Windows Security Alert Warning! Potential Spyware Operation!--please help me..



kucheque
2007-09-20, 09:36
Dear experts,

I'm facing a problem: I have been getting a pop-up constantly and I don't know whether it is Windows-generated or from spyware. The message is as follows:

Windows Security Alert Warning! Potential Spyware Operation! Your computer is making unauthorized copies of your system & Internet files. Run full scan now to pervent any unathorised access to your files. Click YES to download spywear. (Notice the misspelled words pervent & unathorised)

How do I find and delete this stuff? Please help me, dear experts. Thank you.

Shaba
2007-09-21, 18:04
Hi kucheque

Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HJTInstall.exe.
Save HJTInstall.exe to your desktop.
Double-click on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch HijackThis.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in Notepad.
Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and paste the log in your next reply.
DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

kucheque
2007-09-25, 06:10
Dear Shaba, this is what I got from performing the scan. Please help me. Thank you for your assistance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:37 PM, on 9/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20627)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\SYSTEM32\osk.exe
C:\WINDOWS\SYSTEM32\MSSWCHX.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://aa.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://asia.search.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\testtestt.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\63584.exe
O4 - HKCU\..\Run: [Winstj] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstx] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstt] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winste] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstf] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winsti] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winsto] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstw] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstr] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstm] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstq] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winsts] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstp] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winsth] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstc] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstn] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstu] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winsta] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstl] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstv] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winsty] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstd] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstz] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstk] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstg] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstb] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [] OSK.exe
O4 - HKLM\..\Policies\Explorer\Run: [msdrvctrl] C:\WINDOWS\msdrvctrl.exe
O4 - HKUS\S-1-5-18\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - S-1-5-18 Startup: system.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: system.exe (User 'Default user')
O4 - .DEFAULT User Startup: system.exe (User 'Default user')
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\systems.txt
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll (file missing)
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\hxnmp.dll
O21 - SSODL: pWJlbjnfUui - {1CDC08C1-B676-A26B-8EA6-B05258040732} - C:\WINDOWS\system32\dgf.dll
O22 - SharedTaskScheduler: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\hxnmp.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

--
End of file - 8453 bytes
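The log above is the kind of artefact a helper reads by hand, looking for the same handful of indicators every time: a modified Shell= line, autoruns launched from the user's Temp folder, the Registry Editor disabled by policy, a non-empty AppInit_DLLs value, Winlogon Notify DLLs living outside system32, components whose file is missing, and one executable registered under many autorun names. The following Python script is an added example of that triage, written for this thread; it is not part of HijackThis and not something any poster provided. The rules are heuristics chosen here (assumptions, not HijackThis's own analysis), and the embedded sample is a short excerpt of the log posted above.

```python
"""Triage a HijackThis-style log for high-risk persistence entries.

Added example for this thread, not code from the forum or from HijackThis.
The rules are defensive heuristics chosen for this example; a hit means
"look closer", not "delete".
"""
import re
from collections import Counter

# Sample input: lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\testtestt.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\63584.exe
O4 - HKCU\..\Run: [Winstj] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [Winstx] C:\DOCUME~1\JEEVAR~1\LOCALS~1\Temp\616384.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [msdrvctrl] C:\WINDOWS\msdrvctrl.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\systems.txt
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")

# For O4 lines, pull the launched target out of "[name] target (User '...')".
O4_TARGET_RE = re.compile(r"\] (?P<target>.+?)(?: \(User '[^']*'\))?$")

# (section or None for any section, pattern applied to the body, reason)
RULES = [
    ("F2", re.compile(r"Shell=Explorer\.exe\s+\S", re.I),
     "shell hijack: extra program appended to Shell="),
    ("O4", re.compile(r"\\Temp\\[^\\]+\.exe$", re.I),
     "autorun launched from a Temp directory"),
    ("O4", re.compile(r"\\RunServices:", re.I),
     "RunServices autorun (obsolete key, rarely used legitimately)"),
    ("O4", re.compile(r"Policies\\Explorer\\Run:", re.I),
     "policy-enforced autorun (Policies\\Explorer\\Run)"),
    ("O7", re.compile(r"DisableRegedit=1", re.I),
     "Registry Editor disabled by policy"),
    ("O20", re.compile(r"^AppInit_DLLs: \S", re.I),
     "AppInit_DLLs set (loaded into every process that uses user32)"),
    ("O20", re.compile(r"^Winlogon Notify: .* - (?!C:\\WINDOWS\\system32\\)", re.I),
     "Winlogon Notify DLL outside system32"),
    (None, re.compile(r"\(file missing\)$", re.I),
     "registered component whose file is missing"),
]


def parse(log_text):
    """Return a list of (section, body) tuples; non-entry lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def repeated_targets(entries, threshold=2):
    """Map each executable registered under >= threshold O4 names to its count."""
    counts = Counter()
    for section, body in entries:
        if section != "O4":
            continue
        m = O4_TARGET_RE.search(body)
        if m:
            counts[m.group("target").lower()] += 1
    return {target: n for target, n in counts.items() if n >= threshold}


def triage(log_text):
    """Return (section, reason, detail) findings for every rule hit."""
    entries = parse(log_text)
    findings = []
    for section, body in entries:
        for rule_section, pattern, reason in RULES:
            if rule_section not in (None, section):
                continue
            if pattern.search(body):
                findings.append((section, reason, body))
    for target, n in repeated_targets(entries).items():
        findings.append(("O4", f"same executable registered under {n} autorun names", target))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {detail}")
```

Run against the sample, the script flags eleven entries; run against the full log above it would also flag the two dozen Winst* names that all point at the same Temp executable. None of the rules is proof of infection on its own (a missing-file entry is often just a leftover), which is why the output is a list of things to inspect rather than a list of things to delete, matching the "do not fix anything yet" advice earlier in the thread.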

Shaba
2007-09-25, 09:22
Hi

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

Shaba
2007-10-02, 15:32
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.