Dang System Check malware from Justin Bieber!

My work PC has been infected with the System Check malware. Our company IT guy tried to help, but I'm afraid that some of the steps he took may have made it worse.

It started when a TrendMicro warning detected 14 malicious URLs in a site I was visiting. <<Full disclosure, I was researching Justin Bieber fan club sites on the same day his latest single came out... I suppose that made me a duck in a barrel.>> IE closed by itself and I ignored it. After about 5 or 10 minutes, all of my open programs shut down and a "Run System Check" screen popped up saying that my HD was failing with things like "rotation speed down 20%." Also, multiple warning messages that "Windows detected a hard disk problem" appeared across the screen with the option to scan, fix, or delay.

This is when our IT guy, Tom, stepped in. He chose 'delay' on about 20 of the warnings and then chose to run the System Check. I think the System Check ran for about 10 minutes and said my hard disk was in danger of failing. Tom then left, Googled 'System Check', and came back asking if I installed it myself. He cancelled the running System Check and then ran a System Restore.

The System Restore did nothing. All of my desktop icons and Start menu icons were 'gone' and nothing appeared in the 'My Documents' folder, either.

Another computer-savvy guy, Bill, had me install Malwarebytes. The first Quick Scan turned up 14 'trojan' and 'hijack' files. I clicked 'Remove', saved the log, and rebooted. All of my stuff was still missing. Tom then manually chose 'unhide' for most of my desktop icons, but not the Start menu items.

I then ran a Full Scan from Malwarebytes; 3.5 hours later, it flagged 5 trojan files. Again, I clicked 'remove', saved the log, and rebooted. But I still have no Start menu, and I can still see shortcuts to the 'System Check' software.

Tom and Bill threw their hands up! I then found this site and spent time reading many of the threads for this malware. I didn't want to follow the recommended steps exactly since I already performed all of these other 'remedies' but probably made it worse. What should I do now? Is there still hope for my machine? Any help would be greatly appreciated.
 

BTW, should I be using my programs at all right now? It's already been 1/2 workday yesterday and 1/2 workday today with no productivity by me. I've got to get something done!
 

Here's the first log from yesterday's Quick Scan on Malwarebytes:
_______________________________________________________

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.26.06

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
KurtW :: ENSLOW-***paranoia** [administrator]

Protection: Disabled

3/26/2012 2:54:13 PM
mbam-log-2012-03-26 (14-54-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 225567
Time elapsed: 4 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\meedia (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Detected: 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|KvAvALPQoU.exe (Trojan.Agent) -> Data: C:\Documents and Settings\All Users\Application Data\KvAvALPQoU.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|bf (Trojan.Agent) -> Data: ]ê˜Gù¢PiTJ$2Úó”DS*…ß/ŠtøËBû -> Delete on reboot.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|bk (Trojan.Agent) -> Data: ¥_‡û;öÒ+}*RV,ak‹*âA"÷ÀçmÓåêl¤4ÉkÑÍJf -> Delete on reboot.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|iu (Trojan.Agent) -> Data: 2448 -> Delete on reboot.

Registry Data Items Detected: 9
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\All Users\Application Data\KvAvALPQoU.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)
 

Here's the second log from yesterday's Full Scan on malwarebytes:
------------------------------------------------------------------------------------------

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.26.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
KurtW :: ENSLOW-**paranoia** [administrator]

Protection: Enabled

3/26/2012 3:17:53 PM
mbam-log-2012-03-26 (15-17-53).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 401289
Time elapsed: 3 hour(s), 36 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|bf (Trojan.Agent) -> Data: ]ê˜Gù¢PiTJ$2Úó”DS*…ß/ŠtøËBû -> Delete on reboot.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|bk (Trojan.Agent) -> Data: ¥_‡û;öÒ+}*RV,ak‹*âA"÷ÀçmÓåêl¤4ÉkÑÍJf -> Delete on reboot.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|iu (Trojan.Agent) -> Data: 2448 -> Delete on reboot.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\System Volume Information\_restore{0CE6C1BF-1F55-4214-ABDB-49F45AEA7470}\RP1387\A0252912.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\OldPC\WINDOWS\SYSTEM\HLINK.DLL (Trojan.FakeMS) -> Quarantined and deleted successfully.

(end)
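As an added example, not from this thread or from Malwarebytes: a small Python parser for the MBAM 1.x text log format shown in the two logs above. It pulls out what a responder looks at first in these logs: the "Delete on reboot" entries (the removal is not complete until the machine restarts), the PUM policy values MBAM repaired (NoDesktop, DisableTaskMgr, the Start_Show* entries) with their bad/good settings, and the Run-key autorun path. The sample lines are constructed in the same layout as the posted logs; the function names are this example's own.

```python
import re
from collections import namedtuple
# Constructed sample in the layout of the Malwarebytes 1.60 logs posted above (not a new scan).
SAMPLE_LOG = r"""
Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|KvAvALPQoU.exe (Trojan.Agent) -> Data: C:\Documents and Settings\All Users\Application Data\KvAvALPQoU.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|iu (Trojan.Agent) -> Data: 2448 -> Delete on reboot.
Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Files Detected: 1
C:\Documents and Settings\All Users\Application Data\KvAvALPQoU.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
HEAD_RE = re.compile(r"^(?P<target>.+) \((?P<threat>[A-Za-z0-9_.]+)\)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\)")
# target = key|value or file path; detail = middle "->" segment; action = last segment
Detection = namedtuple("Detection", "section target threat detail action")

def parse_mbam_log(text):
    """Return every detection line of an MBAM 1.x text log as a Detection record."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m["section"]
            continue
        if section is None or " -> " not in line:
            continue  # banner, blank line, or "(No malicious items detected)"
        parts = line.split(" -> ")
        if head := HEAD_RE.match(parts[0]):
            detections.append(Detection(section, head["target"], head["threat"],
                                        " | ".join(parts[1:-1]), parts[-1].rstrip(".")))
    return detections

def triage(detections):
    """Entries still pending a reboot, policy values MBAM repaired (name -> (bad, good)), autorun paths."""
    out = {"pending_reboot": [], "policy_repairs": {}, "autoruns": []}
    for d in detections:
        if d.action.startswith("Delete on reboot"):
            out["pending_reboot"].append(d.target)
        if d.threat.startswith("PUM."):
            bg = BAD_GOOD_RE.search(d.detail)
            out["policy_repairs"][d.target.rpartition("|")[2]] = (int(bg["bad"]), int(bg["good"])) if bg else None
        if "\\CurrentVersion\\Run|" in d.target:  # payload registered to start with Windows
            out["autoruns"].append(d.detail.replace("Data: ", "", 1))
    return out
```

Run it against a real saved mbam-log file by passing the file's contents to parse_mbam_log; anything left in pending_reboot after a restart means the cleanup did not finish.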
 
Welcome aboard

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 