Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Fake Windows Security Center Pop-Ups

Started by DancingTree , May 29 2008 10:00 AM

Please log in to reply

#1
DancingTree

Posted 29 May 2008 - 10:00 AM

New Member

Member
3 posts

Fake Windows Security Center page at startup indicates I need to buy SystemErrorFixer, SystemDefender and SysCleaner. There's a red shield with an X in it both at the top of the fake page and in my lower right side task bar (next to time). I can close the page but it pops up again and so do various warning messages from the shield at lower right asking me to click on the balloon to fix them or for more information.

Running Windows XP Media Center Edition with critical downloads up-to-date. Up-to-date McAfee Control Suite was running when it started, but since it was days from expiring I deleted it. Have run new AdAware, new Avast, and now new OneCare. None have found anything wrong...but it still there. How can I remove this annoyance? Can upload HiJack Now status if needed. Thanks!

Edited by DancingTree, 29 May 2008 - 10:06 AM.

#2
OldTimer

Posted 29 May 2008 - 01:14 PM

Global Moderator

Global Moderator
3,273 posts

Hello DancingTree and welcome to G2G. Let's see what we can find. Please follow the teps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.

Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose Select All from the list.
Click the Empty Selected button.
NOTE : If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose Select All from the list.
Close ALL Internet browsers (very important).
Click the Empty Selected button.
NOTE : If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

Close ALL OTHER PROGRAMS.
Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
In the Drivers section click on Non-Microsoft.
Under Additional Scans click the checkboxes in front of the following items to select them:
- Reg - BotCheck
  File - Additional Folder Scans
Do not change any other settings.
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Save the file to your desktop or other location where you can find it back.

Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT

#3
DancingTree

Posted 29 May 2008 - 02:38 PM

New Member

Topic Starter
Member
3 posts

OT Scan attached. Thanks!

Attached Files

OTScanIt_200805291635DT.txt 230KB 157 downloads

#4
OldTimer

Posted 29 May 2008 - 07:49 PM

Global Moderator

Global Moderator
3,273 posts

Hi DancingTree. Let's see what we can do. Follow the steps below in order:

Step #1

Please download The Avenger by Swandog46 to your Desktop.

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%systemroot%\system32\rxwlrqix.dll
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
e:\autoexec.ns0
e:\autoexec.ns1
e:\autoexec.ns2
e:\autoexec.ns3
e:\autoexec.ns4
e:\autoexec.ns5
e:\autoexec.ns6
e:\autoexec.ns8
Folders to delete:
%systemroot%\system32\.14177ce4

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.

