C:WINNT\Secure.html hi-jacked

Discussion in 'adware, spyware & hijack cleaning' started by Bub Henricks, Mar 18, 2004.

Thread Status:
Not open for further replies.
  1. Bub Henricks

    Bub Henricks Guest

    I'm getting hi-jacked on web page to C:WINNT\Secure.html and my IP address is being monitored. I have to do a control all delete to go back to desktop. How can I restore to normal?

    Logfile of HijackThis v1.97.7
    Scan saved at 4:08:56 PM, on 3/18/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\svchost.exe
    C:\progra~1\scansoft\paperp~1\pptd40nt.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    C:\WINNT\System32\wuauclt.exe
    C:\Program Files\Nortel Networks\Extranet.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\MSWorks\msworks.exe
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\Program Files\WinZip\WINZIP32.EXE
    C:\unzipped\hijackthis1977[1]\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
    O1 - Hosts: 3466690378 view.atdmt.com
    O1 - Hosts: 3466690378 click.atdmt.com
    O1 - Hosts: 3466690378 leader.linkexchange.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - https://www.xreg.net/ActiveX/AXClientUtil.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {4B387AEC-4C68-11D4-8297-00C04F7CD0A0} (InstallerToolsLib.Tools) - http://xww.valuequix.world.xerox.com/ValueQuiX/deployment/active/InstallerToolsLib.CAB
    O16 - DPF: {8C8A54A5-12CA-11D4-ABFD-005004B4382E} (AnalyzerTypesLib.KeyIndicator) - http://xww.valuequix.world.xerox.com/ValueQuiX/deployment/active/AnalyzerTypes.CAB
    O16 - DPF: {96B06C61-4DE9-11D4-8298-00C04F7CD0A0} (Global Multi-Use client object. Encapsulates all client-side functionality for Analyzer component.) - http://xww.valuequix.world.xerox.com/ValueQuiX/deployment/active/InstallerLib.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37603.3982523148
    O16 - DPF: {B2B03346-25D9-11D4-8090-00805F478EDD} (SU_Downloader.Downloader) - http://xww.valuequix.world.xerox.com/ValueQuiX/deployment/active/Downloader.CAB
    O16 - DPF: {C7AB4318-5D89-11D4-829B-00C04F7CD0A0} (SmartUpdate.CLaunch) - http://xww.valuequix.world.xerox.com/ValueQuiX/deployment/active/SmartUpdate.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E15AA241-12C9-11D4-ABFD-005004B4382E} (AnalyzerToolsLib.Tools) - http://xww.valuequix.world.xerox.com/ValueQuiX/deployment/active/AnalyzerToolsLib.CAB
    O16 - DPF: {E82ECBB3-12D5-11D4-ABFD-005004B4382E} (Global Multi-Use client object. Encapsulates all client-side functionality for Analyzer component.) - http://xww.valuequix.world.xerox.com/ValueQuiX/deployment/active/AnalyzerClientLib.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{88E742E0-AD12-4405-A980-F82C76E6A443}: NameServer = 13.252.44.5,13.252.44.4
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AB9DE422-C0CC-4E52-AFCA-39B6F1C5FAD8}: NameServer = 209.102.191.22,209.102.191.23
     
  2. Shadowwar

    Shadowwar Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    305
    Please close all windows and internet explorers. Check mark the following items only in Hijackthis.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
    O1 - Hosts: 3466690378 view.atdmt.com
    O1 - Hosts: 3466690378 click.atdmt.com
    O1 - Hosts: 3466690378 leader.linkexchange.com


    Click the fix button. Close hijackthis.

    Reboot and show hidden files and folders per the link in my signature.
    Please delete the following files or folders.

    Files:

    Folders:



    Run a new log and post it here
     
  3. gd196241

    gd196241 Guest

    Get to yahoo.co.uk. (use a search in the google bar if necessary)

    1/3 down that page is a link
    "Make Yahoo! UK & Ireland your homepage"

    Click and hey presto this is now yoru homepage and not C:WINNT\Secure

    Once this is done, yahoo.co.uk opens as the homepage every time.

    I assume yahoo.com will be the same.

    Gary
     
Thread Status:
Not open for further replies.