Recurring Fake Windows Security Message

By legofireman
Mar 2, 2005
Topic Status:
Not open for further replies.
  1. Hi everyone,

    I'm getting a very annoying pop up message that looks really official. It says:

    ----
    Windows Security Center:
    WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords.
    Do you want to download certificated software and protect your computer?
    ----

    I've run Ad-Aware Personal, Spybot and Norton AntiVirus 2005 lots of times, but it still recurs.

    I don't use Internet Explorer; however, Internet Explorer does pop up sometimes via e-mails I receive in Microsoft Outlook - it doesn't seem to want to open files in Firefox, my default browser. And I can't uninstall Internet Explorer for some reason.

    I'm attaching my hijackthis file, and I'd really appreciate any advice you might be able to offer.

    Thanks everyone,

    emmett
  2. Sootah

    Sootah Newcomer, in training

    You've already got hijackthis, so that's good. Make sure you're running the latest version of it (1991). When you're removing entries make sure to do it from safe mode. If not, then the crap running usually just puts itself back into the startup.

    How to read your hijackthis log
    http://www.tweaksforgeeks.com/ReadHijackThisLog.html

    and just in case some spyware has screwed with your DNS (You'll see a 'Hijacked internet access by new.net' entry in hijackthis)
    How to repair your DNS tables
    http://www.tweaksforgeeks.com/RepairDNS.html
  3. Sootah

    Sootah Newcomer, in training

    Essential Windows processes
    http://www.tweaksforgeeks.com/EssentialProc.html

    Mkay...

    F:\WINDOWS\System32\CTsvcCDA.EXE definitely don't like
    F:\WINDOWS\system32\gearsec.exe don't like
    F:\WINDOWS\System32\CAPRPCSK.EXE don't like
    F:\WINDOWS\System32\MsPMSPSv.exe definitely don't like
    F:\WINDOWS\sysuz32.exe definitely don't like
    F:\WINDOWS\System32\devldr32.exe suspicious
    F:\Program Files\Messenger Plus! 2\MsgPlus.exe ?? suspicious
    F:\WINDOWS\system32\crme.exe maybe bad, dunno. Google it


    REMOVE -

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {46015205-9C0D-68F5-0714-0BA8A0DA3C56} - F:\WINDOWS\javasa.dll

    O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe F:\WINDOWS\System32\CrazyTalk.dll,DllServeMediaFile

    O4 - HKLM\..\Run: [MessengerPlus2] "F:\Program Files\Messenger Plus! 2\MsgPlus.exe"

    O4 - HKLM\..\Run: [541.tmp] F:\DOCUME~1\Emmett\LOCALS~1\Temp\541.tmp.exe 0 10001

    O4 - HKLM\..\Run: [crme.exe] F:\WINDOWS\system32\crme.exe
    O4 - HKLM\..\RunOnce: [sysuz32.exe] F:\WINDOWS\sysuz32.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149

    Remember to do it from safe mode.
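As an added, defender-side illustration (not code from the thread or from HijackThis itself), the following Python applies the kind of heuristics Sootah used above to log lines of this format: res:// search-page redirects, a configured IE proxy, an unnamed BHO, autostarts launched from Temp or the Windows root, and Trusted Zone additions. The sample entries are copied from the log quoted in the thread; the regexes, heuristics and reason strings are mine.

```python
import re
from typing import List, Optional, Tuple

# Sample entries copied from the HijackThis log quoted in the thread, plus the
# Messenger Plus line as a control that the heuristics should leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
O2 - BHO: (no name) - {46015205-9C0D-68F5-0714-0BA8A0DA3C56} - F:\WINDOWS\javasa.dll
O4 - HKLM\..\Run: [541.tmp] F:\DOCUME~1\Emmett\LOCALS~1\Temp\541.tmp.exe 0 10001
O4 - HKLM\..\RunOnce: [sysuz32.exe] F:\WINDOWS\sysuz32.exe
O4 - HKLM\..\Run: [MessengerPlus2] "F:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
"""

# A HijackThis entry is "<section code> - <body>", e.g. "R1 - ...", "O4 - ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+)\s+-\s+(?P<body>.+)$")
# An .exe sitting directly in the Windows directory (not System32) is unusual.
WINROOT_EXE_RE = re.compile(r"\\windows\\[^\\\s]+\.exe", re.IGNORECASE)

def triage_entry(line: str) -> Optional[str]:
    """Return why an entry deserves review, or None if no heuristic fires."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1") and "res://" in body:
        return "IE search/start page redirected into a local DLL via res://"
    if code == "R1" and "ProxyServer" in body:
        return "IE proxy configured; browser traffic is relayed through that address"
    if code == "O2" and "(no name)" in body:
        return "unnamed BHO loaded into every Internet Explorer process"
    if code == "O4":
        if "\\temp\\" in body.lower():
            return "autostart launches an executable from a Temp directory"
        if WINROOT_EXE_RE.search(body):
            return "autostart launches an executable from the Windows root"
    if code == "O15":
        return "Trusted Zone/IP entry lowers IE security for that host"
    return None

def triage_log(text: str) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for every line a heuristic flags."""
    pairs = ((ln.strip(), triage_entry(ln)) for ln in text.splitlines())
    return [(ln, why) for ln, why in pairs if why]
```

Running `triage_log(SAMPLE_LOG)` flags seven of the eight entries; the Messenger Plus autostart, which lives under Program Files, is left for the reader to judge, as Sootah did.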
  4. legofireman

    legofireman Newcomer, in training Topic Starter

    That's great, thanks so much. I've removed all that stuff, except for the processes. Is there a way to do that via HijackThis? (I only see them in the logfile, not in the HijackThis window.) Or do I just manually delete them via Windows Explorer?

    Thanks, I really appreciate your help!

    emmett
  5. Sootah

    Sootah Newcomer, in training

    Ctrl+Alt+Delete and select the Processes tab. Select all but the essential Windows processes and end the process. Then run HijackThis again and clean up some more. This should prevent the stuff from loading at all. When you reboot you can do the Ctrl+Alt+Delete again and see what has loaded.

    MSConfig is also handy. Some stuff you may even want to leave running, so that's what MSConfig is good for. It's easier to undo.

    How to modify Windows startup
    http://www.tweaksforgeeks.com/ModSysStart.html