Click in the window labeled Input Scrupt Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
Click the Execute button
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Non-Microsoft Only]
< RunOnceEx [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
YN -> ~EmptyValue -> []
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> rxwlrqix -> %SystemRoot%\system32\rxwlrqix.dll
< Drives - Autoruns > -> 
NY -> AUTOEXEC.NS0 [@C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup | @ECHO OFF | SET BLASTER=A220 I7 D1 T2 | SET SNDSCAPE=C:\WINDOWS |  | REM [Header] |  | REM [CD-ROM Drive] | REM C:\WINDOWS\COMMAND\MSCDEX /D:MSCD001 |  | REM [Miscellaneous] |  | REM [Display] |  | SET PATH=C:\PROGRA~1\DELL\RESOLU~1\COMMON\BIN |  | ] -> E:\AUTOEXEC.NS0 [ FAT32 ]
NY -> AUTOEXEC.NS1 [@C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup | @ECHO OFF | SET BLASTER=A220 I7 D1 T2 | SET SNDSCAPE=C:\WINDOWS |  | REM [Header] |  | REM [CD-ROM Drive] | REM C:\WINDOWS\COMMAND\MSCDEX /D:MSCD001 |  | REM [Miscellaneous] |  | REM [Display] |  | SET PATH=C:\PROGRA~1\DELL\RESOLU~1\COMMON\BIN |  | ] -> E:\AUTOEXEC.NS1 [ FAT32 ]
NY -> AUTOEXEC.NS2 [@C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup | @ECHO OFF | SET BLASTER=A220 I7 D1 T2 | SET SNDSCAPE=C:\WINDOWS |  | REM [Header] |  | REM [CD-ROM Drive] | REM C:\WINDOWS\COMMAND\MSCDEX /D:MSCD001 |  | REM [Miscellaneous] |  | REM [Display] |  | SET PATH=C:\PROGRA~1\DELL\RESOLU~1\COMMON\BIN |  | ] -> E:\AUTOEXEC.NS2 [ FAT32 ]
NY -> AUTOEXEC.NS3 [@C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup | @ECHO OFF | SET BLASTER=A220 I7 D1 T2 | SET SNDSCAPE=C:\WINDOWS |  | REM [Header] |  | REM [CD-ROM Drive] | REM C:\WINDOWS\COMMAND\MSCDEX /D:MSCD001 |  | REM [Miscellaneous] |  | REM [Display] |  | SET PATH=C:\PROGRA~1\DELL\RESOLU~1\COMMON\BIN |  | ] -> E:\AUTOEXEC.NS3 [ FAT32 ]
NY -> AUTOEXEC.NS4 [@C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup | @ECHO OFF | SET BLASTER=A220 I7 D1 T2 | SET SNDSCAPE=C:\WINDOWS |  | REM [Header] |  | REM [CD-ROM Drive] | REM C:\WINDOWS\COMMAND\MSCDEX /D:MSCD001 |  | REM [Miscellaneous] |  | REM [Display] |  | SET PATH=C:\PROGRA~1\DELL\RESOLU~1\COMMON\BIN |  | ] -> E:\AUTOEXEC.NS4 [ FAT32 ]
NY -> AUTOEXEC.NS5 [@ECHO OFF | SET BLASTER=A220 I7 D1 T2 | SET SNDSCAPE=C:\WINDOWS |  | REM [Header] |  | REM [CD-ROM Drive] | REM C:\WINDOWS\COMMAND\MSCDEX /D:MSCD001 |  | REM [Miscellaneous] |  | REM [Display] |  | SET PATH=C:\PROGRA~1\DELL\RESOLU~1\COMMON\BIN |  | ] -> E:\AUTOEXEC.NS5 [ FAT32 ]
NY -> AUTOEXEC.NS6 [@ECHO OFF | SET BLASTER=A220 I7 D1 T2 | SET SNDSCAPE=C:\WINDOWS |  | REM [Header] |  | REM [CD-ROM Drive] | REM C:\WINDOWS\COMMAND\MSCDEX /D:MSCD001 |  | REM [Miscellaneous] |  | REM [Display] |  | SET PATH=C:\PROGRA~1\DELL\RESOLU~1\COMMON\BIN |  | ] -> E:\AUTOEXEC.NS6 [ FAT32 ]
NY -> AUTOEXEC.NS8 [@ECHO OFF | SET BLASTER=A220 I7 D1 T2 | SET SNDSCAPE=C:\WINDOWS |  | REM [Header] |  | REM [CD-ROM Drive] | REM C:\WINDOWS\COMMAND\MSCDEX /D:MSCD001 |  | REM [Miscellaneous] |  | REM [Display] |  | SET PATH=C:\PROGRA~1\DELL\RESOLU~1\COMMON\BIN |  | ] -> E:\AUTOEXEC.NS8 [ FAT32 ]
[Files/Folders - Created Within 30 days]
NY -> 5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 days]
NY -> .14177ce4 -> %SystemRoot%\System32\.14177ce4
NY -> 5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

Click on Online Services and then Online Scanner
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes,the scan will begin automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
  - Extended (if available otherwise Standard)
- Scan Options:
  Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

Close ALL OTHER PROGRAMS.
Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
Just use the default settings.
Do not change any other settings.
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Step #5

Post the following back here by copy/pasting them into the reply:

The Avenger report (c:\Avenger.txt)
The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
The online virus scan report (whichever one you ran)

Attach the following back here in the reply:

The new OTScanIt scan log

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT

#5
DancingTree

Posted 30 May 2008 - 09:29 AM

New Member

Topic Starter
Member
3 posts

I had no problems with any of your instructions or running any programs. All appears to be fixed. Please let me know if I need to do anything else...and THANK YOU! I probably spent 40 hours of futility trying to fix this myself. I appreciate your help!

