
Saturday, December 31, 2011

Remove "System Check" (Uninstall Guide)

System Check is malicious software posing as a Windows system utility. Although it may look like the real thing, it isn't! You are actually dealing with scareware and the newest TDL rootkit. Once installed, this fake system utility starts throwing lots of bogus error messages, blocks Task Manager and other programs (including antivirus software), and hides all icons and program shortcuts. It does the same thing in safe mode too. As you can tell already, it's a nasty virus. In a previous writeup, we analyzed another rogue program called System Fix. It's pretty much the same type of infection. The two most important things to remember when removing this virus: do not purchase it, and do not delete temporary Windows files stored in the %Temp% folder using CCleaner or similar software. To remove System Check malware from your computer, please follow the removal instructions below.



Common symptoms of System Check infection:
  • false error messages, "Hard drive clusters are partly damaged" and similar
  • all icons and shortcuts are gone
  • Task Manager and other system utilities are blocked
  • can't run anti-virus software
  • search results are redirected to irrelevant and infected websites. This happens in Internet Explorer and Mozilla Firefox.
The following websites were requested from the remote web server while our computer was infected with System Check scareware:
  • rosedalolandou.com
  • ushbrenerw.net
Here's an example of a fake system error:



Don't blame yourself if you fell for this scam. Call your credit card company and dispute the charges. Then follow the steps in the removal guide below to remove System Check and associated malware from your computer. If you have any questions, please leave a comment below. Good luck and be safe online!


Quick removal:


1. Use the debugged registration key and a fake email address to register the System Check malware. This will allow you to download and run any malware removal tool you like and restore hidden files and shortcuts. Choose to activate "System Check" manually and enter the following email and activation code:

mail@mail.com
15801587234612645205224631045976 (new code!)

mail@mail.com
1203978628012489708290478989147 (old code, may not work anymore)



2. Download TDSSKiller and run a system scan. Remove found rootkits as shown in the image below. Reboot your computer if required.

3. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.


Alternate System Check removal instructions:

1. Open Internet Explorer. If the shortcut is hidden, please select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter iexplore.exe and hit Enter or click OK.



2. Download and run this utility to restore missing icons and shortcuts.

3. Now, please download TDSSKiller and run a system scan. Remove found rootkits as shown in the image below. Reboot your computer if required.



Please note that your computer might be rootkit free; not all versions of System Check come bundled with rootkits. Don't worry if TDSSKiller didn't find a rootkit.

4. Finally, download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

5. System Check virus should be gone. If certain icons and shortcuts are still missing, please use restoresm.zip.


Associated System Check files and registry values:

Files:

Windows XP:
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe
  • %UserProfile%\Start Menu\Programs\System Check\
%AllUsersProfile% refers to: C:\Documents and Settings\All Users
%UserProfile% refers to: C:\Documents and Settings\[User Name]

Windows Vista/7:
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].exe
  • %UserProfile%\Start Menu\Programs\System Check\
%AllUsersProfile% refers to: C:\ProgramData
%UserProfile% refers to: C:\Users\[User Name]

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
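
The files and registry values listed above can be checked without modifying the machine. The following PowerShell script is an added example, not part of the original guide or of any tool it mentions; the helper name Test-SystemCheckRunEntry is hypothetical, and because the file name is random it assumes that any Run entry starting an .exe directly in the all-users data folder is worth reporting. Run it as the affected user, since the values live under HKEY_CURRENT_USER.

```powershell
# Read-only check for the indicators listed above (added example, current user only).
# Assumption: the random file name has no known pattern, so any Run entry that
# starts an .exe located directly in the all-users data folder is reported.
function Test-SystemCheckRunEntry {          # hypothetical helper name
    param([string]$Command, [string[]]$DataDirs)
    # Extract the executable path from a quoted or unquoted Run command line.
    if ($Command -match '^\s*"([^"]+\.exe)"' -or $Command -match '^\s*(.+?\.exe)') {
        $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
        $parent = [System.IO.Path]::GetDirectoryName($exe)
        foreach ($dir in $DataDirs) {
            if ($parent -and $parent.TrimEnd('\') -ieq $dir.TrimEnd('\')) { return $true }
        }
    }
    return $false
}

$findings = @()

# 1. HKCU Run values pointing at %AllUsersProfile% (Vista/7) or its
#    "Application Data" subfolder (XP).
$dataDirs = @($env:ALLUSERSPROFILE, (Join-Path $env:ALLUSERSPROFILE 'Application Data'))
$runKey = Get-Item 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $command = [string]$runKey.GetValue($name)
        if (Test-SystemCheckRunEntry -Command $command -DataDirs $dataDirs) {
            $findings += "Run value '$name' starts $command"
        }
    }
}

# 2. The two settings from the list. Both can also be set legitimately,
#    so treat a match as supporting evidence only.
$settings = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name = 'SaveZoneInformation'; Data = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Use FormSuggest'; Data = 'yes' }
)
foreach ($s in $settings) {
    $key = Get-Item $s.Key -ErrorAction SilentlyContinue
    if ($key -and ([string]$key.GetValue($s.Name) -eq $s.Data)) {
        $findings += "$($s.Key) '$($s.Name)' = '$($s.Data)'"
    }
}

# 3. The Start Menu folder the program creates for the current user.
$menu = Join-Path ([Environment]::GetFolderPath('Programs')) 'System Check'
if (Test-Path -LiteralPath $menu) { $findings += "Start Menu folder $menu" }

if ($findings.Count -gt 0) { $findings } else { 'None of the listed System Check indicators were found.' }
```

A Run entry reported in step 1 is the strongest of the three signals; a clean result does not rule out the rootkit component, which TDSSKiller checks for separately.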

52 comments:

Anonymous said...

I hope this works! -L.B

Anonymous said...

This didn't work. :(

Anonymous said...

kaan

None of them worked :(

Anonymous said...

So this all comes down to the final step of PURCHASING Spyware Doctor? Come on, man!

Anonymous said...

Thanks so much. My daughter got this from a fake Adobe Flash update. I downloaded all of the files mentioned above onto a CD-ROM. Probably not necessary, but I was afraid of infecting a USB flash drive.

Anonymous said...

My computer has a firewall update that I can't answer because there is no choice, and it is stuck on my computer blocking my view of things. Is there any way to get it down?

Anonymous said...

Great... Now I still have System Check on my computer, AND I now have to uninstall Spyware Doctor. Your tutorial on how to fix my computer absolutely sucks.

Anonymous said...

Good solution, however it does not mention that Spyware doctor is only for detection, as the removal is not free. I guess once identified they can be removed manually.

Anonymous said...

Thank you very much! It was great! Everything is fine, restored! Greets from Hamburg, Germany. God bless you!

Anonymous said...

WORKED GREAT!! THANKS!!

Anonymous said...

Worked beautifully for us thanks. What a cunning programme

Anonymous said...

thank you so much this worked well for me.

Anonymous said...

...ok soo how do u remove the infected material without buying? and mine was AdWare.HotBar, did anybody else get this problem?? and thnx this really helped...xXDRG-JR.Xx

Anonymous said...

I found this extremely helpful as I could not access any programs, files or folders following my infection. This meant I could not get files such as unhide.exe or TDSSKiller onto the computer. I did try keystrokes to get Iexplorer to run, but no joy. In safe mode with networking I was unable to download files as the browser was diverted away. In DOS mode the computer could not see USB or optical drives. The debugged registration key method has worked.

Anonymous said...

Before reading this I did a system restore. The computer seems to be back to normal however all my files and pictures are gone. Any help?

Anonymous said...

It worked for me. Thank you.

Anonymous said...

A program named "System Check" appeared in my computer blocking all my files and programs and I don't know how to remove it

Anonymous said...

for all of you complaining about spyware doctor.. use malwarebytes anti-malware. they give a free full trial for 15 days.

Anonymous said...

So are you supposed to activate the code and they let the bogus program run to fix the problems? Will that give internet access to download tdsskiller then?

No said...

!!!!Alert!!!!
Spyware Doctor must have created the 'System Check' malware. Who else is profiting from this lousy virus? I recommend re-installing windows from scratch. Why pay Spyware Doctor to fix something they started in the first place? If you call them and ask them about their company being the perps they will swear it's not them. They are sick folks.

Anonymous said...

this shit is pissing me off..I have tried everything "but spyware Dr".... I will let u know if it works. malware bites did not.

Anonymous said...

The procedure worked for me EXCEPT... I used Malwarebytes and SuperAntiSpyware instead of Spyware Dr.
I also had to remove and reinstall Microsoft Security Essentials and SuperAntiSpyware in order for them to update properly.

enkue said...

THANKS!!

Anonymous said...

Easy way to get rid of it is to do a System Restore to an earlier checkpoint in SafeMode. For Windows XP, go to Start--> Help and Support --> Performance and Maintenance --> System Restore to undo changes --> Run System Restore Wizard. I recommend restoring to at least a few days prior to noticing the infectious software to ensure any changes since are removed from the comp. Any newer version of Windows operates the same way, however you can just type "System Restore" in the search box. Some viruses infect System Restore to where you can't run it, but right clicking on it and choosing to "Run as Administrator" usually overrides the virus and allows the program to open. It worked on both a laptop and desktop computer for me and I have yet to have any issues since. Hope this helps!

Anonymous said...

I came to this page only after I'd removed the rootkit and the System Check, as I couldn't find the rest of my icons (I'd reset the permissions on the relevant folders, but the links themselves were missing).
TDSSKiller will run under safe mode *IF* you rename it first - the rootkit is obviously blocking certain files from running. Once the rootkit is gone, malwarebytes removed the rest with a full scan. The icon restore script worked a charm, thanks!

Anonymous said...

This is a nice post. The activation code helps a lot! My computer is coming back to normal after I read this post. Thank you so much!

Anonymous said...

I have been infected through a fake Flash update.

I followed the quick removal procedure (Step 1 = System Check registration + Step 2 = TDSSKiller), but rather than use Spyware Doctor, I used the free Malwarebytes Anti-Malware and it worked perfectly!

Thanks!

Anonymous said...

I totally agree. Why can't they be honest upfront?

Anonymous said...

JUST DO A SYSTEM RESTORE TO A DATE PRIOR TO YOUR COMPUTER BEING INFECTED.

The SYSTEM RESTORE removes this completely. Also, use this great FREE anti-spyware, they have free tech support:

http://superantispyware.com

It worked perfectly for me!

Anonymous said...

I've activated the System Check and entered in the code provided. System check "fixed" my problems however I cannot do a full scan as my folders are still hidden. I also cannot get online to download the TDSSKiller or the link to unhide my folders. I think I am stuck. Any suggestions? My computer says I'm connected to the internet, that my connection is excellent, but also says "status:acquiring network address" and doesn't do anything when I try to repair the connection.

Anonymous said...

thank you so much for helping us,,,

Anonymous said...

The quick method worked great for me! Thanks.

Mary Cas said...

So I followed all the instructions and all the icons and everything is back but there are icons saying system check on them.. does that mean that the computer still has the virus or what do I do with the icons???

Anonymous said...

must be an old activation code did not activate

Gaston said...

Thank you very much for your iexplore utility. It restored all links removed by these racketeers.
I removed it with Malwarebytes but your iexplore utility was key in my recovering the lost program links from the task bar. You saved me a lot of time.
Thanks again

Anonymous said...

Spyware Doctor was useless. It did pick up other stuff but it did NOT pick up the System Check virus. Plus I am NOT going to pay to get it removed. I am trying to use the System Restore option that was posted earlier. How long will it take to restore, does anybody know?

The van der Veers said...

I've managed to remove System check and restore my desktop icons, but I still can't restore my start menu icons - help!

Anonymous said...

This has worked however I can't seem to find my desktop icons and start menu icons. Please help!

Anonymous said...

I refuse to pay for a program that I will only use once.

Why doesn't someone out there create a proper tool kit to get rid of this virus and post it where folks can access and download it for free.

I think the owner of the blog would get a lot of kudos for this, rather than just give links to programs that want us to pay.

Bull$hit

Anonymous said...

After trying numerous things last night including a full virus scan, I gave up only to start trying again this morning. Only thing is, my laptop now will not start windows. I keep getting the same message in DOS mode to repair windows start up automatically. Only thing is ... the message comes back after running the option that there is no automatic solution in repairing windows start up and then directs me to only restart or shutdown. When I hit the F8 button I also cannot enter any safe mode like the DOS prompt to do anything substantial. How does anyone let alone a pro enter my system to apply these fixes that you suggest? PLeeease Help !!

Anonymous said...

Your debugged registration allowed me to access System Restore and so far has fixed the problem. Thanks for that.

murph111 said...

My mother's laptop got smacked with this.
Using Kaspersky rescue (free at their site) then following up with unhide.exe (free) fixed everything fairly simply.
Figuring this all out at first, whole other story, lol.
Windows XP Media 32bit NTFS file system.
Hope this saves someone the whole day I lost :(

Anonymous said...

Thank you!!!!!!!!!!!!1

Anonymous said...

THANK YOU BRO!!!!!!!!!! LOVE U....

Anonymous said...

Thank you very much. It works, followed the first step.

Anonymous said...

Well its been since Friday and I have only managed to get icons back up and running.

Have tried procedures, unhide, rootkill. System restore wouldn't work, and neither did Kaspersky.

Have run Super - spyware several times, and each time it runs, it detects malware????

Unable to run Spy Dr. and Malwares?

Still missing programs and computer running slow...what alternatives or SUGGESTIONS do I have available here?

Your blog has been tremendous help so far and is truly appreciated.

Anonymous said...

I've got rid of the system check virus. Thank you so much

Anonymous said...

If this didn't work for you don't get mad at the poster. There are easy steps that can be taken to get past the initial blocks with malware. Number 1 being to restart your computer and boot to safe mode. From there you can run the msconfig utility, go to startup and look for the funky named .exe file which is always there in the case of malware. Disable it and reboot back into Windows. Now you should be able to open internet explorer, download and install malwarebytes and remove the infection. You will still need Unhide to get your icons and shortcuts back.

Don't be the jackass who acts like a fool to the poster who took their own time to try to help YOU get the virus off your computer.

Anonymous said...

Long story short: worked (unhide is important) to a)stop f'ing virus b.s., b) malwarebytes remove files (just 3), c) get PC back to normal. THANK YOU!!!!

Cuda383 said...

Just asking. How long should it take for the restore to take for XP SP3? An hour?

Thanks.

Anonymous said...

Thank you for the installation key! That felt good. I used other tools to actually clean the thing but this was just what I needed.