[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Annoying Fake system security warning - how to remove, using server 2003

Posted on 2009-04-05
7
Medium Priority
?
998 Views
Last Modified: 2013-12-06
hi
im using windows server 2003, using the server with Thin Clients (RDP)
recently it shows a Fake warning: "your conmputer may be infected, do u want bla bla bla bla,..... to scan your computer" with an annoying unremoveable red small icon on the systray.

performed HIJackThis and the log is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:38:11, on 06/04/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lserver.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Tracker Software\PDF-XChange 3 Pro\pdfSaver\pdfSaver3.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.walla.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3 Pro\pdfSaver\pdfSaver3.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &ÙÙæÕÐ ÐÜ Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233737970009
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233830568953
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dadash.co.il
O17 - HKLM\Software\..\Telephony: DomainName = dadash.co.il
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF9FA7E1-24BD-486B-B0C8-A5FDA4C1F711}: NameServer = 192.115.106.35,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dadash.co.il
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6520 bytes
0
Comment
Question by:shlomidadash
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 3

Expert Comment

by:rmmustafa
ID: 24074655
Run msconfig , go to tools and look for any suspicious tool , you may disable them all and restart your server , if the warning is gone then the application is on this list , try them half by half till you get it ,,, if not succeeded , try it with services (hide all Microsoft Services and look for any suspicious service , you may do the same as with tools but be carful regarding to your server accessibility
0
 
LVL 29

Expert Comment

by:chilternPC
ID: 24075254
to remove and other malware
use the free malwarebytes software from:
http://www.malwarebytes.org/
also the free spybot from:
http://www.safer-networking.org/en/download/index.html
0
 
LVL 23

Accepted Solution

by:
Mohamed Osama earned 500 total points
ID: 24076739
Malwarebytes should be able to remove this
however the culprit in your log is this one
 C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
if MBAM fails to fix this , please boot your server in safe mode & delete this file
Also ,are the below DNS servers legit & are used within your organization And / OR provided by your ISP ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF9FA7E1-24BD-486B-B0C8-A5FDA4C1F711}: NameServer = 192.115.106.35,4.2.2.2

if not then needs to be fixed using Hijack this
if the problem persists, please post a fresh Hijack this log.


0
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

 
LVL 23

Assisted Solution

by:Mohamed Osama
Mohamed Osama earned 500 total points
ID: 24077560
Windows Malicious Software Removal Tool - March 2009 (KB890830) 
This one will also remove many of the rogue software in question, shouldn't hurt trying it as well first.

0
 
LVL 29

Expert Comment

by:chilternPC
ID: 24077894
I agree - form the  reports I've read it takes around 3 different anti-malware programs to find them all.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 24077988
That server is updated / current?  2003 server and fake alerts and port details here may add insight:  Use filtering to block unauthorized access to the Alerter service
For added security, you can add filtering rules to the internal perimeter firewall to block unauthorized traffic to the Alerter service port (UDP port 5359) on the managed device.
Because the Alerter service communicates with managed Windows Mobile devices through the VPN tunnel, blocking port 5359 on external and internal firewalls does not impact Alerter communications (such as Wipe Now requests). Blocking port 5359 may provide additional security in the following instances: - some Best Practices and source below.
http://technet.microsoft.com/en-us/library/dd252814.aspx
 When you said " recently it shows a Fake warning: "your conmputer may be infected, do u want bla bla bla bla,..... to scan your computer" with an annoying unremoveable red small icon on the systray"  I would add that knowing the exact error message would probably expedite a solution.

WINDOWS DEFENDER is an excellent FREE resource - First, how to escalate intrusions in Windows and 2003 server environs and more follow - http://www.microsoft.com/windows/products/winfamily/defender/resources.mspx?tab=report%20potential%20spyware

Windows Defender antispyware cycle
See an illustration of how Windows Defender analyzes software before the software runs on your computer, and how the Microsoft team of spyware analysts create updates from information that users provide.

 
0
 
LVL 29

Expert Comment

by:chilternPC
ID: 24078094
I've seen the "your conputer may be infected, do u want bla bla bla bla,..... to scan your computer"
its very popular (or should that be imfamous?)  :-)   - windows defender won't touch it.   Malwarebytes will.

also when downloading malwarebytes - rename it as certain varients of this infection will stop anti malware from running.  so I would rename malwarebytres..exe  to blahblah.exe  and then install otherwse as soon as the malware sees the process name it kills it off. good luck
0

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most PC repair technicians (if not all) always start their cleanup process by emptying the temp folders before running any removal tools. It makes sense because temp folders are common places for malware installers to lurk and removing all the junk …
What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question