winnt/secure.html homepage

Discussion in 'adware, spyware & hijack cleaning' started by Barrryy, Mar 9, 2004.

Thread Status:
Not open for further replies.
  1. Barrryy

    Barrryy Guest

    When the computer is turned on, there are 3 messages that pop up: 'Precision time.lnk', 'Date manager.lnk' and 'Gstartup.lnk'. After closing each of those and attempting to go to Internet Explorer, a blue screen appears and says "Detected spyware system error #384".

    Logfile of HijackThis v1.97.7
    Scan saved at 3:10:46 PM, on 3/9/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\gearsec.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Program Files\Kerio\Personal Firewall\persfw.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\admin.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\WINNT\System32\LXSUPMON.EXE
    C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\unzipped\hijackthis1977[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://my-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my-find.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my-find.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {f760cb9e-c60f-4a89-890e-fae8b849493e} - C:\WINNT\madise.dll (file missing)
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
    O4 - HKLM\..\Run: [rundll134] C:\WINNT\SYSTEM32\RMTCFG\hidden32.exe C:\WINNT\SYSTEM32\RMTCFG\uns\rmtcfg.exe
    O4 - HKLM\..\Run: [rundll946] C:\WINNT\SYSTEM32\RMTCFG\hidden32.exe C:\WINNT\SYSTEM32\RMTCFG\uns\secure.bat
    O4 - HKLM\..\Run: [WindowEnhancer] "C:\Program Files\WindowEnhancer\v1\WindowEnhancer.EXE" /U
    O4 - HKLM\..\Run: [Sec_Admin] C:\WINNT\system32\admin.exe /start /silence
    O4 - HKLM\..\Run: [NetworkStartup] net share IPC$ /delete /yes
    O4 - HKLM\..\Run: [Protec_Store] C:\WINNT\system32\CSRSSSS.EXE protect.bat
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [System Service] C:\WINNT\System32\msrexe.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
    O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &AroundWeb Search - res://C:\Program Files\AroundWeb\awtoolb.dll/MENUSEARCH.HTM
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38028.3160300926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} (IRDIXAObj Class) -

    Thanks a ton for your assistance in fixing my computer. I appreciate your time.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Barrryy,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://my-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my-find.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my-find.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {f760cb9e-c60f-4a89-890e-fae8b849493e} - C:\WINNT\madise.dll (file missing)

    O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)

    O4 - HKLM\..\Run: [rundll134] C:\WINNT\SYSTEM32\RMTCFG\hidden32.exe C:\WINNT\SYSTEM32\RMTCFG\uns\rmtcfg.exe
    O4 - HKLM\..\Run: [rundll946] C:\WINNT\SYSTEM32\RMTCFG\hidden32.exe C:\WINNT\SYSTEM32\RMTCFG\uns\secure.bat
    O4 - HKLM\..\Run: [WindowEnhancer] "C:\Program Files\WindowEnhancer\v1\WindowEnhancer.EXE" /U

    O4 - HKLM\..\Run: [NetworkStartup] net share IPC$ /delete /yes

    O4 - HKLM\..\Run: [System Service] C:\WINNT\System32\msrexe.exe

    O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
    O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

    O8 - Extra context menu item: &AroundWeb Search - res://C:\Program Files\AroundWeb\awtoolb.dll/MENUSEARCH.HTM

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab

    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} (IRDIXAObj Class) -

    Then download, unzip and run: CWShredder.exe
    Use the Fix button and follow the instructions you will receive.

    Then reboot into safe mode
    and delete:
    C:\WINNT\secure.html
    C:\WINNT\SYSTEM32\RMTCFG\uns <= entire folder
    C:\Program Files\WindowEnhancer <= entire folder
    C:\WINNT\System32\msrexe.exe
    C:\Program Files\PrecisionTime <= entire folder
    C:\Program Files\Date Manager <= entire folder
    C:\Program Files\Common Files\GMT <= entire folder

    Then these I can't find anything about. They don't look very promising, especially since we already found three trojans.

    O4 - HKLM\..\Run: [Sec_Admin] C:\WINNT\system32\admin.exe /start /silence
    O4 - HKLM\..\Run: [Protec_Store] C:\WINNT\system32\CSRSSSS.EXE

    I would advise fixing those two if you don't know where they came from and send
    C:\WINNT\system32\admin.exe
    C:\WINNT\system32\CSRSSSS.EXE
    to the address in my profile.

    Regards,

    Pieter
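As an added illustration (not code from this thread or from HijackThis), the following Python triage pass runs over a constructed subset of the log quoted above and encodes the kinds of signals Pieter acted on: IE start and search pages pointing at a local file or an unfamiliar host, hooks whose file is missing, Run entries that launch a batch file, a second executable or a `net` command, and ActiveX downloads with no class name or no source URL. The list of default IE hosts is an assumption.

```python
import re
# Constructed sample: a subset of the HijackThis 1.97 lines quoted in the thread above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my-find.com/sp.htm
O2 - BHO: (no name) - {f760cb9e-c60f-4a89-890e-fae8b849493e} - C:\WINNT\madise.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [rundll946] C:\WINNT\SYSTEM32\RMTCFG\hidden32.exe C:\WINNT\SYSTEM32\RMTCFG\uns\secure.bat
O4 - HKLM\..\Run: [NetworkStartup] net share IPC$ /delete /yes
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} (IRDIXAObj Class) -
"""

DEFAULT_HOSTS = {"www.msn.com", "search.msn.com", "www.microsoft.com"}  # assumed IE 5 defaults
ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

def check_entry(sec, body):
    """Return a reason string if the entry deserves a closer look, else None."""
    if sec in ("R0", "R1") and " = " in body:
        value = body.split(" = ", 1)[1].strip()
        if re.match(r"^[A-Za-z]:\\", value):
            return "IE page points at a local file"
        host = re.sub(r"^https?://", "", value).split("/", 1)[0].lower()
        if host not in DEFAULT_HOSTS:
            return "IE page redirected to " + host
    if sec in ("O2", "O3") and ("(file missing)" in body or "(no file)" in body):
        return "hook registered but its file is gone (orphaned entry)"
    if sec == "O4":
        cmd = body.split("] ", 1)[-1]  # everything after the [entry name]
        if re.match(r"net\s", cmd, re.I):
            return "autorun entry runs a net command instead of a program"
        if re.search(r"\.bat\b", cmd, re.I) or cmd.lower().count(".exe") >= 2:
            return "autorun entry launches a script or a second executable"
    if sec == "O16":
        if not re.search(r"\([^)]+\)", body):
            return "ActiveX download with no class name"
        if body.rstrip().endswith("-"):
            return "ActiveX download with no source URL"
    return None

def triage(log_text):
    """Walk a HijackThis log and return (section, reason, line) for flagged entries."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m and (reason := check_entry(m["sec"], m["body"])):
            hits.append((m["sec"], reason, line.strip()))
    return hits
```

Entries the heuristics pass (such as the IgfxTray line) still need the usual check against known-good vendor paths; the output is a shortlist, not a verdict.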