fixable by the exact command you just gave me. This time, however, when I tried it, I got that string of "Delayed Write Fault" messages cascading down the screen instead.
Actually, the time I got the "disabled by the administrator" message might've been the time I booted into "safe mode with networking" to find out that it wasn't safe. Maybe that's what's changing the error response--safe mode vs. not.

I typed in your command exactly as it is written, although it didn't recognise "v" and I wasn't sure in a couple of places whether I should have a space or not (I blame that on the font, though) and both times I got a message saying "Do you want to permanently delete" (name of registry key) Y\N? And just as I was about to go "YES! SOMETHING'S WORKING!" and type Y...the command screen then said "Error: No such registry key detected" before I could click yes to delete it.

I can't delete the registry key because _the computer thinks it's not there_...yet the task manager is definitely not working and the desktop is definitely blank.

Thank you for your help so far but ARGH...(bangs head against desk)

...Notorious

#4 narenxp

Posted 07 January 2012 - 11:23 PM

I have also been getting this long string of error windows about system files failing with the words "Delayed Write Fault" at the top whenever I turn the computer on, and am not sure if this is part of the virus's phony warnings or not.//


It's due to the virus


Copy Malwarebytes using a flash drive to the infected PC. Save it to the C drive. You cannot save it on the desktop (ignore virus pop-ups)

I guess your OS is XP

Right-click on the installer - Select Run as

Uncheck Protect my computer and data against unauthorized activity... option

You should be able to launch the Malwarebytes installer, update and run a scan

Good luck

Edited by narenxp, 07 January 2012 - 11:23 PM.


#5 Romana

Posted 08 January 2012 - 10:44 PM

So...the reason I kept trying to boot into SafeMode first was I was trying to do things in the order of the help tutorial you have here at the site--where you have to do lots of things _before_ you can even try to run MalWareBytes. I was kinda surprised you were telling me to do that first--I thought you had to run Rkill and such first, before you'd even have a chance at running MBAM.

And then I was wondering how the heck I was supposed to get _into_ any of my drive letters in order to get MBAM onto my computer at all, let alone then install or run it. Considering that the "My Computer" icon was MISSING--how was I supposed to get in there and do anything? But if you say so...So I tried it anyway.
But then, I realised that using Windows + R (a keyboard shortcut I really should've known earlier), I could use the "Browse" button to get into _any folder_! HAHAHA, GOTCHA, SUCKAS! From there I got into the D drive and installed, updated, and ran the copy of MBAM I already had saved to a disc from a clean computer earlier, it came up with 14 things (which is, unnervingly, the _exact same amount_ of problems the FAKE virus warning program kept coming up with), double-clicked on My Computer, now that it was visible, did the steps to show hidden files, went onto Firefox, got UnHide, ran that, put the theme back to standard Windows XP and then put my mom's wallpaper back up.

And then I ran the Kaspersky Labs' TDSS killer and DID find a nasty little rootkit, and then I ran MBAM _again_ just to make sure. Because these viruses need to be killed. With FIRE.

Oh, wait, did I say the _viruses_? I meant the people who make them.

Anyway, thank you VERY MUCH for your help, and yes, I am running XP. I _do_ know enough to say THAT much when asking for technical help...

...Notorious

#6 narenxp

Posted 09 January 2012 - 03:07 AM

You're welcome :thumbsup:



