Archive for January, 2012

Jan 02

System Check Rogue Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the System Check rogue. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SystemCheck.

System Check is a rogue application, another variant of System Fix, System Restore, Data Restore, Data Recovery, System Recovery, Master Utilities, PC Repair, HDD Repair and System Repair. A rogue application tries to trick you by displaying false-positive or misleading scan results that claim your computer has problems or is infected with viruses or trojans, and it will not let you "fix" them until you purchase the product.

Files created:

  • %AllUsersProfile%\Application Data\[random].exe
  • %AllUsersProfile%\Application Data\[random].exe
  • %AllUsersProfile%\Application Data\~[random]
  • %AllUsersProfile%\Application Data\~[random]r
  • %AllUsersProfile%\Application Data\[random]
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
  • %UserProfile%\Desktop\System Check.lnk
  • %Temp%\3.tmp
  • %Temp%\smtmp\
  • %Temp%\smtmp\2\
  • %Temp%\smtmp\4\
  • %Temp%\smtmp\1\
  • %UserProfile%\Start Menu\Programs\System Check\
  • %UserProfile%\Start Menu\Programs\System Check\Uninstall System Check.lnk
  • %UserProfile%\Start Menu\Programs\System Check\System Check.lnk

Registry entries created or modified:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\policies\system\
    DisableTaskMgr = 01000000
  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\
    [random].exe = %AllUsersProfile%\Application Data\[random].exe
  • HKEY_CURRENT_USER\Control Panel\
    nsreg = F82D014F
  • HKEY_CURRENT_USER\Control Panel\
    bin = 43003A005C0044006F006…
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
    CheckExeSignatures = no
  • HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main\
    Use FormSuggest = Yes
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    Hidden = (empty)
    ShowSuperHidden = (empty)
    TaskbarGlomming = (empty)
    TaskbarGlomLevel = 02000000
    Start_ShowControlPanel = (empty)
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\
    NoChangingWallPaper = 01000000
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Associations\
    LowRiskFileTypes = .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
    SaveZoneInformation = 01000000
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
    NoDesktop = 01000000
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\System\
    DisableTaskMgr = 01000000
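As an added example (not Emsisoft's code), the following PowerShell audit checks a machine for the policy values and Run-key persistence listed above and, when run with -Restore, removes them. It assumes an elevated session and that the Run entry points under %AllUsersProfile%\Application Data as described; the Emsisoft scan remains the actual removal step.

```powershell
# Added example: audit the registry indicators System Check is reported to set.
# Report-only by default; -Restore removes the matching values. Run elevated.
param([switch]$Restore)

# Values from the list above. The "01000000" shown there is the raw dump of a
# little-endian DWORD, i.e. the value 1.
$indicators = @(
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';        Name='DisableTaskMgr';      Bad=1 },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name='DisableTaskMgr';      Bad=1 },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name='NoDesktop';           Bad=1 },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name='NoChangingWallPaper'; Bad=1 },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';   Name='SaveZoneInformation'; Bad=1 },
    @{ Path='HKCU:\Software\Microsoft\Internet Explorer\Download';                    Name='CheckExeSignatures';  Bad='no' }
)

$findings = @()
foreach ($i in $indicators) {
    $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and "$($item.($i.Name))" -eq "$($i.Bad)") {
        $findings += "$($i.Path)\$($i.Name) = $($item.($i.Name))"
        if ($Restore) { Remove-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue }
    }
}

# Persistence: any HKLM Run entry whose command lives in the all-users
# Application Data folder, where the rogue drops its [random].exe.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$dropDir = Join-Path $env:ALLUSERSPROFILE 'Application Data'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        # Skip the PS* metadata properties; strip quotes around the command path.
        if ($p.Name -notlike 'PS*' -and "$($p.Value)".Trim('"') -like "$dropDir\*") {
            $findings += "$runKey\$($p.Name) = $($p.Value)"
            if ($Restore) { Remove-ItemProperty -Path $runKey -Name $p.Name }
        }
    }
}

if ($findings.Count -eq 0) { 'No System Check registry indicators found.' }
else { 'Indicators found:'; $findings | ForEach-Object { "  $_" } }
```

Removing the values only restores Task Manager, the desktop and the download warnings; the dropped executable and shortcuts listed above still need to be quarantined.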

Screenshots: four images of the Rogue.Win32.SystemCheck interface.

To register and uninstall this rogue application, you can try the following serial number and enter any e-mail address:

1203978628012489708290478989147

How to remove the infection of System Check (Rogue.Win32.SystemCheck)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.