The “System-Check” Virus

The past two days have been absolutely ridiculous. I touched on what happened a little in my last post, but today I figured I’d delve into the details of what happened. It’s been an interesting couple of days.

It all started two nights ago. I downloaded a handful of Photoshop brushes and a few fonts that day. So I brought ’em over to my writing/art laptop and started unzipping. Unbeknownst to me, one of them was gonna turn my computer into a virus playground. My old hard drive broke. I had the laptop for years, and then it just started freezing for no apparent reason. No viruses, no nothing, just freezing. So after a mess of time-consuming hardware checks, I learned the hard drive was basically just kaput. I got a hold of an uncle of mine who’s a wiz when it comes to computers, bought and sent him a new hard drive, had him load it up with programs through the company he works for, and bam. The replacement hard drive saved me.

Problem is, the computer was never online. I never bothered to update the antivirus or anything, so when I unzipped this “brush” that I got from a third-party site (that looked completely legitimate and had no red flags), all hell broke loose. Everything froze, including my heart. I probably swore; I don’t remember. The icons on my screen disappeared, a Windows “System Check” box popped up and started scanning My Computer, the HDD, the RAM, and the registry. Wait, scanning My Computer and the HDD? Aren’t those the same thing? And why is the system check still running with my custom color-barf theme I created? Why is there a little “System Check” shortcut next to the start menu? Why is it discolored and odd looking?

Who cares! My computer’s exploding! I ignored all the fishy signs and paid full attention to this scan. It only took about five minutes. Wait, what? Five minutes to scan the HDD? I’ve done that before. It took two hours. Four errors in My Computer, four in the HDD, three in the RAM, four in the registry. “The C: drive is unreadable.” No! I pressed the “Repair” button and sat patiently impatiently. Hey!—it’s fixing the problems now! Oh wait, it can’t fix the C: drive. Awesome. I try not to cry.

The entire encounter was lots of fun. By the time I got to the end of it, the window tells me that if I want to fix all the errors, I have to pay for the full version. Pardon my Caprican, but what the frak? I have to pay to fix my computer? That ain’t right. I shut everything down and got extremely depressed, but that doesn’t mean I gave up. I’m not a computer expert, but I know my stuff. I started the boot diagnosis and… waited. The entire process takes almost two hours, so I laid down and tried to sleep, unsuccessfully. When I trudged back into the living room, expecting the worst, a pleasant sight met my eyes.

Nothing’s wrong with your computer, bro.

Okay, the screen didn’t say that, but it should have. You have no idea what a relief seeing that message was. All was not lost! Still, my computer was crawling with viruses. Things were bleak, but my hard drive was safe. Turning the computer back on (and wading through this dang “System Check” nonsense) I was able to find my files. They weren’t gone. The virus hijacked the start menu, as well as the desktop. My Computer and My Documents got moved to the “All Programs” tab. Tricky, but only to someone freaking out and blinded by thoughts of “MY COMPUTER IS BROKEN”. Everything was still there, to my incredible relief.

I went to bed at around 4am, finding solace in the fact that the virus was more a trick than a destructive force. Here I was thinking I got hit by some horrible virus that blew my hard drive to hell, like Magistr or CIH. The next morning I set out to find out what I was up against. It only took a single Google search to find my problem. The “System-Check Virus”, I found it was generally called. It’s not your typical virus; it’s called a “rogue”, or “rogueware”, and it’s part of a virus family called FakeHDD. Basically it’s a big illusion to trick you into giving out your credit card number. Remember the entire “buy the full version” prompt? You get it. Mostly people get hit by it when they get conned into those “free virus check” sites, but that certainly wasn’t how I got hit. I quickly found a step-by-step guide on getting rid of it and got to work. (Go bleepingcomputer.com!)

The process was pretty complicated. The first step was to turn on the computer in safe mode; easy enough. I downloaded all the necessary programs and threw them on a thumb drive, like a warrior with his armor and weaponry coming toe to toe with the mighty dragon. Next up was a program called RKill, which basically kills all the processes that the virus runs to stop you from doing… anything really. Realize that it crippled my actions on the computer so badly that I couldn’t right click, move things, or even press ctrl-alt-delete! It took multiple tries to run RKill, and I was forced to change the name of the program to “iExplore.exe” for the virus to let it through. That’s right, this virus protected itself in a big way. Try to run a program to fight the virus? The virus shuts it down. This was only the beginning of my battle.

Finally, after countless tries, RKill ran. It shut down a slew of processes and my desktop icons came flooding back. So far so good. The next step was to run a program called TDSSKiller. The aim of this program was to find and destroy a piece of the virus called a “rootkit”. Not only was this rootkit the culprit for killing my anti-virus and blocking out my virus-killer programs, it also royally screws over your internet. If your computer is infected by a rootkit, your Google searches will give you crazy results, and you’ll often be redirected to ads and all sorts of nasty stuff. I think it’s commonly called the Google redirect virus, but either way, I had more problems than just that.

The rootkit proved to be a very difficult foe. Like diamond-hard dragon’s scales, no matter what I tried, my blows were deflected. TDSSKiller—no matter what I renamed it—was immediately shut down by this nasty bug. Why? The dolts over at Kaspersky Labs decided to put a nice big “Kaspersky Labs made this!” inside the properties of the program. So when I tried to open it, the rootkit saw the inner workings and source of the program and shut it down cold. I was screwed.

The solution was to download another program called Verpatch that I could use to change those inner properties of the TDSSKiller. Problem is, Mr. Rootkit stopped that program in its tracks too. Formidable opponent, right? I found a link to a version of TDSSKiller without Kaspersky Labs’ idiot name all over it, but to my great anger and frustration, the link was dead. I set down my sword and decided to move on to the next step.

It was time to ditch the sword and pull out the bazooka.

Malwarebytes is an awesome program. Not only did it break right through the virus’s defenses and run the setup and updates without a hitch, it also found eleven different viruses in the system. Yeah, eleven. I was back in business, and stomping out the bugs left and right. Problem was, the rootkit was still in business, protecting itself from the program that could root it out and kill it: the TDSSKiller.

I redoubled my search for the version of the program that would slip through its defenses, and I found what I was looking for. Kaspersky redeemed themselves; they had made an alternate version without their brand name all over it. If you’re screwed like I was, go HERE for the right version of TDSSKiller (you do have to register on the forums to download it). You can thank me later. I didn’t even have to rename the program from “TDSSKiller” and it started up like a charm. There are many breeds of this virus that I had; it looks like the one I had was nasty indeed, smarter than most versions. It wasn’t even looking at the name of the program—only its inner workings. Sneaky, huh?

The TDSSKiller fired up and found it. Buh-bye rootkit. I was glowing. I bested the beast. I ran Malwarebytes again and it found another handful of viruses. The rootkit was hiding them? I don’t know, but I was glad that thing was toast. I decided to turn the computer on without safe mode before running Malwarebytes two more times (yes, I was paranoid). You can only imagine my joy when the results came up with a big fat zero on both scans. I was virus free. The final step was to run a little program called “Unhide.exe”, since the virus goes into your system files and checks “hidden” on all of them. A weak trick, but still.
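If you want to see what that last “unhide” step actually does, here is an added PowerShell example (mine, not the Unhide.exe tool from the guide, and not code from the original post). It walks your user profile, finds everything the rogue flagged as Hidden, and clears that flag, while leaving alone files that carry the System attribute too, since Windows hides those itself (desktop.ini, NTUSER.DAT, the old “Application Data” junctions) and you want them to stay hidden. The default root, `$env:USERPROFILE`, and the decision to skip the AppData tree are my assumptions; adjust them for your machine.

```powershell
# Added example: clear the Hidden attribute that a FakeHDD-style rogue sets on
# user files. This is NOT Unhide.exe; the root path and the AppData exclusion
# are assumptions for a typical single-user Windows profile.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Root = $env:USERPROFILE   # assumed starting point; change as needed
)

$hidden = [IO.FileAttributes]::Hidden
$system = [IO.FileAttributes]::System

# -Force is required, otherwise Get-ChildItem skips hidden items entirely.
Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        # Hidden, but NOT also System: Hidden+System items are hidden by
        # Windows on purpose and should be left exactly as they are.
        ($_.Attributes -band $hidden) -and
        -not ($_.Attributes -band $system) -and
        # AppData is hidden by design and holds nothing the rogue "took away".
        ($_.FullName -notlike (Join-Path $Root 'AppData*'))
    } |
    ForEach-Object {
        # -WhatIf / -Confirm come for free from SupportsShouldProcess.
        if ($PSCmdlet.ShouldProcess($_.FullName, 'Clear Hidden attribute')) {
            # We already know Hidden is set, so XOR simply turns it off and
            # leaves every other attribute (ReadOnly, Archive, ...) untouched.
            $_.Attributes = $_.Attributes -bxor $hidden
            Write-Output "Unhid: $($_.FullName)"
        }
    }
```

Save it as something like `Unhide-UserFiles.ps1`, run it first with `-WhatIf` to see the list of what would change, and only then run it for real. Running it against `C:\` instead of your profile is a bad idea: the Hidden-but-not-System filter is a heuristic, not a guarantee, and the further you get from your own documents the more legitimately hidden files you will trip over.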

And that’s my tale. Probably not very exciting, but I thought I would share, and hopefully help out anybody who’s run into similar problems. If you’re going through a FakeHDD virus hit and are stuck, feel free to get a hold of me. I might not be able to help, because each situation is different, but who knows?

Dealt with a rogue before? Comment about it! Viruses today are worse and worse. I’m just glad I came out on top this time.