System Checker Trojan

#1  01-24-2012, 08:57 PM
Peach (Ninja Zombie Assassin)
Join Date: Oct 2007 | Location: British Columbia | Posts: 850

OH..... EM..... EFF... GEE


I have never, ever experienced a rogue trojan as bad as this one. I'm STILL trying to recover from it and I've been working on it for 6 hours.

I went to brush my teeth last night before bed and came back to find about a million popups saying the system couldn't write or something to C:\System32\00026a23. I got other popups telling me my hard drive was failing and the RAM was at critical levels. All my desktop items were gone, my background was gone, all the start menus were gone. It LOOKED LEGIT! It immediately popped up this "System Checker" that looked like a Windows program. It did its "scan" and "found" problems with my hard drive being corrupted, etc. etc. It only "removed" SOME of them but wanted me to buy the full version ($85). It even has VeriSign and McAfee "badges" (none link to anything) to fool you. If you actually pay the money, you end up downloading the REAL virus.

Anyway, I panicked for a bit, thinking it was legit, then hopped on my Android to Google (b/c I couldn't access the Internet from the computer or else the damn popups would come back). Found it was a virus.

I couldn't start in Safe Mode.
I couldn't do a restore (still can't).

I kept trying, and trying, and trying to start in Safe mode. FINALLY it let me.

I found this website:
Remove System Check (Uninstall Guide)

And followed it. When I went to install Malwarebytes (which I already had on the computer but couldn't access), the trojan tells me it was a "corrupt" file and "Access Denied." I tried several times before I just decided to IGNORE it and re-click on the installer for Malwarebytes. That worked. It tricked the trojan into allowing it to run.

I let the full scan run while I slept, and it came back with 7 reported problems. I fixed them all according to the tutorial.

I followed the rest of the tutorial but I'm still under attack.

My icons still aren't back on my desktop. I still can't change my background (it's black at the moment). I can't access my Task Manager. I can't do a system restore.

I'm running another Malware scan.

I have to go to work soon, so I'll have to try and finish this when I get home.

But holy jeez this is the worst I've ever had. I've never had it where you couldn't get into Safe mode and do a restore.

There are no trojans left, apparently (UnhackMe told me so lol) but I bet there are still viruses. Unfortunately, the company I was working for pulled my Kaspersky off and put on Avast!, which failed to catch the viruses (if they're viruses).

If I can't fix it, I'm going to have to take it in and have someone with more expertise do it since my computer guy isn't answering his damn texts!

I'd rather do it myself, since I'm about to go to the vet with the dog and fork out another $150 for a urine culture and antibiotics. Did I mention I have $11 in my bank account?

This week cannot get any worse.
__________________
Nikon D40x | Nikkor 18-55mm f/3.5-5.6 | Nikkor 55-200mm f/4-5.6G | Nikon 50mm f/1.8D | Adobe Photoshop CS3 | Adobe Photoshop CS5
--Flickr
#2  01-24-2012, 09:02 PM
Aboiement (Banned)
Join Date: Dec 2011 | Posts: 122

Wipe drive -> reinstall Windows.
#3  01-24-2012, 09:03 PM
Peach (Ninja Zombie Assassin)
Join Date: Oct 2007 | Location: British Columbia | Posts: 850

Quote (Originally Posted by Aboiement):
Wipe drive -> reinstall Windows.

Can't. It won't let me do anything like that.

And I'm not ready to give up so easily. I have a lot of pictures on this computer and no external drive to throw them on to save them. Reinstalling Windows would make me lose them all. Not doing that.
#4  01-24-2012, 09:03 PM
Photoboothguy (Guest)
Posts: n/a

..........

Last edited by Photoboothguy; 01-27-2012 at 03:11 PM.
#5  01-24-2012, 09:05 PM
brianxlt (Shoots from the hip.)
Join Date: Jan 2011 | Location: Surprise, Az | Posts: 258

Best way to get rid of it is to restore to factory settings. My computer got that virus and that is what I had to do. I was able to back up/copy all my image and other files, then just started new. Reloaded all my software and images/songs and what not. No problem since. I also updated my Norton 360; it has blocked this four times already. You can get it from Facebook, e-mail, YouTube and other sites.
__________________
I shoot for me - I shoot for fun.
#6  01-24-2012, 09:07 PM
Peach (Ninja Zombie Assassin)
Join Date: Oct 2007 | Location: British Columbia | Posts: 850

Quote (Originally Posted by Photoboothguy):
Ah, the Hijack virus. That's a fun one. Those are a challenge to remove, even for highly technical people.

Last time I got one of those, I had to perform a large amount of registry edits, which isn't something most people should do. I think it took me almost 2 hours to get rid of it completely.

The time before that, I ended up backing up my system and performing a complete OS reinstall.

I'm not sure if it's the hijack; I can/could Google search with no problem even before I started the tutorial (it's how I got to it, when I realized that MSN was opening up and I could access Firefox from there). I've had a Hijack before, where you can't get to any Google search; it reroutes you to a different webpage all the time. That's not what was happening with me.
#7  01-24-2012, 09:09 PM
Peach (Ninja Zombie Assassin)
Join Date: Oct 2007 | Location: British Columbia | Posts: 850

Quote (Originally Posted by brianxlt):
Best way to get rid of it is to restore to factory settings. My computer got that virus and that is what I had to do. I was able to back up/copy all my image and other files, then just started new. Reloaded all my software and images/songs and what not. No problem since. I also updated my Norton 360; it has blocked this four times already. You can get it from Facebook, e-mail, YouTube and other sites.

I cannot restore. It has blocked access to any Restore selections. (Start - Programs - Accessories - System Tools, and also Task Manager). I'd restore all the way back as far as I could, if I could, but I can't at the moment. And, as I said, I'm not ready to lose everything.
#8  01-24-2012, 09:17 PM
brianxlt (Shoots from the hip.)
Join Date: Jan 2011 | Location: Surprise, Az | Posts: 258

Do you have the factory disk? Or the backup disk that came with it or that you made yourself? If you can get into My Computer, open the drive folders and copy everything over to an external. I know you said you didn't have one, but they are reasonably inexpensive. If you can get one and copy everything over, then use your recovery disk to restore your computer to factory settings (just like new, out of the box).
#9  01-24-2012, 09:23 PM
ceremus (aperture science to do)
Join Date: Aug 2011 | Location: Southeast Michigan | Posts: 656

This sort of thing is why you should always run Windows under a Limited account, i.e. not the Administrator account. An admin account can do anything. Edit the registry. Screw with the critical system folder files. Reroute your IP traffic to a proxy. Run malicious programs at startup on every account. Block access to system critical functions. You name it. If you're running as an admin and malicious code manages to find its way onto your system, that code has a free pass to screw up your PC in whatever awful ways it pleases.

When running as a Limited account however, you pretty much only have permission to change the settings within that account. You can't install malicious software, nor mess with \Windows\system32, nor \Program Files, nor the registry, nor any setting that affects the OS on a system-wide basis. If your account gets a virus/trojan, the infection is effectively quarantined to that single account. You can make a new account, delete the old one, and never worry about the infection again. Learn to love the limited account, it will save your ass.
__________________
My flickriver
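The limited-account argument above comes down to which parts of the system a given account can write to, and the symptoms Peach describes (Task Manager blocked, desktop icons gone, System Restore unavailable) are the kind of thing a quick triage script can enumerate before anyone decides between cleanup and reinstall. The following PowerShell script is an added example written for this thread; it is not from the uninstall guide, from Malwarebytes or from any poster. It assumes those symptoms are produced by per-user Policies registry values and by the Hidden attribute being set on profile files; that assumption is the example's, not something the thread establishes. The `-Unhide` switch is a hypothetical parameter name chosen for the example.

```powershell
# Added triage example (not from the thread). ASSUMPTION: the symptoms described
# (Task Manager blocked, desktop empty, System Restore unavailable) come from
# per-user Policies registry values and from the Hidden attribute on profile files.
param(
    [switch]$Unhide   # hypothetical switch: clear the Hidden bit on files found below
)

# 1. Is this session an administrator? This is ceremus's point: a Limited
#    account cannot write to HKLM, \Windows\system32 or \Program Files, so
#    anything running as that account is confined to HKCU and the profile.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as: $($identity.Name)  (elevated administrator: $isAdmin)"

# 2. Policy values that lock a user out of recovery tools. The HKCU values can be
#    written by the account itself; the HKLM System Restore value needs admin rights.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Means = 'Task Manager disabled' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Means = 'Registry Editor disabled' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDesktop';            Means = 'Desktop icons hidden' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableSR';            Means = 'System Restore disabled' }
)
foreach ($c in $policyChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($c.Name) -eq 1) {
        "FOUND  {0}\{1} = 1  -> {2}" -f $c.Path, $c.Name, $c.Means
    } else {
        "clear  {0}\{1}" -f $c.Path, $c.Name
    }
}

# 3. Files under the user's Desktop and Start Menu carrying the Hidden attribute.
#    Shortcuts flagged Hidden would explain "all my desktop items were gone"
#    without anything actually having been deleted.
$folders = 'Desktop', 'StartMenu', 'Programs' |
    ForEach-Object { [Environment]::GetFolderPath($_) }
foreach ($dir in $folders) {
    if (-not (Test-Path $dir)) { continue }
    $hidden = Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden) }
    "{0}: {1} hidden file(s)" -f $dir, @($hidden).Count
    if ($Unhide) {
        foreach ($f in $hidden) {
            # Clear only the Hidden bit; leave System, ReadOnly and the rest untouched.
            $f.Attributes = $f.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
        }
    }
}
```

Run it first without `-Unhide` to get a report, ideally from Safe Mode as in the thread. Note what the split between HKCU and HKLM tells you: a Limited account that has been tampered with shows only HKCU and profile findings, and ceremus's remedy of creating a fresh account and deleting the old one then genuinely removes the damage; findings under HKLM or in system folders mean the code ran with admin rights, and the reinstall advice from the other posters carries more weight.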
#10  01-24-2012, 09:25 PM
ceremus (aperture science to do)
Join Date: Aug 2011 | Location: Southeast Michigan | Posts: 656

Quote (Originally Posted by Peach):
I cannot restore. It has blocked access to any Restore selections. (Start - Programs - Accessories - System Tools, and also Task Manager). I'd restore all the way back as far as I could, if I could, but I can't at the moment. And, as I said, I'm not ready to lose everything.

If you have access to a bootable Linux disc you can boot from that, attach an external hard drive, and copy the data that you need to save onto the external. Then you can proceed with a full reinstall of Windows if you're unable to wrestle out the trojan infection.
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2012, Jelsoft Enterprises Ltd.