March 2, 2012

If Trojan:Win32/Tibs.IT AKA FakeAlert / System Check hits you, hit back

by Darren W Baker

My wife screamed. No, not at me, not this time. At her computer. She was getting system error messages and could no longer access her files. I looked at the system and there were pop-up messages and system tray messages telling her that the hard drive had a critical failure. Her machine was severely crippled and nothing worked. All the files and applications were inaccessible. The only thing you could launch was Internet Explorer.

I thought that was odd, then I noticed the errors had grammar and punctuation issues. (Note: I did not capture all the errors on the screen; there were over 50 of them and it was really annoying to have to close them all.)

Then I also noticed two icons in the task bar that are not standard Windows applications, one that looked like a Windows flag and one like a red stop sign, and under all the popup windows was an application running that said SYSTEM CHECK.

I know I didn’t install it, and my wife doesn’t install applications. UAC is set to ALWAYS NOTIFY on her computer, so she would have seen a prompt had this been installed through the normal path. This was a Trojan, and not a very nice one. Notice the “Click here to activate”? They want you to pay to fix the damage they caused. Every click on the application tries to take you to their website. I turned off her wireless before attempting anything.

Here is what it did to her:

1. It disabled the Task Manager.
2. It flagged all of her files and folders as hidden, including Desktop and Documents.
3. It renamed her profile to ADMIN.
4. It added itself to the registry so it would start each time the system booted.
5. It removed all the programs and the RUN command from the Start menu.

Obviously, hiding the files was designed to make you think the drive was really damaged. Blocking you from applications and tools makes you panic. Fortunately, all the keyboard shortcuts still work.

Press the WINDOWS key and “E”

If you press the Windows key on your keyboard at the same time as the letter E, you can launch File Explorer. With File Explorer, you can navigate to files or search for applications and launch them.

The first thing I did was use File Explorer to search for and launch Task Manager (TASKMGR.EXE) to see what was running (right-clicking the task bar to get Task Manager was disabled).

Task Manager shows the application SYSTEM CHECK running, but when you hover over the application on the task bar, its name is a string of random letters, as if it were a temporary file.

I switched over to the Processes tab in Task Manager, but couldn’t END PROCESS on System Check. I chose to SET PRIORITY to LOW so I could regain some CPU power.

I then ran System Configuration (MSCONFIG.EXE) from File Explorer to see if anything unusual was in Startup. Sure enough, there it was. I disabled it from starting again by unchecking the box. You can use the Registry Editor to remove it permanently, but I don’t recommend using Registry Editor if you don’t know what you are doing.

You might notice that the files are in C:\ProgramData. That is a hidden directory, and the files inside it are hidden too. If you change the settings under Tools > Folder Options in File Explorer, you can see them.

Time for Some Research.

On my computer, I researched this System Check and confirmed it was a Trojan designed to trick you into paying the creator to put your system back the way it is supposed to be. I also found several tools that would remove the Trojan if you paid for them. I am always suspicious of anti-malware tools that have only one purpose.

I ran across this article on BLOGSPOT for removing System Check. It states “Free Utilities by GridinSoft LLC”, so I downloaded them to a USB key to try them out. There is even a nice video to show you what to do.

There are 3 separate tools you will need:

1. GridinSoft Trojan Killer from http://trojan-killer.net/download.php
   To detect and remove the Trojan.
2. GridinSoft Restore from http://trojan-killer.net/download/restore.exe
   To remove the registry changes and put your files back in the right location.
3. GridinSoft Unhider from http://trojan-killer.net/download/unhider.exe
   To flag the files and directories so they are no longer hidden.

I installed GridinSoft Trojan Killer and it found the Trojan’s files right away. Wow, that was fast. A little too fast, like it knew exactly what it was looking for.

Conveniently, Trojan Killer was able to terminate the System Check Trojan and its subprocesses, which I had not discovered yet. It even confirmed what I discovered earlier about where the files were located.

Everything was going well until the scan was complete and I was presented the option to permanently remove the Trojan. When you click on the Remove Selected button, it asks you for your credit card.

Well, isn’t that interesting. That little bit of information was missing from the video…

Trojan Killer terminated the Trojan that was running in memory, and I know where the files are: in the C:\ProgramData directory.

I renamed all the files that were associated with the Trojan and my tinkering with it. Interestingly enough, we can see exactly when the files arrived on her system: 4:43 PM and 4:48 PM today. I asked her what website she was on at that time. She said she was doing some research and visited a website she had never been to before. I looked in her browser history and there were only about 20 websites she had visited today, so it shouldn’t be very hard to determine where it came from.

Putting things back.

I still need to fix her files. The GridinSoft Restore and Unhider applets work well for that and do the job pretty quickly. They don’t prompt you for anything; they just do the job and stop.

1. GridinSoft Restore from http://trojan-killer.net/download/restore.exe
   To remove the registry changes and put your files back in the right location.
2. GridinSoft Unhider from http://trojan-killer.net/download/unhider.exe
   To flag the files and directories so they are no longer hidden.

If you notice that files are still missing (probably still hidden), you can go to the C:\USERS directory, right-click on your profile directory and select PROPERTIES. From the General tab, uncheck the READ-ONLY and HIDDEN checkboxes. You will get a dialog to confirm the UNHIDE; select “Apply changes to this folder, subfolders and files”.

Reboot the computer and everything should be back to the way it was.
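As an added example (not code from this post or from GridinSoft), here is a PowerShell script that checks for the three tamper marks described above, the Task Manager policy block, an autostart entry launching from C:\ProgramData, and Hidden/Read-only attributes across the profile, and with -Fix clears the attributes the same way the Properties dialog step does. The registry paths are standard Windows locations; the C:\ProgramData match and the profile path are assumptions taken from where the post found the files. Note that the HKCU Run key and C:\ProgramData are both writable without elevation, which is consistent with no UAC prompt ever appearing.

```powershell
# Added example, not from the original post: audit the tamper marks the post
# describes and, with -Fix, reverse the file-attribute change the way the
# Properties-dialog step does. Run it in the affected user's session.
# Assumption: the malware's files live under C:\ProgramData (as found above).
param(
    [string]$ProfilePath = $env:USERPROFILE,
    [switch]$Fix    # without -Fix the script only reports
)

# 1. Task Manager disabled via the per-user policy value.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$dtm = (Get-ItemProperty -Path $polKey -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
if ($dtm -eq 1) {
    Write-Warning 'DisableTaskMgr is set: Task Manager is blocked'
    if ($Fix) { Remove-ItemProperty -Path $polKey -Name DisableTaskMgr }
}

# 2. Autostart entries. The HKCU Run key is writable without elevation, so an
#    entry there never triggers a UAC prompt. Flag anything launching from
#    ProgramData or a Temp directory (the post found the files in C:\ProgramData).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # provider metadata, not a value
        if ($p.Value -match '(?i)\\ProgramData\\|\\Temp\\') {
            Write-Warning ("Suspicious autostart {0}\{1} = {2}" -f $key, $p.Name, $p.Value)
        }
    }
}

# 3. Hidden items under the profile. Skip System-flagged items and junctions
#    (desktop.ini, "Application Data", etc.) so only user data is touched.
$hidden = @(Get-ChildItem -Path $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $a = [int]$_.Attributes
        ($a -band [int][IO.FileAttributes]::Hidden) -ne 0 -and
        ($a -band ([int][IO.FileAttributes]::System -bor [int][IO.FileAttributes]::ReparsePoint)) -eq 0
    })
Write-Host ("{0} hidden, non-system items under {1}" -f $hidden.Count, $ProfilePath)
if ($Fix) {
    # Clear only the two bits the malware sets; leave all other attributes alone.
    $mask = -bnot ([int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::ReadOnly)
    foreach ($item in $hidden) {
        $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band $mask)
    }
}
```

The profile's own AppData folder is normally hidden and will be counted and unhidden too, which is the same effect the Properties dialog step has when applied to subfolders and files.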

Lingering Questions…

Some things are still bothering me. How did this install without prompting? She has administrative rights, but UAC is cranked up to ALWAYS NOTIFY for everything. I created an administrative account on the box and put a password on it, and removed her from the Administrators group. Hopefully this shouldn’t happen again.

You are probably asking, why aren’t you running anti-virus or anti-malware? We are. She runs Microsoft Forefront, and its settings showed that it had updated at 2 am that morning. I have it scheduled to scan her computer every morning now. I don’t understand why it didn’t detect and prevent this application from running. As I was experimenting with the Trojan to reproduce some of the screenshots, Forefront did eventually detect it.

Better late than never doesn’t apply to something like this.

Here are the details on Trojan:Win32/Tibs.IT from the Microsoft Malware Protection Center.

Stuff like this really annoys me. It takes a great deal of time to research, fix and make sure everything is ok. Time I could be spending with my family.

I can’t imagine what people would do if they couldn’t troubleshoot things like I can. Do they pay the money and hope it fixes it? Pay for a “third party” utility to fix it, even though the antivirus they already paid for didn’t or couldn’t? Or, worse still, take it to a “computer repair shop” and hope they can figure it out and not just wipe and reload Windows and lose all their data?

I use SkyDrive and Live Mesh to protect and sync my work data. I think it’s time I introduce my wife to the cloud.

Read more from Sogeti