>>dt<<

X X X X X X X X X X X X X X

AVENGER
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\rxwlrqix.dll" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat" deleted successfully.
Folder "C:\WINDOWS\system32\.14177ce4" deleted successfully.
File "e:\autoexec.ns0" deleted successfully.
File "e:\autoexec.ns1" deleted successfully.
File "e:\autoexec.ns2" deleted successfully.
File "e:\autoexec.ns3" deleted successfully.
File "e:\autoexec.ns4" deleted successfully.
File "e:\autoexec.ns5" deleted successfully.
File "e:\autoexec.ns6" deleted successfully.
File "e:\autoexec.ns8" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

X X X X X X X X X X X X X X X X X X X X X X X X
OTScan Fix Log

[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\\~EmptyValue deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rxwlrqix\ deleted successfully.
File C:\WINDOWS\system32\rxwlrqix.dll not found.
File E:\AUTOEXEC.NS0 not found.
File E:\AUTOEXEC.NS1 not found.
File E:\AUTOEXEC.NS2 not found.
File E:\AUTOEXEC.NS3 not found.
File E:\AUTOEXEC.NS4 not found.
File E:\AUTOEXEC.NS5 not found.
File E:\AUTOEXEC.NS6 not found.
File E:\AUTOEXEC.NS8 not found.
[Files/Folders - Created Within 30 days]
[Files/Folders - Modified Within 30 days]
File C:\WINDOWS\System32\.14177ce4 not found!
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.15.4 fix logfile created on 05302008_072841

Files moved on Reboot...
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat moved successfully.

X X X X X X X X X X X X X X X X X X X X X X X X X X X X X
FSecure Report

Scanning Report
Friday, May 30, 2008 07:38:14 - 11:04:14
Computer name: WICKHOUSE
Scanning type: Scan system for malware, rootkits
Target: C:\ E:\

Result: 3 malware found
RemoteAdmin.Win32.WinVNC (spyware)
• System
RiskTool.Win32.Reboot (spyware)
• System
Tracking Cookie (spyware)
• System

Statistics
Scanned:
• Files: 102430
• System: 4630
• Not scanned: 14
Actions:
• Disinfected: 0
• Renamed: 0
• Deleted: 0
• None: 3
• Submitted: 0
Files not scanned:
• C:\HIBERFIL.SYS
• C:\PAGEFILE.SYS
• C:\WINDOWS\TEMP\TMP0000002B4C18C511F2E39859
• C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
• C:\WINDOWS\SYSTEM32\CONFIG\SAM
• C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
• C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
• C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
• C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\RECORDED TV\TEMPREC\TEMPSBE\MSDVRMM_337083620_786432_54900
• C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3AD391678A806EC4D691E83AAA393B6F_24ADF822-76F7-4481-B30B-FF1B40F8687F
• E:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP311\A0031489.DLL
• E:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP311\A0031490.EXE
• E:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP311\A0031491.DLL
• E:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP311\A0031492.DLL

Options
Scanning engines:
• F-Secure USS: 2.30.0
• F-Secure Blacklight: 1.0.68
• F-Secure Hydra: 2.8.8110, 2008-05-30
• F-Secure Pegasus: 1.20.0, 2008-04-14
• F-Secure AVP: 7.0.171, 2008-05-30
Scanning options:
• Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
• Use Advanced heuristics

Copyright © 1998-2007 Product support

X X X X X X X X X X X X X X

The end...Thanks again!

Attached Files

OTScanIt200805301109.txt 171.53KB 106 downloads

#6
OldTimer

Posted 30 May 2008 - 12:25 PM

Global Moderator

Global Moderator
3,273 posts

Hi DancingTree. Everything looks good. Go ahead and run the system normally for a couple of days and then get back with me and let me know if there are any continuing issues. If everything is Ok at that time, then we have some final cleanup to do and you'll be good to go.

Cheers.

OT