|
| ||
| Fake "Microsoft Windows Security Warning" & Browser Hijacks Fake "Microsoft Windows Security Warning" & Browser Hijacks Hello Bonjour, Here it is : - This popup appears every 5 minutes : --------------------------------------------------------------- Microsoft Windows Security Warning Your Windows is corrupted with spyware virus You must patch your PC urgently to protect yourself. Private info is accessed by ports : -8080 -3128 You can patch your PC for free only now and delete all spyware viruses. Click OK to choose and download free spyware removal using antiSPY. (OK) (Annuler) ---------------------------------------------------------------- - Internet Start page is Hijacked to : wZZZZZw.hotpics-tgp.com/cgi-bin/h.pl & open randomly : wZZZZww.hotpics-tgp.com/congratulations.html wZZZww.globolook.com/ - Nothing found with : NORTON Antivirus Spybot - Search & Destroy Ad-Aware SE Personal Spy Sweeper CWShredder Scan Spyware a-squared StartCenter AboutBuster 4.0 (ALL in safe mode, system restoration off) - When I fix this line in HijackThis, it come back later, without rebooting. R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotpics-tgp.com/cgi-bin/h.pl It looks like the virus is disabled when i shut down explorer.exe Here is a log, .... I think it's OK Any help? Thanks a lot ...& sorry for my froggy english ! PL ------------------------- Logfile of HijackThis v1.97.7 Scan saved at 15:03:52, on 27/11/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\explorer.exe C:\ZZZZ-CDsofts\VIRUUUUUUUUUUUUUUUUUs\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotpics-tgp.com/cgi-bin/h.pl O2 - BHO: (no name) - {51C8BCA8-2524-4523-BF09-738C4EEBFC58} - C:\PROGRA~1\BXNEWF~1\BXNEWF~1.DLL O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch O4 - HKLM\..\Run: [DeltTray] DeltTray.exe O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM) O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...367/wmavax.CAB O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101428902296 O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.microsoft.com/downlo...-US/msorun.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab |
| ||
| Re: Fake "Microsoft Windows Security Warning" & Browser Hijacks Can you update to the latest version of HijackThis, reboot and post a new log please? current version is 1.98.2 You can either use the update feature in Hijackthis or re-download from http://www.spychecker.com/program/hijackthis.html |
| ||
| Re: Fake "Microsoft Windows Security Warning" & Browser Hijacks here it is :-) Thanks. Logfile of HijackThis v1.98.2 Scan saved at 21:19:25, on 27/11/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\ZZZZ-CDsofts\VIRUUUUUUUUUUUUUUUUUs\hijackthis-new\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotpics-tgp.com/cgi-bin/h.pl O2 - BHO: bxNewFolder - {51C8BCA8-2524-4523-BF09-738C4EEBFC58} - C:\PROGRA~1\BXNEWF~1\BXNEWF~1.DLL O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch O4 - HKLM\..\Run: [DeltTray] DeltTray.exe O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.0\THGuard.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file) O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101428902296 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab |
| ||
| Re: Fake "Microsoft Windows Security Warning" & Browser Hijacks Was the log taken in safe mode? If so, please do another in normal mode and post that. When you *fix* with hijackthis, all Internet explorer windows must be closed. |
| ||
| Re: Fake "Microsoft Windows Security Warning" & Browser Hijacks 1 Attachment(s) Hi, Im having this same problem. Tried everything but a reinstall to get rid of this. Ive got all my Windows Updates, I'm running ad-aware and PC-Cillan, and I've run every other anti-spam/worm/trojan/virus/spyware app I could find. I cleaned out my registry start-up entries manually, tried all of this in safe mode too. Happy to post my HijackThis Log but wanted to make sure someone hasnt already figured out how to fix this. Thanks in advance, and heres what the popup looks like: (I get this every 5 minutes or so, how evil is this?) |
| ||
| Re: Fake "Microsoft Windows Security Warning" & Browser Hijacks Heres my logfile anyhow: _________________________________________ Logfile of HijackThis v1.99.0 Scan saved at 7:41:32 PM, on 12/28/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\System32\Tablet.exe C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\AIM\aim.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\Documents and Settings\Johnny\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/a0002/ O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe" O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://*.windowsupdate.microsoft.com O15 - Trusted Zone: http://*.windowsupdate.com O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104263596270 O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe |
| ||
| Re: Fake "Microsoft Windows Security Warning" & Browser Hijacks This worked for me: search for a file named systr.dll c:/windows/system32/ rename or delete the file, reboot, rescan with adaware se, it will find again a few reg keys/values and remove them. And that's it! As a pecaution I also did a clean history, cookies etc. Before that the reg keys and IE homepage were rewritten at a rate of about 20/sec. (viewed with regmon). Now it-s all quiet. And get Firefox as a browser. IE is much more vulnerable. ;) |
| All times are GMT -4. The time now is 9:48 pm. |
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC