epix12000

Please Help With C:\WINDOWS\secure.html!!!

8 posts in this topic

If someone could help me I would really appreciate it. My computer's home page has been hijacked and now it goes to C:\WINDOWS\secure.html. I tried to change it back in Internet Options and it keeps reverting back to the secure.html page. Below is my HijackThis log. I appreciate ANY help I can get. THANKS

 

Logfile of HijackThis v1.97.7

Scan saved at 11:37:28 PM, on 6/12/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\PRINTRAY.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\WINDOWS\TEMP\GJP9VC.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\TEMP\GJP9VC.EXE

C:\WINDOWS\SYSTEM\LEXBCES.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\SYSTEM\LEXPPS.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

A:\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE

O4 - HKLM\..\Run: [systemTray] SysTray.ExE

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [WorksFUD] c:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [LexStart] Lexstart.exe

O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [burnQuick Queue] C:\WINDOWS\BQTray.exe

O4 - HKLM\..\Run: [Gjp9vc] C:\WINDOWS\TEMP\GJP9VC.EXE

O4 - HKLM\..\Run: [Gjp9vc.exe] C:\WINDOWS\TEMP\GJP9VC.EXE

O4 - HKLM\..\Run: [services Process] C:\WINDOWS\system32\config\services.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Define - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O8 - Extra context menu item: Look Up in &Encyclopedia - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O9 - Extra button: Encarta Encyclopedia (HKLM)

O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)

O9 - Extra button: Define (HKLM)

O9 - Extra 'Tools' menuitem: Define (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8123.4647800926

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: Showbiz Slots 2 by pogo - http://showbiz2.pogo.com/applet-5.8.3.20/s...2-ob-assets.cab

O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.8.3.20/fl...r-ob-assets.cab

O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-5.8.3.26/popf...u-ob-assets.cab

O16 - DPF: Tri-Peaks by pogo - http://game5.pogo.com/applet-5.8.3.26/peak...s-ob-assets.cab

O16 - DPF: Sweet Tooth TM by pogo - http://sweet06.pogo.com/applet-5.8.3.26/sw...h-ob-assets.cab

O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.8.4.18...o-ob-assets.cab

O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-5.8.4.18/...k-ob-assets.cab

O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-5.8.4.18...s-ob-assets.cab

O16 - DPF: Jokers Wild Poker by pogo - http://vpjoke.pogo.com/applet-5.8.4.18/vid...d-ob-assets.cab

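The log above is the data the rest of the thread works from, so here is a small triage script for a HijackThis log of this shape. It is an added example, not part of the thread and not HijackThis code. The sample log is a constructed excerpt modelled on the R0/R1, O4 and "Running processes" lines posted above (the secure.html path, the GJP9VC.EXE entries and the services.exe entry are taken from that log). The three heuristics are assumptions drawn from what that log shows, not a general malware test: a browser Start Page or search key set to a file on disk instead of a URL, an autorun entry launching from a TEMP directory or from system32\config, and a TEMP executable appearing more than once in the process list.

```python
import re
from collections import Counter

# Constructed excerpt, modelled on lines from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\TEMP\GJP9VC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\TEMP\GJP9VC.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Gjp9vc] C:\WINDOWS\TEMP\GJP9VC.EXE
O4 - HKLM\..\Run: [services Process] C:\WINDOWS\system32\config\services.exe
"""

# Line shapes used by HijackThis for browser settings (R0/R1) and autoruns (O4).
R_LINE = re.compile(r"^R[01] - (?P<key>[^=]+) = (?P<value>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
# A drive-letter path, optionally as a file:/// URL.
LOCAL_PATH = re.compile(r"^(?:file:///)?[A-Za-z]:[\\/]")

# Browser keys that should point at a web URL. 'Local Page' is deliberately
# left out: a local blank page is its normal value.
PAGE_KEYS = ("start page", "default_page_url", "search bar", "search page",
             "default_search_url", "searchurl")
# Directories an autorun entry has no business launching from (assumption).
SUSPECT_DIRS = ("\\temp\\", "\\system32\\config\\")


def is_local_target(value):
    """True when a browser setting names a file on disk rather than a URL."""
    return bool(LOCAL_PATH.match(value.strip()))


def in_suspect_dir(path):
    """Case-insensitive check for the directories listed in SUSPECT_DIRS."""
    p = path.lower()
    return any(d in p for d in SUSPECT_DIRS)


def triage(log_text):
    """Return (kind, subject, detail) tuples for lines matching the heuristics."""
    findings, processes = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            key, value = m.group("key").strip(), m.group("value").strip()
            if any(k in key.lower() for k in PAGE_KEYS) and is_local_target(value):
                findings.append(("browser page set to local file", key, value))
            continue
        m = O4_LINE.match(line)
        if m:
            # Drop surrounding quotes and any command-line arguments.
            target = m.group("target").strip().strip('"').split('"')[0]
            if in_suspect_dir(target):
                findings.append(("autorun from unusual directory", m.group("name"), target))
            continue
        if LOCAL_PATH.match(line):  # a bare path is a 'Running processes' entry
            processes.append(line.lower())
    # The same TEMP executable running twice is the pattern in the posted log.
    for proc, count in Counter(processes).items():
        if count > 1 and in_suspect_dir(proc):
            findings.append(("repeated TEMP process", proc, f"{count} instances"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind:32} {subject} -> {detail}")
```

Running it against the sample reports the Start Page entry, the two autoruns (GJP9VC.EXE and the services.exe living under system32\config) and the doubled GJP9VC.EXE process; the Yahoo search URL and the ordinary Run entries pass. Feed `triage()` the text of a saved HijackThis log to apply the same checks to a real one.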

bump

I hope someone can help. Usually I can figure out how to get rid of these myself, but this is a very tough and persistent one. You guys are the experts.


I came across this problem on a client's computer. What I found was that it installs some custom Active Desktop web settings as well as hijacking your start page.

 

Try locating and deleting the secure.html file. Next, open your Display Properties and go to the Desktop tab. Click Customize Desktop, then click on the Web tab. There should be a web page there, either called web or security... I can't remember off the top of my head. Just delete what's there to be on the safe side.

 

After that, reboot your computer and hopefully you're in good shape.

 

Something else that never hurts is to check for strange files in your Windows directory. Sort the files by date modified to help get the newer files, then right-click on them and click Properties. Almost all legit files will have version information listed. It will tell you the file version, company, etc. If a file doesn't have this info, then do a Google search on the full file name... do include the extension. This will almost for sure produce hits that will tell you if the file is a legit file or some piece of malicious programming.

 

Another good practice is to start in Safe Mode. It's not as easy to get into Safe Mode on XP as it is in Win9x/ME. The best advice I have is, after your BIOS posts, start smashing the F8 key until you get a boot menu. Once you're in Safe Mode, go find your temp directory and delete everything in it. On an XP system it's usually located in c:\documents and settings\"youruser"\local settings\temp; in Windows 9x/ME it's usually located in your Windows directory. After everything is deleted, reboot your system.

 

If you know how to edit your registry, it doesn't hurt to search for the names of any files you delete from your Windows directory and remove references to them. Also find your "Run Once" and "Run" keys and just see what Windows has starting up in there. You may find things starting up you didn't even know about. Be careful whatever you do in the registry, as it can totally blow up your computer if you delete something important.

 

You should also search for your hosts file. It's typically in the Windows directory on older systems, or in the windows\system32 directory and windows\system32\drivers\etc. Edit this file with Notepad. Typically the only entry you should find is

 

127.0.0.1 localhost

 

anything else should probably be deleted.

 

Most of these instructions are for XP systems, but some of this can be used on older OSes.

 

Note: In order to see the Local Settings folder you may have to go to the Control Panel, Folder Options - View - and check "Show hidden files and folders".

Edited by cblanzy

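The post above says a clean hosts file should contain only the loopback line and that anything else is suspect. The script below is an added example (not from the thread) that puts that check into code: it parses a hosts file, skips comments, and reports every mapping that is not the expected localhost entry, saying whether the extra line makes a name unreachable (it points back at this machine, which is how a hijacker keeps a victim away from an update site) or redirects it to another address. The sample content is constructed; the two extra hostnames use the reserved .invalid domain, and the `::1 localhost` entry is accepted as normal only because IPv6-capable systems add it (an assumption that does not apply to the Win9x/XP machines in this thread).

```python
import ipaddress
import sys

# Constructed sample. The first lines imitate the stock Windows hosts header;
# the two extra mappings are the kind of addition the post above warns about.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       updates.example-antivirus.invalid   # constructed
192.0.2.10      www.example-bank.invalid            # constructed
"""

# Mappings that are normal on a clean machine (::1 only on IPv6-capable systems).
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping, ignoring comments and blanks.

    A line with an address but no name is kept with ip=None so it stays visible.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            entries.append((line_no, None, parts[0]))
            continue
        for name in parts[1:]:  # one address may carry several names
            entries.append((line_no, parts[0], name.lower()))
    return entries


def classify(ip):
    """Describe what an unexpected mapping does to the name it carries."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed address"
    if addr.is_loopback or addr.is_unspecified:
        return "name blocked (points at this machine)"
    return "name redirected to " + ip


def audit_hosts(text):
    """Return (line_no, ip, hostname, verdict) for every entry not in EXPECTED."""
    return [(n, ip, name, classify(ip))
            for n, ip, name in parse_hosts(text)
            if (ip, name) not in EXPECTED]


if __name__ == "__main__":
    # Pass a hosts file path to audit it; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, ip, name, verdict in audit_hosts(text):
        print(f"line {line_no}: {ip} {name}: {verdict}")
```

On the sample this reports line 5 as blocking the (constructed) antivirus update name and line 6 as redirecting the (constructed) bank name; the localhost line is silent. Run it against the real file, for example the windows\system32\drivers\etc\hosts path the post mentions, to get the same report for a live system.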

I had the same problem and have been watching your post to see if anyone replied. Both Ad-Aware and PC-cillin have updated to fight this thing. You might need both to clean it up completely, but if you get the updates for these two programs and use all the in-depth scan settings, they will clean it up for you.


Epix12000,

Sorry you had to wait so long.

 

Please make sure your computer is configured to view all files/folders:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Reboot into Safemode:

Turn on the computer

Immediately begin tapping the <F8> key.

Use the arrow keys to highlight Safe Mode and press the <Enter> key.

 

Navigate to WINDOWS\system32.

Find system32.dll (ONLY from the WINDOWS\system32 directory). You cannot delete the DLL file while it is loaded, so you will have to delete it while explorer.exe is not running. (Close explorer.exe in Task Manager: Ctrl+Alt+Delete.)

Delete the system32.dll file.

 

Reboot into Safemode again.

Go to the WINDOWS\ directory & delete secure.html

Restart the computer.

 

There are still several things in your log which should be taken out, but before doing so, please make sure you have the latest version (1.98) of HJT and download it to a permanent location on your computer:

http://computercops.biz/zx/phoenix22/hijackthis.zip

Here's how:

To create a folder:

Click My Computer, then C:\

In the menu bar, File->New->Folder.

That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".

Now you have a C:\HJT\ folder.

Double-click on the .exe to scan.

After Scan, the Scan button changes to Save Log. Click that, save it somewhere.

Do Ctrl-A to Select all, and then copy and paste it here.

Please post a new HijackThis log so we can proceed.


BatBatter is right; it is the system32.dll file that keeps the secure.html file on the system.

 

This is the Trojan.Ecure virus reported by Symantec. You can find information via the links below:

http://securityresponse.symantec.com/avcen...ojan.ecure.html

http://securityresponse.symantec.com/avcen...an.ecure.b.html

http://securityresponse.symantec.com/avcen...an.ecure.c.html

 

I was looking at a computer that had the Trojan.Ecure "B" variant. Update your virus definitions because the B & C variants were just added today, 7/7/04. Scan with your virus program after doing this and it should find a DLL file. The one I found was system32.dll in c:\windows\system32. I have Windows XP.

Just wanted you to know. I couldn't get rid of it either. The virus is that NEW.
