TechSpot

[A] Dang System Check malware from Justin Bieber!

By trukrebew
Mar 27, 2012
  1. My work PC has been infected with the System Check malware. Our company IT guy tried to help, but I'm afraid that some of the steps he took may have made it worse.

    It started when a TrendMicro warning detected 14 malicious URLs in a site I was visiting. <<Full disclosure, I was researching Justin Bieber fan club sites on the same day his latest single came out... I suppose that made me a duck in a barrel.>> IE closed by itself and I ignored it. After about 5 or 10 minutes, all of my open programs shut down and a "Run System Check" screen popped up saying that my HD was failing with things like "rotation speed down 20%." Also, multiple warning messages that "Windows detected a hard disk problem" appeared across the screen with the option to scan, fix, or delay.

    This is when our IT guy, Tom, stepped in. He chose 'delay' on about 20 of the warnings and then chose to run the System Check. I think the System Check ran for about 10 minutes and said my hard disk was in danger of failing. Tom then left, Googled 'System Check', and came back asking if I installed it myself. He cancelled the running System Check and then ran a System Restore.

    The System Restore did nothing. All of my desktop icons and Start menu icons were 'gone' and nothing appeared in 'My Documents' folder, either.

    Another computer-savvy guy, Bill, had me install Malwarebytes. The first Quick Scan turned up 14 'trojan' and 'hijack' files. I clicked 'Remove', saved the log, and rebooted. All of my stuff was still missing. Tom then manually chose 'unhide' for most of my desktop icons, but not the Start menu items.

    I then ran a Full Scan from Malwarebytes; 3.5 hours later, it flagged 5 trojan files. Again, I clicked 'Remove', saved the log, and rebooted. But I still have no Start menu and I can still see shortcuts to the 'System Check' software.

    Tom and Bill threw their hands up! I then found this site and spent time reading many of the threads for this malware. I didn't want to follow the recommended steps exactly since I already performed all of these other 'remedies' but probably made it worse. What should I do now? Is there still hope for my machine? Any help would be greatly appreciated.
     
  2. trukrebew

    trukrebew TS Rookie Topic Starter


    BTW, should I be using my programs at all right now? It's already been 1/2 workday yesterday and 1/2 workday today with no productivity by me. I've got to get something done!
     
  3. trukrebew

    trukrebew TS Rookie Topic Starter


    Here's the first log from yesterday's Quick Scan on Malwarebytes:
    _______________________________________________________

    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.26.06

    Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.18702
    KurtW :: ENSLOW-***paranoia** [administrator]

    Protection: Disabled

    3/26/2012 2:54:13 PM
    mbam-log-2012-03-26 (14-54-13).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 225567
    Time elapsed: 4 minute(s), 21 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 1
    HKLM\SOFTWARE\meedia (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Detected: 4
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|KvAvALPQoU.exe (Trojan.Agent) -> Data: C:\Documents and Settings\All Users\Application Data\KvAvALPQoU.exe -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|bf (Trojan.Agent) -> Data: ]ê˜Gù¢PiTJ$2Úó”DS*…ß/ŠtøËBû -> Delete on reboot.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|bk (Trojan.Agent) -> Data: ¥_‡û;öÒ+}*RV,ak‹*âA"÷ÀçmÓåêl¤4ÉkÑÍJf -> Delete on reboot.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|iu (Trojan.Agent) -> Data: 2448 -> Delete on reboot.

    Registry Data Items Detected: 9
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Documents and Settings\All Users\Application Data\KvAvALPQoU.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    (end)
     
  4. trukrebew

    trukrebew TS Rookie Topic Starter


    Here's the second log from yesterday's Full Scan on malwarebytes:
    ------------------------------------------------------------------------------------------

    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.26.06

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    KurtW :: ENSLOW-**paranoia** [administrator]

    Protection: Enabled

    3/26/2012 3:17:53 PM
    mbam-log-2012-03-26 (15-17-53).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 401289
    Time elapsed: 3 hour(s), 36 minute(s), 38 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 3
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|bf (Trojan.Agent) -> Data: ]ê˜Gù¢PiTJ$2Úó”DS*…ß/ŠtøËBû -> Delete on reboot.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|bk (Trojan.Agent) -> Data: ¥_‡û;öÒ+}*RV,ak‹*âA"÷ÀçmÓåêl¤4ÉkÑÍJf -> Delete on reboot.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|iu (Trojan.Agent) -> Data: 2448 -> Delete on reboot.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\System Volume Information\_restore{0CE6C1BF-1F55-4214-ABDB-49F45AEA7470}\RP1387\A0252912.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\OldPC\WINDOWS\SYSTEM\HLINK.DLL (Trojan.FakeMS) -> Quarantined and deleted successfully.

    (end)
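
As an added example (not the forum's or Malwarebytes' own code), here is a small Python parser for the "Detected" sections of Malwarebytes 1.x logs like the two posted above. It pulls out what matters for the follow-up in this thread: the registry data items Malwarebytes repaired (the PUM.Hijack.StartMenu `Start_Show*` values that control which Start menu entries Explorer shows, `NoDesktop`, `DisableTaskMgr`), the items still marked "Delete on reboot" that are only removed at the next restart, and a `reg query` command per repaired value so the restored setting can be confirmed afterwards. The sample lines are copied from the logs in this thread (the garbled binary `Data:` values left out); the function and field names are my own.

```python
"""Parse the "Detected" sections of a Malwarebytes Anti-Malware 1.x log.

Added example, not the forum's or Malwarebytes' own code. The sample lines
are copied from the two logs posted in this thread; function and field
names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Subset of the thread's own log lines. Section counts are kept as logged;
# the parser counts the item lines it actually sees rather than trusting them.
SAMPLE_LOG = r"""
Registry Keys Detected: 1
HKLM\SOFTWARE\meedia (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Detected: 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|KvAvALPQoU.exe (Trojan.Agent) -> Data: C:\Documents and Settings\All Users\Application Data\KvAvALPQoU.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|iu (Trojan.Agent) -> Data: 2448 -> Delete on reboot.

Registry Data Items Detected: 9
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\All Users\Application Data\KvAvALPQoU.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<name>[A-Za-z0-9._]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)$")


@dataclass
class Detection:
    section: str                  # e.g. "Registry Data Items"
    target: str                   # key, key|value, or file path exactly as logged
    name: str                     # detection name, e.g. PUM.Hijack.StartMenu
    action: str                   # last "->" segment, e.g. "Delete on reboot."
    data: Optional[str] = None    # "Data:" payload of a registry value
    bad: Optional[str] = None     # value found (registry data items only)
    good: Optional[str] = None    # value Malwarebytes restored


def parse_mbam_log(text: str) -> List[Detection]:
    """Walk the log once, tracking the current 'X Detected: n' section."""
    detections: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        item = ITEM_RE.match(line)
        if item is None or section is None:
            continue                      # banner lines: version, user, scan options
        parts = [p.strip() for p in item.group("rest").split(" -> ")]
        det = Detection(section, item.group("target"), item.group("name"), parts[-1])
        for extra in parts[:-1]:
            if extra.startswith("Data: "):
                det.data = extra[len("Data: "):]
            else:
                bad_good = BAD_GOOD_RE.match(extra)
                if bad_good:
                    det.bad, det.good = bad_good.group("bad"), bad_good.group("good")
        detections.append(det)
    return detections


def count_by_section(detections: List[Detection]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for d in detections:
        counts[d.section] = counts.get(d.section, 0) + 1
    return counts


def pending_reboot(detections: List[Detection]) -> List[str]:
    """Items Malwarebytes could not remove while Windows was running."""
    return [d.target for d in detections if d.action.startswith("Delete on reboot")]


def pum_repairs(detections: List[Detection]) -> Dict[str, str]:
    """Repaired registry data items: 'key|value' -> the good value restored."""
    return {d.target: d.good for d in detections
            if d.section == "Registry Data Items" and d.good is not None}


def verify_commands(detections: List[Detection]) -> List[Tuple[str, str]]:
    """(reg.exe query, expected value) pairs to re-check each repair after reboot."""
    checks = []
    for target, good in pum_repairs(detections).items():
        key, _, value = target.rpartition("|")
        checks.append((f'reg query "{key}" /v {value}', good))
    return checks


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print(count_by_section(dets))
    print("Still pending reboot:", pending_reboot(dets))
    for cmd, expected in verify_commands(dets):
        print(f"{cmd}    -> expect {expected}")
```

The "Delete on reboot" list is the reason a restart has to follow each scan before judging whether anything is still present, and the `reg query` pairs give a way to confirm that the Start menu and desktop policy values stayed at their good state after that restart.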
     
  5. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
Topic Status:
Not open for further replies.