
Browser hijacked - fake security software


This topic is locked
2 replies to this topic

#1 LaurelRavenclaw

LaurelRavenclaw

  • Members
  • 2 posts
  • OFFLINE
  • Local time:03:29 PM

Posted 15 December 2009 - 11:47 AM

While surfing the web last night, I clicked a link to a site that infected my computer. (I may or may not have been trying to search for some free ROM software...) I'm on a Windows XP SP3 laptop, using a Firefox browser. My desktop image changed to a message that says

"YOUR SYSTEM IS INFECTED (large red bold letters)

System has been stopped due to a serious malfunction.
Spyware activity has been detected.

It is recommended to use spyware removal tool to prevent data loss.
Do not use the computer before all spyware removed"

and a MS windows pop-up box with the message

"Attention! System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files. You private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need update your current security software. Click OK to download official intrusion detection system (IDS software)"

grammar mistakes intact. I have not clicked on that box or done anything since this happened except getting online to try and fix this. When trying to browse the web to get to this forum, I'm occasionally getting redirected to other sites, mostly pseudo-legit "info" sites, or sites asking me to download software to protect my computer.

Also, there's a balloon notification pop-up from my system tray

"Click here to protect your computer from spyware!
Your computer is infected..."

and then it went away. I don't want to click on that.


