Wednesday, January 18, 2012

System Check

I’m sure we have all been wondering where the fake HDD scanner rogues have gone. Well, they are back, and a bit better than before, so let’s get started. First, let’s look at what the infection actually does to the system. This rogue makes three major changes:

1. It disables Task Manager and the registry tools as soon as it is launched.
2. It hides all files on the hard drive, starting at the root directory.
3. It moves certain shortcuts from the Start Menu, the desktop and the Quick Launch folder into a temp folder. The path is %temp%\smtmp.

This one is removed with very little effort using an activation code courtesy of Xylitol. The activation code is 1203978628012489708290478989147. Let the program finish its scan, then enter the code into the activation window along with whatever email address you choose. The address does not have to be valid, and I highly recommend that you do not use a real email address in this window. I found that you do not even need to go through the activation dialogue box: when activated, the rogue writes a text file to the desktop, and simply placing a copy of that file on the desktop while the rogue is running is enough for it to consider itself activated. You can find the text of that file at the bottom of this post.

Once activated, it is very easy to remove. The process can be killed from its system tray icon and the rogue then removed with your favorite anti-malware product (I prefer MalwareBytes’ Anti-Malware). Once the process is killed, you can also take it a step further and use the uninstall icon found in the Start Menu to remove the desktop icon and the executable if you’d like.

If you have already killed and deleted the process but have not yet removed the temp files, don’t worry, there is still an easy way to get all of your stuff back. I wrote a small tool that unhides all of the files that were hidden on the drive and then moves all of the shortcuts back to their original locations. It can be found here: Shortcut Recovery Tool
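As an added example (this is not the Shortcut Recovery Tool above and not code from the original post), here is a PowerShell script that reverses the three changes listed earlier once the rogue’s process has been killed. Two things in it are assumptions rather than facts from the post: that the rogue disables Task Manager and the registry tools through the usual per-user policy values DisableTaskMgr and DisableRegistryTools, and the table mapping the %temp%\smtmp subfolders back to their original locations, which is only a placeholder because the post does not describe the layout of that folder. Look inside smtmp and fix the table before running step 3. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not the author's Shortcut Recovery Tool: undo the three changes
# the rogue makes. Run from an elevated PowerShell prompt after its process is dead.

# 1. Re-enable Task Manager and the Registry Editor.
#    ASSUMPTION: the rogue uses the standard per-user policy values below.
#    If they are not present, nothing is changed.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    $value = Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
    if ($value) {
        Remove-ItemProperty -Path $policyKey -Name $name
        Write-Host "Removed $policyKey\$name"
    }
}

# 2. Clear the Hidden attribute from files, starting at the root of the system drive.
#    Files that also carry the System attribute (desktop.ini, pagefile.sys, ...) and
#    hidden directories (AppData, ProgramData, ...) are left alone: Windows hides
#    those itself, so blindly unhiding everything would expose them.
$root = $env:SystemDrive + '\'
Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
        (($_.Attributes -band [IO.FileAttributes]::System) -eq 0)
    } |
    ForEach-Object {
        $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::Hidden
        Write-Host "Unhid $($_.FullName)"
    }

# 3. Move the shortcuts back out of %temp%\smtmp.
#    ASSUMPTION (placeholder): the rogue sorts shortcuts into numbered subfolders,
#    one per original location. Inspect the folder and edit this table to match
#    what you actually find before running this step.
$smtmp = Join-Path $env:TEMP 'smtmp'
$destinations = @{
    '1' = [Environment]::GetFolderPath('Programs')          # placeholder: Start Menu\Programs
    '2' = [Environment]::GetFolderPath('StartMenu')         # placeholder: Start Menu root
    '3' = Join-Path ([Environment]::GetFolderPath('ApplicationData')) 'Microsoft\Internet Explorer\Quick Launch'  # placeholder
    '4' = [Environment]::GetFolderPath('DesktopDirectory')  # placeholder: Desktop
}

if (-not (Test-Path $smtmp)) {
    Write-Warning "$smtmp does not exist; nothing to restore"
} else {
    foreach ($entry in Get-ChildItem -Path $smtmp -Force) {
        if (-not $entry.PSIsContainer -or -not $destinations.ContainsKey($entry.Name)) {
            Write-Warning "No mapping for $($entry.FullName); move it back by hand"
            continue
        }
        $dest = $destinations[$entry.Name]
        Get-ChildItem -Path $entry.FullName -Recurse -Force |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                # Rebuild the path relative to the numbered subfolder so nested
                # Start Menu folders land where they came from.
                $relative  = $_.FullName.Substring($entry.FullName.Length).TrimStart('\')
                $target    = Join-Path $dest $relative
                $targetDir = Split-Path $target -Parent
                if (-not (Test-Path $targetDir)) {
                    New-Item -ItemType Directory -Path $targetDir | Out-Null
                }
                Move-Item -Path $_.FullName -Destination $target
                Write-Host "Restored $relative -> $dest"
            }
    }
}
```

Step 2 walks the whole system drive, so expect it to take a while on a large disk. If you want to see what steps 1 and 3 would do before they do it, add -WhatIf to Remove-ItemProperty and Move-Item. Once smtmp is empty you can delete it along with the rest of the rogue’s temp files.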


Here is a copy of the text file the rogue creates during activation. All you need to do is paste the text below into Notepad, save it as "System Check License.txt" (without the quotes) onto your desktop, wait for your icons to be displayed again, and then reboot and move on with removal. :)

Thank you for purchase, System Check!
Your activation code: 1203978628012489708290478989147
Please use this download link to install Master Utilities if your software copy has been removed or lost.
us through Help&Support section in the Master Utilities menu or by phone +1.877.2357459

VirusTotal: System Check

15/43 (34.9%)

MD5: fd58ad7cc72e9286a618f127fa241946

