problems with homepage virus

Discussion in 'adware, spyware & hijack cleaning' started by rosticg, Feb 17, 2004.

Thread Status:
Not open for further replies.
  1. rosticg

    rosticg Registered Member

    Joined:
    Feb 17, 2004
    Posts:
    3
    Hi,

    I have a virus that opens C://WINNT/secure.html whenever I open IE. I dlded adaware and hijackthis, and got the log file. If you could please help that would be great. THanks

    Logfile of HijackThis v1.97.7
    Scan saved at 12:02:58 AM, on 2/17/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
    C:\Program Files\Common files\updater\wupdater.exe
    C:\WINNT\reg32.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\temp\hijackthis.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINNT\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.windowws.cc/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.windowws.cc/sp.htm?id=9
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?100 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.windowws.cc/sp.htm?id=9
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?100 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINNT\system32\searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://out.true-counter.com/b/?100 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?100 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?100 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://out.true-counter.com/c/?100 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e-plus.cc/search.php?aff_id=46&keyword=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?100 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?100 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\system32\searchbar.html
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINNT\hh.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
    O4 - HKLM\..\Run: [Internat Conf] C:\WINNT\System32\bootconf.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
    O4 - HKCU\..\Run: [iedll] C:\WINNT\iedll.exe
    O4 - HKCU\..\Run: [loader] C:\WINNT\loader.exe
    O4 - HKCU\..\Run: [ibh7svt7p6] C:\WINNT\12yyiasx5p.exe
    O4 - HKCU\..\Run: [vrc1rdck5f] C:\WINNT\1xthhrt04e.exe
    O4 - HKCU\..\Run: [ltsvnsl8k5] C:\WINNT\12yyiasx5p.exe
    O4 - HKCU\..\Run: [zk6zc1p9p7] C:\WINNT\wr5np3ouak.exe
    O4 - HKCU\..\Run: [2m8174oehw] C:\WINNT\1xthhrt04e.exe
    O4 - HKCU\..\Run: [jnwft9p4f2] C:\WINNT\lciz6bgzfa.exe
    O4 - HKCU\..\Run: [xsci8yi7by] C:\WINNT\l06baccvoa.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O9 - Extra button: AIM (HKLM)
    O15 - Trusted Zone: *.msn.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DD44E779-4EB6-44A9-833C-F496C3D410B1}: NameServer = 192.168.1.1
    O19 - User stylesheet: C:\WINNT\Web\oslogo.bmp
    O19 - User stylesheet: C:\WINNT\default.css (HKLM)
     
  2. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hi rosticg,

    welcome to wilders , :)

    please download CWShredder , unzip the program, close all other windows except CWShredder, run FIX.

    reboot your computer and post a fresh Hijack log

    thx

    Updated version CWShredder - Pieter
     
  3. rosticg

    rosticg Registered Member

    Joined:
    Feb 17, 2004
    Posts:
    3
    Hi Subratam,

    First of all thanks for trying to help me out regardless of what the results will be. Did what you told me. Here's the new log. Thanks

    Logfile of HijackThis v1.97.7
    Scan saved at 10:25:14 AM, on 2/17/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
    C:\Program Files\Common files\updater\wupdater.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\temp\hijackthis.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINNT\hh.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKCU\..\Run: [vrc1rdck5f] C:\WINNT\12yyiasx5p.exe
    O4 - HKCU\..\Run: [zk6zc1p9p7] C:\WINNT\wr5np3ouak.exe
    O4 - HKCU\..\Run: [xsci8yi7by] C:\WINNT\l06baccvoa.exe
    O4 - HKCU\..\Run: [csomtndn8n] C:\WINNT\1xthhrt04e.exe
    O4 - HKCU\..\Run: [a1sh8l3peb] C:\WINNT\lciz6bgzfa.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DD44E779-4EB6-44A9-833C-F496C3D410B1}: NameServer = 192.168.1.1
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi rosticg,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINNT\hh.dll

    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKCU\..\Run: [vrc1rdck5f] C:\WINNT\12yyiasx5p.exe
    O4 - HKCU\..\Run: [zk6zc1p9p7] C:\WINNT\wr5np3ouak.exe
    O4 - HKCU\..\Run: [xsci8yi7by] C:\WINNT\l06baccvoa.exe
    O4 - HKCU\..\Run: [csomtndn8n] C:\WINNT\1xthhrt04e.exe
    O4 - HKCU\..\Run: [a1sh8l3peb] C:\WINNT\lciz6bgzfa.exe

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab

    Then reboot and delete:
    C:\Program Files\INCREDIFIND <= entire folder
    C:\Program Files\Common files\updater\wupdater.exe
    C:\WINNT\12yyiasx5p.exe
    C:\WINNT\wr5np3ouak.exe
    C:\WINNT\l06baccvoa.exe
    C:\WINNT\1xthhrt04e.exe
    C:\WINNT\lciz6bgzfa.exe
    C:\WINNT\secure.html

    Regards,

    Pieter
     
  5. rosticg

    rosticg Registered Member

    Joined:
    Feb 17, 2004
    Posts:
    3
    Hi,

    Well it seems like everything is ok. Thank you soo soo much, it was really a pain. If anything stops working again, I'll put up another reply, but otherwise, thank you for all the help. Rosticg
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Glad we could help. :)

    Pieter
     
Thread Status:
Not open for further replies.