Here's the DDS log file as requested, and I'm attaching the "attach" file and the "ark" file.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Laurel at 10:00:42.05 on Tue 12/15/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.141 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\IBM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
svchost.exe
C:\Program Files\Array Networks\Common\8,4,0,72\arr_isrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Array Networks\Array SSL VPN\8,4,0,72\arr_srvs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\doubleTwist 2.0\doubleTwist.DeviceHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\winupdate86.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\imapi.exe
C:\Documents and Settings\Laurel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\winlogon86.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [doubleTwist] c:\program files\doubletwist 2.0\DoubleTwist.DeviceHelper.exe
uRun: [notepad] rundll32.exe c:\docume~1\laurel\ntload.dll,_IWMPEvents@0
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TrackPointSrv] c:\program files\lenovo\trackpoint\tp4serv.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [StorageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [BLOG] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [notepad] rundll32.exe c:\windows\system32\notepad.dll,_IWMPEvents@0
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\ibm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\ibm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\winhelper86.dll
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://www-307.ibm.com/pc/support/acpir.cab
DPF: {42418043-06FB-4F5C-BA5C-DA0E62D56872} - hxxps://ra.tcfef.com/prx/000/http/localhost/fatproxyx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {B6648EB8-2460-484F-9255-9654454C4C70} - hxxps://ra.tcfef.com/prx/000/http/localhost/arr_x.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
TCP: {E1B1B474-FAD4-4C6A-B22E-E52AD3C340E6} = 10.48.254.42,10.48.254.14
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\laurel\applic~1\mozilla\firefox\profiles\sp5aq8ek.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\laurel\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2009-7-1 16384]
R2 Array_Utility_Service8.4.0.72;Array Utility Service 8,4,0,72;c:\program files\array networks\common\8,4,0,72\arr_isrv.exe [2009-7-21 372809]
R2 ArraySSL_VPN_Service8.4.0.72;Array SSL VPN Service 8,4,0,72;c:\program files\array networks\array ssl vpn\8,4,0,72\arr_srvs.exe [2009-7-21 229449]
R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [2009-10-30 6656]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-8-11 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-10-7 647168]
R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-8-11 224768]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091214.004\NAVENG.sys [2009-12-14 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091214.004\NAVEX15.sys [2009-12-14 1323568]
S3 ATP;ArrayNetworks SSL VPN Miniport Driver;c:\windows\system32\drivers\atpdrvr.sys [2009-7-21 16896]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-12-15 16:00:10 0 ----a-w- c:\windows\system32\25667.exe
2009-12-15 15:40:07 0 ----a-w- c:\windows\system32\19912.exe
2009-12-15 15:20:02 0 ----a-w- c:\windows\system32\1869.exe
2009-12-15 15:00:01 0 ----a-w- c:\windows\system32\11538.exe
2009-12-15 14:40:00 0 ----a-w- c:\windows\system32\14771.exe
2009-12-15 14:19:43 0 ----a-w- c:\windows\system32\21726.exe
2009-12-15 13:59:26 0 ----a-w- c:\windows\system32\5447.exe
2009-12-15 13:39:08 0 ----a-w- c:\windows\system32\19895.exe
2009-12-15 13:18:51 0 ----a-w- c:\windows\system32\19718.exe
2009-12-15 12:58:34 0 ----a-w- c:\windows\system32\18716.exe
2009-12-15 12:38:17 0 ----a-w- c:\windows\system32\17421.exe
2009-12-15 12:17:59 0 ----a-w- c:\windows\system32\12382.exe
2009-12-15 11:57:42 0 ----a-w- c:\windows\system32\292.exe
2009-12-15 11:37:25 0 ----a-w- c:\windows\system32\153.exe
2009-12-15 11:17:07 0 ----a-w- c:\windows\system32\3902.exe
2009-12-15 10:56:50 0 ----a-w- c:\windows\system32\14604.exe
2009-12-15 10:36:33 0 ----a-w- c:\windows\system32\32391.exe
2009-12-15 10:15:54 0 ----a-w- c:\windows\system32\5436.exe
2009-12-15 09:55:54 0 ----a-w- c:\windows\system32\4827.exe
2009-12-15 09:35:53 0 ----a-w- c:\windows\system32\11942.exe
2009-12-15 09:15:53 0 ----a-w- c:\windows\system32\2995.exe
2009-12-15 08:55:52 0 ----a-w- c:\windows\system32\491.exe
2009-12-15 08:35:52 0 ----a-w- c:\windows\system32\9961.exe
2009-12-15 08:15:51 0 ----a-w- c:\windows\system32\16827.exe
2009-12-15 07:55:13 0 ----a-w- c:\windows\system32\23281.exe
2009-12-15 07:35:12 0 ----a-w- c:\windows\system32\28145.exe
2009-12-15 07:15:12 0 ----a-w- c:\windows\system32\5705.exe
2009-12-15 06:55:10 0 ----a-w- c:\windows\system32\24464.exe
2009-12-15 06:35:10 0 ----a-w- c:\windows\system32\26962.exe
2009-12-15 06:15:09 0 ----a-w- c:\windows\system32\29358.exe
2009-12-15 05:55:09 0 ----a-w- c:\windows\system32\11478.exe
2009-12-15 05:35:08 0 ----a-w- c:\windows\system32\15724.exe
2009-12-15 05:15:08 0 ----a-w- c:\windows\system32\19169.exe
2009-12-15 04:55:07 0 ----a-w- c:\windows\system32\26500.exe
2009-12-15 04:35:07 0 ----a-w- c:\windows\system32\6334.exe
2009-12-15 04:15:06 0 ----a-w- c:\windows\system32\18467.exe
2009-12-15 04:06:11 0 d-----w- c:\program files\Trend Micro
2009-12-15 03:55:06 0 ----a-w- c:\windows\system32\41.exe
2009-12-15 03:54:55 1375232 ----a-w- c:\windows\system32\AVR10.exe
2009-12-15 03:54:53 18944 ----a-w- c:\windows\system32\winhelper86.dll
2009-12-15 03:54:46 2854 ----a-w- c:\windows\system32\critical_warning.html
2009-12-15 03:54:45 19968 ----a-w- c:\windows\system32\winupdate86.exe
2009-12-15 03:54:45 19968 ----a-w- c:\windows\system32\winlogon86.exe
2009-11-19 00:35:55 0 d-----w- c:\program files\Magic M4A to MP3 Converter
2009-11-18 16:47:02 0 d-----w- c:\docume~1\laurel\applic~1\Sibelius Software

==================== Find3M ====================

2009-11-10 19:38:40 165112 ----a-w- C:\all.zip
2009-11-09 16:07:19 65556 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-30 20:37:18 6656 ----a-w- c:\windows\system32\drivers\iPodDrv.sys
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 12:40:24 90752 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-03-21 14:06:58 29696 --sha-w- c:\windows\system32\notepad.dll
2009-07-04 22:43:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009070420090705\index.dat

============= FINISH: 10:01:31.03 ===============


#2 LaurelRavenclaw

LaurelRavenclaw
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:03:29 PM

Posted 15 December 2009 - 07:02 PM

Fixed it myself using the excellent Internet Security 2010 (Uninstall Guide). THANKS!!! This guide saved me a LOT of headaches.

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,012 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:29 PM

Posted 17 December 2009 - 11:51 PM

Hello

Thank you for letting us know. I'm glad that your computer problems have been fixed. Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
