Home page hijacked - secure32

 
12-01-2004, 05:41 PM   #1   JET

Home page hijacked - secure32

Explorer Home Page being hijacked and redirected to SECURE32.HTML. Can't
seem to get rid of it. Just purchased and ran Norton Virus but doesn't fix
it.



12-01-2004, 06:12 PM   #2   YoKenny

Re: Home page hijacked - secure32

JET wrote:
> Home page hijacked - secure32
>
> Explorer Home Page being hijacked and redirected to SECURE32.HTML.
> Can't seem to get rid of it. Just purchased and ran Norton Virus but
> doesn't fix it.


Google is your friend:
http://computercops.biz/postt10732.html

You need to run HijackThis and post your log there as there could be several
variations of this pest.
Please download HijackThis into a C:\HJT folder you create for this and unzip
it there.
http://www.merijn.org/files/hijackthis.zip

Run it and click on Scan.
Let it run to completion.

Do not remove anything in there yet as not all items are bad.

Then when it is finished click on Save log.
A screen will pop up with Save logfile... Click on Save.
Notepad will open up.
This is the full log that is needed and use Ctrl-a to mark all then Ctrl-c
to copy and create a new topic in that forum and Ctrl+V to paste the contents
into the topic.



12-01-2004, 07:47 PM   #3   JET

Re: Home page hijacked - secure32

Log results from running hijackthis startuplist. Any comments on which lines
are problems greatly appreciated.
=================
StartupList report, 1/12/2004, 2:36:10 PM
StartupList version: 1.52
Started from : C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v5.50 (5.50.4134.0100)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MSTASKM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\STARTEAK.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\REG32.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\WINHLP32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
CPQInet = c:\compaq\CPQInet\CpqInet.exe
MotiveMonitor = C:\Program Files\Motive\motmon.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
CPQEASYACC = C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
EACLEAN = C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
ATTBroadbandUpdate = C:\Program Files\AT&T\BBClient\Programs\SAUpdate.exe
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe
SYSTEMBOOTHIDEPLAYER
Winsock2 driver = WINCFG.SCR
DxLoad = C:\WINDOWS\DX3DRndr.exe
Tapicfg.exe = \tapicfg.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
WebScan = C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
Reg32 = C:\WINDOWS\reg32.exe
Symantec Core LC = C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
NAV CfgWiz = C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
zSPGuard = c:\program files\pjw\spguard\spguard.exe /s

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
SVC Socks = C:\WINDOWS\SYSTEM\mstaskm.exe
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ccSetMgr = "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\WINDOWS\SYSTEM\mstaskm.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 12/1/2004, 13:45:6)

[Rename]
NUL=C:\WINDOWS\SYSTEM\MSCRLREV.DLL
C:\WINDOWS\SYSTEM\MSCRLREV.DLL=C:\WINDOWS\SYSTEM\SETD053.TMP

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WINDOWS\SYSTEM

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRAM FILES\AT&T\BBCLIENT\PROGRAMS\SABHO.DLL - {058FC709-D5CD-4A95-92DB-59E6488ECDA4}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

PCHealth Scheduler for Data Collection.job
Tune-up Application Start.job
Registration reminder 1.job
Registration reminder 2.job
Registration reminder 3.job
Symantec NetDetect.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://fpdownload.macromedia.com/pu...ash/swflash.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AVSNIFF.DLL
CODEBASE = http://security.symantec.com/sscv6/...bin/AvSniff.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
CODEBASE = http://security.symantec.com/sscv6/...n/bin/cabsa.cab

[ActiveDataObj Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACTIVEDATA.DLL
CODEBASE = https://www-secure.symantec.com/tec.../ActiveData.cab

[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SYMADATA.DLL
CODEBASE = https://www-secure.symantec.com/tec...ta/SymAData.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

--------------------------------------------------
End of report, 7,448 bytes
Report generated in 0.648 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
=================





12-01-2004, 09:51 PM   #4   YoKenny

Re: Home page hijacked - secure32

JET wrote:
> Log results from running hijackthis startuplist. Any comments on
> which lines are problems greatly appreciated.


The startuplist is not required at this point just the scan logfile.
http://mjc1.com/mirror/hjt/ more help.

You have a trojan:
BKDR_SPYBOT.A
http://de.trendmicro-europe.com/ent...e=BKDR_SPYBOT.A

Online virus scan:
http://housecall.trendmicro.com

> =================
> StartupList report, 1/12/2004, 2:36:10 PM

<snip>

> C:\WINDOWS\REG32.EXE
> Winsock2 driver = WINCFG.SCR <== trojan
> Reg32 = C:\WINDOWS\reg32.exe <== malware


--
YoKenny


13-01-2004, 01:56 AM   #5   taff

Re: Home page hijacked - secure32

As a matter of interest, how did you deduce this? Where was it in the
log?

Taff............

On Mon, 12 Jan 2004 21:51:32 GMT, "YoKenny" <YKnot@home.invalid>
wrote:

>JET wrote:
>> Log results from running hijackthis startuplist. Any comments on
>> which lines are problems greatly appreciated.

>
>The startuplist is not required at this point just the scan logfile.
>http://mjc1.com/mirror/hjt/ more help.
>
>You have a trojan:
>BKDR_SPYBOT.A
>http://de.trendmicro-europe.com/ent...e=BKDR_SPYBOT.A
>
>Online virus scan:
>http://housecall.trendmicro.com
>
>> =================
>> StartupList report, 1/12/2004, 2:36:10 PM

><snip>
>
>> C:\WINDOWS\REG32.EXE
>> Winsock2 driver = WINCFG.SCR <== trojan
>> Reg32 = C:\WINDOWS\reg32.exe <== malware

www.sounds-pa.com | www.thecomputerworkshop.com

13-01-2004, 03:24 AM   #6   Heather

Re: Home page hijacked - secure32

Ditto......I went thru that one and didn't see it......he posted the
wrong log.

Heather

"taff" <taff@the-valleys.com> wrote in message
news:60k600tegeopg9ei95u3ljsqefqd5029tk@4ax.com...
> As a matter of interest, how did you deduce this, where was it in the
> log.
>
> Taff............


13-01-2004, 06:18 AM   #7   mzlindyone@aol.comx

Re: Home page hijacked - secure32

On Mon, 12 Jan 2004 19:47:32 GMT, "JET" <jetconsulting@attbi.com>
wrote:

>Autorun entries from Registry:
>HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[...]
>Winsock2 driver = WINCFG.SCR


Probable Spybot variant

>DxLoad = C:\WINDOWS\DX3DRndr.exe


Probable SWEN worm

>Tapicfg.exe = \tapicfg.exe


Coolwebsearch

>Autorun entries from Registry:
>HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

[...]
>SVC Socks = C:\WINDOWS\SYSTEM\mstaskm.exe


>--------------------------------------------------
>
>Load/Run keys from C:\WINDOWS\WIN.INI:
>
>load=
>run=C:\WINDOWS\SYSTEM\mstaskm.exe


Coolwebsearch

For Spybot and Swen, I'd recommend Trojan Remover
http://www.simplysup.com/tremover/
That may also remove coolwebsearch, but if so it's calling it by
another name.

Otherwise for Coolwebsearch - CWShredder from
http://www.spywareinfo.com/~merijn/downloads.html

Did you *update* Norton after you installed it? Of course Swen would
have been trying to disable it...

Carol
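The entries YoKenny and Carol single out share traits that can be checked mechanically, and the Python below is an added example (not code from this thread, from HijackThis or from any vendor) that does so over a constructed sample in the StartupList format posted above. It parses the Run, RunServices and WIN.INI sections and flags the screensaver loaded as a "driver", the root-relative tapicfg path and the mstaskm.exe look-alike; the DxLoad entry stays unflagged, which shows the limit of path heuristics alone. KNOWN_STEMS and the flag texts are my assumptions, not a published list.

```python
from os.path import basename, splitext
# Constructed sample in the shape of the StartupList report posted above.
SAMPLE_REPORT = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
Winsock2 driver = WINCFG.SCR
Tapicfg.exe = \tapicfg.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
SchedulingAgent = mstask.exe
SVC Socks = C:\WINDOWS\SYSTEM\mstaskm.exe
Load/Run keys from C:\WINDOWS\WIN.INI:
load=
run=C:\WINDOWS\SYSTEM\mstaskm.exe
"""
# Assumed stems of legitimate Win9x binaries; catches one-char look-alikes (mstaskm vs mstask).
KNOWN_STEMS = {"mstask", "scanregw", "taskmon", "systray", "explorer", "rundll32"}

def parse_startups(report):
    """Yield (section, name, value) from the Run/RunServices and WIN.INI sections."""
    section = None
    for line in (raw.strip() for raw in report.splitlines()):
        if line.startswith("Autorun entries from Registry:"):
            section = "pending"                          # next line is the key path
        elif section == "pending" and line:
            section = line.rsplit("\\", 1)[-1]           # "Run" or "RunServices"
        elif line.startswith("Load/Run keys from"):
            section = line.split("\\")[-1].rstrip(":")   # "WIN.INI"
        elif line.endswith(":") or line.startswith("-----"):
            section = None                               # unrelated report section
        elif section and "=" in line:
            name, value = line.split("=", 1)
            yield section, name.strip(), value.strip()

def triage(entries):
    """Map (section, name) to the reasons an entry deserves a second look."""
    findings = {}
    for section, name, value in entries:
        # Program launched: the quoted path if present, else the first word.
        prog = value[1:].split('"', 1)[0] if value.startswith('"') else (value.split() or [""])[0]
        if not prog:                                     # empty load=/run= is normal
            continue
        stem, ext = splitext(basename(prog.replace("\\", "/")).lower())
        lookalike = stem not in KNOWN_STEMS and stem[:-1] in KNOWN_STEMS
        reasons = [why for hit, why in (
            (section == "WIN.INI", "legacy WIN.INI load=/run= key is populated"),
            (ext == ".scr", "screensaver (.scr) launched from an autorun key"),
            (prog.startswith("\\"), "root-relative path with no drive letter"),
            (lookalike, "one-character look-alike of a system binary name"),
        ) if hit]
        if reasons:
            findings[(section, name)] = reasons
    return findings
```

Call `triage(parse_startups(SAMPLE_REPORT))` to get the flagged entries; the result says which lines to look up, not whether any of them is malicious.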

