The “System-Check” Virus

The past two days have been absolutely ridiculous. I touched on what happened a little in my last post, but today I figured I’d delve into the details of what happened. It’s been an interesting couple days.

It all started two nights ago. I downloaded a handful of Photoshop brushes and a few fonts that day. So I brought ’em over to my writing/art laptop and started unzipping. Unbeknownst to me, one of them was gonna turn my computer into a virus playground. My old hard drive broke. I had the laptop for years, and then it just started freezing for no apparent reason. No viruses, no nothing, just freezing. So after a mess of time-consuming hardware checks, I learned the hard drive was basically just kaput. I got a hold of an uncle of mine who’s a wiz when it comes to computers, bought and sent him a new hard drive, had him load it up with programs through the company he works for, and bam. The replacement hard drive saved me.

Problem is, the computer was never online. I never bothered to update the antivirus or anything, so when I unzipped this “brush” that I got from a third-party site (that looked completely legitimate and had no red flags), all hell broke loose. Everything froze, including my heart. I probably swore; I don’t remember. The icons on my screen disappeared, a Windows “System Check” box popped up and started scanning My Computer, the HDD, the RAM, and the registry. Wait, scanning My Computer and the HDD? Aren’t those the same thing? And why is the system check still running with my custom color barf theme I created? Why is there a little “System Check” shortcut next to the start menu? Why is it discolored and odd looking?


Who cares! My computer’s exploding! I ignored all the fishy signs and paid full attention to this scan. It only took about five minutes. Wait, what? Five minutes to scan the HDD? I’ve done that before. It took two hours. Four errors in My Computer, four in the HDD, three in the RAM, four in the registry. “The C: drive is unreadable.” No! I pressed the “Repair” button and sat patiently impatiently. Hey!—it’s fixing the problems now! Oh wait, it can’t fix the C: drive. Awesome. I try not to cry.

The entire encounter was lots of fun. By the time I got to the end of it, the window tells me that if I want to fix all the errors, I have to pay for the full version. Pardon my Caprican, but what the frak? I have to pay to fix my computer? That ain’t right. I shut everything down and got extremely depressed, but that doesn’t mean I gave up. I’m not a computer expert, but I know my stuff. I started the boot diagnosis and… waited. The entire process takes almost two hours, so I laid down and tried to sleep, unsuccessfully. When I trudged back into the living room, expecting the worst, a pleasant sight met my eyes.

Nothing’s wrong with your computer, bro.

Okay, the screen didn’t say that, but it should have. You have no idea what a relief seeing that message was. All was not lost! Still, my computer was crawling with viruses. Things were bleak, but my hard drive was safe. Turning the computer back on (and wading through this dang “System Check” nonsense) I was able to find my files. They weren’t gone. The virus hijacked the start menu, as well as the desktop. My Computer and My Documents got moved to the “All Programs” tab. Tricky, but only to someone freaking out and blinded by thoughts of “MY COMPUTER IS BROKEN”. Everything was still there, to my incredible relief.

I went to bed at around 4am, finding solace in the fact that the virus was more a trick than a destructive force. Here I was thinking I got hit by some horrible virus that blew my hard drive to hell, like Magistr or CIH. The next morning I set out to find out what I was up against. It only took a single Google search to find my problem. The “System-Check Virus”, I found it was generally called. It’s not your typical virus; it’s called a “rogue”, or “rogueware”, and it’s part of a virus family called FakeHDD. Basically it’s a big illusion to trick you into giving out your credit card number. Remember the entire “buy the full version” prompt? You get it. Mostly people get hit by it when they get conned into those “free virus check” sites, but that certainly wasn’t how I got hit. I quickly found a step-by-step guide on getting rid of it and got to work. (Go bleepingcomputer.com!)

The process was pretty complicated. The first step was to turn on the computer in safe mode; easy enough. I downloaded all the necessary programs and threw them on a thumbdrive, like a warrior with his armor and weaponry coming toe to toe with the mighty dragon. The first step was to run a program called RKill, which basically kills all the processes that the virus runs to stop you from doing… anything really. Realize that it crippled my actions on the computer so badly that I couldn’t right click, move things, or even press ctrl-alt-delete! It took multiple tries to run RKill, and I was forced to change the name of the program to “iExplore.exe” for the virus to let it through. That’s right, this virus protected itself in a big way. Try to run a program to fight the virus? The virus shuts it down. This was only the beginning of my battle.

Finally, after countless tries, RKill ran. It shut down a slew of processes and my desktop icons came flooding back. So far so good. The next step was to run a program called TDSSKiller. The aim of this program was to find and destroy a piece of the virus called a “rootkit”. Not only was this rootkit the culprit for killing my anti-virus and blocking out my virus killer programs, it also royally screws over your internet. If your computer is infected by a rootkit, your Google searches will give you crazy results, and you’ll often be redirected to ads and all sorts of nasty stuff. I think it’s commonly called the Google redirect virus, but either way, I had more problems than just that.

The rootkit proved to be a very difficult foe. Like diamond-hard dragon’s scales, no matter what I tried, my blows were deflected. TDSSKiller—no matter what I renamed it—was immediately shut down by this nasty bug. Why? The dolts over at Kaspersky Labs decided to put a nice big “Kaspersky Labs made this!” inside the properties of the program. So when I tried to open it, the rootkit saw the inner workings and source of the program and shut it down cold. I was screwed.

The solution was to download another program called Verpatch that I could use to change those inner properties of the TDSSKiller. Problem is, Mr. Rootkit stopped that program in its tracks too. Formidable opponent, right? I found a link to a version of TDSSKiller without Kaspersky Labs’ idiot name all over it, but to my great anger and frustration, the link was dead. I set down my sword and decided to move on to the next step.

It was time to ditch the sword and pull out the bazooka.

Malwarebytes is an awesome program. Not only did it break right through the virus’s defenses and run the setup and updates without a hitch, it also found eleven different viruses in the system. Yeah, eleven. I was back in business, and stomping out the bugs left and right. Problem was, the rootkit was still in business, protecting itself from the program that could root it out and kill it: the TDSSKiller.

I redoubled my search for the version of the program that would slip through its defenses, and I found what I was looking for. Kaspersky redeemed themselves: they had made an alternate version without their brand name all over it. If you’re screwed like I was, go HERE for the right version of TDSSKiller (you do have to register to the forums to download it). You can thank me later. I didn’t even have to rename the program from “TDSSKiller” and it started up like a charm. There are many breeds of this virus that I had; it looks like the one I had was nasty indeed, smarter than most versions. It wasn’t even looking at the name of the program—only its inner workings. Sneaky, huh?

The TDSSKiller fired up and found it. Buh-bye rootkit. I was glowing. I bested the beast. I ran Malwarebytes again and it found another handful of viruses. The rootkit was hiding them? I don’t know, but I was glad that thing was toast. I decided to turn the computer on without safe mode before running Malwarebytes two more times (yes, I was paranoid). You can only imagine my joy when the results came up with a big fat zero on both scans. I was virus free. The final step was to run a little program called “Unhide.exe”, since the virus goes into your system files and checks “hidden” on all of them. A weak trick, but still.
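The un-hide step, as an added example that is not Unhide.exe from bleepingcomputer and not anything from the original post: a PowerShell script that sweeps a folder for files and directories carrying the Hidden attribute, lists them, and clears the attribute only when run with -Fix. The profile root as the default sweep path, the short list of names Windows hides on its own, and the -Fix switch itself are all assumptions made for the example.

```powershell
# Added example, not Unhide.exe: report (and with -Fix, clear) the Hidden attribute
# that the rogue sets on user files. Assumes Windows PowerShell 3.0 or later.
param(
    [string]$Root = $env:USERPROFILE,   # assumption: folder to sweep
    [switch]$Fix                         # off by default: report only
)

# Windows hides these itself; an un-hide sweep must leave them alone (assumed list)
$leaveAlone = @('desktop.ini', 'thumbs.db', 'ntuser.ini', 'AppData')

$found = @(
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and   # hidden ...
        (($_.Attributes -band [IO.FileAttributes]::System) -eq 0) -and   # ... but not a system item
        ($_.FullName -notlike '*\AppData\*') -and                          # skip the profile's own hidden tree
        ($leaveAlone -notcontains $_.Name)
    }
)

foreach ($item in $found) {
    if ($Fix) {
        # -bxor flips only the Hidden bit; every other attribute is preserved
        $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::Hidden
        Write-Output ("restored  {0}" -f $item.FullName)
    } else {
        Write-Output ("hidden    {0}" -f $item.FullName)
    }
}

if ($Fix) {
    Write-Output ("{0} item(s) un-hidden under {1}" -f $found.Count, $Root)
} else {
    Write-Output ("{0} hidden item(s) under {1}; re-run with -Fix to clear the attribute" -f $found.Count, $Root)
}
```

Run it once without -Fix and read the list before touching anything; items marked System and the AppData tree are skipped because Windows hides those on its own, so a clean machine should report close to nothing. The -Root parameter can point at any other location the rogue touched, for instance an external drive that was connected during the infection.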

And that’s my tale. Probably not very exciting, but I thought I would share, and hopefully help out anybody who’s run into similar problems. If you’re going through a FakeHDD virus hit and are stuck, feel free to get a hold of me. I might not be able to help, because each situation is different, but who knows?

Dealt with a rogue before? Comment about it! Viruses today are worse and worse. I’m just glad I came out on top this time.


About HT Sundance

I'm 20 years old and I'm a writing student living in Hawaii. Writing is my passion, and I'm striving to break into the market doing something I really love.

Posted on January 10, 2012, in Flimflam, Tips & Tricks. 23 Comments.

  1. I’m battling System Check right now, found your blog even though the rootkit kept misdirecting most of my Google search results! I’ve done everything here, but the Rkill didn’t do anything for me. Neither did TDSSKiller. Malware detected a bunch of bugs and removed them, and Unhide.exe got me most of my files back from the darkness, but it was only after that that I could manually just right-click and delete System Check.

    It’s been a long night, I’ll try to look my laptop over again before work later and maybe even do it all again (I’d love to just do a system restore, but that’s where it seems the bug is still at work, because the computer isn’t recognizing my user profile there, and won’t let me log in.).

    • Hm, I’m glad I could help to an extent, but TDSSKiller is the one you really need to get working. RKill can be very slow to open. It was for me. If it doesn’t work one way, rename it. Keep opening it. It will open up a lot just quickly—as in you see the DOS window pop up, then close down. I thought it wouldn’t work, but eventually it did.

      Once RKill has run, the processes that keep stopping TDSSKiller should go away. The key is to download the version of TDSSKiller that doesn’t have Kaspersky’s information on it (I linked the download page for that—you just have to register with Kaspersky’s forums). I found that the typical version of TDSSKiller wouldn’t open no matter what I renamed it, but this virus comes in a lot of different variations, so try everything.

      I’m not a computer whiz, but I figured out a process that works (at least with the version of the virus that I got hit with). I wish I could help more, but let me know how things go anyways!

  2. I just had that problem, I ended up just resetting my computer to factory settings to get rid of it. I lost everything on the computer, most of it exists on the internet already or on my iPod so it wasn’t much of a loss.

    • I’m sorry to hear that. It’s definitely a difficult one to get rid of, and it seems that the redirect virus within it stops a lot of people from finding the correct sites to learn HOW to get rid of it. Something tells me that’s why I get so many hits on this post, ha ha.

  3. Thank you for the blog, but I had a question you might be able to help with. I believe that I have the virus stopped, but I’m still having trouble recovering my documents. Any advice?

    • Hm, I’m not really sure. This virus isn’t known to actually damage or delete any of your files (or your documents). What it does is hide a lot of files, so I would suggest you run the Unhide.exe program to see if that turns anything up. Could you explain your problem a little further?

  4. I got hit with this virus too. Backing up my files now, then doing a recovery. Just wondering, is the virus hidden in my “back up files” or not?? I don’t want to get reinfected after I copy the files from my disk.

    • I would strongly suggest purging the virus first by following my (and bleepingcomputer’s) guide before doing all of that. I completely solved the problem without losing any data and without having to do any restore.

  5. Thank you for this. I got nailed with this one too and, after cussing my way around the house for a while, we found this post and managed to get my computer back. :-)

  6. I’ve just got rid of this system check virus, but now all my files and drivers have disappeared. Anything I can do to get them back?

  7. Here is my story:

    March 3rd: Just got this blasted thing on my desktop and I couldn’t even get into the command prompt. It keeps sending a gazillion windows onto my desktop giving false warnings about infections and problems, as well as in the task bar. There are absolutely no icons on my desktop. I cannot access “run” from the start button either, it tells me there is nothing there. I tried using the USB drive method to run TDSS killer but it won’t work, it’s being blocked, just like everything else. The fake registration code says it’s invalid. I think a deep level format and reinstalling everything is the only option.

    Update: I have successfully reformatted the drive and reinstalled XP Pro as well as all my other programs. That is the advantage of having the operating system and all programs on backup CDs. I don’t trust recovery partitions, if something happens to the drive itself (physical damage), then you will lose the restore partition as well. I don’t buy computers that do not come with hardcopy software. That way, if your boot drive goes belly up, you can buy a new one and install the OS from disc.

    That being said, I had the daunting task of un-hiding all the personal data on my external drive, which was connected and running at the time of the attack by System Check and was affected as well. During the attack, System Check claimed that these files were corrupt and unreadable, that the drive had failed or that the file folders were empty (all bogus of course). Once I went into the Folder Options and set it to make hidden files visible, voilà! Everything was back but opaque. From there on I only had to go through the folders one by one and uncheck the Hide box for each. It takes a little longer to do this manually, but I really don’t trust installing any unfamiliar software. I am moving all my pictures, music and videos to another external drive (which was not running at the time) and will then reformat the first external drive to make sure there is nothing lingering on there that could compromise the system again.

    I probably went to do it the extreme way, but it will get rid of the virus for sure. As for the backed up files, I don’t think there would be anything attached to my photos and other personal data. I left anything remotely suspicious behind to be wiped out by the reformat.
    Ran both Microsoft Security Essentials and TDSSkiller and got clean bill of health from both. So far so good.

    • Glad you figured it out! For reference, this virus seems to hide your files inside the “all programs” tab. Even knee deep in the virus, I could still look through all my files and use the USB drive, so no re-installation is really needed in the end.

      You should have used Unhide.exe though!

  8. System Check hit me a couple weeks ago. And I don’t even know how I got it! It was bad enough to think the computer was done for, but I had ALL the writing I’d done on the laptop. And no, I hadn’t saved it. (I know, I know….) After letting the computer sit all alone in the bag for a week – perhaps I thought it would learn its lesson – I took it to a local computer repair place, hoping at least they could get some of my writing off the dead computer. When the nice little nerd booted it up and told me it was this system check virus, I could have kissed him! All my stuff was there, just hidden. He said they could clean the virus out for $150.00. After reading how insidious this thing is, should I try it myself, or should I cough up the money? Your post here is very detailed, but I am scared to even put the computer in safe mode. What do you think? By the way, I’ve learned the lesson: SAVE SAVE SAVE!!!

    • This is a nasty little virus and can be difficult to knock out, but $150 is outrageous! If you make a wrong step while trying to get rid of this virus, you’re not going to lose anything. I would STRONGLY suggest you follow my account here as well as bleepingcomputer’s guide first before you hand it over to an expert and pay that kind of money.

      It’s a little tough, just follow instructions! Check back in here if you have any more questions. :)

      • First, thank you for such a fast reply! I was still reading about this virus when your reply came.

        I thought $150 was kinda steep, but what do I know. I don’t even have sense enough to back up my stuff.

        I’ll give this a shot then. Your instructions and the ones on bleepingcomputer are clear, so if I take a deep breath and say a few prayers, maybe I’ll muddle through. It’ll be a few days before I try anything. That’ll give me time to round up some humans to be here with me. And I’ll be sure to print out instructions as suggested on bleepingcomputer. Love that name, by the way. Not trying to brown nose here, but you really have no idea how great it is to find help for this!!! I hope the Universe rewards you! I’ll let you know how it turns out.

      • I wish you all the best; I know how much it sucks to get hit with a virus like this. Hopefully you’ll be able to laugh about it later!

        This post has “rewarded” me with consistent hits to a blog I now am terrible at updating, so no worries. :P

      • Woooooooooooooooohoooooooo!!! I followed the instructions and I think the scareware is gone. A friend who knows about this stuff did most of the button pushing, but I crossed my fingers and prayed. Seems like everything is back to normal. (does happy dance) Thanks again for posting.(May the fleas of a thousand camels infest the armpits of the person who unleashed this mess on the internet.)

      • Glad everything worked out!

  9. Wow! This blog looks exactly like my old one! It’s on an entirely different subject but it has pretty much the same layout and design. Superb choice of colors!

  1. Pingback: Start Button On Windows 7 Stops Working, How To Fix Without Restarting The Machine? | EssayBoard

  2. Pingback: Is the “Google Redirect Virus” Turning your Searches into Virus Bait? « computerrepairsmadeeasy
