
System Check Virus, cannot run TDSSKiller


12 replies to this topic

#1 Gideonvd

Gideonvd

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:45 PM

Posted 17 February 2012 - 06:09 AM

Hello,

For a few days now, my computer has been affected by the System Check virus. I've read the uninstall guide, and I've come to the point where I have to run TDSSKiller.
I've already tried giving it different names, but this doesn't work. I've also tried running SUPER Anti Spyware, as suggested in another topic, but this hasn't produced results either.
I also think I have Malwarebytes Anti-Malware installed on my computer somewhere, but I can't find it since the file is hidden (I think). How can I solve my problem?

Edited by Gideonvd, 17 February 2012 - 06:10 AM.




#2 Celena

Celena

  • Banned Spammer
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 17 February 2012 - 07:24 AM

The System Check virus that got in might cause a big problem on your PC, so try to get rid of it by downloading a good antivirus program like Comodo, Avast, etc. and running a full PC scan. You said that you are not sure whether you have Malwarebytes Anti-Malware installed on your PC; you can check in your Control Panel whether it's present. If it's there, you can do a scan with it, or else uninstall it.

#3 balon

balon

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:I like turtles
  • Local time:03:45 PM

Posted 17 February 2012 - 08:02 AM

Hi There!
Welcome - I will assist you but a moderator/malware response team may take over this thread.

 
DO NOT DELETE ANYTHING IN YOUR TEMP FOLDER AT THIS TIME UNLESS IT IS CAUGHT BY ONE OF THESE TOOLS. DOING SO CAN CAUSE MAJOR ISSUES WITH YOUR COMPUTER WHERE ALL YOUR FILES ARE

Step 1 (Required)

Let's get started.
First, let's start with Rkill.
Download it there and let it run; it may take a while to end all of the malware processes on your computer.

 

Step 2 (Required)

Download: Malwarebytes' Anti-Malware (MBAM) to your desktop.

Set up the program, and then make sure you update the virus definitions.
Download and install the latest version and of course any updates, then click on Perform Full Scan, then click on Scan.

Once the scan is complete hit "OK" then Show Results

Make sure you select all the found viruses and hit Remove Selected.

RESTART NOW!

Post the log here.

 

Step 3 (Required)

Next..

Download: TDSSkiller

Launch it.

Click on Scan. Please post the LOG report (log will be located in C:\)

You can cure all issues; but do NOT delete ANY of them without being advised to do so...

RESTART NOW!

 

Step 4 (Required/Advised)


Download aswMBR

Launch it, allow it to download latest Avast virus definitions

Click the Scan button to start the scan.
After scan finishes click on Save log

Do not fix any issues unless advised to do so...

RESTART NOW!

 

Step 5 (Required)

Now you are going to want to restart your computer at this point.

When you restart download and run

Unhide

Run this to show all of your hidden files. Including showing your start menu items....

If this does not work, refer to the step below...

RESTART NOW!

 

Step 6 (IF Step 5 DOES NOT, Show all your start files/folders again...)

For this step, you are going to choose one of the following programs depending on your OS;

Windows 2000 US English
Windows XP Pro x32 (May work with other versions of Windows XP)
Windows Vista x32
Windows Vista x64
Windows 7 x32
Windows 7 x64

After you run this program, the start menu and files should be visible and where they are designated to be.. If they are then of course you can once again proceed to deleting your TEMP folder, as that is where your files should be currently hidden at...

RESTART NOW!

 

Please separate your logs by using [h-r] the bbcode for a line; remove the - so it just says hr. OR Post these all in different posts.

**I will be waiting on your response back; if you have any questions, please ask before you perform an action. Also, if you wish for antivirus or system security advice, when everything is back to normal and working, ask me here and I can provide some information.

Edited by Balon, 17 February 2012 - 06:25 PM.


#4 Gideonvd

Gideonvd
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:45 PM

Posted 17 February 2012 - 10:13 AM

I ran Rkill, and tried to download the Anti-Malware programme, but when I tried to save the installation to my desktop, Internet Explorer shut down. I also have another install for Anti-Malware on my desktop, but when I tried to install this, it quits somewhere halfway through and says: "Access Denied". I already have the programme itself on my computer, so is there no way I can run it another way?

#5 balon

balon

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:I like turtles
  • Local time:03:45 PM

Posted 17 February 2012 - 10:37 AM

Ok, try to download everything I provided on an UNINFECTED computer, then transfer it over via USB.

#6 Gideonvd

Gideonvd
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:45 PM

Posted 17 February 2012 - 01:01 PM

I downloaded these all on a USB, then copied them to the infected computer. It would still not execute the installation of Anti-Malware, nor did it execute the TDSSkiller.

#7 balon

balon

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:I like turtles
  • Local time:03:45 PM

Posted 17 February 2012 - 06:24 PM

Ok, not a problem bud, try starting up in safe mode with networking, then try to perform steps 1 until the first 'RESTART NOW' (End of step 2)

Edited by Balon, 17 February 2012 - 06:25 PM.


#8 Gideonvd

Gideonvd
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:45 PM

Posted 18 February 2012 - 04:27 AM

Ok, so I started up my computer in safe mode with networking and then performed Rkill that was already on my computer. I noticed in the log it actually did not terminate any malware. I then downloaded Rkill again through the link, and ran that one. In that log it also said it removed no malware.

#9 Gideonvd

Gideonvd
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:45 PM

Posted 18 February 2012 - 08:24 AM

Ok so I managed to download Anti-Malware again and removed some things.
Here's the log (it's in Dutch though, forgot to install the programme in English)

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Databaseversie: v2012.02.18.03

Windows Vista Service Pack 1 x86 NTFS (Veilige modus/netwerkmogelijkheden)
Internet Explorer 7.0.6001.18000
Gebruiker :: PC_VAN_GEBRUIKE [standaardgebruiker]

18-2-2012 13:49:36
mbam-log-2012-02-18 (13-49-36).txt

Scantype: Snelle scan
Ingeschakelde scanopties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM
Uitgeschakelde scanopties: P2P
Objecten gescand: 211694
Verstreken tijd: 9 minuut/minuten, 47 seconde(n)

Geheugenprocessen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Geheugenmodulen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Registersleutels gedetecteerd: 1
HKLM\SYSTEM\CurrentControlSet\Services\zproty (Trojan.Dropper) -> Succesvol in quarantaine geplaatst en verwijderd.

Registerwaarden gedetecteerd: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{D933111A-CC90-71F8-3C20-A56FE0F2DC18} (Trojan.ZbotR.Gen) -> Data: C:\Users\Gebruiker\AppData\Roaming\Woixab\fizelih.exe -> Succesvol in quarantaine geplaatst en verwijderd.

Registerdata gedetecteerd: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Slecht: (0) Goed: (1) -> Succesvol in quarantaine geplaatst en gerepareerd.

Mappen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Bestanden gedetecteerd: 1
C:\Windows\System32\zproty.exe (Trojan.Dropper) -> Succesvol in quarantaine geplaatst en verwijderd.

(einde)

#10 balon

balon

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:I like turtles
  • Local time:03:45 PM

Posted 18 February 2012 - 01:11 PM

Translated***

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database Version: v2012.02.18.03

Windows Vista x86 Service Pack 1 NTFS (safe mode / networking)
Internet Explorer 7.0.6001.18000
User :: PC_VAN_GEBRUIKE [Standard User]

18-2-2012 13:49:36
mbam-log-2012-02-18 (13-49-36).txt

Scan type: Quick Scan
Enabled scanning options: Memory | Startup Items | Register | Files and Folders | Heuristics / Tools | Heuristics / Shuriken | PUP | PUM
Disabled scanning options: P2P
Objects scanned: 211694
Elapsed time: 9 minutes / minutes, 47 second (s)

Memory Processes detected: 0
(No malicious items detected)

Memory Modules detected: 0
(No malicious items detected)

Registry keys detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\zproty (Trojan.Dropper) -> Successfully quarantined and removed.

Registry Values detected: 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{D933111A-CC90-71F8-3C20-A56FE0F2DC18} (Trojan.ZbotR.Gen) -> Data: C:\Users\User\AppData\Roaming\Woixab\fizelih.exe -> successfully quarantined and removed.

Registry Data detected: 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Successfully quarantined and repaired.

Files detected: 0
(No malicious items detected)

Files detected: 1
C:\Windows\System32\zproty.exe (Trojan.Dropper) -> Successfully quarantined and removed.

Edited by Balon, 18 February 2012 - 01:22 PM.
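
An added example, not part of any post in this thread and not Malwarebytes' own code: a small parser that pulls the detection lines out of a log like the one posted above and labels each by where it sits (service key, Run-key autostart, other registry setting, file), so the persistence entries and the executable they point to stand out. It assumes only the line shape visible in the posted log, `object (Threat.Name) -> [detail ->] action`; the function and field names are hypothetical.

```python
import re

# Constructed sample: the four detection lines from the log posted in this
# thread, plus two non-detection lines that the parser has to skip.
SAMPLE_LOG = r"""
mbam-log-2012-02-18 (13-49-36).txt
(Geen kwaadaardige objecten gedetecteerd)
HKLM\SYSTEM\CurrentControlSet\Services\zproty (Trojan.Dropper) -> Succesvol in quarantaine geplaatst en verwijderd.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{D933111A-CC90-71F8-3C20-A56FE0F2DC18} (Trojan.ZbotR.Gen) -> Data: C:\Users\Gebruiker\AppData\Roaming\Woixab\fizelih.exe -> Succesvol in quarantaine geplaatst en verwijderd.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Slecht: (0) Goed: (1) -> Succesvol in quarantaine geplaatst en gerepareerd.
C:\Windows\System32\zproty.exe (Trojan.Dropper) -> Succesvol in quarantaine geplaatst en verwijderd.
"""

# Match on structure, not on words, so the log's UI language does not matter.
DETECTION = re.compile(r"^(?P<obj>.+?) \((?P<threat>[\w.\-]+)\) -> (?P<rest>.+)$")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?(\||\\|$)", re.I)
SERVICE_KEY = re.compile(r"\\CurrentControlSet\\Services\\", re.I)


def classify(obj):
    """Label a detected object by the kind of location it occupies."""
    if obj.upper().startswith(("HKLM\\", "HKCU\\", "HKEY_")):
        if SERVICE_KEY.search(obj):
            return "service"
        if RUN_KEY.search(obj):
            return "run-key autostart"
        return "registry setting"
    return "file"


def parse_detections(text):
    """Return one dict per detection line; headers and empty sections are skipped."""
    findings = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if not m:
            continue
        *details, action = m.group("rest").split(" -> ")
        # Registry values carry the launched executable as "Data: <path>".
        payload = next((d[6:] for d in details if d.startswith("Data: ")), None)
        findings.append({"object": m.group("obj"), "threat": m.group("threat"),
                         "kind": classify(m.group("obj")), "payload": payload,
                         "action": action})
    return findings


if __name__ == "__main__":
    for f in parse_detections(SAMPLE_LOG):
        print(f["kind"], f["threat"], f["payload"] or f["object"], sep=" | ")
```
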


#11 balon

balon

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:I like turtles
  • Local time:03:45 PM

Posted 18 February 2012 - 01:17 PM

Ok; let's try and restore some permissions with your system; can you open up any .exe's or task manager?

 


Step 7 (Restoring Use of your .exes)

FixNCR

I have used this before for whenever I had issues opening .exe's and task manager.

Please tell me how this worked; If you cannot use it on your main side, go back into safe-mode with networking to repair this...

From there, then perform Step 3

 
If this works; post a log.. Thank you.

Edited by Balon, 18 February 2012 - 01:17 PM.


#12 balon

balon

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:I like turtles
  • Local time:03:45 PM

Posted 22 February 2012 - 01:04 PM

Are you still there? I will be unwatching this topic in 3 more days..

#13 balon

balon

  • Members
  • 432 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:I like turtles
  • Local time:03:45 PM

Posted 28 February 2012 - 02:57 PM

Unwatching this topic, if you need further assistance PM me.



