Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Exploere 7 Redirected to Rogue Anivirus Scanner

  • This topic is locked This topic is locked
2 replies to this topic

#1 Spolk


  • Members
  • 3 posts
  • Local time:06:19 PM

Posted 13 February 2009 - 11:49 AM

I noticed yesterday that Explorer 7 and Outlook Express were acting up, and my computer was running slow in general. Explorer quit responding MANY times and Outlook could not send/receive emails. I updated and ran Ad-Aware Personal (which stopped responding after the scan was complete), Spyware Doctor, and Norton Internet Security 2008, and though Spywares were detected and removed on both of the latter programs, my computer continued to have the aforementioned symptoms. Early this morning when I was on MySpace, I got a pop-up about buying Antivirus 2009 and though I don't think I responded at all (I was half asleep), Explorer 7 immediately redirected to a webpage that began scanning my computer for viruses and I was inundated with pop ups trying to sell me a virus cleaner. I just Xed out all the pages. My Browsing History shows: and antiviralscanner14.com, though I did not visit either of these pages. I Googled "antiviralscanner14" and only found a yahooanswers entry about it. Since I don't trust those answers I searched a bit more about fake virus scanners, etc and found a Wikipedia article about rogue antivirus programs. I firmly believe I have something of this type, but do not know which one. I followed the advice in the Wikipedia article to use HijackThis and followed instructions from Trendmicro.com to you.

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 9:36:21.34 on Fri 02/13/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.117 [GMT -6:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Online Backup\OnlineBackup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.wunderground.com/cgi-bin/findweather/getForecast?query=76426
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [@BackupScheduler] c:\program files\online backup\OnlineBackup.exe
uRun: [QuickenScheduledUpdates] c:\program files\quicken\billmind.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [<NO NAME>]
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [CHotkey] zHotkey.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [LXCICATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCItime.dll,_RunDLLEntry@16
mRun: [lxcimon.exe] "c:\program files\lexmark 7300 series\lxcimon.exe"
mRun: [EzPrint] "c:\program files\lexmark 7300 series\ezprint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billmi~1.lnk - c:\program files\quickenw\billmind.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} - hxxp://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212172402328
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.4.0/jinstall-1_4_0-win.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14-win.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F73BE1F4-82AA-4405-AB81-FAFB5A122359} - hxxp://stores.homestead.com/storeadmin/utilities/pssbedit.cab
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 lxci_device;lxci_device;c:\windows\system32\lxcicoms.exe -service --> c:\windows\system32\lxcicoms.exe -service [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-11 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090212.055\NAVENG.SYS [2009-2-13 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090212.055\NAVEX15.SYS [2009-2-13 876112]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-3-20 1245064]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-7-17 42376]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-7-17 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-7-17 81288]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-7-17 337800]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-7-17 1017224]

=============== Created Last 30 ================

2009-02-13 06:53 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-02-12 10:34 31,972 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2009-01-09 07:24 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-09 07:24 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-09 07:24 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-09 07:24 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-20 17:15 826,368 a------- c:\windows\system32\wininet.dll
2008-10-14 21:33 95,600 a------- c:\program files\nppdf32.dll
2008-09-02 10:05 203 a------- c:\program files\forminfo.dat
2007-11-07 09:43 204,800 a------- c:\program files\orfcexec.dll
2007-11-07 09:42 262,144 a------- c:\program files\orfcmain.dll
2007-11-07 09:42 258,048 a------- c:\program files\orfcgui.dll
2007-10-23 08:35 151,552 a------- c:\program files\formflds.dll
2007-10-02 15:27 33,448 ac------ c:\program files\omupdate.exe
2002-02-21 10:13 48,381 ac------ c:\program files\np_orfc.dat
2002-02-21 10:13 48,381 a------- c:\program files\orfc.dat
1999-11-17 12:27 1,756 ac------ c:\program files\orfc.class
2008-08-17 08:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081720080818\index.dat

============= FINISH: 9:36:48.45 ===============

Thank you in advance! I'm hopeful that someone can save me!

Attached Files

BC AdBot (Login to Remove)


#2 Spolk

  • Topic Starter

  • Members
  • 3 posts
  • Local time:06:19 PM

Posted 16 February 2009 - 05:31 PM

YEA!! I REMOVED IT! :thumbup2: It was Win32Tr\.\NewMedia Here is a screen shot of where it took me:

Posted Image

Here is Lavasoft's info about these bugs: http://www.lavasoft.com/support/securityce...?p=366#more-366


1) Backed up all files

2) Restored to a date before (unauthorized) software change

3) Downloaded Ad-Aware Anniversay Edition, updated and ran scan

4) Scan found [ Win32Tr\.\NewMedia - "Serious Threat" - MALWARE that trys to infect registry by redirecting your browser to rogue anivirus and causes popups to purchase product, and thereby release infection. ]

5) DELETED, restarted, ran again and it appears to be gone!

NOTE: Ad-Aware 2008, Malwarebytes, Spyware and Norton Internet Securitry 2008 all missed it, and though my computer acted better after I restored to an earlier date, I wanted to make sure I had done all I could. And I'm glad I did!

Best of luck!

Edited by Spolk, 16 February 2009 - 06:01 PM.

#3 KoanYorel


    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:07:19 PM

Posted 18 February 2009 - 06:40 PM

Thanks for informing us what you have done. Good luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users