c:\windows\secure.html


4 replies to this topic

#1 confused2004


Posted 27 July 2004 - 02:26 AM

My PC is infected with c:\windows\secure.html. Won't go.

This is the log from HijackThis. Please help.
StartupList report, 7/27/2004, 12:18:48 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Administrator\Desktop\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\tmlisten.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\atiptaxx.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Windows\System32\ltmsg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\System32\ctfmon.exe
C:\Palm\hotsync.exe
C:\Program Files\Shoreline Communications\ShoreWare Client\STCLogin.exe
C:\Windows\System32\taskmgr.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
HotSync Manager.lnk = C:\Palm\hotsync.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIModeChange = Ati2mdxx.exe
AtiPTA = atiptaxx.exe
eabconfg.cpl = C:\Program Files\Compaq\EAB\EabServr.exe /Start
hkss = C:\Program Files\Compaq\Hotkey Software\hkss.exe
Cpqset = c:\compaq\cpqsetup\cpqset.exe
LTWinModem1 = ltmsg.exe 9
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
OfficeScanNT Monitor = "C:\OfficeScan NT\pccntmon.exe"
WG511WLU = C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\Windows\System32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\Windows\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[{205FF73B-CA67-11D5-99DD-444553540000}]
CODEBASE = https://www.webconfe...all/Install.cab

[Yahoo! Audio Conferencing]
InProcServer32 = C:\WINDOWS\DOWNLO~1\yacscom.dll
CODEBASE = http://us.chat1.yimg...v45/yacscom.cab

[Quicksilver Class]
CODEBASE = http://scpwka.ops.pl...quicksilver.cab

[InforbitHelper Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IFHelper.dll
CODEBASE = http://download.info...in/ifhelper.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[webconference.Encoder]
CODEBASE = https://www.webconfe...nceV5.1.239.CAB

[MediaTicketsInstaller Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\MEDIAT~1.OCX
CODEBASE = http://www.mt-downlo...tsInstaller.cab

[Shockwave Flash Object]
InProcServer32 = C:\Windows\System32\macromed\flash\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

[GpcContainer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ieatgpc.dll
CODEBASE = http://extreme.webex...bex/ieatgpc.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\Windows\system32\SHELL32.dll
CDBurn: C:\Windows\system32\SHELL32.dll
WebCheck: C:\Windows\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
System: C:\Windows\system32\system32.dll

--------------------------------------------------
End of report, 5,924 bytes
Report generated in 0.080 seconds

Thank you

#2 PGPhantom


Posted 27 July 2004 - 08:55 PM

  • Double click on "My Computer" to open it.
  • Double click on the local "C-Drive" to open it.
  • Click on "File" => "New Folder" and name it HJT. i.e. The folder will be C:\HJT.
  • Please download HijackThis from any of the following locations:
  • Install/Unzip it into C:\HJT.
  • Only run HijackThis from C:\HJT\HijackThis.exe. That way we can ensure that we have the backup files available in the event that they are needed.
  • Run HijackThis, click on scan and wait for the scan to finish.
  • The "Scan" button will change to "Save Log", click on it and simply press "Save" on the window that will appear.
  • Notepad will open with a copy of the log.
    • Click on "Edit" => "Select All".
    • Click on "Edit" => "Copy". This will copy the contents of the Notepad instance to the clipboard.
  • Please post your entire log here for analysis.


#3 confused2004


Posted 28 July 2004 - 01:37 AM

OK. But what was wrong with the log I posted there?

#4 PGPhantom


Posted 28 July 2004 - 01:39 AM

That is not the log I need - Can you follow the instructions??

#5 cnm


Posted 31 July 2004 - 06:06 PM

You posted a Startup List. Follow the directions PGPhantom gave to post the HijackThis log instead. :)

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)