"Windows Security Center" popup and "...At risk" balloon.



#1 BuenoCabra

Posted 07 July 2005 - 04:08 AM

So there I was, surfing around, and all of a sudden, a window popped up and suggested that I make it my homepage. After clicking "No" about a hundred times, IE eventually just disappeared off my screen. When I tried to start it again, it took me to what appeared to be a search site or something with a box in the upper right that said something about my computer possibly being infected.

Before I could see what was really going on, the browser closed and my McAfee alerted me that a file associated with a Trojan of some sort had been detected and deleted. I tried several times to reset my homepage to about:blank before the window would close, but I couldn't get it to take (each time, the alert from McAfee would show). I ran my McAfee virus scan, it found some stuff, and I deleted/cleaned it. I tried to open IE again, and the same thing happened. I finally got my start page reset to blank, and I ran McAfee again, which found more stuff, which I again cleaned/deleted. Obviously, McAfee wasn't getting at the problem, so I went to get Spybot S&D. I had a hard time using IE, because after a couple of clicks, my browser window(s) would just close. No error or alert, just close. I finally outsmarted whatever it was (it tried to send me to a weird site when I clicked a link instead of where I was going, so I opened the link in a new window and got a "Page cannot be displayed"). I downloaded S&D, which found a bunch of stuff, which I cleaned/deleted.

At some point, either before or after I got S&D, IE would crash when I tried to open it, error reporting option and all. Well, eventually, I got IE working normally again (S&D found a bunch of stuff like things added to my Favorites and such). Soon after, a popup appeared, along with a tray icon and bubble. I believe Sophos best describes what my computer is doing now (http://www.sophos.com/virusinfo/analyses/trojdloadermk.html):

Troj/Dloader-MK is a downloader Trojan on the Windows platform.

Once installed, the Trojan displays a fake message box with the caption 'Windows Security Center' and the text 'WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords.'

If the user clicks on the Yes button, Troj/Dloader-MK opens up Internet Explorer to point to a remote search engine website. If the user clicks on the No button, the message box closes.

With either option chosen, the Trojan subsequently installs a shell tray icon which gives a balloon tip with the following message:

'Your computer might be at risk
- Your virus protection status is bad
- Spyware Activity Detected.
Click this balloon to fix this problem'

Once the balloon is clicked, Troj/Dloader-MK spawns an Internet Explorer process which attempts to connect to a remote website and download a Microsoft Windows Html Help Data file (CHM).

The Trojan also attempts to download files from other remote websites silently and run them.


The first time it happened, I, in my frustration, clicked yes and clicked the balloon.

I know. I'm sorry.

It took me to an obviously fake website that claimed to have help for virus and spyware stuff, citing Microsoft at one point. I closed that out and searched online for the text that was in the Windows Security box. I saw a couple of forums where people had posted similar problems, and I scanned through the replies. I poked around my computer and deleted some files that I found to be associated with malware, and some stuff that was just suspicious to me that was dated and timed appropriately to be a part of my problem. I then ran three online scans at the advice given to other people: McAfee, Symantec, and TrendMicro. McAfee, not surprisingly, found nothing. Symantec found one file in C:\, which I deleted. TrendMicro found 3 files (I think), and couldn't get rid of one because it said it wasn't there. I believe it was msoffice.ini (or something similar), and if it was, I deleted it. Throughout this, the popup and bubble came back a couple of times (which is why I kept working on it).

I restarted my computer, and the popup and bubble came back again. I read that Ad-Aware was better than S&D, so I downloaded that. It found a crapload of stuff, the most malicious of which was CoolWeb or CoolSearch, something like that. So I quarantined and deleted everything it found. I then surfed the web a bit and ran it again, and it found more stuff. After the second scan, I restarted my computer. I was greeted by the popup and balloon. I scanned again, and found nothing. I searched around online and found the Sophos description, which tells me to use its software to fix my problem. Thanks, guys. Big help.

So, according to Sophos, I appear to have Troj/Dloader-MK, but I don't know what to do about it, and I can't find a site in English that isn't Sophos that mentions the Trojan. Please help, my boy is sick and needs to be healed. I'm not opposed to downloading new software or doing whatever I need to. I'm also not tied down to this Dloader-MK thing, so if it could be something else, I'm all ears.

Oh, and I'm running WinXP. I don't know what other info you need. Sorry I can't give more specifics in the way of file names, I didn't anticipate having to post this problem. Also, I wasn't sure if this was the right place for this post, so let me know if it needs to go somewhere else.


#2 Leurgy


Posted 07 July 2005 - 07:05 AM

Since Spybot and Ad-Aware found "a bunch of stuff" and the other virus scans haven't been helpful, I suggest you generate a HijackThis log for our team to look at. See How to submit a HijackThis Log.

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslow

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool
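The Sophos description quoted in the first post (fake "Windows Security Center" box, tray balloon, IE pointed at a remote search page, further files downloaded and run) and the HijackThis suggestion in the reply both come down to the same question: what is set to start with Windows, what has been hooked into Internet Explorer, and where does each of those entries point. The script below is an added example, written for this thread and not code from either poster or from HijackThis, that reads the same autostart and browser-hijack locations a HijackThis log reports and flags entries that look out of place. The registry paths are the standard Windows ones; the "trusted directory" and "expected value" heuristics are this example's own assumptions, and anything it flags still needs to be looked at by hand (or posted in a log for the team) before it is removed. It is read-only and changes nothing.

```powershell
# Added example (not from the original thread): read the autostart and
# browser-hijack locations a HijackThis log covers and flag odd entries.
# Heuristics (trusted roots, expected Shell/Userinit/start page values) are
# this example's assumptions. Run as Administrator; it only reads.

$trustedRoots = @($env:SystemRoot, $env:ProgramFiles)
$systemDir    = Join-Path $env:SystemRoot 'System32'

# Pull the executable path out of a Run-key command line
# (either "quoted path" args, or path args).
function Get-CommandExe {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return '' }
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

# Assumption: only absolute paths under Windows or Program Files are "trusted".
function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path -like "$root\*") { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Location, $Name, $Value, $Suspicious) {
    $findings.Add([pscustomobject]@{
        Location = $Location; Name = $Name; Value = $Value; Suspicious = $Suspicious
    })
}

# 1. Run / RunOnce keys (HijackThis "O4" entries)
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $exe = Get-CommandExe $p.Value
        Add-Finding $key $p.Name $p.Value (-not (Test-TrustedPath $exe))
    }
}

# 2. Winlogon Shell / Userinit: a classic way for a hijacker to survive a reboot.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon
Add-Finding $winlogon 'Shell' $wl.Shell ($wl.Shell -notmatch '^\s*explorer\.exe\s*$')
$userinitExe = Get-CommandExe (([string]$wl.Userinit -split ',')[0])
Add-Finding $winlogon 'Userinit' $wl.Userinit ($userinitExe -notlike "$systemDir\userinit.exe")

# 3. Browser Helper Objects ("O2"): resolve each CLSID to the DLL it loads into IE.
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem -Path $bhoKey).PSChildName) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { '<no InprocServer32>' }
        $dllPath = [Environment]::ExpandEnvironmentVariables("$dll")
        Add-Finding $bhoKey $clsid $dll (-not (Test-TrustedPath $dllPath))
    }
}

# 4. IE start/search pages ("R0"/"R1"): anything other than about:blank or a
#    microsoft.com host is worth a look (assumption, not a rule).
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
if (Test-Path $ieMain) {
    $ie = Get-ItemProperty -Path $ieMain
    foreach ($name in 'Start Page', 'Search Page') {
        $url = [string]$ie.$name
        if (-not $url) { continue }
        $ok = ($url -eq 'about:blank') -or ($url -match '^https?://([a-z0-9-]+\.)*microsoft\.com(/|$)')
        Add-Finding $ieMain $name $url (-not $ok)
    }
}

# 5. hosts file ("O1"): any active mapping other than localhost.
$hosts = Join-Path $systemDir 'drivers\etc\hosts'
if (Test-Path $hosts) {
    Get-Content $hosts |
        Where-Object { $_ -match '^\s*[0-9a-fA-F.:]+\s+\S+' -and $_ -notmatch '^\s*#' } |
        ForEach-Object {
            $suspicious = $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
            Add-Finding $hosts 'entry' $_.Trim() $suspicious
        }
}

# Suspicious entries first; this is the part you would paste into a log request.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A "Suspicious" entry is only a lead: a legitimate program installed outside Program Files will be flagged too, and a hijacker that copies itself into the Windows directory will not be. That is exactly why the reply asks for the full log rather than for the poster to delete things on his own.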