Recurring Fake Windows Security Message

Status
Not open for further replies.
Hi everyone,

I'm getting a very annoying pop up message that looks really official. It says:

----
Windows Security Center:
WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords.
Do you want to download certificated software and protect your computer?
----

I've run Ad-Aware Personal, Spybot and Norton AntiVirus 2005 lots of times, but it still recurs.

I don't use Internet Explorer; however, Internet Explorer does pop up sometimes via e-mails I receive in Microsoft Outlook - it doesn't seem to want to open files in Firefox, my default browser. And I can't uninstall Internet Explorer for some reason.

I'm attaching my HijackThis file, and I'd really appreciate any advice you might be able to offer.

Thanks everyone,

emmett
 
You've already got HijackThis, so that's good. Make sure you're running the latest version of it (1991). When you're removing entries make sure to do it from safe mode. If not, then the crap running usually just puts itself back into the startup.

How to read your HijackThis log
http://www.tweaksforgeeks.com/ReadHijackThisLog.html

and just in case some spyware has screwed with your DNS (you'll see a 'Hijacked internet access by new.net' entry in HijackThis):
How to repair your DNS tables
http://www.tweaksforgeeks.com/RepairDNS.html
 
Essential Windows processes
http://www.tweaksforgeeks.com/EssentialProc.html


Mkay...

F:\WINDOWS\System32\CTsvcCDA.EXE definitely don't like
F:\WINDOWS\system32\gearsec.exe don't like
F:\WINDOWS\System32\CAPRPCSK.EXE don't like
F:\WINDOWS\System32\MsPMSPSv.exe definitely don't like
F:\WINDOWS\sysuz32.exe definitely don't like
F:\WINDOWS\System32\devldr32.exe suspicious
F:\Program Files\Messenger Plus! 2\MsgPlus.exe ?? suspicious
F:\WINDOWS\system32\crme.exe maybe bad, dunno. Google it


REMOVE -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {46015205-9C0D-68F5-0714-0BA8A0DA3C56} - F:\WINDOWS\javasa.dll

O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe F:\WINDOWS\System32\CrazyTalk.dll,DllServeMediaFile

O4 - HKLM\..\Run: [MessengerPlus2] "F:\Program Files\Messenger Plus! 2\MsgPlus.exe"

O4 - HKLM\..\Run: [541.tmp] F:\DOCUME~1\Emmett\LOCALS~1\Temp\541.tmp.exe 0 10001

O4 - HKLM\..\Run: [crme.exe] F:\WINDOWS\system32\crme.exe
O4 - HKLM\..\RunOnce: [sysuz32.exe] F:\WINDOWS\sysuz32.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149


Remember to do it from safe mode.
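As an added illustration, not code from the original thread or from HijackThis itself, here is a small Python triage script that applies the same reading rules the reply above uses to a HijackThis log: IE search and start pages redirected into a `res://` DLL resource, a proxy server set for IE, a missing URLSearchHook, an unnamed BHO, startup entries launching from a Temp folder or via RunOnce, and anything added to the IE Trusted Zone. The log lines embedded in the script are copied from the excerpt quoted in this post; the flagging rules and the wording of the reasons are my own assumptions about what a defender would want called out, not HijackThis's own classification.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Sample input: lines copied from the HijackThis log excerpt quoted in the
# reply above (raw string so the backslashes stay as they appear in the log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {46015205-9C0D-68F5-0714-0BA8A0DA3C56} - F:\WINDOWS\javasa.dll
O4 - HKLM\..\Run: [MessengerPlus2] "F:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [541.tmp] F:\DOCUME~1\Emmett\LOCALS~1\Temp\541.tmp.exe 0 10001
O4 - HKLM\..\RunOnce: [sysuz32.exe] F:\WINDOWS\sysuz32.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
"""


class Finding(NamedTuple):
    code: str    # HijackThis section code, e.g. "R1" or "O4"
    reason: str  # why the entry deserves a second look
    line: str    # the original log line


# Every HijackThis entry starts with a section code, a dash, then the body.
LINE_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split a log line into (section code, body); None if it is not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def triage_line(line: str) -> Optional[Finding]:
    """Apply the reviewer's rules (assumed here) to one log line."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    code, body = parsed
    lowered = body.lower()

    if code in ("R0", "R1"):
        if "= res://" in body:
            return Finding(code, "IE search/start page redirected into a local DLL resource (classic browser hijack)", line)
        if ",proxyserver" in lowered:
            return Finding(code, "Proxy server set for IE; confirm it is your own gateway and not a traffic interceptor", line)
        return None
    if code == "R3" and "missing" in lowered:
        return Finding(code, "Default URLSearchHook missing; hijackers commonly remove it", line)
    if code == "O2" and "(no name)" in lowered:
        return Finding(code, "Unnamed BHO loading a DLL straight from the Windows directory", line)
    if code == "O4":
        if "\\temp\\" in lowered or ".tmp.exe" in lowered:
            return Finding(code, "Startup entry launching an executable from a Temp folder", line)
        if "runonce:" in lowered:
            return Finding(code, "RunOnce entry; also used by malware to re-arm itself after a cleanup", line)
        return None
    if code == "O15":
        return Finding(code, "Host or IP added to the IE Trusted Zone, which lowers security for that site", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and collect the hits in order."""
    return [f for f in (triage_line(raw) for raw in log_text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per section code, handy for a quick overview."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the excerpt, the script flags eight of the eleven lines; the Messenger Plus startup entry, the `about:blank` default page and the ISP start page in `O14` pass through, which is where a human reader still has to decide (the reply above, for instance, treats MsgPlus.exe as suspicious on other grounds).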
 
That's great, thanks so much. I've removed all that stuff, except for the processes. Is there a way to do that via HijackThis? (I only see them in the logfile, not in the HijackThis window.) Or do I just manually delete them via Windows Explorer?

Thanks, I really appreciate your help!

emmett
 
Ctrl+Alt+Delete and select the Processes tab. Select all but the essential Windows processes and end the process. Then run HijackThis again and clean up some more. This should prevent the stuff from loading at all. When you reboot you can do the Ctrl+Alt+Delete again and see what has loaded.

MSConfig is also handy. Some stuff you may even want to leave running, so that's what MSConfig is good for. It's easier to undo.

How to modify Windows startup
http://www.tweaksforgeeks.com/ModSysStart.html
 