Fake "Windows Security Center" and ad-pops

By leongaignun
Nov 28, 2004
  1. Lately I have been receiving a pop-up titled "Windows Security Center" that looks like a valid pop-up but is in fact some kind of ad program that redirects you to a bad website.

    "Windows Security Center"

    WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords.

    I have also been getting popups to webpages concerning gambling, porn, and what not from it.

    Everything I have tried will NOT REMOVE it. I am going nuts and pulling out my hair. The pop ups and alerts are causing my programs to close on me at critical moments.

    This is my Hijackthis log:

    Logfile of HijackThis v1.99.0
    Scan saved at 7:37:51 PM, on 11/11/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Final Fantasy\Desktop\HijackThis.exe

    O1 - Hosts: search.netscape.com 12.129.205.209
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

    Anyone that could possibly help me I would greatly appreciate it.
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Please enter your system specs at the top of the page (click on edit profile).

    Take a look at the first half of this thread.

    Regards Howard :wave: :wave:
  3. AtK SpAdE

    AtK SpAdE TechSpot Chancellor Posts: 1,495

    leongaignun, it may be time to try...drumroll please...Firefox. But seriously, it is much better than IE (at least for security).

    Sean :darth:
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Your HJT-log looks quite normal.

    I would be suspicious though of these entries:

    O1 - Hosts: search.netscape.com 12.129.205.209
    This is Incredifind, which may well lead you astray to those off-sites.

    O15 - Trusted Zone: http://*.
    Never trust anybody!

    In safe mode, run HJT as the only program and have it fix those 2.
  5. leongaignun

    leongaignun TS Rookie Topic Starter

    Thanks for the replies. However, it will not delete with HijackThis (the trusted zone), even in safe mode. It keeps coming back. I even tried deleting the registry entry (I don't remember where it was), but it came back even then.

    Getting very frustrated with it.
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You may be able to uninstall Incredifind in Add/Remove Programs; look for an entry named mx-targeting.

    Regards Howard :wave:
  7. jstillion

    jstillion TS Rookie Posts: 91

  8. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    go to winnt\system32\drivers\etc and open the HOSTS file with Notepad.
    add a new line in this format *.

    with at least one space after the
    Normally you put the website's name in there, but the first * could be anything between 0-255.
    Probably belongs to: Beyond The Network America, Inc.

    do the same for Incredifind (belongs to CERFnet in San Diego)

    I don't know if the HOSTS file can stop IP-numbers but it is worth a try.
    Save the file using "save as" and save HOSTS without an extension!

    See more about HOSTS here:
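    The HOSTS check that the two replies above describe (the hijacked O1 entry HijackThis reported, and adding HOSTS lines that send unwanted names to the local machine) as an added example; this is not code from the original thread or from any of the posters. The sample HOSTS content and the HijackThis-style line below are constructed for illustration; the only value reused from the thread is the 12.129.205.209 -> search.netscape.com mapping quoted in the log.

```python
import ipaddress
import re

# Constructed sample HOSTS content (not the poster's file). It reproduces the
# pattern HijackThis reported as an O1 entry: a well-known search host mapped
# to a public address, alongside the benign lines a HOSTS file normally holds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
12.129.205.209  search.netscape.com   # search site sent to someone else's server
12.129.205.209  auto.search.msn.com
0.0.0.0         ads.example.invalid   # deliberate blackhole: harmless
192.168.1.10    fileserver            # LAN name: harmless
"""

# Constructed HijackThis-style lines in the documented "O1 - Hosts: <ip> <name>" shape.
SAMPLE_HJT_LINES = [
    "O1 - Hosts: 12.129.205.209 search.netscape.com",
    "O4 - HKLM\\..\\Run: [ccApp] \"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"",
]


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text; comments and blank lines are
    skipped, and one address may carry several names on the same line."""
    entries = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue
        entries.extend((fields[0], name.lower()) for name in fields[1:])
    return entries


def parse_hjt_o1(lines):
    """Pull (ip, hostname) pairs out of HijackThis 'O1 - Hosts:' lines; every other O-line is ignored."""
    pairs = []
    for line in lines:
        m = re.match(r"O1 - Hosts:\s+(\S+)\s+(\S+)", line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def is_redirect(ip):
    """True when the first field is a publicly routable address.
    localhost, 0.0.0.0 blackholes and RFC 1918 LAN addresses are the normal,
    benign contents of HOSTS; a public address is how a HOSTS hijack sends a
    name like search.netscape.com to a server the user never chose."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # malformed first field: nothing Windows itself writes, so flag it
    return addr.is_global


def find_redirects(entries):
    """Filter parsed entries down to the ones that point names at public addresses."""
    return [(ip, name) for ip, name in entries if is_redirect(ip)]


def blackhole_lines(names, target="127.0.0.1"):
    """Replacement HOSTS lines that resolve the hijacked names to the local machine.
    This only changes name lookup: a program that connects to 12.129.205.209
    by raw IP never consults HOSTS, so the file cannot block IP numbers."""
    return [f"{target}\t{name}" for name in sorted(set(names))]


def audit(hosts_text, hjt_lines):
    """Combine both sources and return the suspect entries plus the lines that neutralise them."""
    entries = parse_hosts(hosts_text) + parse_hjt_o1(hjt_lines)
    bad = find_redirects(entries)
    return {"redirects": bad, "fix": blackhole_lines(name for _, name in bad)}


if __name__ == "__main__":
    result = audit(SAMPLE_HOSTS, SAMPLE_HJT_LINES)
    for ip, name in result["redirects"]:
        print(f"suspicious: {name} -> {ip}")
    print("\n".join(result["fix"]))
```

    To audit a real machine, read the actual file into parse_hosts instead of the constructed sample; on the poster's system the HijackThis log shows the system root as C:\WINDOWS, so the file is C:\WINDOWS\system32\drivers\etc\hosts (no extension). The is_global test is the deliberate design choice: private and loopback targets are left alone because they are what a legitimate HOSTS file contains, so only entries that hand a name to an outside server are reported.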
  9. River Stan

    River Stan TS Rookie

    Possible Solution

    I have just finished working on the second computer sent to me with this problem. The first one was last year and no one had a solution, so I had to do a fresh install. This time I have managed to clear it all up using Ad-Aware and AVG and editing and deleting stuff. The last update from AVG found 3 variants of a Trojan, as follows: Clicker.BN in ipcfg.exe, Clicker.BO in scands32.exe and Clicker.BP in snnpapi.exe. Removed all 3. Also, while running AVG, I discovered there were hidden files (mainly porn-type jpgs) in the Temporary Internet Files/IEContent folder. The only way I could see them was to go to 'Find' and look for jpgs; they did not show up any other way, even in DOS (the computer is running W98), so the only way I could get rid of them was to delete all the folders in the IEContent folder. Since these last 2 things I haven't had the fake message or the poker/insurance/you-name-it thingys attempting to access the internet, and the computer now seems fine and ready to go home to its owner. Ad-Aware had also cleaned out heaps of malware, dialers, droppers, trojans etc. before I got to this point, but it seems that AVG may have been the answer for the last couple of things, as I had deleted the files that were hidden earlier on (although they weren't hidden then!!). Also installed ZoneAlarm and it seems to be keeping a huge amount of attacks at bay. Oh, the Clicker trojans also appeared in backups of those files as well.
    Hope this might help someone else.
    River Stan
Topic Status:
Not open for further replies.
