shlomidadash
asked on
Annoying Fake system security warning - how to remove, using server 2003
hi
I'm using Windows Server 2003, with thin clients (RDP) connecting to the server.
Recently it shows a fake warning: "your computer may be infected, do you want bla bla bla bla,..... to scan your computer" with an annoying, unremovable small red icon in the systray.
I ran HijackThis and the log is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:38:11, on 06/04/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lserver.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Tracker Software\PDF-XChange 3 Pro\pdfSaver\pdfSaver3.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.walla.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3 Pro\pdfSaver\pdfSaver3.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &ייצוא אל Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233737970009
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233830568953
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dadash.co.il
O17 - HKLM\Software\..\Telephony: DomainName = dadash.co.il
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF9FA7E1-24BD-486B-B0C8-A5FDA4C1F711}: NameServer = 192.115.106.35,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dadash.co.il
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 6520 bytes
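A small triage script added here (it is not part of the thread or of HijackThis itself) that parses lines in the HijackThis v2 format shown in the log above and flags two things a reviewer would otherwise check by hand: core Windows binaries reported outside C:\WINDOWS, and the O10 broken-LSP entry. The sample lines are constructed from the posted log; the list of system-only file names and the trusted roots are my assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis v2 format, modelled on the log posted in the question.
SAMPLE_LOG = r"""Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

# Assumption: these names only belong under %SystemRoot%; a copy elsewhere deserves a closer look.
SYSTEM_ONLY = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
               "svchost.exe", "userinit.exe", "mswsock.dll"}
# Assumption: install locations the admin recognises as legitimate on this server.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# First drive-letter path ending in .exe/.dll on the line (quotes and the rest of the line excluded).
PATH_RE = re.compile(r"""[a-z]:\\[^"'\n]+?\.(?:exe|dll)""", re.IGNORECASE)
SECTION_RE = re.compile(r"^([A-Z]\d+) - ")


def extract_path(line):
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def triage(log_text):
    """Return (section, reason, path) tuples for entries worth a manual check."""
    findings = []
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        section = m.group(1) if m else "PROC"  # bare lines are the running-process list
        path = extract_path(line)
        if section == "O10":  # HijackThis reports a broken Winsock LSP chain here
            findings.append((section, "broken LSP chain", path))
        if not path:
            continue
        low = path.lower()
        if PureWindowsPath(low).name in SYSTEM_ONLY and not low.startswith("c:\\windows\\"):
            findings.append((section, "system file outside %SystemRoot%", path))
        elif not low.startswith(TRUSTED_ROOTS):
            findings.append((section, "path outside trusted roots", path))
    return findings


if __name__ == "__main__":
    for section, reason, path in triage(SAMPLE_LOG):
        print(f"{section:5} {reason}: {path}")
```

Run against the posted log it flags the smss.exe path under the Administrator profile and the mswsock.dll path in the O10 line; both are items to verify on the box, not proof of infection by themselves.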
Run msconfig, go to Tools and look for any suspicious tool; you may disable them all and restart your server. If the warning is gone then the application is on this list; try them half by half till you get it. If that doesn't succeed, try the same with Services (hide all Microsoft services and look for any suspicious service; you may do the same as with the tools, but be careful regarding your server's accessibility).
To remove this and other malware,
use the free Malwarebytes software from:
http://www.malwarebytes.org/
and also the free Spybot from:
http://www.safer-networking.org/en/download/index.html
I agree - from the reports I've read it takes around 3 different anti-malware programs to find them all.
Is that server updated / current? The 2003 server, fake alerts and port details here may add insight: Use filtering to block unauthorized access to the Alerter service
For added security, you can add filtering rules to the internal perimeter firewall to block unauthorized traffic to the Alerter service port (UDP port 5359) on the managed device.
Because the Alerter service communicates with managed Windows Mobile devices through the VPN tunnel, blocking port 5359 on external and internal firewalls does not impact Alerter communications (such as Wipe Now requests). Blocking port 5359 may provide additional security in the following instances: - some best practices and the source below.
http://technet.microsoft.com/en-us/library/dd252814.aspx
When you said "recently it shows a fake warning: "your computer may be infected, do you want bla bla bla bla,..... to scan your computer" with an annoying unremovable small red icon in the systray", I would add that knowing the exact error message would probably expedite a solution.
WINDOWS DEFENDER is an excellent FREE resource - first, how to escalate intrusions in Windows and 2003 server environments, and more, follow here: http://www.microsoft.com/windows/products/winfamily/defender/resources.mspx?tab=report%20potential%20spyware
Windows Defender antispyware cycle
See an illustration of how Windows Defender analyzes software before the software runs on your computer, and how the Microsoft team of spyware analysts create updates from information that users provide.
I've seen the "your computer may be infected, do you want bla bla bla bla,..... to scan your computer" one.
It's very popular (or should that be infamous?) :-) - Windows Defender won't touch it. Malwarebytes will.
Also, when downloading Malwarebytes, rename it, as certain variants of this infection will stop anti-malware from running. So I would rename malwarebytes.exe to blahblah.exe and then install; otherwise, as soon as the malware sees the process name it kills it off. Good luck.