Removing System Check from company's desktop computer

By The Penguin ยท 6 replies
Jan 18, 2012
  1. Hello - I have System Check on my work PC.

    Our "IT" consultant assisted with removal yesterday, I'll try to summarize the procedure:

    1. System Check apeared.
    2. Called IT
    3. they attempted to clean remotely in "Normal Mode" by using a remote program called "log me in"
    4. they ran MalwareBytes and "cleaned" the computer, but I don't think they cleaned the root kit.
    5. I downloaded, installed and ran Ad Aware - it was still running at the end of the day, so I left it open. I know it found 2 things - but I don't know what they are.
    6. when I came in this morning - the computer had rebooted. I don't think our IT consultant cleaned the rootkit and System Check is back.

    rather than calling them again, I'm attempting to clean on my own and found this website. I read "Broni's" signature line and followed that link to Bleeping Computer and attempted to follow those instructions. I was unsuccsessful in my attempt to clean following those I am back here to ask for help.

    Thank you
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Well, I will take pity on you and perhaps you can share this with the IT. System Check didn't come back- it was never removed!

    If you are infected with System Check it is important that you do not delete any files from your Temp folder or use any temp file cleaners
    • System Check is a fake (Rogue) computer analysis and optimization program.
    • The 'alerts' tell you the problems have lead to corrupt and missing data
    • It will display false error messages and security warnings.
    • It "hides" Icons, desktop, programs and files so that they appear to be missing and some programs can't be run
    • This can be installed through hacked sites that exploit vulnerabilities on the system or through fake online scanner pages
    • The malware is configured to automatically start when you logon to Windows.
    • It can also be started if you click on any of these alerts.
    Note: You may not experience all of the above, but it is important to tell me what problems you do have.
    See below. Do this if needed: Press Windows+R key> type cmd> OK

    1. If your task manager is disabled,copy and run this command
    Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr
    Press Enter

    2. If you're desktop is blank and unable to right click on it ,run this command
    Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop[/b]
    Press Enter
    Please print out the following instructions. It is important that the order of the scan below be followed exactly. Please read through all of the instructions before you begin.
    The following can be run first to allow you to 'see' the programs, files,etc. But it is important that you understand that this does not remove the malware, only the attribute to hide these features. So it is important that you continue with the cleaning:
    1. Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    Note: This does not remove the malware- only the attribute that hides icons and programs. It is important that you continue.
    2. Boot into Safe Mode with Networking
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.
    3. To end the processes that belong to the rogue program:
    Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
    • Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
    Note: If you get a message that RKilll is malware, ignore it> it's from the malware.
    Do not reboot your computer after runningRKilll as the malware programs will start again.
    4. This malware frequently comes with the TDSSrootkit, so do the following:
    • Download the file and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43 Save log and post in next reply.
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again
    5. Update and scan with Malwarebytes: > HERE
    Note on the Malwarebytes download link: They have put a box on the download site offering a trial instead of just this free scan. Please click on Decline when you see that and go on with the scan when the box closes.
    • Select Perform Full Scan on the Scanner tab
    • Click on the Scan button.
    • When scan has finished, you will see this image:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format>Uncheck Word Wrap before copying the log to paste in your next reply.
    6. Correct Display Changes if needed:
    If the desktop background is black or if the theme has been removed:
    For Windows XP: Click on Start> Control Panel> Display> change theme and/or background if needed.
    For Windows Vista or Windows 7: Click on Start> Control Panel> Appearance & Personalization> Select Change Theme or Change Desktop Background
    7. Some items may not show on the Start menu. To add them back:
    • Right click on Start> Properties
    • Taskbar and Start Menu Properties screen appears
    • choose Start Menu tab> Click on Customize
    • For Windows XP> Choose Advanced tab
    • Check the items you want back on the Start Menu
    • When finished> click on OK> Apply and close.
    You can now reboot back into Normal Mode.
    You may not need Steps #1, 6 and 7 above. But you do need to follow instructions for ll others.
    Let's see how this goes.
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
  3. The Penguin

    The Penguin TS Rookie Topic Starter

    yes Bobbye - you are correct, I used the wrong terminology when I said "it was back"

    So - following your steps I am now at the point of download/install/run the TDSSKiller. I followed the steps, and double-clicket the TDSS icon...I don't know if it's running or not.

    is there a way to know?

  4. The Penguin

    The Penguin TS Rookie Topic Starter

    it's been at least an hour since I tried to run the TDSS Killer - with no evidence that it is running, and no results screen from it either.

    what should I do?

  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Uninstall the TDSSKiller you now have.

    With grateful appreciation to Bleeping Computer for images:
    Download TDSKiller

    Double click icon on desktop [​IMG]

    Scan Screen:

    Scan results:> Continue
    To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection. If it does not say Cure, leave it at the default action of Skip and press the Continue button. Do not change it to Delete or Quarantine as it may delete infected files that are required for Windows to operate properly.
    Scan Completed> Save report> Reboot
  6. The Penguin

    The Penguin TS Rookie Topic Starter

    good morning - back at the office and tackling this problem again.

    per your instructions - I have removed the original TDSS killer, redownloaded and installed it.

    and still have the same problem. I try to start it - and it does not start. I have yet to see a scan screen for TDSS killer.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Okay, but right now I don't have much to work with.

    Can you follow the steps here:
    Preliminary Virus and Malware Removal.

    That will give me logs for Malwarebytes, GMER and 2 for DDS.
    It is possible that something is blocking the TDSS program. And if that is the case, you may have a problem with Mbam and DDS. IF you do, go back to Reply #2 and follow my steps #2 (Boot into Safe Mode with Networking) and 3 (RKill). Skip #4 (TDSS), then go on with #5, (Mbam Full Scan).
    Then try to go on with Combofix: try Normal Mode, tell me if there is problem:
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Expect these- they are normal:
    1. If asked to install or or update the Recovery Console, allow. (you will need internet connection for this)
    2. Before you run the Combofix scan, please disable any security software you have running.
    3. Combofix may need to reboot your computer more than once to do its job this is normal.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe [​IMG]& follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.[/b]
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
      • Note: No query will be made if the Recovery Console is already on the system.
    • .Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • .Close any open browsers.
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...