Thursday, December 15, 2011

Removal of System Doctor 2006

You've been the victim of a SmitFraud attack: it downloaded System Doctor 2006 onto your computer and told you that you need to purchase it to remove a long list of spyware "problems". SmitFraud attacks show fake antispyware popups on your screen and/or a balloon popup from the Windows system tray displaying a warning that your computer is infected with spyware and telling you to purchase, download and install their program to remove it.

If your computer has become infected with one of these "spyware removal programs", you probably downloaded a fake codec installer (the trojan described below) when you tried to watch a video online, or you may have been hit by a "drive-by" installation of SmitFraud.

In either case, follow the directions below to remove both the SmitFraud infection and System Doctor 2006 and regain control of your computer.
   

In many of the infected computers I've dealt with, programs like "Video Access ActiveX Object" show up in the Control Panel and are the initial infection that starts the whole issue. Most of these programs, when scanned with an up-to-date virus scanner, are shown to be infected with viruses like Troj.Zlob.AN or Trojan-Spy.Win32@MX.

Soon after being infected, I was confronted with the following System Alert popup message telling me I had been infected with Trojan-Spy.@Win32@MX. I was also presented with a window that loaded the System Doctor 2006 advertisement.

Trojan-Spy Win32


Soon after, I was presented with the System Doctor 2006 installation, which started scanning my system. It found the infection that loaded along with many benign cookies and temp files on my computer.


System Doctor 2006



I found the System Doctor 2006 icon placed on my desktop as well.


System Doctor 2006 icon





The HijackThis log shows the following information. The problem entries were bolded in the original; in this copy they are the "Video Access ActiveX Object" lines (the fake codec) and the "SystemDoctor 2006 Free" lines (the rogue scanner) under Running processes and the O4 Run keys, plus the O16 DPF entry that pulled SystemDoctor2006FreeInstall.cab from cdn.downloadcontrol.com.

Logfile of HijackThis v1.99.1
Scan saved at 1:07:41 PM, on 4/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Video Access ActiveX Object\pmsnrr.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Video Access ActiveX Object\pmmnt.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SystemDoctor 2006 Free\USDR6cw.exe
C:\Program Files\SystemDoctor 2006 Free\dcmon.exe
C:\Program Files\SystemDoctor 2006 Free\pasmon.exe
C:\Program Files\SystemDoctor 2006 Free\sd2006.exe
C:\WINDOWS\System32\svchost.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKLM\..\Run: [dc6_check] C:\Program Files\SystemDoctor 2006 Free\dcmon.exe
O4 - HKLM\..\Run: [USDR6cw] C:\Program Files\SystemDoctor 2006 Free\USDR6cw.exe -c
O4 - HKLM\..\Run: [pas_check] C:\Program Files\SystemDoctor 2006 Free\pasmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163981700061
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
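A quick way to apply the rule in step 8 below (do not delete anything you cannot account for) to a log like this is to script the first pass. The following Python is an added example, not HijackThis's own code and not part of the original post: it parses the log's Running processes, O4, O16, O20 and O23 lines, flags entries matching indicators taken from this log (the Video Access ActiveX Object folder, the SystemDoctor 2006 Free folder, the downloadcontrol.com download host), adds two heuristics based on short allowlists that are assumptions for the demo, and records where each finding lives in the registry or file system so it can be checked by hand. The sample log inside it is a constructed subset of the log above plus one of the O20 lines quoted in step 8.

```python
"""HijackThis 1.99 log triage for rogue-antispyware remnants (added example,
not HijackThis's own code). Indicators come from the post's log; the two
allowlists and the sample log below are constructed for the demo."""
import re
from dataclasses import dataclass

BAD_PATH_MARKERS = ("video access activex object", "systemdoctor 2006")    # from the post's log
BAD_HOSTS = ("downloadcontrol.com",)                                        # O16 download host in the log
TRUSTED_DPF_HOSTS = ("update.microsoft.com", "fpdownload2.macromedia.com")  # assumed allowlist
KNOWN_NOTIFY_DLLS = {"wgalogon"}                                            # assumed allowlist

# Where each HijackThis section is read from, so a finding can be verified by hand first.
LOCATION = {
    "process": "running process: end it (Safe Mode/Task Manager) before deleting its file",
    "O4-HKLM": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    "O4-HKCU": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "O4-Startup": "Startup folder shortcut",
    "O16": r"HKLM\Software\Microsoft\Code Store Database\Distribution Units\{CLSID} + C:\WINDOWS\Downloaded Program Files",
    "O20": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<name> (DLL held open by winlogon.exe)",
    "O23": r"HKLM\System\CurrentControlSet\Services\<name>",
}

@dataclass
class Finding:
    code: str      # "process", "O4", "O16", "O20" or "O23"
    severity: str  # "bad" = known indicator matched, "review" = heuristic only
    entry: str     # the log line
    reason: str
    location: str

ITEM_RE = re.compile(r"^(O\d+) - (.*)$")

def _indicator_hit(text):
    low = text.lower()
    return next((m for m in BAD_PATH_MARKERS if m in low), None)

def triage(log):
    """Return Finding objects for a HijackThis log passed as one string."""
    findings, in_processes = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        item = ITEM_RE.match(line)
        if in_processes and not item:          # one image path per line
            hit = _indicator_hit(line)
            if hit:
                findings.append(Finding("process", "bad", line, f"image path contains '{hit}'", LOCATION["process"]))
            continue
        in_processes = False
        if not item:
            continue                           # header lines such as 'Platform:' or 'MSIE:'
        code, body = item.groups()
        if code == "O4":
            hive = "HKLM" if body.startswith("HKLM") else "HKCU" if body.startswith("HKCU") else "Startup"
            hit = _indicator_hit(body)
            if hit:
                findings.append(Finding(code, "bad", line, f"autorun target contains '{hit}'", LOCATION["O4-" + hive]))
        elif code == "O16":
            m = re.search(r"https?://([^/\s]+)", body)
            host = m.group(1).lower() if m else ""
            if any(host.endswith(b) for b in BAD_HOSTS):
                findings.append(Finding(code, "bad", line, f"ActiveX control fetched from rogue host {host}", LOCATION["O16"]))
            elif not any(host.endswith(t) for t in TRUSTED_DPF_HOSTS):
                findings.append(Finding(code, "review", line, f"ActiveX control from unlisted host {host or '(none)'}", LOCATION["O16"]))
        elif code == "O20":
            m = re.match(r"Winlogon Notify: (\S+) - ", body)
            if m and m.group(1).lower() not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding(code, "review", line, f"Winlogon Notify DLL '{m.group(1)}' not in allowlist", LOCATION["O20"]))
        elif code == "O23":
            hit = _indicator_hit(body)
            if hit:
                findings.append(Finding(code, "bad", line, f"service binary contains '{hit}'", LOCATION["O23"]))
            elif "Unknown owner" in body:
                findings.append(Finding(code, "review", line, "service has no publisher string; confirm its binary", LOCATION["O23"]))
    return findings

# Constructed sample: a subset of the post's log plus one O20 line from step 8.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Video Access ActiveX Object\pmsnrr.exe
C:\Program Files\SystemDoctor 2006 Free\sd2006.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.code}: {f.reason}\n    {f.entry}\n    -> {f.location}")
```

The O16 entry is the most useful thing to keep: the Code Store Database key records which .cab the control came from, so even after the rogue's folder is gone the download URL tells you how the infection arrived. Treat "review" findings as things to look up (Process Library or the online scanner in step 8), not as things to delete; the two in the sample, an unlisted Winlogon Notify DLL and an ATI service with no publisher string, are exactly the kind of line that needs a second source before it is fixed.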

Step by Step Procedure for Removing System Doctor 2006

Before attempting this removal procedure, download the following removal tools to your desktop and install them.
  • SmitRem by NoahdFear - Tool to remove Spyaxe and related infections
  • SmitFraudFix - Tool to remove most SmitFraud infections 
  • Malwarebytes Anti-Malware - tool to remove rogue applications and much more (highly recommended)
  • HijackThis 1.99.1 - Essential tool for finding spyware, virus, trojan, and other problems
  • CCleaner - Free tool for removing temporary files, cookies, history, and cleaning up registry problems
Removal Procedure
1) Download the programs above to your desktop, extract them where needed, and install them.
2) Open SmitFraudFix, choose option 4 to check for and download any updates, then quit the program.
3) Restart your computer in Safe Mode

4) Open the SmitRem folder and double-click RunThis.bat to start the SmitRem removal procedure. Besides removing the particular files it looks for, the tool also runs the Disk Cleanup tool to remove temporary files on the hard drive that may contain problem files. For a tutorial on using SmitRem click here.
5) After SmitRem has finished, open SmitFraudFix and choose Search (option 1), then Clean (option 2) to remove anything it finds. For a tutorial on using SmitFraudFix click here.
6) Double-click Malwarebytes Anti-Malware, install it, update it, and run a scan to remove any remaining rogue-application files. If you prefer, you can purchase Malwarebytes Anti-Malware, which adds a real-time monitor that will alert you if you attempt to download a rogue program.
7) While still in Safe Mode, run CCleaner. Analyze and Clean the files it finds, then click the Issues button on the left side of the screen and Scan and Fix any registry issues CCleaner discovers; accept its offer to back up the registry first, so a wrongly removed entry can be restored. Run both the registry scanner and the file analyzer until nothing else is found.
8) Run HijackThis and remove any leftover issues. If you are not sure whether a line in HijackThis is a problem, reboot in normal mode and use the online HijackThis scanner to see if the file is a threat: copy and paste your HijackThis log into the scanner and let it analyze it for you. Although it's not perfect, it will give you an idea of whether your system is clean or still needs some work. Do not delete anything with HijackThis unless you are absolutely sure what the file is and what it does.
Another great tool for checking whether a file is a threat is Process Library.
For items in the HijackThis log like the following, which will not delete manually, use KillBox to browse to the location of the file and delete it, or delete it on reboot. Items that are impossible to remove without KillBox usually show up in the O20 (Winlogon Notify) section of HijackThis, because winlogon.exe loads those DLLs at startup and keeps them open, in Safe Mode as well as in normal mode.
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: winrir32 - C:\WINDOWS\SYSTEM32\winrir32.dll
O20 - Winlogon Notify: dvd4free - C:\WINDOWS\SYSTEM32\dvd4free.dll
9) Reboot computer in Normal mode
10) Open the Add/Remove Programs control panel and uninstall any leftover programs like "SystemDoctor 2006" or any "Video Access ActiveX Object" program that was the root cause of the infection.
System Doctor 2006 Add/Remove Control Panel
11) Delete any leftover directories for "SystemDoctor 2006 Free" in the C:\Program Files folder by right-clicking on the SystemDoctor 2006 Free folder and choosing Delete.
12) Scan your computer with an online virus scanner like Housecall, BitDefender, or eTrust, or download and install an antivirus program and run a complete scan. A list of online scanners is below; some, however, will only scan for but not remove issues.
Online Virus Checkers
Trend Micro Housecall - will scan and remove threats
BitDefender Scan Online - will scan and remove threats
Ewido Online Scanner - will scan and remove threats
Kaspersky Online Scan - will scan and remove threats
Panda ActiveScan - appears to only scan for but not remove threats
McAfee FreeScan - appears to only scan for but not remove threats
eTrust Antivirus Web Scanner - will scan and remove threats
Symantec Security Check - will scan and remove threats
Dr.Web Online Check - user can upload particular files and test them for threats
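Step 8 leans on KillBox's "delete on reboot" for the O20 Winlogon Notify DLLs that cannot be deleted while winlogon.exe has them loaded. As an added example, not KillBox's or the post's code, the following Python models the mechanism that option uses: the Win32 call MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends the file to the PendingFileRenameOperations value that the session manager (smss.exe) processes at the next boot, before winlogon starts. The real Windows call is only made when the script runs on Windows (and needs administrator rights); everywhere else the code builds and decodes the registry payload so you can see exactly what gets scheduled. The three DLL paths are the ones quoted in step 8.

```python
r"""How "delete on reboot" works (added example, not KillBox's code).

MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) appends the pair
("\??\<path>", "") to the REG_MULTI_SZ value PendingFileRenameOperations
under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. smss.exe applies
that list early in the next boot, before winlogon.exe (and its Notify DLLs)
starts; an empty target string means delete. Everything below except
schedule_delete_on_reboot() just models that payload so it runs on any OS."""
import ctypes
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
PENDING_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"

def nt_path(win32_path):
    r"""C:\dir\file.dll -> \??\C:\dir\file.dll, the form the session manager expects."""
    return win32_path if win32_path.startswith("\\??\\") else "\\??\\" + win32_path

def pending_delete_entries(paths):
    """Strings MoveFileEx appends per file: the NT source path, then an empty target."""
    entries = []
    for p in paths:
        entries += [nt_path(p), ""]
    return entries

def encode_multi_sz(strings):
    """REG_MULTI_SZ bytes: every string NUL-terminated in UTF-16LE, plus a final NUL.
    The empty targets produce embedded double NULs; Windows reads this particular
    value by its length rather than stopping at the usual double-NUL terminator."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"

def decode_multi_sz(data):
    """Inverse of encode_multi_sz, keeping the empty strings (the delete markers)."""
    text = data.decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("missing final terminator")
    parts = text[:-1].split("\x00")   # drop the extra terminator, split on per-string NULs
    return parts[:-1]                  # the tail after the last string's NUL is always empty

def pending_delete_pairs(entries):
    """Pair a decoded value up as (source, target); target '' means delete."""
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/target pairs")
    return list(zip(entries[0::2], entries[1::2]))

def schedule_delete_on_reboot(paths):
    """On Windows, register each path with the OS (administrator rights required);
    elsewhere just return the entries that would be appended."""
    entries = pending_delete_entries(paths)
    if sys.platform == "win32":
        kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
        kernel32.MoveFileExW.argtypes = (ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32)
        kernel32.MoveFileExW.restype = ctypes.c_int
        for p in paths:
            if not kernel32.MoveFileExW(p, None, MOVEFILE_DELAY_UNTIL_REBOOT):
                raise ctypes.WinError(ctypes.get_last_error())
    return entries

if __name__ == "__main__":
    # The three O20 Winlogon Notify DLLs quoted in step 8 of the post.
    dlls = [r"C:\WINDOWS\SYSTEM32\msupdate32.dll",
            r"C:\WINDOWS\SYSTEM32\winrir32.dll",
            r"C:\WINDOWS\SYSTEM32\dvd4free.dll"]
    entries = schedule_delete_on_reboot(dlls) if sys.platform == "win32" else pending_delete_entries(dlls)
    blob = encode_multi_sz(entries)
    print(f"{PENDING_KEY}\\{PENDING_VALUE} gains {len(blob)} bytes:")
    for src, dst in pending_delete_pairs(decode_multi_sz(blob)):
        print(f"  {src} -> {dst or 'DELETE'}")
```

Two caveats. Deleting the DLL does not remove the Notify registry key that points at it, so still fix the O20 line in HijackThis (or delete the subkey under Winlogon\Notify) afterwards. And if the rogue's processes are still running they can recreate the file before the reboot, which is why steps 4 to 7 come first and the whole procedure is done from Safe Mode.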
You may also want to run a thorough adware/spyware scan with Ad-Aware SE, Spybot Search & Destroy, or Windows Defender as well, to make sure your system is absolutely clean of other malware.
You can visit my page for other Essential Tools to Use in Removing Spyware, Adware, Trojans, and Viruses
Congratulations! Your computer should now be free of System Doctor 2006. Please be careful when you are prompted to download any more "Video ActiveX" components to watch a particular video. If in doubt, don't install it.

