Getting "Security Warning"

Discussion in 'Windows Desktop Systems' started by dadecamp, Nov 9, 2003.

  1. dadecamp

    dadecamp under worked, over paid

    Messages:
    123
    Location:
    Arizona desert
    How do I get this to stop popping up. It happens about every 2-5 minutes.
    I have Kerio personal firewall. Is there some way to configure it to stop it?
     
  2. Enyo

    Enyo Moderator

    Messages:
    1,338
    I assume you're talking about a Kerio firewall dialog.

    What version of Kerio?

    In 2.1.x on the administration screen move the slider up to the top (Deny unknown)
     
  3. dadecamp

    dadecamp under worked, over paid

    Messages:
    123
    Location:
    Arizona desert
    No, it is a windows security window. I tried to post a picture but for some reason it would not post. The window is the one that comes up when you try to install something and it says:

    "Caution:Dynamic Desktop Media asserts that this content is safe. You should only install/view this content if you trust Dynamic Desktop Media to make that assertion."

    The box pops up almost every time I do a Google search

    I'm sure it's some kind of spyware. I also get one for Gator.
     
  4. Enyo

    Enyo Moderator

    Messages:
    1,338
    It's not related to Kerio and no function of 2.1.x can help control this.

    Obtain HijackThis and look over your log. If you want, post it here.

    Also look at SpywareBlaster which will stop these warnings coming up for known spyware activeX controls.

    Read this thread for download links and cleaning help.
     
  5. dadecamp

    dadecamp under worked, over paid

    Messages:
    123
    Location:
    Arizona desert
    Here is my HijackThis save file. I hope you can make sense of it. Thanks:

    Logfile of HijackThis v1.97.5
    Scan saved at 9:07:13 AM, on 11/10/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Executive Software\Diskeeper\DkService.exe
    e:\Program Files\Kerio\Personal Firewall\persfw.exe
    e:\Program Files\ProxyPlus\ProxyPlus.exe
    C:\WINDOWS\System32\svchost.exe
    E:\Program Files\Trend Micro\Tmntsrv.exe
    E:\Program Files\Trend Micro\PCCPFW.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    E:\Program Files\Trend Micro\pccguide.exe
    E:\Program Files\Trend Micro\PCCClient.exe
    E:\Program Files\Trend Micro\Pop3trap.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\SOUNDMAN.EXE
    E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\WINDOWS\ddm\0\1\1\msbb.exe
    C:\Program Files\DownloadWare\dw.exe
    E:\Program Files\Trend Micro\WebTrap.EXE
    C:\Program Files\ClipGenie\WebInstall.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\uptodate.exe
    C:\WINDOWS\System32\67751711.exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\Program Files\Messenger\msmsgs.exe
    E:\Program Files\SETI@home\SETI@home.exe
    E:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    e:\Program Files\Kerio\Personal Firewall\PFWADMIN.EXE
    E:\Program Files\ProxyPlus\ProxyPlus.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    E:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    E:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    E:\Program Files\QuoteTracker\stocks.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    T:\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium.com/metasearch.php?dst=M3
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchenhancement.com/searchbar/iev1.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.start.earthlink.net/
    R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\scbar\v2\scbar.dll
    O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\ipinsigt.dll
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-AB2D-8D32436313D9} - C:\WINDOWS\bsx5.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - E:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\Support Software\SS2.DLL
    O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINDOWS\bs3.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {D5B72AED-E54A-11D6-B1B2-444553540000} - C:\WINDOWS\ddm\0\1\4\bho.dll
    O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - E:\PROGRA~1\STARDO~1\SDIEInt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - E:\Program Files\EarthLink TotalAccess\PnEL.dll
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
    O4 - HKLM\..\Run: [pccguide.exe] "E:\Program Files\Trend Micro\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "E:\Program Files\Trend Micro\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "E:\Program Files\Trend Micro\Pop3trap.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ATIPTA] e:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [msbb] C:\WINDOWS\ddm\0\1\1\msbb.exe
    O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\bs3.dll,DllRun
    O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [SearchEnhancement] "C:\Program Files\scbar\v2\scbar.exe" /U
    O4 - HKLM\..\Run: [WebInstall2] C:\Program Files\ClipGenie\WebInstall.exe /R
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [bxsx5] RunDLL32.EXE C:\WINDOWS\bsx5.dll,DllRun
    O4 - HKLM\..\Run: [4769533.exe] C:\WINDOWS\System32\4769533.exe
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [seticlient] e:\Program Files\SETI@home\SETI@home.exe -min
    O4 - HKCU\..\Run: [E6TaskPanel] "E:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: hp psc 2000 Series.lnk = E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download with Star Downloader - E:\Program Files\Star Downloader\sdie.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/update.CAB
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
    O16 - DPF: {9656B666-992F-4D74-8588-8CA69E97D90C} - http://www.commonname.com/eng/oneclick/uninstbb.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37870.7578819444
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{66D30B1E-F061-402B-8A99-587A3DF5ADA4}: NameServer = 192.168.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FDE5A023-E46B-4907-9464-1AE9505264CC}: NameServer = 207.69.188.187 207.69.188.186
     
  6. Enyo

    Enyo Moderator

    Messages:
    1,338
    Suspicious Running Process to examine:

    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\ddm\0\1\1\msbb.exe
    C:\Program Files\ClipGenie\WebInstall.exe - ClipGenie Spyware
    C:\WINDOWS\uptodate.exe - Spyware
    C:\WINDOWS\System32\67751711.exe
    C:\Program Files\DownloadWare\dw.exe - Spyware

    Run Entries to examine:

    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [msbb] C:\WINDOWS\ddm\0\1\1\msbb.exe
    O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\bs3.dll,DllRun
    O4 - HKLM\..\Run: [SearchEnhancement] "C:\Program Files\scbar\v2\scbar.exe" /U
    O4 - HKLM\..\Run: [WebInstall2] C:\Program Files\ClipGenie\WebInstall.exe /R
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [bxsx5] RunDLL32.EXE C:\WINDOWS\bsx5.dll,DllRun
    O4 - HKLM\..\Run: [4769533.exe] C:\WINDOWS\System32\4769533.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H

    Hijacked browser:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium.com/metasearch.php?dst=M3
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.searchenhancement.com...sm&sstring=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.searchenhancement.com...sm&sstring=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchenhancement.com/searchbar/iev1.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.searchenhancement.com...sm&sstring=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.searchenhancement.com...sm&sstring=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.searchenhancement.com...sm&sstring=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.searchenhancement.com...sm&sstring=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.start.earthlink.net/

    Bad BHOs:

    R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\scbar\v2\scbar.dll
    O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\ipinsigt.dll
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-AB2D-8D32436313D9} - C:\WINDOWS\bsx5.dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - E:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\Support Software\SS2.DLL
    O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINDOWS\bs3.dll
    O2 - BHO: (no name) - {D5B72AED-E54A-11D6-B1B2-444553540000} - C:\WINDOWS\ddm\0\1\4\bho.dll
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL


    Bad Plugins:

    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/update.CAB
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?
    O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
    O16 - DPF: {9656B666-992F-4D74-8588-8CA69E97D90C} - http://www.commonname.com/eng/oneclick/uninstbb.cab


    Remove the above items and check the run entries I flagged. Run Ad-Aware and a virus scan.
    Once clean, install IE-SPYAD and Spyware Blaster to stay protected and run scans with Ad-Aware often.
     
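The triage above is done by eye: the moderator reads each HijackThis line and sorts it into browser settings (R0/R1), BHOs (O2), Run entries (O4) and ActiveX controls (O16). As an added illustration (not something from the thread or from HijackThis itself), the script below parses lines in that v1.97 format and applies three of the same judgements mechanically: a browser setting or DPF control pointing at a host the owner does not recognise, and a logon or BHO binary dropped straight into the Windows directory or given a purely numeric name. The allowlist and the heuristics are constructed for the example, as is the sample log (a subset of the lines posted above plus two benign ones for contrast).

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 format: a few lines from the log
# posted in the thread, with benign entries mixed in for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINDOWS\bs3.dll
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [4769533.exe] C:\WINDOWS\System32\4769533.exe
O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\bs3.dll,DllRun
O4 - HKLM\..\Run: [pccguide.exe] "E:\Program Files\Trend Micro\pccguide.exe"
O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Hosts the machine's owner is expected to recognise (constructed allowlist;
# in practice this is whatever the owner actually set up and installed).
KNOWN_HOSTS = {
    "start.earthlink.net", "www.start.earthlink.net",
    "download.macromedia.com", "v4.windowsupdate.microsoft.com",
}
WINDOWS_ROOT = "c:\\windows"

# Line shapes for the four entry types handled here.
R_RE = re.compile(r"^(R[0-3]) - (.+?) = (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9a-f-]+\}) - (.+)$", re.I)
O4_RE = re.compile(r"^O4 - (.+?): \[(.*?)\] (.+)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9a-f-]+\}) (?:\((.*?)\) )?- (\S+)$", re.I)
# First drive-letter path ending in .exe/.dll inside a Run command line;
# skips the leading "RunDLL32.EXE" and stops before a ",EntryPoint" suffix.
PATH_RE = re.compile(r"[a-z]:\\[^\",]+?\.(?:exe|dll)", re.I)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def suspicious_path(path):
    """Illustrative heuristics for a binary loaded at logon or into IE:
    dropped directly into the Windows directory instead of a Program Files
    folder, or named with digits only (like the 4769533.exe entry above)."""
    directory, _, name = path.lower().rpartition("\\")
    stem = name.rsplit(".", 1)[0]
    if directory == WINDOWS_ROOT:
        return "binary sits directly in the Windows directory"
    if stem.isdigit():
        return "numeric-only file name"
    return None


def triage(log_text, known_hosts=KNOWN_HOSTS):
    """Return (entry type, reason, original line) for each flagged entry."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := R_RE.match(line):
            kind, _key, value = m.groups()
            if value.startswith("http") and host_of(value) not in known_hosts:
                findings.append((kind, f"browser setting points at unfamiliar host {host_of(value)}", line))
        elif m := O2_RE.match(line):
            _name, _clsid, path = m.groups()
            if reason := suspicious_path(path):
                findings.append(("O2", reason, line))
        elif m := O4_RE.match(line):
            _hive, _label, command = m.groups()
            pm = PATH_RE.search(command)
            if pm and (reason := suspicious_path(pm.group(0))):
                findings.append(("O4", reason, line))
        elif m := O16_RE.match(line):
            _clsid, _name, url = m.groups()
            if host_of(url) not in known_hosts:
                findings.append(("O16", f"ActiveX control served from unfamiliar host {host_of(url)}", line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

The allowlist approach mirrors what the moderator did implicitly: the Google toolbar, the Trend Micro agents and the Flash and Windows Update CABs are left alone because the owner knows where they came from, while everything else pointing at a search-redirect host or a "dynamicdesktopmedia" CAB server is flagged. The path heuristic is deliberately crude; it is the "where does this file live, and does its name look like it was generated" question a reviewer asks before deciding whether an O4 entry belongs.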
  7. TheBlueRaja

    TheBlueRaja BR to Some

    Messages:
    766
    Location:
    Fawkirk!
    Jezus,
    I wouldn't know where to start with that. Could he just run Spybot Search & Destroy and let that do all the work for him?
     
  8. Enyo

    Enyo Moderator

    Messages:
    1,338
    Well, HijackThis does the work; all you do is tick the right boxes. Then after that, yes, run AAW or SpyBot.
     
  9. dadecamp

    dadecamp under worked, over paid

    Messages:
    123
    Location:
    Arizona desert
    Enyo,

    Are you saying to checkmark everything you posted or just the bad plug-ins?
     
  10. Enyo

    Enyo Moderator

    Messages:
    1,338
    Everything
     
  11. dadecamp

    dadecamp under worked, over paid

    Messages:
    123
    Location:
    Arizona desert
    SUCCESS!

    Enyo

    :) I did as you suggested and I don't get that security warning anymore.

    I did the SpywareBlaster, IE-spyad, virus scan (clean) and HijackThis.


    Thanks