Please Help With C:\WINDOWS\secure.html!!!

7 replies to this topic

#1 epix12000

Posted 12 June 2004 - 11:41 PM

If someone could help me I would really appreciate it. My computer's home page has been hijacked and now it goes to C:\WINDOWS\secure.html. I tried to change it back in Internet Options and it keeps reverting back to the secure.html page. Below is my HijackThis log. I appreciate ANY help I can get. THANKS

Logfile of HijackThis v1.97.7
Scan saved at 11:37:28 PM, on 6/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [WorksFUD] c:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
O4 - HKLM\..\Run: [Gjp9vc.exe] C:\WINDOWS\TEMP\GJP9VC.EXE
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Define - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8123.4647800926
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: Showbiz Slots 2 by pogo - http://showbiz2.pogo...2-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo....r-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game5.pogo.co...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweet06.pogo....h-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.po...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pog...k-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: Jokers Wild Poker by pogo - http://vpjoke.pogo.c...d-ob-assets.cab
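
The log above is what the helpers later in the thread read by eye. As an added example (editor's code, not from any poster and not part of HijackThis), here is a small triage script that applies two of the signals they use: an IE start/search/local page set to a file on disk rather than a URL, and an O4 autorun launched from a TEMP directory or from \system32\config (the registry hive directory, where no program legitimately lives). The sample log is constructed from a handful of lines of the post above; the truncated "..." URLs are left exactly as the forum shows them.

```python
import re

# Constructed sample: a few lines in HijackThis 1.x log format, copied from the
# log posted above (the truncated "..." URLs are exactly as the forum shows them).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Gjp9vc.exe] C:\WINDOWS\TEMP\GJP9VC.EXE
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""

# Every HJT entry looks like "R0 - <body>", "O4 - <body>", and so on.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# A drive-letter path or file:/// URL: the browser is being sent to a file on disk.
LOCAL_URL_RE = re.compile(r"^(?:[A-Za-z]:\\|file:///)", re.IGNORECASE)
# O4 body: "HKLM\..\Run: [Name] command line"
AUTORUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")


def parse_hjt(text):
    """Return (kind, body, raw_line) for every recognised HJT entry."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body"), raw.strip()))
    return entries


def triage(text):
    """Return [(raw_line, reason)] for entries worth a closer look.

    The heuristics are deliberately simple: an IE page setting that points at
    a local file, and autoruns from places where programs do not normally live.
    """
    findings = []
    for kind, body, raw in parse_hjt(text):
        if kind in ("R0", "R1"):
            setting, _, value = body.partition(" = ")
            if LOCAL_URL_RE.match(value.strip()):
                name = setting.rsplit(",", 1)[-1]       # e.g. "Start Page"
                findings.append((raw, "IE '%s' points at a local file" % name))
        elif kind == "O4":
            m = AUTORUN_RE.search(body)
            if not m:
                continue
            cmd = m.group("cmd").lower()
            if "\\temp\\" in cmd:
                findings.append((raw, "autorun launched from a TEMP directory"))
            elif "\\system32\\config\\" in cmd:
                # \system32\config holds the registry hives; nothing legitimate
                # is started from there.
                findings.append((raw, "autorun inside \\system32\\config"))
    return findings


def local_pages(text):
    """Lower-cased set of local files the R0/R1 entries point at: the files to hunt down."""
    return {raw.partition(" = ")[2].strip().lower()
            for raw, reason in triage(text) if "local file" in reason}


if __name__ == "__main__":
    for raw, reason in triage(SAMPLE_LOG):
        print("%-40s %s" % (reason, raw))
    print("local pages referenced:", local_pages(SAMPLE_LOG))
```

Run against the sample it flags the two secure.html page settings, GJP9VC.EXE in TEMP and services.exe under system32\config, and leaves the Norton and mstask entries alone. A flag is a reason to look, not a verdict; the fix described later in the thread still needs the file the page setting points at to be found and removed.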

#2 epix12000

Posted 16 June 2004 - 09:04 AM


#3 epix12000

Posted 17 June 2004 - 07:31 AM

I hope someone can help. Usually I can figure out how to get rid of these myself, but this is a very tough and persistent one. You guys are the experts.

#4 epix12000

Posted 21 June 2004 - 09:34 PM


#5 cblanzy

Posted 01 July 2004 - 08:52 AM

I came across this problem on a client's computer. What I found was that it installs some custom Active Desktop web settings as well as hijacking your start page.

Try locating and deleting the secure.html file. Next open your Display Properties and go to the Desktop tab. Click Customize Desktop, then click on the Web tab. There should be a web page there called either Web or Security...I can't remember off the top of my head. Just delete what's there to be on the safe side.

After that reboot your computer and hopefully you're in good shape.

Something else that never hurts is to check for strange files in your Windows directory. Sort the files by date modified to help get the newer files, then right-click on them and click Properties. Almost all legit files will have version information listed. It will tell you file version and company etc. etc. If a file doesn't have this info then do a Google search on the full file name....do include the extension. This will almost for sure produce hits that will tell you if the file is a legit file or some piece of malicious programming.

Another good practice is to start in Safe Mode. It's not as easy to get into Safe Mode on XP as it is in Win9x/ME. The best advice I have is after your BIOS posts, start smashing the F8 key until you get a boot menu. Once you're in Safe Mode go find your temp directory and delete everything in it. On an XP system it's usually located in c:\documents and settings\"youruser"\local settings\temp; in Windows 9x/ME it's usually located in your Windows directory. After everything is deleted reboot your system.

If you know how to edit your registry it doesn't hurt to search for the names of any files you delete from your Windows directory and remove references to them. Also find your "RunOnce" and "Run" keys and just see what Windows has starting up in there. You may find things starting up you didn't even know about. Be careful whatever you do in the registry as it can totally blow up your computer if you delete something important.

You should also search for your hosts file. It's typically in the Windows directory on older systems, or in the windows\system32 directory and windows\system32\drivers\etc. Edit this file with Notepad. Typically the only entry you should find is localhost; anything else should probably be deleted.

Most of these instructions are for XP systems, but some of this can be used on older OSes.

Note: In order to see the Local Settings folder you may have to go to the Control Panel, Folder Options - View - and check "Show hidden files and folders".

Edited by cblanzy, 01 July 2004 - 09:03 AM.
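
The hosts-file check in the post above is easy to get wrong by eye: entries can carry trailing comments, tabs, several hostnames on one line, or an IPv6 localhost line that is also legitimate. As an added example (editor's code, not from the poster), here is the check written out. It reads the file's text, which you would load from whichever path applies to your version of Windows, and reports everything that is not the stock localhost mapping, separating entries that pin a real hostname to loopback (the site becomes unreachable, a common trick against update sites) from entries that redirect a hostname to some other address. The sample hosts file is constructed; its non-localhost hostnames use the reserved .test domain and are not taken from the thread.

```python
import ipaddress

# Constructed sample hosts file: the stock Windows localhost lines plus the kind
# of additions a hijacker makes. The .test hostnames are invented for the example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1   liveupdate.example-av.test      # blocks the AV update site
10.0.0.5    www.example-bank.test   example-bank.test
not-an-ip   whatever.test
"""


def parse_hosts(text):
    """Yield (line_no, ip_string, [hostnames]) for each non-comment entry."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                            # malformed line, no hostname
        yield n, fields[0], fields[1:]


def suspicious_entries(text):
    """Return [(line_no, ip, hostname, reason)] for every mapping that is not
    the stock 'localhost' entry (IPv4 or IPv6 loopback)."""
    findings = []
    for n, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, ip, " ".join(names), "address field is not an IP"))
            continue
        for name in names:
            if addr.is_loopback and name.lower() == "localhost":
                continue                        # the one entry that belongs here
            if addr.is_loopback:
                reason = "real hostname pinned to loopback (site becomes unreachable)"
            else:
                reason = "hostname redirected to %s" % addr
            findings.append((n, ip, name, reason))
    return findings


if __name__ == "__main__":
    for n, ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %-12s %-28s %s" % (n, ip, name, reason))
```

On the sample this reports four lines: the loopback-pinned update hostname, both bank hostnames redirected to 10.0.0.5, and the malformed line. A clean file (just the IPv4 and IPv6 localhost lines) produces no findings. The check is on the file's contents only; if Windows is using a hosts file from a different location than the one you opened, you will be reading the wrong file, so confirm the path for your OS first.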

#6 ericboyd

Posted 01 July 2004 - 10:32 PM

I had the same problem and have been watching your post to see if anyone replied. Both Ad-Aware and PC-cillin have updated to fight this thing. You might need both to clean it up completely, but if you get the updates of these two programs and use all the in-depth scan settings they will clean it up for you.

#7 Bugbatter

Posted 05 July 2004 - 07:55 AM

Sorry you had to wait so long.

Please make sure your computer is configured to view all files/folders:

Reboot into Safemode:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Navigate to WINDOWS\system32.
Find system32.dll (ONLY from the WINDOWS\system32 directory). You cannot delete the DLL file while it is loaded, so you will have to delete it while explorer.exe is not running. (Close explorer.exe in Task Manager--Ctrl+Alt+Delete.)
Delete the system32.dll file.

Reboot into Safemode again.
Go to the WINDOWS\ directory & delete secure.html
Restart the computer.

There are still several things in your log which should be taken out, but before doing so, please make sure you have the latest version (1.98) of HJT and download it to a permanent location on your computer:
Here's how:
To create a folder:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have C:\HJT\ folder.
Double-click on the .exe to scan.
After Scan, the Scan button changes to Save Log. Click that, save it somewhere.
Do Ctrl-A to Select all, and then copy and paste it here.
Please post a new HijackThis log so we can proceed.
Microsoft MVP - Consumer Security

#8 racermark

Posted 07 July 2004 - 08:59 PM

Bugbatter is right, it is the system32.dll file that keeps the secure.html file on the system.

This is the Trojan.Ecure virus reported by Symantec. You can find information via the links below:

I was looking at a computer that had the Trojan.Ecure "B" variant. Update your virus definitions because the B & C variants were just added today, 7/7/04. Scan with your virus program after doing this and it should find a DLL file. The one I found was system32.dll in c:\windows\system32. I have Windows XP.

Just wanted you to know. I couldn't get rid of it either. The virus is that NEW.
