
Critical System Warning Popup Hijacking Me

13 replies to this topic

#1 SteveKaz99

Posted 02 June 2008 - 11:13 PM

Please help me!!!

I'm a software guy so I have some idea how to fix a PC.

My IE7 goes to a bogus .mht file in my system32 folder called spywarewarning.mht

C:\WINDOWS\System32\spywarewarning.mht

It looks like a fake XP Security Center window.

Also getting a Critical System Warning every few seconds; I have to CAD the process called adsnwz.exe to make it stop.

The text in the Critical System Warning reads

[Posted image: screenshot of the Critical System Warning popup]

Took the image from another website.

I used Ad-Aware, Spybot, SmitfraudFix, and Symantec AV with zero success.

Please help me!!!!

SteveKaz99

XP Media Center Ed. at SP 2

#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:30 PM

Posted 03 June 2008 - 10:52 AM

Hello and welcome. Would you please post the SmitFraud log?
The report can also be found at the root of the system drive, usually at C:\rapport.txt.

Edited by boopme, 03 June 2008 - 10:53 AM.


#3 SteveKaz99

SteveKaz99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North NJ
  • Local time:08:30 PM

Posted 03 June 2008 - 09:13 PM

boopme,

Thanks for your help. I ran it again.

I also have HijackThis on my PC if it is needed.

Steve

+++++++++++++++++++++++++++++++++++
SmitFraudFix v2.323

Scan done at 22:06:37.95, Tue 06/03/2008
Run from C:\Documents and Settings\Steve\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Steve


C:\Documents and Settings\Steve\Application Data


Start Menu


C:\DOCUME~1\Steve\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


Rustock



DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 167.206.245.130
DNS Server Search Order: 167.206.245.129

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2F9FBC39-C724-4E7B-AEFD-EDFE1FAC9BF8}: DhcpNameServer=10.30.0.9 10.30.0.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6ED0CF48-42E1-40F9-B2C5-674784D77340}: DhcpNameServer=10.30.0.9 10.30.0.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BB442341-89B9-43FF-8CBF-7871DAFDDC2A}: DhcpNameServer=167.206.245.130 167.206.245.129
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2F9FBC39-C724-4E7B-AEFD-EDFE1FAC9BF8}: DhcpNameServer=10.30.0.9 10.30.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6ED0CF48-42E1-40F9-B2C5-674784D77340}: DhcpNameServer=10.30.0.9 10.30.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BB442341-89B9-43FF-8CBF-7871DAFDDC2A}: DhcpNameServer=167.206.245.130 167.206.245.129
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2F9FBC39-C724-4E7B-AEFD-EDFE1FAC9BF8}: DhcpNameServer=10.30.0.9 10.30.0.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6ED0CF48-42E1-40F9-B2C5-674784D77340}: DhcpNameServer=10.30.0.9 10.30.0.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BB442341-89B9-43FF-8CBF-7871DAFDDC2A}: DhcpNameServer=167.206.245.130 167.206.245.129
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=167.206.245.130 167.206.245.129
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=167.206.245.130 167.206.245.129
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=167.206.245.130 167.206.245.129


Scanning for wininet.dll infection


End

#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:30 PM

Posted 03 June 2008 - 09:44 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062

Would you run a scan with MBAM and post a log?
Chewy

No. Try not. Do... or do not. There is no try.

#5 SteveKaz99

SteveKaz99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North NJ
  • Local time:08:30 PM

Posted 04 June 2008 - 05:47 AM

Thanks, DaChew.

The log file, as requested. I took no action after the scan.

Malwarebytes' Anti-Malware 1.14
Database version: 819

6:42:43 AM 6/4/2008
mbam-log-6-4-2008 (06-42-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 136001
Time elapsed: 29 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 11
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> No action taken.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\IEUpdate (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run\IEUpdate (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\IEUpdate (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\IEUpdate (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\IEUpdate (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchURL (Trojan.Zlob) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (C:\WINDOWS\system32\spywarewarning.mht) Good: (http://www.google.com/) -> No action taken.
HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (C:\WINDOWS\system32\spywarewarning.mht) Good: (http://www.google.com/) -> No action taken.

Folders Infected:
C:\WINDOWS\system32\824223 (Trojan.BHO) -> No action taken.

Files Infected:
C:\Documents and Settings\Christine\Local Settings\Temp\GLKE.tmp (Rogue.EvidenceEliminator) -> No action taken.
C:\WINDOWS\mrofinu72.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\adsnwz.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\000070.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\000080.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\spywarewarning.mht (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\spywarewarning2.mht (Trojan.FakeAlert) -> No action taken.
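As an added example (not from the thread, and not Malwarebytes' own code), a small Python parser for the MBAM 1.x log format above. It turns each detection line into a record and pulls out the two things a responder checks first in a log like this: Start Page values redirected to a local file (the fake "Security Center" page) and autostart entries under Run keys, plus everything the scan only reported but did not remove. The sample log and helper names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the MBAM 1.x log format, modelled on the thread's entries (not the full log).
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\IEUpdate (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (C:\WINDOWS\system32\spywarewarning.mht) Good: (http://www.google.com/) -> No action taken.

Files Infected:
C:\WINDOWS\system32\adsnwz.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\spywarewarning.mht (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# "<item> (<family>) -> <rest>", where <rest> is either an action or "Bad: (..) Good: (..) -> action"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()\s]+)\) -> (?P<rest>.+)$")
DATA_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")
LOCAL_PATH_RE = re.compile(r"^(?:file:///?)?[A-Za-z]:[\\/]", re.IGNORECASE)   # drive-letter path
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once|Services)?\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    item: str
    family: str
    action: str
    bad: Optional[str] = None   # only present for "Registry Data Items" entries


def parse_mbam_log(text: str) -> List[Finding]:
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):      # blank, or "(No malicious items detected)"
            continue
        if line.endswith(":"):                    # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if not m:                                 # summary lines ("Objects scanned: ...") etc.
            continue
        bad, action = None, m.group("rest")
        d = DATA_RE.match(action)
        if d:                                     # data item: split Bad/Good values off the action
            bad, action = d.group("bad"), d.group("action")
        findings.append(Finding(section, m.group("item"), m.group("family"), action, bad))
    return findings


def local_file_start_pages(findings: List[Finding]) -> List[Finding]:
    """Start Page values pointing at a file on disk: the rogue's fake 'Security Center' page."""
    return [f for f in findings if f.item.endswith("\\Start Page")
            and f.bad is not None and LOCAL_PATH_RE.match(f.bad)]


def unremediated(findings: List[Finding]) -> List[Finding]:
    """Entries the scan only reported, so they are still present on disk or in the registry."""
    return [f for f in findings if f.action.startswith("No action taken")]


def run_key_persistence(findings: List[Finding]) -> List[Finding]:
    """Autostart entries under Run/RunOnce/RunServices that relaunch the dropper at logon."""
    return [f for f in findings if RUN_KEY_RE.search(f.item)]
```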

#6 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:30 PM

Posted 04 June 2008 - 07:51 AM

The directions clearly specify a quick scan and to remove the infections.

MBAM has a good restore feature for any false positives.

Several of those nasties will probably get worse if left on your computer.
Chewy

#7 SteveKaz99

SteveKaz99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North NJ
  • Local time:08:30 PM

Posted 04 June 2008 - 08:50 PM

DaChew,

MBAM removed the spyware but the damage is done, I think.

IE7 will not access Microsoft Update; it closes and crashes (did a reinstall).
Microsoft Live Messenger will not log in without crashing (did a reinstall).
Google Update gives an update error.

A few other programs are not updating either, giving errors. I thought it was my firewall (Symantec) but I disabled it.
  • Did a full scan with MBAM but nothing came up.
  • Tried another Admin profile.
Any ideas?

Again thank you for your help.

Also, the act of saving this post makes IE7 crash and close.

Steve

Edited by SteveKaz99, 04 June 2008 - 08:53 PM.


#8 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:30 PM

Posted 04 June 2008 - 08:56 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry839950

Well, you have done step 1, the MBAM scan and fix.

Let's try ATF Cleaner and SAS from safe mode.
Chewy

#9 SteveKaz99

SteveKaz99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North NJ
  • Local time:08:30 PM

Posted 05 June 2008 - 06:23 PM

Dachew,

I ran both programs doing exactly what the directions said.

It found a few bad things, and the other cleaned up 442 MB worth of trash.

Unfortunately I am still having problems with Google Updater and Windows Update via IE7, and Microsoft Messenger Live still won't connect.

I included the log file from SAS.

Strange how some programs work and others don't.

Again thanks for your help.

Steve

----- Log from SAS -----

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/05/2008 at 06:46 PM

Application Version : 4.15.1000

Core Rules Database Version : 3475
Trace Rules Database Version: 1466

Scan type : Complete Scan
Total Scan Time : 00:19:20

Memory items scanned : 186
Memory threats detected : 0
Registry items scanned : 5781
Registry threats detected : 6
File items scanned : 20148
File threats detected : 11

Browser Hijacker.Internet Explorer Settings Hijack
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main#Start Page [ C:\WINDOWS\system32\spywarewarning.mht ]
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main#Start Page [ C:\WINDOWS\system32\spywarewarning.mht ]
HKU\S-1-5-19_Classes\Software\Microsoft\Internet Explorer\Main#Start Page [ C:\WINDOWS\system32\spywarewarning.mht ]
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main#Start Page [ C:\WINDOWS\system32\spywarewarning.mht ]
HKU\S-1-5-20_Classes\Software\Microsoft\Internet Explorer\Main#Start Page [ C:\WINDOWS\system32\spywarewarning.mht ]
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main#Start Page [ C:\WINDOWS\system32\spywarewarning.mht ]

Adware.Tracking Cookie
Data\Mozilla\Firefox\Profiles\uu3wzkmk.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\uu3wzkmk.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\uu3wzkmk.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\uu3wzkmk.default\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\uu3wzkmk.default\cookies.txt ]

Malware.Installer-Pkg/Gen
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{651956B7-1969-42AA-9453-E0B813019D54}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{989E4C3B-B2C9-4486-9A09-D5A8F953837C}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{B18E9843-4255-4D8E-AA28-95ABC06443BC}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE

#10 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:30 PM

Posted 05 June 2008 - 06:32 PM

Let's run a quick scan with MBAM again after updating it.
Chewy

#11 SteveKaz99

SteveKaz99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North NJ
  • Local time:08:30 PM

Posted 05 June 2008 - 08:29 PM

Dachew,

It found one. Amazing how they don't go away.

Who are these people that program these things? How can people who are so smart use it for evil and not good?

Any more ideas? It's not looking good.

Thanks, Steve



----- Log File -----

Malwarebytes' Anti-Malware 1.15
Database version: 833

9:23:48 PM 6/5/2008
mbam-log-6-5-2008 (21-23-48).txt

Scan type: Full Scan (C:\|)
Objects scanned: 129793
Time elapsed: 38 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Process.exe (Trojan.Agent) -> Quarantined and deleted successfully.

#12 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:30 PM

Posted 05 June 2008 - 09:03 PM

The last time I fought a bad infection I loaded SAS, ATF, MBAM and SDFix and ran them back to back several times in quick scans, with SAS in safe mode part of the time.

I stayed off the internet.

Edited by DaChew, 05 June 2008 - 09:03 PM.

Chewy

#13 SteveKaz99

SteveKaz99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North NJ
  • Local time:08:30 PM

Posted 05 June 2008 - 11:01 PM

Chew, that last one might have done it. Everything is working now. Wow, I have never spent so much time trying to fix my PC. Hey, thanks for your help with this. It's very cool that you help people. I take it you're a Star Wars fan? Me too.

I bet you know what the Chewbacca defense is.

Are you an IT guy? I do Software Support, not a lot of OS Support.

Sending this post and rebooting are the last things for me to do to know for sure.

Thanks again, Steve

#14 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:30 PM

Posted 06 June 2008 - 05:16 AM

I am not a software or Windows shell expert at all; my background is mostly self-taught hardware: how to make a computer run faster and smoother, power use, et al.

After a driveby infection I got real mad and started the Chewbacca Offense, :trumpet: :flowers: :thumbsup: :inlove:
Chewy