C:WINNT\Secure.html hi-jacked

Discussion in 'adware, spyware & hijack cleaning' started by Bub Henricks, Mar 18, 2004.

Thread Status:
Not open for further replies.
  1. Bub Henricks

    Bub Henricks Guest

    I'm getting hi-jacked on web page to C:WINNT\Secure.html and my IP address is being monitored. I have to do a Control-Alt-Delete to go back to the desktop. How can I restore to normal?

    Logfile of HijackThis v1.97.7
    Scan saved at 4:08:56 PM, on 3/18/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\svchost.exe
    C:\progra~1\scansoft\paperp~1\pptd40nt.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    C:\WINNT\System32\wuauclt.exe
    C:\Program Files\Nortel Networks\Extranet.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\MSWorks\msworks.exe
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\Program Files\WinZip\WINZIP32.EXE
    C:\unzipped\hijackthis1977[1]\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
    O1 - Hosts: 3466690378 view.atdmt.com
    O1 - Hosts: 3466690378 click.atdmt.com
    O1 - Hosts: 3466690378 leader.linkexchange.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - https://www.xreg.net/ActiveX/AXClientUtil.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {4B387AEC-4C68-11D4-8297-00C04F7CD0A0} (InstallerToolsLib.Tools) - http://xww.valuequix.world.xerox.com/ValueQuiX/deployment/active/InstallerToolsLib.CAB
    O16 - DPF: {8C8A54A5-12CA-11D4-ABFD-005004B4382E} (AnalyzerTypesLib.KeyIndicator) - http://xww.valuequix.world.xerox.com/ValueQuiX/deployment/active/AnalyzerTypes.CAB
    O16 - DPF: {96B06C61-4DE9-11D4-8298-00C04F7CD0A0} (Global Multi-Use client object. Encapsulates all client-side functionality for Analyzer component.) - http://xww.valuequix.world.xerox.com/ValueQuiX/deployment/active/InstallerLib.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37603.3982523148
    O16 - DPF: {B2B03346-25D9-11D4-8090-00805F478EDD} (SU_Downloader.Downloader) - http://xww.valuequix.world.xerox.com/ValueQuiX/deployment/active/Downloader.CAB
    O16 - DPF: {C7AB4318-5D89-11D4-829B-00C04F7CD0A0} (SmartUpdate.CLaunch) - http://xww.valuequix.world.xerox.com/ValueQuiX/deployment/active/SmartUpdate.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E15AA241-12C9-11D4-ABFD-005004B4382E} (AnalyzerToolsLib.Tools) - http://xww.valuequix.world.xerox.com/ValueQuiX/deployment/active/AnalyzerToolsLib.CAB
    O16 - DPF: {E82ECBB3-12D5-11D4-ABFD-005004B4382E} (Global Multi-Use client object. Encapsulates all client-side functionality for Analyzer component.) - http://xww.valuequix.world.xerox.com/ValueQuiX/deployment/active/AnalyzerClientLib.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{88E742E0-AD12-4405-A980-F82C76E6A443}: NameServer = 13.252.44.5,13.252.44.4
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AB9DE422-C0CC-4E52-AFCA-39B6F1C5FAD8}: NameServer = 209.102.191.22,209.102.191.23
     
  2. Shadowwar

    Shadowwar Spyware Expert

    Joined: Feb 26, 2004, Posts: 305

    Please close all windows and Internet Explorers. Checkmark only the following items in HijackThis.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
    O1 - Hosts: 3466690378 view.atdmt.com
    O1 - Hosts: 3466690378 click.atdmt.com
    O1 - Hosts: 3466690378 leader.linkexchange.com


    Click the Fix button. Close HijackThis.

    Reboot and show hidden files and folders per the link in my signature.
    Please delete the following files or folders.

    Files:

    Folders:



    Run a new log and post it here.
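
Added example, not part of the original thread and not HijackThis code: a Python triage pass over log lines like those selected above, flagging IE page settings that load a local file and Hosts entries whose address is written as a bare integer (decoded here as a 32-bit IPv4 value). The names `triage`, `ENTRY` and `LOCAL_FILE` are assumptions of this example, and the loopback line in the sample is constructed.

```python
import ipaddress
import re

# Sample input: lines copied from the log in this thread, plus one
# constructed loopback Hosts line (ads.example.test) for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 127.0.0.1 ads.example.test
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
"""

ENTRY = re.compile(r"^\s*([A-Z]\d+) - (.*)$")   # "<code> - <detail>"
LOCAL_FILE = re.compile(r"^[A-Za-z]:\\")         # value is a drive path, not a URL

def triage(log_text):
    """Return (code, reason) pairs for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        code, rest = m.groups()
        if code in ("R0", "R1") and " = " in rest:
            value = rest.split(" = ", 1)[1].strip()
            if LOCAL_FILE.match(value):
                findings.append((code, f"IE page setting loads local file {value}"))
        elif code == "O1" and rest.startswith("Hosts:"):
            parts = rest[len("Hosts:"):].split()
            if len(parts) != 2:
                continue
            addr, host = parts
            if addr.isdecimal() and int(addr) < 2**32:
                # A bare integer hides the address; decode it as 32-bit IPv4.
                dotted = ipaddress.IPv4Address(int(addr))
                findings.append((code, f"{host} -> {addr} (= {dotted})"))
            else:
                try:
                    loopback = ipaddress.ip_address(addr).is_loopback
                except ValueError:
                    loopback = False   # unparseable address: report it
                if not loopback:
                    findings.append((code, f"{host} redirected to {addr}"))
    return findings

if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(code, reason)
```

The pass only covers the R0/R1 and O1 entry kinds; every other line in the log is left for manual review.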
     
  3. gd196241

    gd196241 Guest

    Get to yahoo.co.uk (use a search in the Google bar if necessary).

    1/3 down that page is a link
    "Make Yahoo! UK & Ireland your homepage"

    Click and hey presto this is now your homepage and not C:WINNT\Secure

    Once this is done, yahoo.co.uk opens as the homepage every time.

    I assume yahoo.com will be the same.

    Gary
     