[Solved] Hijacked by C:/windows/secure.html HELP!

Discussion in 'adware, spyware & hijack cleaning' started by jorgk, Jul 15, 2004.

Thread Status:
Not open for further replies.
  1. jorgk

    jorgk Registered Member

    Joined:
    Jul 15, 2004
    Posts:
    2
    Hi to the Wilders Sec Forum!

    HELP NEEDED: I have been hijacked by a secure.html. Every time I use IE, it goes to a blue screen, on which there are links to e-shredder.com. If I try to close that window, a porn site pops up which is nasty to close.
    I tried Ad Aware, Spybot and PC Cillin, nothing works.
    Here is my HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 15:03:13, on 15.07.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\spoolsv.exe
    C:\Altiris\AClient\AClient.exe
    C:\Windows\System32\alg.exe
    C:\Windows\System32\Ati2evxx.exe
    C:\Windows\Cpqdiag\Cpqdfwag.exe
    C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
    C:\Windows\Explorer.EXE
    C:\Programme\QuickTime\qttask.exe
    C:\Windows\System32\ltmsg.exe
    C:\Programme\iTunes\iTunesHelper.exe
    C:\Programme\iPod\bin\iPodService.exe
    C:\Windows\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Windows\System32\bcmwltry.exe
    C:\Windows\System32\atiptaxx.exe
    C:\Windows\System32\spwjzdxl.exe
    C:\Windows\System32\ctfmon.exe
    C:\Programme\Trend Micro\Internet Security\tmproxy.exe
    C:\Programme\Trend Micro\Internet Security\PccPfw.exe
    C:\Programme\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Programme\Trend Micro\Internet Security\PCClient.EXE
    C:\Programme\Trend Micro\Internet Security\PCCGUIDE.EXE
    C:\Programme\Trend Micro\Internet Security\TMOAgent.exe
    C:\Programme\Yahoo!\Messenger\YPager.exe
    C:\Dokumente und Einstellungen\jkrahnert\Desktop\AntiViren SW\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\Windows\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\Windows\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\Windows\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\Windows\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\secure.html
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
    O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Programme\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Programme\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Programme\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
    O4 - Startup: NoPopUp 2001.lnk.disabled

    THANKS FOR ANY HELP!

    Jorg K.
     
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Re: Hijacked by C:/windows/secure.html HELP!

    Hi jorgk

    Pls. save your HJT into its OWN folder - like C:\HIjackThis.

    Download cwshredder here. Close all browser windows and click on the fix/next button.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click "Fix checked":

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\Windows\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\Windows\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\Windows\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\Windows\secure.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\secure.html
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)


    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following item:

    C:\Windows\secure.html

    Then reboot and use AdAware as described: HERE

    Then use the Disk Cleanup Utility to empty all your Temp folders.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Problem gone?
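
The entries selected for fixing in the post above can also be picked out of a HijackThis log by a short script. This is an added example, not part of the original thread; the two heuristics it applies (Internet Explorer page values that point at a local file instead of a web address, and BHO entries whose file is missing) are assumptions about why those lines stand out, and the sample lines are copied from the log posted here.

```python
import re

# Constructed sample: a subset of the log lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\Windows\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\Windows\secure.html
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")              # "R0 - ...", "O2 - ..."
REG_VALUE = re.compile(r"^(HK[A-Z]+)\\([^,]+),(.+?) = (.*)$")  # hive\key,value = data
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
LOCAL_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|file:)", re.I)    # drive path or file: URL


def review(log_text):
    """Return findings for IE page hijacks and orphaned BHO entries."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header lines, process list, blank lines
        code, rest = m.groups()
        if code in ("R0", "R1"):
            r = REG_VALUE.match(rest)
            # Heuristic (assumption): a browser page setting should be a web
            # address, not a file on the local disk.
            if r and LOCAL_PATH.match(r.group(4).strip()):
                findings.append({"code": code, "reason": "ie-page-local-file",
                                 "hive": r.group(1), "value": r.group(3),
                                 "data": r.group(4).strip()})
        elif code == "O2":
            b = BHO.match(rest)
            # Heuristic (assumption): a BHO registration with no file behind
            # it is a leftover that can be removed.
            if b and b.group(3).strip() == "(no file)":
                findings.append({"code": code, "reason": "bho-no-file",
                                 "clsid": b.group(2)})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f)
```
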
     
  3. jorgk

    jorgk Registered Member

    Joined:
    Jul 15, 2004
    Posts:
    2
    Re: Hijacked by C:/windows/secure.html HELP!

    Dear Marianna

    Done it all and it worked!!! *THANK YOU*THANK YOU*THANK YOU*

    If I weren't so poor, I'd send you a bottle of champagne every year for your birthday :)

    You guys are saints!
     
  4. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Re: Hijacked by C:/windows/secure.html HELP!

    Hi jorgk

    SUPER - great job !

    Glad we could help :)

    Also here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.

    Happy Safe Computing :)
     