Home page hijacked - secure32

JET

Home page hijacked - secure32

Explorer Home Page being hijacked and redirected to SECURE32.HTML. Can't
seem to get rid of it. Just purchased and ran Norton Virus but doesn't fix
it.
 
JET said:
Home page hijacked - secure32

Explorer Home Page being hijacked and redirected to SECURE32.HTML.
Can't seem to get rid of it. Just purchased and ran Norton Virus but
doesn't fix it.

Google is your friend:
http://computercops.biz/postt10732.html

You need to run HijackThis and post your log there, as there could be several
variations of this pest.
Please download HijackThis into a C:\HJT folder you create for this and unzip
it there.
http://www.merijn.org/files/hijackthis.zip

Run it and click on Scan.
Let it run to completion.

Do not remove anything in there yet as not all items are bad.

Then when it is finished click on Save log.
A screen will pop up with Save logfile... Click on Save.
Notepad will open up.
This is the full log that is needed. Use Ctrl-A to mark all, then Ctrl-C
to copy, create a new topic in that forum and use Ctrl-V to paste the contents
into the topic.
 
Log results from running hijackthis startuplist. Any comments on which lines
are problems greatly appreciated.
=================
StartupList report, 1/12/2004, 2:36:10 PM
StartupList version: 1.52
Started from : C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v5.50 (5.50.4134.0100)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MSTASKM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\STARTEAK.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\REG32.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\WINHLP32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge
Center\bin\silent.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
CPQInet = c:\compaq\CPQInet\CpqInet.exe
MotiveMonitor = C:\Program Files\Motive\motmon.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
CPQEASYACC = C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
EACLEAN = C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
ATTBroadbandUpdate = C:\Program Files\AT&T\BBClient\Programs\SAUpdate.exe
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe
SYSTEMBOOTHIDEPLAYER
Winsock2 driver = WINCFG.SCR
DxLoad = C:\WINDOWS\DX3DRndr.exe
Tapicfg.exe = \tapicfg.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
WebScan = C:\PROGRAM FILES\ACCELERATION
SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
Reg32 = C:\WINDOWS\reg32.exe
Symantec Core LC = C:\Program Files\Common Files\Symantec
Shared\CCPD-LC\symlcsvc.exe start
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
NAV CfgWiz = C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID
NAV /CMDLINE "REBOOT"
zSPGuard = c:\program files\pjw\spguard\spguard.exe /s

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
SVC Socks = C:\WINDOWS\SYSTEM\mstaskm.exe
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script
Blocking\SBServ.exe" -reg
ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ccSetMgr = "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\WINDOWS\SYSTEM\mstaskm.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 12/1/2004, 13:45:6)

[Rename]
NUL=C:\WINDOWS\SYSTEM\MSCRLREV.DLL
C:\WINDOWS\SYSTEM\MSCRLREV.DLL=C:\WINDOWS\SYSTEM\SETD053.TMP

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WINDOWS\SYSTEM

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT
5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRAM FILES\AT&T\BBCLIENT\PROGRAMS\SABHO.DLL -
{058FC709-D5CD-4A95-92DB-59E6488ECDA4}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll -
{BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

PCHealth Scheduler for Data Collection.job
Tune-up Application Start.job
Registration reminder 1.job
Registration reminder 2.job
Registration reminder 3.job
Symantec NetDetect.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE =
http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AVSNIFF.DLL
CODEBASE =
http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
CODEBASE =
http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[ActiveDataObj Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACTIVEDATA.DLL
CODEBASE =
https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SYMADATA.DLL
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/SymAData.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

--------------------------------------------------
End of report, 7,448 bytes
Report generated in 0.648 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of
platform
/history - to list version history only
=================
 
JET said:
Log results from running hijackthis startuplist. Any comments on
which lines are problems greatly appreciated.

The startuplist is not required at this point, just the scan logfile.
More help: http://mjc1.com/mirror/hjt/

You have a trojan:
BKDR_SPYBOT.A
http://de.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=BKDR_SPYBOT.A

Online virus scan:
http://housecall.trendmicro.com
=================
StartupList report, 1/12/2004, 2:36:10 PM
 
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run [...]
Winsock2 driver = WINCFG.SCR

Probable Spybot variant
DxLoad = C:\WINDOWS\DX3DRndr.exe

Probable SWEN worm
Tapicfg.exe = \tapicfg.exe
Coolwebsearch

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices [...]
SVC Socks = C:\WINDOWS\SYSTEM\mstaskm.exe
--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\WINDOWS\SYSTEM\mstaskm.exe

Coolwebsearch

For Spybot and Swen, I'd recommend Trojan Remover
http://www.simplysup.com/tremover/
That may also remove coolwebsearch, but if so it's calling it by
another name.

Otherwise for Coolwebsearch - CWShredder from
http://www.spywareinfo.com/~merijn/downloads.html

Did you *update* Norton after you installed it? Of course Swen would
have been trying to disable it...

Carol
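The entries Carol singled out can be found mechanically. The script below is an added example, not part of the thread and not HijackThis or StartupList code. It parses the Run, RunServices and WIN.INI sections of a StartupList report and flags entries with the same tells used above: a .scr started as a program, a program with no directory at all, an executable dropped directly into C:\WINDOWS, a name one character away from a system binary (mstaskm.exe against mstask.exe), and anything on the legacy win.ini run= line. The allowlist of Win9x binaries and the sample excerpt (constructed from the lines JET posted) are assumptions for the example. The same heuristic also lists reg32.exe, which the thread does not classify, so treat the output as items to check, not items to delete, exactly as the first reply says.

```python
"""Triage a HijackThis StartupList report: parse the autorun sections and flag
entries with the tells Carol used above.  Added example, not HijackThis code;
the excerpt below is constructed from the lines JET posted."""
import re

SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
Winsock2 driver = WINCFG.SCR
DxLoad = C:\WINDOWS\DX3DRndr.exe
Tapicfg.exe = \tapicfg.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Reg32 = C:\WINDOWS\reg32.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SchedulingAgent = mstask.exe
SVC Socks = C:\WINDOWS\SYSTEM\mstaskm.exe
ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\WINDOWS\SYSTEM\mstaskm.exe

--------------------------------------------------
"""

# Win9x binaries that legitimately start from these keys with no directory or
# from C:\WINDOWS itself (assumed allowlist for this example, not complete).
KNOWN_WIN9X = {"scanregw.exe", "taskmon.exe", "systray.exe", "rundll32.exe",
               "mstask.exe", "stimon.exe", "explorer.exe"}
# System binary names that malware imitates by adding or changing one character.
SYSTEM_NAMES = {"mstask.exe", "systray.exe", "explorer.exe", "rundll32.exe",
                "msgsrv32.exe", "mprexe.exe"}


def parse_report(text):
    """Return (section, name, command) for every Run/RunServices/WIN.INI entry."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-----"):          # section separator
            section = None
        elif line.startswith(("HKLM\\", "HKCU\\")):
            section = line
        elif line.startswith("Load/Run keys from"):
            section = "WIN.INI"
        elif section == "WIN.INI":            # load=... / run=... lines
            key, _, value = line.partition("=")
            if key.lower() in ("load", "run"):
                entries.append((section, key.lower(), value.strip()))
        elif section and " = " in line:       # registry value = command
            name, _, command = line.partition(" = ")
            entries.append((section, name.strip(), command.strip()))
    return entries


def executable(command):
    """Program path from a command line: honour quotes, drop arguments."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    # Unquoted Win9x entries may contain spaces, so cut at the first known
    # program extension that is followed by whitespace or the end of the line.
    m = re.match(r"(.+?\.(?:exe|scr|com|bat|pif|dll))(?:\s|$)", command, re.I)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def split_path(exe):
    """(directory, lower-cased basename); Windows separators, runs anywhere."""
    parts = re.split(r"[\\/]", exe)
    return "\\".join(parts[:-1]), parts[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_entry(section, name, command):
    """Reasons this entry deserves a look (empty list means nothing odd)."""
    reasons, exe = [], executable(command)
    if not exe:
        return reasons
    directory, base = split_path(exe)
    if section == "WIN.INI":
        reasons.append("legacy win.ini %s= line launches a program" % name)
    if base.endswith(".scr"):
        reasons.append("screensaver file started as a program")
    if directory == "" and base not in KNOWN_WIN9X:
        reasons.append("no directory: resolved via PATH or the root of the boot drive")
    if directory.lower() == "c:\\windows" and base not in KNOWN_WIN9X:
        reasons.append("unknown executable directly in the Windows directory")
    for known in SYSTEM_NAMES:
        if base != known and edit_distance(base, known) == 1:
            reasons.append("name is one character away from system binary %s" % known)
    return reasons


def triage(report_text):
    """Map entry name -> reasons, for every flagged entry in the report."""
    flagged = {}
    for section, name, command in parse_report(report_text):
        reasons = flag_entry(section, name, command)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_REPORT).items():
        print(entry)
        for reason in why:
            print("   -", reason)
```

Run it against a saved report with `triage(open("startuplist.txt").read())`. The flags are prompts for the "which lines are problems" question, not a verdict: the allowlist is the weak part, so a vendor binary such as the Compaq or Symantec entries will pass only because it lives under Program Files, and an unknown file in C:\WINDOWS still has to be checked by hand before anything is removed.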
 