Problems with Winnt/secure.html start up page.

Discussion in 'adware, spyware & hijack cleaning' started by robertinho7, Mar 9, 2004.

Thread Status:
Not open for further replies.
  1. robertinho7

    robertinho7 Guest

    Hi! I ran Ad-Aware and SpyBot but they couldnt fix the start up page in IExplorer. Here I'm posting my HijackThis log, Thanks in advance!

    Logfile of HijackThis v1.97.7
    Scan saved at 23:04:48, on 09/03/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
    C:\WINNT\system32\drivers\dcfssvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\Archivos de programa\Terra ASDL Plus\CnxDslTb.exe
    C:\WINNT\loadqm.exe
    C:\Archivos de programa\Analog Devices\SoundMAX\Smtray.exe
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
    C:\WINNT\reg32.exe
    C:\WINNT\System32\RUNDLL32.EXE
    C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
    D:\Microsoft Visual Studio\Common\MSDev98\Bin\MSDEV.EXE
    D:\eMule\eMule.exe
    C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
    C:\Archivos de programa\Winamp\winamp.exe
    C:\ARCHIV~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Rob\Configuración local\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Archivos de programa\Terra ASDL Plus\CnxDslTb.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Smapp] C:\Archivos de programa\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - HKLM\..\Run: [Reg32] C:\WINNT\reg32.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38003.6132638889
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A0EBD2B5-2915-4BD5-B04B-C371D5D892DF}: NameServer = 195.235.113.3,195.235.96.90
     
  2. robertinho7

    robertinho7 Guest

    I think I manage to fix the problem, I had a look at that sys.reg file and deleted al registry keys and files related to that. It seems to be fixed, but I could have other problems. By the way, how can I avoid this kind of spybot in the future? Thx
     
  3. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hi robertinho,

    would you please post Hijack log again, as its not that easy to handle these malwares. To be on safe side, reviewal of your Hijack log would be helpful.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    If you did not fix and delete reg32.exe the hijack will be back.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.