Fake "Windows Security Center" and ad-pops

Status
Not open for further replies.
Lately I have been receiving a pop up titled "Windows Security Center" that looks like a valid popup but is in fact some kind of ad-program that redirects you to a bad website.

"Windows Security Center"

WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords.

I have also been getting popups to webpages concerning gambling, porn, and what not from it.

Everything I have tried will NOT REMOVE it. I am going nuts and pulling out my hair. The pop ups and alerts are causing my programs to close on me at critical moments.

This is my Hijackthis log:

Logfile of HijackThis v1.99.0
Scan saved at 7:37:51 PM, on 11/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Final Fantasy\Desktop\HijackThis.exe

O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: .63.219.181.7
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097700653811
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


Anyone that could possibly help me I would greatly appreciate it.
 
leongaignun, it may be time to try....drumroll please...Firefox. But seriously, it is much better than IE (at least for security).


Sean :darth:
 
Your HJT-log looks quite normal.

I would be suspicious though of these entries:

O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
This is Incredifind, which may well lead you astray to those off-sites.

O15 - Trusted Zone: .63.219.181.7
Never trust anybody!

In safe mode, run HJT as the only program and have it fix those 2.
 
Thanks for the replies.. however it will not delete with HijackThis (the trusted zone), even in safe mode. It keeps coming back. I even tried deleting the registry.. I don't remember where it was at.. but it came back even then.

Getting very frustrated with it.
 
You may be able to uninstall Incredifind in Add/Remove Programs: look for an entry named mx-targeting.

Regards Howard :wave:
 
Go to winnt\system32\drivers\etc and open the HOSTS file with Notepad.
Add a new line in this format:

127.0.0.1 *.63.219.181.7

with at least one space after the 127.0.0.1.
Normally you put the website's name in there, but the first * could be anything between 0-255.
Probably belongs to: Beyond The Network America, Inc.

Do the same for 12.129.205.209, Incredifind (belongs to CERFnet in San Diego).

I don't know if the HOSTS file can stop IP-numbers, but it is worth a try.
Save the file using "save as" and save HOSTS without an extension!

See more about HOSTS here: http://accs-net.com/hosts/what_is_hosts.html
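An added example that is not part of this thread and not HijackThis code: it mechanises the two checks raised earlier (the O1 hosts entries and the O15 Trusted Zone entry) and the HOSTS-file advice above. It parses HJT-style O1/O15 lines, flags a hostname that is redirected to a remote address instead of loopback, flags a raw IP granted Trusted Zone status, and runs the same redirect check over raw HOSTS-file text. The sample lines are constructed from the entries quoted in this thread; `ads.example.invalid` and `incredifind.example.invalid` are placeholder names.

```python
import ipaddress
import re

# Constructed sample: the O1/O15 lines quoted in this thread (two hosts entries
# split onto separate lines) plus two benign entries for contrast.
HJT_LINES = [
    "O1 - Hosts: 12.129.205.209 search.netscape.com",
    "O1 - Hosts: 12.129.205.209 sitefinder.verisign.com",
    "O1 - Hosts: 127.0.0.1 ads.example.invalid",
    "O15 - Trusted Zone: .63.219.181.7",
    "O15 - Trusted Zone: *.windowsupdate.com",
]
SAMPLE_HOSTS = """# constructed HOSTS file text
127.0.0.1       localhost
12.129.205.209  search.netscape.com  sitefinder.verisign.com  # hijack
127.0.0.1       incredifind.example.invalid
"""
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O15_RE = re.compile(r"^O15 - Trusted Zone:\s+(\S+)")

def is_sinkhole(ip):
    # Loopback/unspecified targets only block a name; anything else redirects it.
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def hosts_redirects(pairs):
    # pairs are (ip, hostname); report the ones sending a name to a remote host
    return [f"hosts redirect: {h} -> {ip}" for ip, h in pairs if not is_sinkhole(ip)]

def flag_hjt_line(line):
    m = O1_RE.match(line)
    if m:
        return hosts_redirects([m.groups()])
    m = O15_RE.match(line)
    if m:
        zone = m.group(1).lstrip("*.")  # HJT prints ".1.2.3.4" or "*.1.2.3.4"
        try:
            ipaddress.ip_address(zone)
        except ValueError:
            return []  # a named domain in Trusted Zone is a policy choice, not a hijack
        return [f"trusted zone grants raw IP {zone}"]
    return []

def triage_hjt(lines):
    return [f for line in lines for f in flag_hjt_line(line)]

def scan_hosts_text(text):
    # Same check over a raw HOSTS file: strip comments, allow several names per line.
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        pairs.extend((fields[0], h) for h in fields[1:])
    return hosts_redirects(pairs)
```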
 
Possible Solution

Hi
Have just finished working on a second computer sent to me with this problem. First one was last year and no-one had a solution so had to do a fresh install. This time have managed to clear it all up using Ad-Aware and AVG and editing and deleting stuff.. Last update from AVG found 3 variants of Trojan as follows... Clicker.BN in ipcfg.exe, Clicker.BO in scands32.exe and Clicker.BP in snnpapi.exe. Removed all 3,.... also while running AVG discovered there were hidden files (mainly porn type jpgs) in Temporary Internet Files/IEContent folder.... the only way I could see them was to go to 'find' and look for jpgs...... they did not show up any other way.... even in DOS (computer running W98) so the only way I could get rid of them was to delete all the folders in the IEContent folder. Since these last 2 things I haven't had the fake message or the poker/insurance/you name it thingies attempting to access internet and computer now seems fine and ready to go home to its owner. Ad-aware had also cleaned out heaps of malware, dialers, droppers, trojans etc before I got to this point... but it seems that AVG may have been the answer for the last couple of things as I had deleted the files that were hidden earlier on (although they weren't hidden then!!) Also installed Zone Alarm and it seems to be keeping a huge amount of attacks at bay. Oh the Clicker trojans also appeared in backups of those files as well.
Hope this might help someone else.
Regards
River Stan
 