How did I get infected with "System Check"?

Possible Duplicate:
Computer is infected by a virus or a malware, what do I do now?

I've been infected with the "System Check" scareware not once, but twice -- after a reformat. It's now clear that I must absolutely find out how I got infected.

Some information:

  • I've been on the internet for 12 years now and this is the first time ever I have been infected with any sort of virus.
  • After my reformat I didn't open any untrusted executables. In fact, I did very little such as installing Firefox, Visual Studio, and a few other programs.
  • I downloaded and installed all Windows updates.
  • I control which TCP ports I have open for inbound connections.
  • I did visit a lot of websites since the reformat.
  • My E:\ hard drive, which contains all of my data and was not reformatted, wasn't mounted.

In short: the infection couldn't have come (for the second time at least) from user error or cross-contamination.

This leaves exploits in software I use. And it leaves me completely lost as everything I personally installed I re-downloaded and is thus updated to the latest version.

3 anti-viruses out of 4 that I tried (including AVG) couldn't detect "System Check" even though it wasn't removed yet and was still running. The 4th finally detected it and it also detected an infected file in: C:\Users\MyName\AppData\LocalLow\Sun\Java\Development\cache\6.0\56\6a3c9ff8-68fce308.

Java is not updated to the latest version (Version 6 Update 21; latest is Update 30). I didn't personally install it, it must have come with something else I installed (probably NetBeans), and I'll be damn sure to install the latest version myself on the next reformat.

However I'm still worried. That file may have been a false positive. Version 30 could still be vulnerable. It may have nothing to do with java and just be some place the malware decided to install itself to be kept hidden. It may be 1000 other things.

What can I do?

Anonymous

Posted 2012-02-02T22:20:02.850

Reputation: 31

Question was closed 2012-02-08T17:37:12.367

PS: I forgot to say, before running the scans I activated System Check (with a "pirated" key of course). Once activated it leaves you alone and it lets you run virus scans. – Anonymous – 2012-02-02T22:28:18.767

PS2: I'm more interested about information specific to how "System Check" propagates rather than generic advice on how to stay safe, which I'm most likely already aware of. But general advice is better than nothing I think. Just don't go "don't open exe mail attachments" – Anonymous – 2012-02-02T22:34:46.357

Could you say which AV product detected it? – Apache – 2012-02-02T23:04:18.273

Please decide what you really want (What can I do? or How System Check propagates?) and edit the question accordingly. (In the latter case, I wonder if this might be question for another forum.) Also the PS comments you added would better suit as edits. You can edit your question as many times as needed. – Alois Mahdal – 2012-02-02T23:08:04.337

Considering the virus was detected in the Java cache, either it's caused by a local program (which you state you didn't install java, so something did, find out what that was, and you'll probably have your answer), or b), you were infected online with an infected java app. In either case, I would always update to the latest version of java, and make sure your system is set up properly. I would also recommend a 'Dr Web Cureit' scan on the system to ensure that no rootkit or other major infection exists. – zackrspv – 2012-02-02T23:58:41.077

If you can, zero fill the hard drive before you clean install again. – Moab – 2012-02-03T00:11:58.977

Answers

The two most common vectors of infection for System Fix are fake online scanner pages and through the exploitation of vulnerabilities in browser plugins, like Java, or possibly in a browser scripting language like Javascript or VBScript (IE only.) When you think about it, it makes sense since plugins/scripts allow the attacker to run his code on your machine as soon as you visit an infected website; all he needs is a vulnerability that allows him to escape the sandbox.

Given that the malware was detected in the Java cache, it seems likely that the out-of-date Java plugin you have served as the means of infection. You would only need to have visited a malicious or compromised website to become infected. If it was done well, you would likely not have even noticed anything strange happening.

The best protection against plugin- and script-based attacks is, of course, not to allow them to run. This can be done selectively with a browser addon like NoScript, or globally by disabling plugins and/or scripting.

Andrew Lambert

Posted 2012-02-02T22:20:02.850

Reputation: 7 136

@Anonymous A side helper to some of these items is "spyware blaster". It certainly can't stop new ones, and stop everything, but it is so passive, it doesn't hurt to use it. There are a few places where things won't work right with it, and that is good most of the time. It's java-cool :-) – Psycogeek – 2012-02-03T05:22:12.713
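The answer points at the Java plugin cache as the trail to follow. As an added example (not code from the question, the answer, or any tool mentioned in them), this Python script walks a Java 6-style deployment cache like the one the question's path shows, pairs each `<id>.idx` index with its payload file, hashes the payload so it can be checked with a scanner, and pulls the origin URL out of the index so you can see which site served the applet. The cache layout, the `.idx` string framing (written by Java's `DataOutputStream.writeUTF`), and the sample entry are assumptions/constructed, and `demo()` builds the sample in a temporary directory.

```python
# Added example (not the question's or answer's code). Assumed cache layout:
# <root>\6.0\<NN>\<id> beside <id>.idx, .idx strings framed as DataOutputStream.writeUTF
# (2-byte big-endian length, then modified UTF-8); the origin URL is one of those strings.
import hashlib, os, re, struct, tempfile

URL_RE = re.compile(rb'^https?://[\x21-\x7e]+$')   # printable ASCII URL, whole string

def extract_urls(blob):
    found = []
    for i in range(len(blob) - 2):
        n = struct.unpack_from('>H', blob, i)[0]
        s = blob[i + 2:i + 2 + n]
        if 8 <= n <= 2048 and len(s) == n and URL_RE.match(s) and s.decode() not in found:
            found.append(s.decode())
    return found

def triage(cache_root):
    """Pair each .idx with its payload file; newest index first, payload hashed."""
    records = []
    for dirpath, _, names in os.walk(cache_root):
        for name in names:
            if not name.endswith('.idx'):
                continue
            idx = os.path.join(dirpath, name)
            payload = idx[:-4]   # cached JAR/class sits beside its index
            with open(idx, 'rb') as f:
                rec = {'idx': idx, 'urls': extract_urls(f.read()),
                       'mtime': os.path.getmtime(idx), 'sha256': None}
            if os.path.isfile(payload):   # hash for a scanner / reputation lookup
                with open(payload, 'rb') as f:
                    rec['sha256'] = hashlib.sha256(f.read()).hexdigest()
            records.append(rec)
    return sorted(records, key=lambda r: r['mtime'], reverse=True)

def writeutf(s):   # same framing DataOutputStream.writeUTF uses (ASCII input here)
    b = s.encode('utf-8')
    return struct.pack('>H', len(b)) + b

def demo():
    """Constructed sample cache with one entry named like the one in the question."""
    root = tempfile.mkdtemp()
    d = os.path.join(root, '6.0', '56')
    os.makedirs(d)
    entry = os.path.join(d, '6a3c9ff8-68fce308')
    blob = (b'\x00\x00' + struct.pack('>I', 605) + b'\x00' * 25 + writeutf('1.0')
            + writeutf('http://applet.example.invalid/loader.jar') + writeutf('applet.example.invalid'))
    for path, data in ((entry + '.idx', blob), (entry, b'PK\x03\x04 constructed stand-in')):
        with open(path, 'wb') as f:
            f.write(data)
    return triage(root)
```

Run `triage()` against the real cache root and look at the newest records first; the URL tells you which site delivered the file and the hash is what you hand to a scanner.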