PDA

View Full Version : secure32 and SpySwapper


cheesyhead
2006-12-26, 18:52
I have AVG anti virus software and while visiting a webpage I received information that the C:\\WINDOWS\System32\secure32.html file was infected. I have removed this file and restored default settings in Internet Explorer, but the error about secure32 is missing and the home page continues to revert back to c:\secure32.html. Also pictures will not appear on any webpage. I have attached the hijackthis log file in hopes that someone can point me in the right direction. Any help is much appreciated!
Thank you very much, Cheesyhead

Logfile of HijackThis v1.99.1
Scan saved at 10:32:32 AM, on 12/26/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\autosys.exe
C:\DOCUME~1\default\LOCALS~1\Temp\svchost.exe
C:\DOCUME~1\default\LOCALS~1\Temp\1071551856.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {23314D99-1240-4d4f-A25C-17E44823D048} - C:\WINDOWS\System32\ipv6monl.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\System32\autosys.exe
O4 - HKCU\..\Run: [Recoveru systems] C:\DOCUME~1\default\LOCALS~1\Temp\svchost.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - C:\Documents and Settings\All Users\Start Menu\Programs\BellSouth(r) Communications Suite\BellSouth Messenger.lnk
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://smbusiness.dellnet.com/ (file missing) (HKCU)
O16 - DPF: Yahoo! MLB StatTracker - http://aud2.sports.dcn.yahoo.com/java/y/mlbst8402_x.cab
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.mid-tn.com/utilities/tdserver.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.115/view22/View22RTE.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Indexing Service (cisvc) - Unknown owner - C:\WINDOWS\System32\cisvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
shelf life
2006-12-27, 16:02
hi cheesyhead,

lets try this first:
scan with HJT, put a checkmark beside the items below, close all windows and click fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

O2 - BHO: (no name) - {23314D99-1240-4d4f-A25C-17E44823D048} - C:\WINDOWS\System32\ipv6monl.dll

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\System32\autosys.exe

O4 - HKCU\..\Run: [Recoveru systems]
C:\DOCUME~1\default\LOCALS~1\Temp\svchost.exe
-----------------------------------------
next:
start hjt again, click on "open misc tools section" then on "delete a file on reboot"

Copy/Paste the line below into the File name box then click on Open,
C:\WINDOWS\System32\autosys.exe
answer no to the prompt to reboot

samething for this file:
c:\secure32.html
this time answer yes to reboot computer.
---------------------------------------------
first stop after reboot: download, install and update avg antimalware, but dont scan with it yet. we will do that in safe mode. also make sure your antivirus is up to date.
http://free.grisoft.com/doc/20/lng/us/tpl/v5
---------------------------------------------
to reach safe mode:
tap the f8 key during a computer restart, from the list chose the first option safe mode. once in safe mode:
do a full system scan with AVG, after the scan please save the avg log file to your desktop. Still in safe mode run your antivirus.
------------------------------------------
afterwards reboot computer normally, rescan and post a new hjt log and the saved avg antispyware log.
-------------------------------------------

you are way behind on windows updates. you are open to all kinds of vulneribilites(sp) you are a gold mine for scanners and malicious websites.
---------------------------------------
shelf life
tashi
2007-01-02, 18:38
This topic is closed due to lack of a response.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original topic starter.


UPDATED WINDOWS - Your first line of defence, links and tips (http://forums.spybot.info/showthread.php?t=425)