
Please help me out; this is my first post. I have been infected by a plethora of spyware. One of the messages I get is the 'Microsoft Windows Security Warning', which always installs obscene pictures onto my desktop.

Logfile of HijackThis v1.99.1
Scan saved at 2:20:35 PM, on 6/25/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SVCHOST.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\SYSTEM\SVCHOST.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCUPDMGR.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCUPDUI.EXE
C:\MY DOCUMENTS\DALMATION\KNOWLEDGE ECONOMY\2005 DOWNLOADS\TRENDMICRO\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 90.0.0.1:3128
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\SYSTEM\ZOLKER001.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [Auto Update] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe zolk.dll, DllRegisterServer
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\SYSTEM\SVCHOST.EXE /s
O4 - HKLM\..\Run: [said] 12
O4 - HKLM\..\Run: [load32] C:\WINDOWS\SYSTEM\winldra.exe
O4 - HKLM\..\Run: [mcupdmgr.exe] C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCUPDMGR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c521.cab
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - C:\WINDOWS\SYSTEM\thn32.dll (file missing)

Thanks in advance.


gee777,

Hi and welcome to the Daniweb forums :).

===============

The version of Internet Explorer you're currently using is out of date, and should be upgraded to the newest version as soon as possible.

===============

Go to www.trendmicro.com, and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:

1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.

===============

Now, let's open a command prompt by going to the Start menu and then selecting 'Run'.

In the box that pops up type in 'cmd'. The command prompt will open.

OR

You can go to Start -> Programs -> Accessories -> Command Prompt. Unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u ZOLKER001.DLL

It's OK if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\SYSTEM\SVCHOST.EXE

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Still in HiJackThis, click "Scan", then check(tick) the following, if present:


O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\SYSTEM\ZOLKER001.DLL

O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [Auto Update] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe zolk.dll, DllRegisterServer
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\SYSTEM\SVCHOST.EXE /s
O4 - HKLM\..\Run: [said] 12
O4 - HKLM\..\Run: [load32] C:\WINDOWS\SYSTEM\winldra.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)

O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)

O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares...ysb_regular.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...bridge-c521.cab

O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - C:\WINDOWS\SYSTEM\thn32.dll (file missing)


Now, with all windows closed (including Internet Explorer) except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:

folders...

C:\PROGRAM FILES\MEDIA ACCESS

files...

C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\SYSTEM\SVCHOST.EXE
C:\WINDOWS\SYSTEM\ZOLKER001.DLL
C:\WINDOWS\SYSTEM\Kernel.dll
C:\WINDOWS\SYSTEM\winldra.exe

Search for...

zolk.dll

...using "Start | Search...".

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

To help protect your system from hostile ActiveX content, or special 'downloadable' files:

Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:

1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.

-

Note: Remember to regularly check for updates.

===============

After rebooting, rescan with HijackThis and post back a new log. Let me know how everything goes.


Thank you very much. Below are the results of the virus scan showing the viruses that could not be cleaned. Meanwhile I will finish the rest of the procedures and keep you posted.

Virus Scan: 0 virus cleaned, 0 virus deleted

Results: We have detected 5 infected file(s) with 5 virus(es) on your computer:
- 5 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 0 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible

Detected File | Associated Virus Name | Action Taken
C:\_RESTORE\ARCHIVE\FS6.CAB - A0071489.CPY | TROJ_DLOADER.PX | Pass
C:\_RESTORE\ARCHIVE\FS7.CAB - A0071649.CPY | TROJ_DLOADER.PX | Pass
C:\_RESTORE\ARCHIVE\FS26.CAB - A0081006.CPY | TROJ_SMALL.AFF | Pass
C:\WINDOWS\SYSTEM\vxh8jkdq5.exe | TROJ_SMALL.AFK | Pass
C:\WINDOWS\svchost.exe | TROJ_DLOADER.PX | Pass


Trojan/Worm Check: 0 worm/Trojan horse deleted

What we checked: Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results: We have detected 1 Trojan horse program(s) and worm(s) on your computer:
- 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable

Trojan/Worm Name | Trojan/Worm Type | Action Taken
VBS_REDLOF | Others | Unknown


Spyware Check: 12 spyware programs removed

What we checked: Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results: We have detected 13 spyware(s) on your computer:
- 1 spyware(s) passed, 0 spyware(s) no action available
- 12 spyware(s) removed, 0 spyware(s) unremovable

Spyware Name | Spyware Type | Action Taken
COOKIE_1433 | Cookie | Pass
ADW_RBLASTDLL.A | Adware | Removal successful
SPYW_SITEBAR.A | Spyware | Removal successful
ADW_ISTBAR.C | Adware | Removal successful
SPYW_DUMARIN.O | Spyware | Removal successful
ADW_WUPD.F | Adware | Removal successful
SPYW_AGENT.HS | Spyware | Removal successful
SPYW_DYFUCA.L | Spyware | Removal successful
SPYW_MEDACCESS.A | Spyware | Removal successful
ADW_BLAZE.B | Adware | Removal successful
ADW_WINAD.L | Adware | Removal successful
ADW_ISTBAR.R | Adware | Removal successful
ADW_MEDACCESS.A | Adware | Removal successful


Microsoft Vulnerability Check: 16 vulnerabilities detected

What we checked: Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results: We have detected 16 vulnerability/vulnerabilities on your computer.

Risk Level | Issue | How to Fix
Highly Critical | This vulnerability enables a remote attacker to access a Windows 9x/ME shared file without having to know the entire password assigned to that share, since just by sending a 1-byte password that matches the first character of the real password could allow access to that share. | MS00-072
Highly Critical | This vulnerability enables a remote attacker to execute arbitrary commands via a malicious web page or e-mail. This is caused by the Microsoft Virtual Machine allowing the security settings of Internet Explorer to be bypassed. | MS00-075
Highly Critical | This vulnerability enables attackers to launch an attachment automatically by making use of an unusual MIME type that IE handles incorrectly. | MS01-020
Critical | This vulnerability enables a remote attacker to execute arbitrary code through the use of a malformed Advanced Streaming Format (ASF) file. It is caused by a buffer overflow in Microsoft Windows Media Player 6.4. | MS01-056
Critical | This vulnerability enables a remote attacker to execute arbitrary codes on the users system. It is caused by Internet Explorer 6.0 believing that the file to be opened is safe to open without user confirmation, due to some changes made in the HTML header.; This vulnerability enables a remote attacker to read any file contained in the users system that could be opened through Internet Explorer 5.5 or 6.0.; This vulnerability enables a remote attacker to represent the file name in the File Download dialogue box of Internet Explorer 5.5 or 6.0 with a different name that could fool users into thinking that the said file is safe to download. | MS01-058
Critical | This vulnerability allows a remote attacker to execute arbitrary code via a web page that specifies embedded ActiveX controls in a way that causes 2 Unicode strings to be concatenated when buffer overflow in the implementation of an HTML directive in mshtml.dll in Internet Explorer 5.5 and 6.0 is triggered.; A remote attacker could read arbitrary files via malformed requests to the GetObject function because Internet Explorer 5.01, 5.5 and 6.0 bypass some of GetObject's security checks.; File Download box in Internet Explorer 5.01, 5.5 and 6.0 allows the modification of the displayed name of the file through Content-Disposition and Content-Type HTML header fields, which could allow an attacker to trick a user into believing that a file is safe to download.; Because Internet Explorer 5.01, 5.5 and 6.0 does not properly handle the Content-Type HTML header field, a remote attacker is allowed to modify which application is used to process a document.; Internet Explorer 5.5 and 6.0 bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made, which could allow a remote attacker to compromise user system through the said vulnerability.; Internet Explorer 5.5 and 6.0 allows the reading of certain files and spoofing of the URL in the address bar through the Document.open function, which could allow a remote attacker to compromise user system through the said vulnerability.; This vulnerability allows a remote attacker to read arbitrary files by specifying a local file as an XML Data Source. This is caused by the XMLHTTP control found in Microsoft XML Core Services 2.6 and later not properly handling Internet Explorer Security Zone settings. | MS02-005
Critical | This vulnerability enables a remote attacker to run scripts in the Local Computer zone. This is done via a script that is embedded in a cookie that would be saved to the users system.; This vulnerability enables a remote attacker to invoke an executable on the users system via an HTML web page that includes an object tag. | MS02-015
Critical | This vulnerability enables a remote attacker to execute code via a malformed HTTP request to the Data Stub when the heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0 is triggered. | MS02-065
Highly Critical | This vulnerability enables a remote attacker to execute any file that can be rendered as text, and be opened as part of a page in Internet Explorer. | MS03-014
Critical | This vulnerability enables a remote attacker to cause a denial of service and execute arbitrary code through a specially formed web page or HTML e-mail. This is caused by a flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation. | MS03-023
Critical | This vulnerability enables a remote attacker to execute arbitrary code through a specially crafted MIDI file. This is caused by multiple buffer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL). | MS03-030
Highly Critical | These vulnerabilities, which are due to Internet Explorer not properly determining an object type returned from a Web server in a popup window or during XML data binding, respectively, could allow an attacker to run arbitrary code on a user's system. | MS03-040
Critical | This vulnerability could allow an attacker to access information from other Web sites, access files on a user's system, and run arbitrary code on a user's system, wherein this is executed under the security context of the currently logged on user.; This vulnerability could allow an attacker to save a file on the users system. This is due to dynamic HTML events related to the drag-and-drop of Internet Explorer.; This vulnerability, which is due to the incorrect parsing of URLs which contain special characters, could allow an attacker to trick a user by presenting one URL in the address bar, wherein it actually contains the content of another web site of the attackers choice. | MS04-004
Critical | The MHTML URL Processing Vulnerability allows remote attackers to bypass domain restrictions and execute arbitrary code via script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers. This could allow an attacker to take complete control of an affected system. | MS04-013
Critical | This update resolves a newly-discovered, publicly reported vulnerability. A vulnerability exists in the HTML Help ActiveX control in Windows that could allow information disclosure or remote code execution on an affected system. | MS05-001
Critical | This vulnerability exists in the DHTML Editing Component ActiveX Control. This vulnerability could allow information disclosure or remote code execution on an affected system. | MS05-013


Done. Thanks a lot for your help. Here is my latest HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 6:38:19 PM, on 6/30/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\DALMATION\KNOWLEDGE ECONOMY\2005 DOWNLOADS\TRENDMICRO\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 90.0.0.1:3128
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

Do you think I am 'safe' now? Somehow my SpywareBlaster cannot download updates. The message I get is "Cannot establish a connection to download".


1. You are running Sygate's Personal Firewall, which is the most likely culprit in terms of SpywareBlaster's connection problem. Disable the firewall completely and try SpywareBlaster again. If it connects, you'll have to manually configure Sygate to allow SpywareBlaster to connect.


2. The following entry in your log indicates that you are not connecting directly to the Internet, but are instead being routed through a proxy server first. Can you give us more information on that, please?

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 90.0.0.1:3128


DMR. That proxy may also be the cause of the problem too. I have noticed that a lot of programs like spywareblaster can only update with a direct connection.


DMR. That proxy may also be the cause of the problem too. I have noticed that a lot of programs like spywareblaster can only update with a direct connection.

Yeah, exactly; that's one of the places I was going with that one. Another thing I found suspicious is that an nslookup and whois search on the 90.0.0.1 IP address in the proxy entry did not turn up anything in regard to a domain name.
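The triage that the removal instructions above walk through by hand (svchost.exe names on a Win9x host, an unnamed BHO, Trusted Zone additions, ActiveX CABs pulled from non-Microsoft hosts, the SSODL entry) and the proxy question DMR raises can be turned into a repeatable check. The Python below is an added example, not code from this thread or from HijackThis: it parses HijackThis-format lines and applies those heuristics. The sample log is a constructed subset of the lines posted earlier in the thread; the allowlist of ActiveX download hosts is an assumption to edit locally; and for the R1 proxy entry it only classifies the address as private (RFC 1918) or public and notes that 3128 is Squid's default port, rather than doing the nslookup/whois DMR describes. The svchost.exe rule relies on the fact that svchost.exe is a Windows NT-family host process that does not exist on Windows 9x/ME.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample input: a subset of the log lines posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\SYSTEM\SVCHOST.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 90.0.0.1:3128
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\SYSTEM\ZOLKER001.DLL
O4 - HKLM\..\Run: [Auto Update] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
O4 - HKLM\..\Run: [said] 12
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted IP range: 67.19.178.84
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - C:\WINDOWS\SYSTEM\thn32.dll (file missing)
"""

# svchost.exe is an NT-family (2000/XP) host process; Windows 9x/ME has no such file.
NT_ONLY_NAMES = {"svchost.exe"}
TRUSTED_DPF_HOSTS = (".microsoft.com", ".windowsupdate.com", ".trendmicro.com")  # assumed allowlist

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# First program of a Run command; the lookahead keeps "MCAFEE.COM\" from counting as an extension.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|com|bat|scr|pif|vbs))(?=["\s]|$)', re.I)
URL_RE = re.compile(r"https?://\S+")

def is_nt_only(path):
    return path.rsplit("\\", 1)[-1].strip().lower() in NT_ONLY_NAMES

def check_run(body):
    m = RUN_RE.search(body)
    if not m:  # O4 Startup-folder entries carry no [name] part
        return None
    name, cmd = m.group("name"), m.group("cmd")
    prog = EXE_RE.match(cmd.strip())
    if not prog:
        return ("medium", "O4", f"[{name}] launches no program: {cmd!r}")
    exe = prog.group("exe")
    if is_nt_only(exe):
        return ("high", "O4", f"[{name}] starts {exe}, an NT-only name on Win9x")
    if exe.lower().endswith(".dll"):
        return ("medium", "O4", f"[{name}] points a Run value at a DLL: {exe}")
    return None

def check_dpf(body):
    m = URL_RE.search(body)
    host = (urlparse(m.group(0)).hostname or "").lower() if m else ""
    if host.endswith(TRUSTED_DPF_HOSTS):
        return None
    return ("high", "O16", f"ActiveX control downloaded from {host or 'unknown source'}")

def check_proxy(body):
    if "ProxyServer" not in body:
        return None
    target = body.split("=", 1)[-1].strip()
    host, _, port = target.rpartition(":") if ":" in target else (target, "", "")
    try:
        note = "private (RFC 1918) address" if ipaddress.ip_address(host).is_private else "public address"
    except ValueError:
        note = "hostname"
    if port == "3128":
        note += "; 3128 is the Squid default port"
    return ("review", "R1", f"all IE traffic goes through proxy {target} ({note})")

CHECKS = {
    "R1": check_proxy,
    "O2": lambda b: ("medium", "O2", f"BHO with no name: {b}") if "(no name)" in b else None,
    "O4": check_run,
    "O15": lambda b: ("medium", "O15", f"site granted IE Trusted-zone rights: {b}"),
    "O16": check_dpf,
    "O21": lambda b: ("review", "O21", f"shell service object loaded at logon: {b}"),
}

def triage(log_text):
    """Return (severity, code, detail) findings for one HijackThis log."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and line:
            f = ("high", "process", f"{line}: no such file on Windows 9x/ME") if is_nt_only(line) else None
        else:  # a blank line ends the process list
            in_processes = False
            m = ENTRY_RE.match(line)
            f = CHECKS.get(m.group("code"), lambda b: None)(m.group("body")) if m else None
        if f:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for sev, code, detail in triage(SAMPLE_LOG):
        print(f"{sev:6} {code:7} {detail}")
```

On the sample it reports both svchost.exe processes and the [Auto Update] Run value as high, the unnamed BHO, the DLL and non-program Run values and both Trusted Zone entries as medium, the ysbweb.com CAB as high, and leaves the Trend Micro HouseCall control and the Sygate entry alone; the R1 line is reported for review with the 90.0.0.1 address classed as public. The rules are deliberately conservative: anything not matched is left for the analyst, which is also why the O21 entry is marked for review rather than flagged outright.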


I think you guys are right about my proxy server being the culprit. I tried to disable the Sygate firewall, but still I could not update SpywareBlaster.

I use the internet at work, and my computer is part of a large network of computers. My IT knowledge is not the best, but I think I am connecting through the Local Area Network (LAN). I am in Africa, by the way.

My Sygate firewall tells me that kernel32.dll wants to connect to the internet. Is this something that HJT can cure?
