
Fake Windows Security Center


  • This topic is locked
6 replies to this topic

#1 ranber

Posted 16 July 2008 - 09:23 PM

I'm getting a fake Windows Security Center pop-up that looks very real. Also, there's a yellow notification popup in my taskbar that says, "Your computer might be at risk. Your virus protection status is bad. Click this baloon to fix the problem." I have run Ad-Aware SE along with Spybot S&D and removed everything. I run these programs weekly.
Any help would be appreciated.
Thanks.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal



#2 dc3

Posted 16 July 2008 - 10:52 PM

The notice that your computer may be at risk usually is a reminder to update your antivirus.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#3 DaChew

Posted 17 July 2008 - 04:52 AM

Would you run a scan with MBAM, following these directions exactly?

http://www.bleepingcomputer.com/forums/ind...st&p=876163
Chewy

No. Try not. Do... or do not. There is no try.

#4 ranber

Posted 17 July 2008 - 07:15 AM

Another yellow balloon comes up with Windows Security Center: *latest software updates are not installed *Incorrect files association *system appears to hang andFirewall has errors "click baloon to fix the problem". I am running MBAM as I type this.
Thanks

#5 ranber

Posted 17 July 2008 - 07:37 AM

Here is the log file from MBAM:

Malwarebytes' Anti-Malware 1.20
Database version: 960
Windows 5.1.2600 Service Pack 2

8:35:02 AM 7/17/2008
mbam-log-7-17-2008 (08-35-02).txt

Scan type: Quick Scan
Objects scanned: 60582
Time elapsed: 13 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jkkLCVOH.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7ab838e7-a17e-44b4-9e9e-04d9c1b9e5ab} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7ab838e7-a17e-44b4-9e9e-04d9c1b9e5ab} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkklcvoh -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkklcvoh -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jkkLCVOH.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\HOVCLkkj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\HOVCLkkj.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.

#6 ranber

Posted 17 July 2008 - 08:21 AM

I ran MBAM again and it removed the jkkLCVOH.dll.

Restarted again and the Windows Security Center is still there. It sits with a white x in the red shield in the taskbar tray. I can't right click on it to exit.
The balloon with the incorrect spelling of balloon comes up too. It says...

! Windows Security Center
*latest software updates are not installed
*Incorrect files association
*system appears to hang andFirewall has errors
"click baloon to fix the problem"

#7 TMacK

Posted 17 July 2008 - 10:34 AM

Hi ranber,

I have moved your HijackThis log to the Misplaced HJT Logs forum.
Please follow all directions that I've posted as a reply to your log.
By following these instructions, it will ensure that your HJT log is taken care of in the most timely manner.

Your log can be found at this link:
http://www.bleepingcomputer.com/forums/t/158227/ranbers-hjt-log/

Since you have posted a HJT log, I'm going to close this topic.
From this point on, the HijackThis Team are the only members you should take advice from, until your log has been declared clean.
If you have any questions, don't hesitate to send me a PM.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner



