System Check
System Check is a rogue program from a large family of fake hard drive tools. It is a clone of Windows Error Recovery and Win 7 Fix. The rogue's developer keeps the core of the product and changes the skin to publish a new version. The name is also changed to present victims with a fresh misleading application.
Malicious web sites distribute the System Check virus so that visitors acquire it without any effort. A script that runs each time the site senses a visit automatically downloads and installs the rogue application without the user's involvement.
The authors behind System Check also use spam email messages to spread the malware. The messages are commonly disguised as a letter from a courier service, such as this one:
Subject: Error in the delivery address
Dear customer.
Your package has been sent to your address.
Please find a post label attached which contains a track number of your package. Thank you for your attention.
DHL Logistics Services.
The fake DHL message contains an infected file (Post_Label_N5501US.zip) that may install System Check. Usually, it connects to a remote server to download the rogue program and simultaneously installs a rootkit Trojan to avoid removal.
After penetrating the computer, System Check disables system tools and hides files and folders. It also prevents access to the Internet, particularly security web sites. It uses these techniques to keep victims from removing it, which may end with them buying the rogue product.
Technical Details and Additional Information:
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Characteristics (Analysis)
Malware Behavior
When System Check is present on the computer, it produces numerous annoyances to convince the user that the PC is in trouble, such as fake warnings and alerts from the system tray. Some of the fake alerts contain these messages:
Critical Error
Windows OS can’t detect a free hard drive space. Hard Drive error.

Critical Error
Hard drive critical error. Start a system diagnostics application to scan your hard disk for errors and performance problems.

RAM memory reliability is extremely low. This problem may cause system failure.

Hard drive clusters are partly damaged. Segment load failure.

Associated Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "70F46vQugXkcPE.exe or any (random).exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "70F46vQugXkcPE or any (random) file"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

Associated Files and Folders:
%Desktop%\System Check.lnk
%StartMenu%\Programs\System Check\
%StartMenu%\Programs\System Check\System Check.lnk
%StartMenu%\Programs\System Check\Uninstall System Check.lnk
%Temp%\smtmp\
%CommonAppData%\~70F46vQugXkcPE or any (random) file
%CommonAppData%\70F46vQugXkcPE or any (random) file
%CommonAppData%\70F46vQugXkcPE.exe or any (random).exe
%AppData%\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
%Temp%\smtmp\1
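The registry values listed above can be checked offline against a text export of the affected user's hive (for example one produced with reg export), which helps when Task Manager and other tools are disabled on the machine itself. This is an added example, not part of the original guide: the function names and the sample export are constructed for illustration, and the Run value uses the example file name shown on this page.

```python
import re

# (key suffix, value name, data) from this page's registry list; DWORDs as decimal.
TAMPERED = [
    (r"policies\system", "disabletaskmgr", "1"), (r"policies\explorer", "nodesktop", "1"),
    (r"policies\activedesktop", "nochangingwallpaper", "1"),
    (r"internet settings", "certificaterevocation", "0"),
    (r"internet settings", "warnonbadcertrecving", "0"),
    (r"internet explorer\download", "checkexesignatures", "no"),
    (r"explorer\advanced", "hidden", "0"), (r"explorer\advanced", "showsuperhidden", "0"),
]
# A Run entry launching from the root of CommonAppData (XP or Vista/7 path).
RUN_ROOT = re.compile(r'^"?[a-z]:\\(programdata|documents and settings\\all users'
                      r'\\application data)\\[^\\]+$', re.I)

def parse_reg(text):
    """Yield (key, name, data) from .reg export text (real exports are UTF-16)."""
    key = ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m and key:
            name, raw = m.groups()
            if raw.startswith("dword:"):
                raw = str(int(raw[6:], 16))            # dword:00000001 -> "1"
            elif raw.startswith('"'):
                raw = raw.strip('"').replace("\\\\", "\\")  # unescape .reg backslashes
            yield key, name, raw

def find_indicators(text):
    """Return (key, name, data) entries that match the page's registry list."""
    hits = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if any(k.endswith(s) and (n, d) == (v, b) for s, v, b in TAMPERED):
            hits.append((key, name, data))
        elif k.endswith(r"currentversion\run") and RUN_ROOT.match(data):
            hits.append((key, name, data))  # review: autorun from CommonAppData root
    return hits

# Constructed sample export for illustration only.
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"70F46vQugXkcPE.exe"="C:\\ProgramData\\70F46vQugXkcPE.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
'''
```

Calling find_indicators(SAMPLE) returns the Run entry, DisableTaskMgr and ShowSuperHidden; a Run hit is a lead to review, since the file name is random on each infection.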
How to Remove System Check
1. On the fake System Check console, click on Click here to activate full-functional version. Enter any email address and this code provided by S!Ri.
Activation Code: 1203978628012489708290478989147

4. Once the download is complete, double-click on the file to install MBAM. Just load it with default settings. It may prompt for an update after installation; please download all necessary updates.
5. MBAM will run right after the update has completed.
6. Click on Perform quick scan, then click on Scan. MBAM will scan the computer for the presence of threats. This may take a while.
7. When scan has completed, NPE will display a list of all detected threats.
8. Click on Show Results to reveal all identified threats.

10. If it prompts you to restart the computer, just click No. We need to remove some more files that belong to the System Check virus.
11. Press Ctrl + Alt + Del on your keyboard. Windows Task Manager will open. On Application, select System Check and click on End Task. This will end the running process of the rogue program.
12. Next, we need to locate and delete the files manually (these steps can be performed automatically by MBAM after restarting the computer).
- For XP Users: Go to C:\Documents and Settings\All Users\Application Data\
- For Vista and Windows 7 Users: Go to C:\ProgramData\
- Delete all files with a questionable random file name similar to the following:
~70F46vQugXkcPE
70F46vQugXkcPE
13. We need to remove the Startup entry belonging to System Check.
- Go to Start > Run and type msconfig. This will open System Configuration Utility.
- Click on the Startup tab.
- Look for a startup item consisting of random characters.
- Remove the check mark and click OK.
14. Please restart the computer to complete the removal process.
15. After restarting the computer, you need to unhide all files set hidden by System Check. However, if you have activated System Check earlier, you may skip this step. Activating System Check using the given activation code automatically unhides all files and folders.
- Open My Computer. Go to Drive C: and select all files.
- Right-click on highlighted files then select Properties.
- On Attributes area, remove the mark on Hidden. Please confirm that you will apply the changes to Selected items, subfolders and files.
What To Do If Files and Folders Are Missing?
a. Open Windows Explorer/My Computer.
b. On Top Menu, click on Organize > Folder and Search Options (Windows Vista/7).
On Top Menu, click on Tools > Folder Options (Windows XP).
c. Click on View tab.
d. Mark "Show hidden files and folders"
e. Click on Apply, then OK.
That will show all hidden files and folders on your computer.
16. Lastly, all shortcut link files must be removed. They are all visible on your task bar, desktop and Programs menu. Simply delete any .LNK files that correspond to the System Check virus. You may also refer to the 'Associated Files' section for individual locations.
Removing Rootkit Trojan
In some instances, a rootkit Trojan is the one responsible for dropping System Check onto the computer. The rootkit Trojan is capable of concealing itself from anti-virus applications and hiding its presence. This is why we need to neutralize this complicated malware using a special tool designed for this type of infection.
1. Download Norton Power Eraser here. Save it to your desktop.
2. Once the download is complete, double-click on NPE.Exe.
3. Norton Power Eraser will run. If it prompts for End User License Agreement, please click on Accept.
4. On the NPE main window, click on Scan.
5. On the next window, select Include Rootkit Scan and click on Restart.

6. NPE will restart the computer and perform rootkit scanning. This may take a while.
7. When the scan has completed, NPE will display a list of all detected threats.
Important! If there are any detected threats under Suspicious, remove the check mark. Only threats in the Detected category need to be removed at this point. Make sure that you mark Create System Restore Point before proceeding with the fix.

8. Now, click on Fix to start removing any threats associated with System Check.
9. Norton Power Eraser will restart the computer. After the reboot, it will initialize and display the eliminated threats.
10. You may now close NPE. That completely removes System Check rootkit Trojan.
p
Feb 14, 2012 @ 04:57:24
This malicious software made itself at home while I was at the ‘project free tv’ site.
Immediately it bummed out the bell anti virus suite and pretty well took over with false alarms and cascading error messages that prompted to get an activation key and purchase form using visa as payment.
Managed to use the explore option in the start button (xp) where just about everything I had was made unavailable like as having vanished, no way to start any program.
Managed to somehow (with the few options available under the start button) right click and firefox’s resume page came up.
With that I was able to get online and download MALWAREBYTES and installed it even with the bum steer that this malicious code kept throwing at us.
Ran the program after a few tries it took to the job.
Found some 14 problems and ran it a second time to find another 4.
Restarted but still shaky and still no programs or utilities available as everything seemed to just disappear.
Some 6hrs into it managed to find the restore panel and reverted to a few days back check point.
That helped.
Machine looks normal but now bell security suite is still coughing, won't do anything or launch either.
Running spybot now to see what it fetches.
Wonder if the monies sent through the pay for key solution page could be traced to the dirt-bags and have them executed Iranian style….
Malwarebytes was a fluke to try, I had no idea what to do first, now I see that your site has that and a norton product to fully eliminate this menace.
The frustration and productivity loss not to mention the grief this has caused is actionable in my opinion.
HOW DOES THE FRAUD SQUAD OF POLICE DEPT’S DEAL WITH THIS AND OTHER SCAMMERS? I don’t know, but I would like to think that a spiked bat could be part of the answer.