SmitFraud infection from System Doctor 2006: trojan.FakeAlert.CX

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by RK233, Dec 7, 2006.

  1. RK233

    RK233 Private E-2

    SmitFraud variant infection from System Doctor 2006 malware site visit

    While researching something on Google recently I apparently clicked on a web link (about 11/28/06) that was a malware site to System Doctor 2006. This site reduced my browser, then it quickly put up a few small gray dialog boxes on which I clicked “cancel” each time. Then this site re-directed me to the System Doctor 2006 site. Afraid that I may have seriously gone to a bad site I ran every anti-virus/spyware program that I had on my system...multiple times...but found no problems, so I assumed that I was safe.

    I presently have Windows XP, Zone Alarm, Norton Internet Security 2006 (with the Personal Firewall turned off as I have found it very frustrating to use and Zone Alarm seems better), and Ad-aware; these are my primary protection programs but I run others periodically. A few months ago I added IE-Spy-AD, Spyblaster, and Ewido. Last month I added SpyBot Search & Destroy (with TEATIMER OFF!!!). Recently I downloaded Mozilla Firefox, which I am trying to use rather than IE Explorer 6.

    After using IE Explorer I try to click “delete all Temporary Files” on browser closing. In addition, I frequently run the Disk Cleaner Utility before system shutdown.

    After visiting some forums and reading about System Doctor 2006 I felt a very strong possibility that I was still infected despite the utility programs that I ran. (All those listed above) The sites suggested that I might be infected with a SmitFraud virus so I downloaded a SmitFraud Fix (from another supposedly reliable site). I also downloaded KILLBOX just in case I should need it (Never used it yet though). On one forum, possibly on your site, it was mentioned that this trojan puts the following programs on the machine.

    DriveCleaner
    MarketResearch
    Viewpoint Media Player

    I checked my Add/Remove program list and I found the “Viewpoint Media Player” which I removed immediately.

    Since I still suspected that I was infected I went to the Spyware Warrior site rogue site list and followed their suggestions as to other system checking programs in a list that they had. I downloaded and ran Bit Defender but it found nothing. I downloaded Windows Defender and a scan of my system found “PowerRegScheduler” in my Startup, which I was advised to remove; initially I ignored the advice but eventually I “quarantined it”.

    I ran HiJackThis –log posted below. (see attached file)

    • Edit by bjgarrick: Unrequested, Inline HJT log removed!
    In addition, I went to another site at SpyData.com and downloaded and ran the System Spyware Interrogator program but found nothing. A search sent me to HiJackRemote.com which analyzes HJT; this site stated that an “O2-BHO: DriveLetterAccess-{5CA3D7OE-1895-11CF-8E15-001234567890}- C:\WINDOWS\system32\dla\tfswhshx.dll” in the log could result in a “slow pc”. I put this information aside for further investigation.

    I also went to “Geeks-to-go” and followed a general “spring cleaning” PC maintenance protocol in a post by a “Malware Removal Specialist”. They suggested downloading ATF-Cleaner by Atribune which I ran. (However, I may have overreacted as I had it cleanse everything including “Prefetch”, cookies, etc.) I downloaded a program called StartUp Inspector but it did not seem to do much so I later deleted it.

    In Safe Mode (with cable internet disconnected) I ran a program called Stinger from McAfee, which was part of a maintenance protocol from another site, but it got aborted somehow. Sometime while running it I got a system error message dialog box that stated “Windows –Delayed Write Failed: Windows unable to save all data for file C:\#mft. Data lost. Failure may be caused by hardware/network failure. Save file elsewhere.” I aborted this Stinger program. (I did have Windows Defender Realtime running..I think)

    After quarantining “PowerRegScheduler” I ran SpyBot and somehow it was now able to find the “System Doctor 2006” trojan. I fixed it and completely removed it from my Recover tab then cleansed and purged my system. In the process or when running the ATF Cleaner I must have deleted all my past SpyBot logs, including this one, so I am unable to post the log for this fix.

    I finally found your site Malware Detection Removal Protocol and followed that advice with some slight modifications.

    I ran the on-line Panda Scan (in Normal mode). Post below. (see attached file)

    • Edit by bjgarrick: Unrequested, Inline Panda log removed!
    I downloaded the Ccleaner and CounterSpy along with other recommended programs and saved to desktop. Since I suspected a SmitFraud infection I downloaded a SmitFix program from another supposedly reliable site too.

    I unchecked and exposed all Hidden files (but left the Hidden System protected files checked at this time)

    In SAFE MODE I ran Ccleaner, to clean out temporary files.
    BitDefender was not run again.
    SpyBot found no threats.

    CounterSpy was run and it did find a threat which I had quarantined. (see attached file)

    • Edit by bjgarrick: Unrequested, Inline CounterSpy log removed!
    I had the isearch.DesktopSearch Spyware quarantined. Please advise how to further handle this alert.

    (See next message post)
     

    Attached Files:

    Last edited by a moderator: Dec 8, 2006
  2. RK233

    RK233 Private E-2

    SmitFraud infection cont’d post #2

    Since I believed that I had a SmitFraud infection I ran the SmitFraud Fix program which I got from another site in Safe Mode. The log is posted below. (see attached file)

    • Edit by bjgarrick: Inline logs removed!
    I went to the TrendMicro site and had Housecall do a Spyware scan.
    It found: Document and Settings\RK\Desktop\Computer Programs\SmitFraudFix\SmitFraudFix\dumphive.exe

    It was noted that “dumphive.exe” is a freeloader that “piggy-backs on other programs.” Apparently the downloaded SmitFix program was infected. I had TrendMicro clean this.
    -----------------------------------------
    In the TrendMicro virus database they give a good technical description of what the SmitFraud.C virus does in a technical bulletin. It turns the background screen to blue and gives pop-ups among other things.

    ---------------------------------------------------------------------

    In Safe Mode I ran the ATF-Cleaner, SpyBot S&D, and CounterSpy again.

    While running CounterSpy in SafeMode I got another “Windows Delayed Write Failed” error dialog box that stated that there was a problem with C:\Document and settings\AllUsers\ApplicationData\Gtek\GTUpdate ….(unable to get rest but GTEK is a DELL program)

    (see next post)

    ---------------------------------------------------------------------
     

    Attached Files:

    Last edited by a moderator: Dec 8, 2006
  3. RK233

    RK233 Private E-2

    SmitFraud infection cont’d post #3- trojan.FakeAlert.CX

    Ran HiJackThis –see posted results (see attached file)

    • Edit by bjgarrick: Inline HJT log removed!

    --------------------------------------
    Next day 12/05/06 I turned on my computer and my computer screen desktop was now blue!!!! This was after running my programs the previous day in SafeMode with Networking on. I also kept Zone alarm activated while using the internet in safe mode.

    Ran SpyBot and it found some errors in the Microsoft Active Desktop.
    --- Report generated: 2006-12-05 12:59 ---

    Microsoft.Windows.ActiveDesktop: User settings (Registry change, fixed)
    HKEY_USERS\S-1-5-21-2025429265-746137067-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper!=W=1

    (See attached file)

    -------------------------------------------------
    Ran Ewido
    Changed Hidden Files at this time to allow viewing Hidden protected files.
    Norton 2006 antivirus scan found nothing.
    Windows Defender with realtime was on.
    I decided to backup my logfiles from Norton at this time (Websites viewed and Connection).
    -------------------------------------

    I went to SOPHOS and downloaded their rootkit scanner. Ran this but it found nothing.
    -------------------------------
    I checked the TrendMicro technical details on what parameters might be changed for SmitFraud.C.

    Found in the Registry:
    HKEY_CURRENT_USER>Control Panel>Desktop
    Wallpaper=(missing)

    [This parameter was missing whereas it was found on an earlier occasion to be set equal to “bliss”.]

    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>
    System
    NoDispAppearancePage found
    NoDispBackgroundPage found

    I deleted both of these as instructed.


    I went to Control panel> Appearance> …. And changed my desktop wallpaper back to “bliss”.

    ----------------------------------------------------------
    I downloaded the SmitFraud Removal program from your site written by Noah. I ran that program. The results are posted. (see attached)

    • Edit by bjgarrick: Inline Smitfix log removed!
    …..but not really!!!!
     

    Attached Files:

    Last edited by a moderator: Dec 8, 2006
  4. RK233

    RK233 Private E-2

    SmitFraud infection cont’d post #4- trojan.FakeAlert.CX

    Ran SOPHOS CL2I in safe command mode as directed (I downloaded this earlier)
    During the scan I still got Windows-Delayed Write Failed dialogs (a couple) stating that certain files in My pictures were deleted. I checked later and they seemed to still be there.

    No viruses were found. I think that it scanned certain major executable files.
    -----------------------------
    Ran the TrendMicro HouseCall for Spyware

    Found:
    C:\Document and Settings\RK\SmitFraudRemoval\SmitRem\dumphive.exe

    C:\Document and Settings\RK\SmitFraudRemoval\SmitRem\dumphive.exe

    I had TrendMicro clean this.

    It appears that many of the online SmitFraud trojan fix programs (from supposedly reliable sites too!) are infected. Sites should be notified of this and this fix should be removed until cleansed. Moreover, this file should be scanned by an anti-virus/trojan program after download prior to extracting etc. Unfortunately, I have found very few anti-virus programs that seem to be able to detect the SmitFraud variant trojans or indications that it might be infecting a machine with deposited files or registry changes.
    -
    --------------------------------------------------
    Ran Panda Scan again

    The new SmitFraud Removal tool still seemed infected
    --------------------------------------------
    Ran ShowNew.bat again (see attached file)

    • Edit by bjgarrick: Inline ShowNew log removed!
    Still Found:
    ***********************************************************************
    Locating all files created in C:\WINDOWS\System32\components within the last 90 days.
    This folder is now being used by Trojan.FakeAlert.CX aka SmitFraud

    No matches found.
    ******************************************************************************
    Ran HiJackThis again (see attached file)

    • Edit by bjgarrick: Inline HJT log removed!
    -------------------------------------------------------
    I have tried on my own to cleanse this trojan but I do not know what to do at this point. It seems like the trojan.FakeAlert.CX may be infecting my WINDOWS\system32 folder but neither it nor the infected files can be found.

    Please evaluate my logs for this and other malware and let me know what to do. In the meantime I have re-set my Hidden protected system files so it is checked. I am running Windows Defender in Real time and I have activated the CounterSpy monitor.

    It seems that the pop-ups happen mainly when in Safe mode.

    I think that there is one post on your site for someone who had trojan.FakeAlert.CX.

    Thank you for your assistance.
     

    Attached Files:

    Last edited by a moderator: Dec 8, 2006
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please do not post anymore logs inline, from now on ATTACH every log requested.

    I am not going to even attempt to go thru all of those logs so I will ask a simple question and then request the logs I need.

    After everything you have ran, what problems are you currently having?
     
  6. RK233

    RK233 Private E-2

    Present problems re: SmitFraud infection and malware

    At present my computer seems to be operating okay.

    I may still be getting those scare alert pop up dialogs (mainly in safe mode) re: Windows-Delayed Write error.

    I will try running Stingray again and see if these still pop up.

    -----------------------------------------------
    The newfiles reports both stated that my Windows/System32 folder was infected with the trojan.FakeAlert.CX

    How can I have this system32 folder checked to see if it is clean and okay?

    How can I check the Registry to see if it is still clean and okay? Should I get a Registry Cleaner? If so, what do you recommend?

    -----------------------------------------------
    Please evaluate the results of what the SmitFix and SmitRemoval (Noah's) program did.

    ---------------------------------------------------

    I compared the GetRunKeys report results on page 8 from both runs. Under "Listing HKCU Policies Registry Keys" I found a number of changes. Please evaluate.

    ----------------------------------------------
    Please evaluate the questioned programs: explain them and evaluate what I did, with any suggestions:

    iSearch.DesktopSearch Spyware-quarantined in CounterSpy
    PowerRegScheduler found in Windows Defender
    dumphive.exe- found by other online scans

    ----------------------------------------------------------
    Should I delete any of these programs? ie. SmitFraudFix or SmitRemoval by Noah?

    ----------------------------------

    I assumed that the following sites are safe. Evaluate and let me know if they are known malware sites.
    SpyData.com with System Interrogator
    HiJackRemote.com

    ---------------------------------------------------------
    What sites can I go to for comprehensive and technical information on both trojans and viruses? (Trend Micro was a good site with good technical info on what SmitFraud viruses do)

    -----------------------------------------------------
    I would like to report the malware site link someplace so that appropriate action can be taken to protect others as well. Perhaps if this was sent someplace the nature of the threat could be properly analyzed.

    I assume that if I manually transcribe the link by hand and type it in a message to send it someplace I should be safe. (I do not want to put my cursor over the link and accidentally activate it)

    What do you recommend and how should I go about doing this?
    --------------------------------------------------------

    I realize that I did a very comprehensive check for this trojan on my own....perhaps over-comprehensive. I am new to this so accept my apologies if I should not have posted my logs in my posts, as I did not realize that doing so was improper protocol.

    Thanks again for your assistance.
     
  7. RK233

    RK233 Private E-2

    I downloaded a fresh copy of Stinger 2.6.0 and ran it in Safe mode with my Internet cable connection turned off.

    After running it for awhile I obtained the same error message that I obtained during a previous run on 11/29/06.

    Stinger stopped and froze at File: C:\.....Document and Settings\All Users\Application.....

    hardware.jpg

    The following dialog box appeared in the lower right of the screen:

    Windows: Delayed Write Failed

    C:\$Mft data lost.
    Shutdown to prevent further damage.


    Shortly after a blue screen appeared (the normal windows problem screen). It stated:

    Windows shutdown to prevent further damage.

    Run CHKDSK /F to check for hard drive corruption.

    Ntfs.sys-Address F855F746 base at F854E00, Date Stamp 41107eea

    I powered down the system to write this update.

    I will run the CHKDSK /F then I will try running Stinger again.

    In the meantime.. please evaluate what i have submitted and give me your advice.

    (I realize that I sent a number of attachments. It is probably only necessary to look at the last HJT, the activescan, the Counterspy scan, the final Newfiles and GetRunkey scans, and the results of both SmitFix program runs. A comparison of both newfile runs as mentioned in the previous post might be helpful too.)

    Thanks again for your assistance.
     
  8. RK233

    RK233 Private E-2

    Re: SmitFraud infection- Possible Firewall and/or Anti-virus corruption

    When I downloaded Stinger I also downloaded CWShredder. This was part of a security protocol "the Security Tango" from another site, Nick Francesco, (http://securitytango.com/).

    After running Stinger2.6.0 in SAFE mode and getting the error I rebooted my computer into NORMAL mode.

    I ran CounterSpy again and it found that I now had the Spy Sheriff Rogue Security program, which I immediately quarantined. (counterspy.txt log attached)

    Detected spyware

    SpySheriff Rogue Security Program more information...
    Details: SpySheriff is a purported anti-spyware application to scan for and remove spyware from users' computers.
    Status: Quarantined

    Infected registry entries detected
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ForceActiveDesktopOn


    I believed that my Firewall might have been working improperly so just in case I went to Zone Alarm and updated a fresh copy. This time I got the Zone Alarm Pro (15day free trial). I kept all old settings doing just an update.
    ----------------------------------------------------------------
    Also, while at the Zone Alarm site, I checked out their virus/trojan database which is very good.

    Searched "Smitfraud" and "SmitFraud.C" and reviewed all related technical reports.:

    Found that it may be part of the Win32/Cadux family and has many aliases depending on the virus research site (i.e. Win32.Alemod.B; AleSpy-B (Sophos), etc.).

    SmitFraud search found Win32/Cadux family with aliases Adware.Win32.CashDeluxe (Kaspersky). This was from a Zone Alarm re-direction to site "www3.ca.com/securityadvisor/virusinfo/virus?ID=55595"


    I also reviewed the bulletin for "Spy Sheriff" on Zone Alarm site.

    -----------------------------------------------------------
    I updated to the Zone Alarm Pro and made my configurations.

    Ran the Spyware deep scan

    Note: While updating Firewalls I re-activated my Norton Internet Security 2006 Personal Firewall....then later turned it off once Zone Alarm was installed.

    Zone Alarm will monitor Anti-virus program setting ON

    ---------------------------------------

    Ran Norton Antivirus after liveupdate


    Zone Alarm displayed suspicious behavior dialogs:

    NAVW32.EXE trying to launch WINDOWS/System32/verclsid.exe
    This was halted or cleansed.

    No viruses or spyware found
    --------------------------------------------
    Note: Windows Defender (Real Time) was active throughout.

    CounterSpy monitor was disabled.

    Ran CWShredder in NORMAL mode >>>>>CLEAN

    Ran Stinger in NORMAL mode. It ran fine with no problems.

    --------------------------------------
    Ran Newfiles (this log is attached)
    Ran GetRunKeys

    Note: System32 still is noted as being infected with trojan.FakeAlert.CX

    This is very specific for such a rare trojan. How does newfiles come up with it?

    ---------------------------------------------
    Lastly, I ran ATF-Cleaner and cleaned User cache, All Users cache, Internet cache, Windows cache.
    ---------------------------------------------------

    I am going to try running Stinger in SAFE mode with Windows Defender Real Time ON to see what happens.

    ZoneAlarm may give "Suspicious Program Alerts"too.

    Then, I will run CHKDSK /F to check for disc corruption.

    The dilemma is I have a 2004 DELL computer and the Windows Disc just has Service Pack 2. I would want to make sure that any of my new Microsoft updates such as the Service Pack 2 will still be present and not overwritten somehow.


    ----------------------------------------

    Next I may re-install my Norton Internet Security and/or Anti-virus program in case these engines are corrupted.

    Thanks for your help and I hope to hear from you soon!!
     

    Attached Files:
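    The registry changes the poster lists in post #3 (NoDispAppearancePage, NoDispBackgroundPage, NoHTMLWallPaper, the missing Wallpaper value) and in post #8 (ForceActiveDesktopOn) are the desktop-lockdown indicators this family leaves behind. As an added example that is not part of the thread or of any tool named in it, the script below parses a regedit .reg export and reports which of those values are present and set; the sample exports are constructed for the example.

```python
"""Check a regedit (.reg) export for the desktop-lockdown policy values the
thread associates with SmitFraud / Trojan.FakeAlert.CX.

Added example, not code from the thread. The exports below are constructed.
"""
import re

# Indicator values named in the thread, keyed by the subkey that holds them.
# All live under HKEY_CURRENT_USER (the thread's "HKEY_CURRENT_USER>...").
POLICY_INDICATORS = {
    r"Software\Microsoft\Windows\CurrentVersion\Policies\System": (
        "NoDispAppearancePage", "NoDispBackgroundPage"),
    r"Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop": (
        "NoHTMLWallPaper",),
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": (
        "ForceActiveDesktopOn",),
}
DESKTOP_KEY = r"Control Panel\Desktop"


def parse_reg_export(text):
    """Parse [key] headers and "name"=value lines of a .reg export into
    {key_path_lower: {value_name_lower: raw_value}}.  Registry names are
    case-insensitive, so both levels are lower-cased for lookup.  Hex
    continuation lines (ending in a backslash) are skipped: the indicators
    we care about are dword values, which are always single-line."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            keys[current] = {}
            continue
        m = re.match(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1).strip('"').lower()] = m.group(2)
    return keys


def dword_is_set(raw):
    """True for a non-zero dword value such as dword:00000001."""
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw)
    return bool(m) and int(m.group(1), 16) != 0


def find_lockdown_indicators(text, hive="HKEY_CURRENT_USER"):
    """Return a sorted list of findings: every listed policy value that is
    present and non-zero, plus a missing or empty Wallpaper value (the
    poster saw Wallpaper disappear when the desktop turned blue)."""
    keys = parse_reg_export(text)
    findings = []
    for subkey, names in POLICY_INDICATORS.items():
        values = keys.get(f"{hive}\\{subkey}".lower(), {})
        for name in names:
            raw = values.get(name.lower())
            if raw is not None and dword_is_set(raw):
                findings.append(f"{subkey}\\{name} is set ({raw})")
    desktop = keys.get(f"{hive}\\{DESKTOP_KEY}".lower())
    if desktop is not None and not desktop.get("wallpaper", "").strip('"'):
        findings.append(f"{DESKTOP_KEY}\\Wallpaper is missing or empty")
    return sorted(findings)


# Constructed export resembling the state described in posts #3 and #8.
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveActive"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=dword:00000001
"NoDispBackgroundPage"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ForceActiveDesktopOn"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091
"""

# Constructed export of a clean profile: wallpaper set, policy value zeroed.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\Web\\Wallpaper\\Bliss.bmp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000000
"""

if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(f"{label}: {find_lockdown_indicators(export) or ['no indicators']}")
```

    On a live XP machine the export to feed in comes from regedit (File > Export of HKEY_CURRENT_USER); the script only reads the file and changes nothing.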

  9. RK233

    RK233 Private E-2

    System File Checker Utility usage inquiry to fix Malware trojan system corruption

    I would like to run the System File Checker Utility to check for corrupted files.

    Start>Run>sfc /scannow ("space between c and /")

    The dilemma that I have is that it requests to insert the Windows XP disc. However, a number of updates have come out since, especially the Service Packs 1 and 2. How can I check to see if they are on my system and intact?

    If it might not be on my system in an intact form how do I start from my base 2004 DELL Windows XP CD and then get the Service packs available so that the System File Checker can use them in their check for corrupted files.

    I would also like to run CHKDSK but the same concerns hold.

    This can be run by My Computer>Properties>Tools tab> Error checking>Check Now
    .......then check to automatically fix the file system errors


    I ran that earlier on about 11/29/06 before all my debugging. It may have helped to hold the trojan at bay.

    I now need to eliminate this trojan and any corruption it made in my system.
    -----------------------------------

    In addition, I do have a backup in some form made from the Windows backup program for the "System settings" etc.that was made about 11/29/06 if I need to use that at some point....hopefully not.

    If you can answer these additional questions I would appreciate it. Thank you.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Present problems re: SmitFraud infection and malware

    More than likely not malware.

    Leave the reading to the experts! ;) Your log says you do not have this infection. It says No matches found.


    This is a valid file installed and used by SmitRem. Ignore any messages about it. We would not be telling you to use programs that install malware. Your scanners are incorrect or you are misinterpreting what they are telling you. Sometimes messages from scanners are just warnings or questions to indicate that they don't know what something is and DO YOU KNOW. It is just meant to make sure you check it out.


    Don't jump ahead! We will tell you what to delete and what steps to take and when.

    The first is not a valid URL. Did you mean spywardata.com? I assume so. There is nothing wrong with it but you don't need it. Everything you need is available here at Majorgeeks, but you are more than welcome to go elsewhere for support. Just don't work in multiple forums at the same time and don't ask us for support on things from other forums and vice versa. The second is not a site that we recommend one way or another. We do all of our own work here and you will find more than enough info in the thousands of messages and detail procedures here.

    All major antivirus companies like TrendMicro have information that you can use. It will not always be comprehensive.

    Don't waste your time. Most problems originate off shore and the government cannot, will not, and does not have the resources to even keep up with the creation of malware. You did not have anything new that tens of thousands of people already have had and it is very well known to everyone already.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Present problems re: SmitFraud infection and malware

    You need to follow the directions in the READ & RUN ME (step 0) and use MSconfig to get into Normal Startup mode.

    Now uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    Mozilla Firefox (2.0)

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    Are your copies of Ewido and CounterSpy the free trial versions? If so, uninstall them now to avoid excessive use of system resources and also to avoid conflicts with Windows Defender.

    Why are all those items in your Trusted Zone (the O15 lines in HJT)? Do you really need them there in order for access to the sites to work properly? We don't like to see anything in the TZ and it is rarely necessary.

    You should delete the below two files:
    C:\WINDOWS\system32\1.tmp
    C:\WINDOWS\system32\2.tmp

    After doing the above attach new logs from GetRunKey and HJT and tell us what current malware problems you are having if any.
     
  12. RK233

    RK233 Private E-2

    Re: Malware clean-up and System Corrections

    Chaslang,

    Thank you for your prompt response to my malware inquiry.

    I immediately uninstalled J2SE Runtime Environment 5.0 Update 10 as directed using Add/Remove programs.

    My Mozilla has already been upgraded automatically to the new 2.0.0.1 version so I left that as is on my system. If I should still uninstall/re-install it please let me know.


    Also, I immediately deleted the below two files:
    C:\WINDOWS\system32\1.tmp
    C:\WINDOWS\system32\2.tmp

    I rebooted my machine this morning and then put it into normal mode.

    I installed Sun Java Runtime Environment from the site on your link.

    I uninstalled CounterSpy using Add/Remove programs.

    As I mentioned in an earlier post I use Norton Internet Security 2006 and Antivirus as my primary security/AV programs. I use ZoneAlarm with the Norton Personal Firewall turned off ( I have found that the Norton firewall is very frustrating to use).

    I like Windows Defender and the real-time protection but I keep the scanner off since I already have Norton.

    I added IE-SpyAD, Spyblaster, Ewido, and SpyBot (with Tea timer off) over the last few months for extra security. I would like to keep Ewido on my system with the scanner off, to be run on an as-needed basis only.
    I decided to completely get rid of the CounterSpy though.

    The Ewido and CounterSpy are the free versions and they are both very good programs.


    My Trusted Zone has many items since after I added IE-Spy-AD and Spyblaster some websites did not give me access unless I made that change. I was using IE Explorer 6.0 at that time. It is possible that my IE Explorer custom internet settings were set too high or the restricted sites added by IE-Spy-Ad or Spyblaster prevented my access to those sites.

    Unfortunately, when you are blocked from visiting a site the system doesn't always tell you what parameter is causing the block. I checked the "privacy icon" in the lower left corner and it usually showed those site in the "restricted site" area. I may need to recheck that.

    After restarting in Normal mode today I received the following messages:

    Windows can't open file 00024508.rbf {System error}
    Kodak updater trying to access internet {Zone Alarm message}
    ipod service Module trying to remove a driver or service ...Eventlog\Applicati9n\NCSERVICE {fZone alarm}

    [I read later that .rbf is a rollback file so this may be normal]

    I found a number of programs that may not need to be in my startup. I uninstalled some of my older versions of AOL as I no longer use that service for an internet connection, yet I do have old messages that I want to still be able to read.


    Programs that may be unnecessary include:

    Norton GoBack
    Office Startup
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Malware clean-up and System Corrections

    Windows Defender and Norton do not do the same thing. WD is specifically an antispyware application and Norton is really more of an antivirus.

    That's SpywareBlaster!

    Ewido has been replaced by AVG Antispyware.


    Things in the Restricted Zone are normally there for good reason, although there are sometimes sites that can be questionable in nature but that are not really that bad. However, that does not mean you should add them to the TZ. Just remove them from the RZ. You can also edit SpywareBlaster's settings to stop blocking various items. It's up to you in the end how you want to handle it. Our opinion is that it is a bad practice to put anything in the TZ. You are giving them full rights to do anything they want. And the more you put in the TZ, the harder it is to see when a malware item has inserted itself there.


    None of this had anything to do with malware.

    Are you having malware problems?
     
  14. RK233

    RK233 Private E-2

    Re: Malware Cleanup

    Chaslang,


    I found a number of programs that may not need to be in my startup. I uninstalled some of my older versions of AOL as I no longer use that service for an internet connection, yet I do have old messages that I want to still be able to read.


    Programs that may be unnecessary include:

    Norton GoBack
    Office Startup
    Office Startup
    Microsoft Findfast
    Kodak software updater
    AOL 8.0 tray icon
    msmgs ( messenger service)
    itunes helper
    music match programs
    Ghost Tray
    qTask -quicktime
    sgtray-Sonic
    real scheduler -real player

    Should these be removed and if so how?
    I also have a number of running processes that may be unnecessary. Should these be corrected via MSCONFIG>Services> Running processes?

    While reviewing my files I found C:\Yampa.exe and
    C:\DHCPD.exe (both from NetSurfer, Inc.)
    I do not know what these do.

    My malware problem may have been halted yet I do not know what changes it may have made to my system nor how it may have corrupted it. I do get a brief blue background on the Active Desktop when loading Windows just prior to when the "bliss" wallpaper is put up....this may or may not be significant.

    Also, when running some utilities on a safe site I sometimes get "about:blank" screen. This may or may not be a problem.

    Should I run the System File Checker with CHKDSK and scannow? There is the dilemma that they both request my Windows XP installation disc yet I have had numerous updates over the last few years from automatic updates. Can these programs still be run properly and if so how?

    Should I use a registry cleaner on my system such as regclean or registry mechanic?

    If there are info documents on any of the above please post the link.

    I am attaching my logs for HJT and Getrunkey.

    Thanks again.
     

    Attached Files:

    Last edited: Dec 21, 2006
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Malware Cleanup

    Please try to stay on forum topic. This is the malware forum. This is not malware. If you don't use a program (and we cannot decide that for you) simply uninstall it. If you don't want something to load at startup, do not use MSconfig. Microsoft did not design it for that purpose. It was designed only for temporary debugging. You have three options:
    1. Either change the settings within the program not to load at startup
    2. delete it permanently from loading at startup if you never really want it (you can do that with HijackThis)
    3. Use a program like Startup CPL to control them otherwise.
    There are many things that fit into the number 2 category like:
    Office Startup
    Microsoft Findfast
    Kodak software updater
    msmgs ( messenger service)
    music match programs
    qTask -quicktime
    sgtray-Sonic
    real scheduler -real player


    You need to keep better track of what you install and also be more selective. That is junk from your ISP and you installed it. Probably part of "Optimum Online net guide". Again, not malware.


    Not significant. Only time will tell what long term effects any malware may have caused to your system.

    I don't know what you mean by "running utilities on a safe site" but this is more than likely not malware.

    Not a malware topic but yes you can run them but you may have to reinstall various updates if your XP disk files do not match your current SP level.

    For what purpose? Registry cleaners will always find something wrong and many times they are insignificant issues (like when malware scanners report cookies or MRU's). If you do the wrong thing with a registry cleaner you can really be in trouble. Some of them are reasonably safe tools and do give you the ability to do a backup of the registry first, which you should always do. This is also not a malware forum topic.

    I assume we are done since you do not have malware problems at this point. Thus, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
    Last edited: Dec 21, 2006
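    The three options above all start from knowing what actually loads at startup. The script below is an added example (not code from this thread or from MajorGeeks) that inventories the standard Windows autostart locations (the HKLM/HKCU Run and RunOnce keys plus the per-user and all-users Startup folders) and writes the list to a CSV on the Desktop, so each entry can be matched against the program it belongs to before it is disabled or removed. It only reads; it changes nothing. It assumes Windows PowerShell 3.0 or later; the key paths and folder names are the standard ones, and the output file name is a constructed example.

```powershell
# Added example: read-only inventory of Windows autostart entries.
# Assumes Windows PowerShell 3.0+ (for [PSCustomObject] and -File).

# Standard autostart registry keys (machine-wide and current user).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties that Get-ItemProperty adds for its own bookkeeping; they are not Run values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RegistryAutostart {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            [PSCustomObject]@{
                Source  = $key
                Name    = $prop.Name
                Command = $prop.Value
            }
        }
    }
}

function Get-StartupFolderAutostart {
    # Per-user and all-users Startup folders, resolved for whatever Windows version this runs on.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($folder in $folders) {
        if (-not ($folder) -or -not (Test-Path -Path $folder)) { continue }
        Get-ChildItem -Path $folder -File | ForEach-Object {
            [PSCustomObject]@{
                Source  = $folder
                Name    = $_.Name
                Command = $_.FullName
            }
        }
    }
}

$entries = @(Get-RegistryAutostart) + @(Get-StartupFolderAutostart)

# Show the inventory on screen and keep a copy to compare against after changes.
$entries | Sort-Object Source, Name | Format-Table -AutoSize
$outFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'autostart-inventory.csv'  # constructed name
$entries | Export-Csv -Path $outFile -NoTypeInformation
Write-Host "Wrote $($entries.Count) autostart entries to $outFile"
```

    Run it once before touching anything and again after, then diff the two CSV files: any entry whose Command points at a program you no longer have, or at a path you do not recognize, is the one to look up (or to post here) before removing it. Services and scheduled tasks are separate autostart mechanisms and are not covered by this list.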
  16. RK233

    RK233 Private E-2

    Re: Malware Cleanup resolution

    Chaslang,

    Thank you for your assistance. I think that my malware issue may be resolved.

    I have other related issues; if they are not malware issues and you cannot answer them in much depth, please direct me to the appropriate forum/knowledge link for further resolution:

    There are 3 issues remaining:

    (1) I need to adjust my Startup programs somehow.

    You have suggested the below.
    1. Either change the settings within the program not to load at startup
    2. delete it permanently from loading at startup if you never really want it (you can do that with HijackThis)
    3. Use a program like Startup CPL to control them otherwise.


    (2) You had me put things in Normal startup mode whereas I have been using Selective startup. What change should I make?

    (3) How do I properly use the System File Checker with the scannow to check for corruption from this malware given my dilemma discussed previously? If this is best covered elsewhere please direct me where.

    At this point I think that my computer just needs some fine tuning to get rid of many unneeded files put on it in the past. A lot of the unnecessary start-up programs were probably put on by DELL where I got my computer.


    Thank you for your assistance. Have a great Holiday!!!
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Malware Cleanup resolution

    We are too busy in this forum to work non-malware issues! Most of what you keep bringing up belongs in the Software Forum. I already told you how to adjust startups! You either tell them not to load from within the program, you fix the registry entry using HJT to prevent them from ever loading at startup, or you use a startup manager like Startup CPL.


    Normal Startup is the change! MSconfig should not be used to control startups as a long term solution. It should only be used for temporary debugging.

    Software Forum or read about it at Microsoft: http://support.microsoft.com/kb/310747


    You're welcome. Enjoy your Holidays too!
     
