
Recurring Fake Windows Security Message

By legofireman · 4 replies
Mar 2, 2005
  1. Hi everyone,

    I'm getting a very annoying pop-up message that looks really official. It says:

    "Windows Security Center:
    WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords.
    Do you want to download certificated software and protect your computer?"

    I've run Ad-Aware Personal, Spybot and Norton AntiVirus 2005 lots of times, but it still recurs.

    I don't use Internet Explorer; however, Internet Explorer does pop up sometimes via e-mails I receive in Microsoft Outlook - it doesn't seem to want to open files in Firefox - my default browser. And I can't uninstall Internet Explorer for some reason.

    I'm attaching my HijackThis file, and I'd really appreciate any advice you might be able to offer.

    Thanks everyone,

  2. Sootah

    Sootah TS Rookie

    You've already got HijackThis, so that's good. Make sure you're running the latest version of it (1991). When you're removing entries, make sure to do it from safe mode. If not, then the crap running usually just puts itself back into the startup.

    How to read your hijackthis log

    And just in case some spyware has screwed with your DNS (you'll see a 'Hijacked internet access by new.net' entry in HijackThis):
    How to repair your DNS tables
  3. Sootah

    Sootah TS Rookie

    Essential Windows processes


    F:\WINDOWS\System32\CTsvcCDA.EXE definitely don't like
    F:\WINDOWS\system32\gearsec.exe don't like
    F:\WINDOWS\System32\CAPRPCSK.EXE don't like
    F:\WINDOWS\System32\MsPMSPSv.exe definitely don't like
    F:\WINDOWS\sysuz32.exe definitely don't like
    F:\WINDOWS\System32\devldr32.exe suspicious
    F:\Program Files\Messenger Plus! 2\MsgPlus.exe ?? suspicious
    F:\WINDOWS\system32\crme.exe maybe bad, dunno. Google it

    REMOVE -

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {46015205-9C0D-68F5-0714-0BA8A0DA3C56} - F:\WINDOWS\javasa.dll

    O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe F:\WINDOWS\System32\CrazyTalk.dll,DllServeMediaFile

    O4 - HKLM\..\Run: [MessengerPlus2] "F:\Program Files\Messenger Plus! 2\MsgPlus.exe"

    O4 - HKLM\..\Run: [541.tmp] F:\DOCUME~1\Emmett\LOCALS~1\Temp\541.tmp.exe 0 10001

    O4 - HKLM\..\Run: [crme.exe] F:\WINDOWS\system32\crme.exe
    O4 - HKLM\..\RunOnce: [sysuz32.exe] F:\WINDOWS\sysuz32.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range:

    Remember to do it from safe mode.
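
The kind of log triage done in the post above can be partly automated. The following is an added example, not part of the original thread and not HijackThis's own logic: a small Python filter that parses HijackThis log lines and flags four patterns visible in this log. The heuristics and the `ExampleApp` line are assumptions made for illustration; the other sample lines are copied from the post.

```python
import re

# HijackThis log entries have the form "<code> - <detail>",
# e.g. "O4 - HKLM\..\Run: [name] command line".
LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*)$")

def classify(code, detail):
    """Return a reason when an entry deserves manual review, else None."""
    low = detail.lower()
    if code in ("R0", "R1") and "= res://" in low:
        return "IE search/start page points at a resource inside a local DLL"
    if code == "O2" and "(no name)" in low:
        return "unnamed Browser Helper Object"
    if code == "O4" and "\\temp\\" in low:
        return "autostart entry launches from a Temp directory"
    if code == "O15" and "trusted zone:" in low:
        return "site added to the IE Trusted Zone"
    return None

def triage(log_text):
    """Return (code, reason, detail) for every flagged line in a log."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, process list, blank lines
        code, detail = m.groups()
        reason = classify(code, detail)
        if reason:
            findings.append((code, reason, detail))
    return findings

# Sample input: four lines from the log in this thread plus one
# constructed benign entry (ExampleApp is hypothetical).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\system32\pxiij.dll/sp.html#27130
O2 - BHO: (no name) - {46015205-9C0D-68F5-0714-0BA8A0DA3C56} - F:\WINDOWS\javasa.dll
O4 - HKLM\..\Run: [541.tmp] F:\DOCUME~1\Emmett\LOCALS~1\Temp\541.tmp.exe 0 10001
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\ExampleApp\app.exe"
O15 - Trusted Zone: *.awmdabest.com
"""

if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n      {detail}")
```

A match only marks an entry for review; entries the filter does not flag still need to be read by hand.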
  4. legofireman

    legofireman TS Rookie Topic Starter

    That's great, thanks so much. I've removed all that stuff, except for the processes. Is there a way to do that via HijackThis? (I only see them in the logfile, not in the HijackThis window.) Or do I just manually delete them via Windows Explorer?

    Thanks, I really appreciate your help!

  5. Sootah

    Sootah TS Rookie

    Press Ctrl+Alt+Delete and select the Processes tab. Select all but the essential Windows processes and end the process. Then run HijackThis again and clean up some more. This should prevent the stuff from loading at all. When you reboot you can do the Ctrl+Alt+Delete again and see what has loaded.

    MSConfig is also handy. Some stuff you may also even want to leave running so that's what msconfig is good for. It's easier to undo.

    How to modify Windows startup
Topic Status:
Not open for further replies.
