Jump to content


Photo

secure.html replicates BEFORE I reboot


  • Please log in to reply
1 reply to this topic

#1 osmosis

osmosis

    Member

  • New Member
  • Pip
  • 2 posts

Posted 11 July 2004 - 01:07 AM

I've run adaware, my antivirus from Trend Micro, and the Bazooka spyware all with current versions & updates. I've followed the instructions at spywareinfo (thanks!) and at Symantec and at TrendMicro.

Thanks for hijackthis - it beats heck out of regedit which I used a good part of today... and hijack does so much more! Even so, I can't get rid of this Trojan. I delete the hosts entries, I delete the bad files, and I use Hijack to delete the MSIE entries... but as my title says, they come BACK BEFORE I reboot!

I do not see any bad entries in my resident program list. I've used your links to check them all out and they all appear valid. I'm embarrased to admit how many HOURS I've spent on this.

I also cannot get into control panel and it's also blocking me from normal Windows explorer. Thank goodness I have a home network! and can use another machine to browse, download and use windows explorer on my "bad" machine.

Here is the Hijack listing from AFTER the Secure.html replicated. If you want to see the list that shows those entries GONE, let me know. Something must be running that is resetting them.

Logfile of HijackThis v1.98.0
Scan saved at 12:49:54 AM, on 7/11/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\DOWNLOADEDFILES\SPECIFIC SOFTWARE\MISCVIRUSETC\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O20 - AppInit_DLLs: APITRAP.DLL
O21 - SSODL: System - {52CC0E40-D1FF-11D8-846A-0050BACA191C} - C:\WINDOWS\system32\system32.dll

any help would be greatly appreciated. I'm at the end of my ability to move forward on this.

Brent

Edited by osmosis, 11 July 2004 - 08:32 AM.


#2 osmosis

osmosis

    Member

  • New Member
  • Pip
  • 2 posts

Posted 11 July 2004 - 08:29 AM

Great news! I got this FIXED.

I found the solution at http://www.lavasofts...showtopic=32531

via a Google search, not because I was in that forum. The KEY (in their case and in mine) is the file system32.dll which you must delete AFTER turning off the resident program Explorer.exe

After getting this stopped, I was able to follow the normal steps outlined at THIS site. Deleting the secure.html entries and other related files, getting rid of the HOSTS entries, etc as described in the
Primary instructions: http://www.spywarein...jacked/#removal

This fixed everything, including I now can run control panel and windows explorer with no problem.

B




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button