Fake Windows Security Center

Discussion in 'Malware Help (A Specialist Will Reply)' started by sprewell15, May 18, 2008.

  1. sprewell15

    sprewell15 Private E-2

    Hi all,

    I have a fake Windows Security Center icon in my systray. It also appears as a genuine-looking window resembling the actual Windows version, and it gives the following key options: UlimateFixer, SystemDefender, SysCleaner. I get constant balloon pop-ups via the systray icon, and dialogue box errors when I access new web pages. It also reboots my machine about every 30-60 mins. I have searched the net and done a heap of removal attempts: Malwarebytes, SUPERAntiSpyware, SmitFraudFix, and god knows what else.
    Would love to hear from someone who's had success removing this thing; it's proving challenging.

    cheers
     
  2. abri

    abri MajorGeek

    Hi sprewell15,
    Welcome to Major Geeks!

    Please run through the instructions in the READ & RUN ME FIRST and attach the requested logs. You'll get some relief from the symptoms you describe as you work through these procedures. Afterwards we'll be able to help you.


    abri
     
  3. sprewell15

    sprewell15 Private E-2

    Hi, first 3 files attached
     


  4. sprewell15

    sprewell15 Private E-2

    final log file

    thanks
     


  5. abri

    abri MajorGeek

    Hi sprewell

    1) What is in the following folder? (You can look in the folder, but do not open any files if you don't know what they are.)

    in this directory C:\WINDOWS\system32\ please look in the following folder:

    549191~1 17 May 2008 ".5491911c"



    2) Now please disable Spybot's TeaTimer. This can be done two ways.
    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • Then, also in the left panel, click Resident (it shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot



    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    4) Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O20 - Winlogon Notify: hwftlpra - C:\WINDOWS\SYSTEM32\hwftlpra.dll


    After you click fix, just close hijackthis.



    5) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt



    6) Now run CCleaner at the default setting with the Windows tab as the top one.

    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
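As an added example, not part of this thread or of the helper's instructions: a small Python parser for the HijackThis O4 and O20 lines of the kind quoted above, run over constructed sample log lines (the two entries from the post plus two benign ones). It flags Winlogon Notify packages that are not on an assumed Windows XP allowlist and names that look randomly generated (an assumed heuristic, not a rule from the thread).

```python
import re

# Constructed sample of HijackThis-style log lines. The Java O4 entry and the
# O20 Winlogon Notify entry are the two quoted in the thread; the other two
# are typical benign entries added for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: hwftlpra - C:\WINDOWS\SYSTEM32\hwftlpra.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Assumed allowlist of Winlogon Notify packages shipped with Windows XP;
# extend it for other Windows versions or software you know is installed.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<target>.+)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.+)$')
# Heuristic (assumption): eight random lowercase letters, as in the thread's hwftlpra.
RANDOM_NAME_RE = re.compile(r'^[a-z]{8}$')


def parse_hjt(text):
    """Return a list of dicts for the O4 and O20 lines in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append({"section": "O4", "name": m["name"], "target": m["target"].strip('"')})
        elif (m := O20_RE.match(line)):
            entries.append({"section": "O20", "name": m["name"], "target": m["target"].strip('"')})
    return entries


def flag_entries(entries, known_notify=KNOWN_NOTIFY):
    """Return (entry, reasons) pairs for entries that deserve a closer look."""
    flagged = []
    for e in entries:
        reasons = []
        if e["section"] == "O20" and e["name"].lower() not in known_notify:
            reasons.append("Winlogon Notify package not in allowlist")
        if RANDOM_NAME_RE.match(e["name"]):
            reasons.append("random-looking 8-letter name")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for e, reasons in flag_entries(parse_hjt(SAMPLE_LOG)):
        print(f'{e["section"]} {e["name"]} -> {e["target"]}: {"; ".join(reasons)}')
```

Only the hwftlpra Notify entry is flagged; the Java updater line the helper removed is benign clutter, not malware, and so is left to human judgement.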
     
  6. sprewell15

    sprewell15 Private E-2

    You're brilliant abri! - it worked a treat.

    Thanks very much for your time
     
  7. abri

    abri MajorGeek

    Thanks sprewell!

    I like to check to make sure the brilliance can be sustained. :D
    Please do steps 1, 6 and 7 and attach the requested set of logs so I can make sure.
    Then I'll post you the final cleanup instructions so you can get all our tools and logs back off your computer.

    abri
     
