Spyware/Malware C:\secure32.html

Posted on 2006-06-06
Last Modified: 2010-05-19
Hi Guys,

We have a laptop which is believed to be infected by spyware/malware. Every time IE 6 is launched, it opens a web page with the address c:\secure32.html. Realising that, the user performed a virus/spyware scan using McAfee and deleted the viruses detected (including secure32.html). Now another problem has come up: every time IE is opened, an error message pops up saying that it couldn't find c:\secure32.html. I've tried to remove the value C:\secure32.html in the registry, but unfortunately it appeared again. Care to help on how to solve this problem? Thanks a million.
Question by:rs-250
    LVL 65

    Assisted Solution

    To remove malware and spyware you should run an anti-malware program and not an anti-virus like McAfee or Symantec etc.,
    and turn off your System Restore before running any cleaning software, and always run them in Safe Mode.
    A good anti-malware tool is Ewido, and after that HijackThis can help you a lot to fix the corrupted registry entries related to IE.

    I have written some instructions on cleaning the system from this junk; you can go through them if you want.

    How to clean your system from Malware & Viruses

    How to use Hijackthis

    Anti-Spyware\Adware Tools
    LVL 47

    Expert Comment

    Just let us look at your HijackThis log, and we will show you which entries to fix and what tools to run in order to clean your system of malware etc.

    Please download HijackThis 1.99.1.
    Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything.
    Notepad will also open; copy its contents and paste it to either of these sites:
    then at the bottom left corner click "paste".
    Copy the address/URL and post it here:

    Or paste the log at -->
    and click "Analyse", click "Save".  Post the link to the saved list here.

    Author Comment

    Hi there,

    I followed your advice, and below is the HijackThis log file.


    Logfile of HijackThis v1.99.1
    Scan saved at 16:26:17, on 2006/06/06
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Program Files\SECOM\VPN Client\cvpnd.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\uybtlebc.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Network Associates\VirusScan\scncfg32.exe
    C:\Program Files\Network Associates\VirusScan\scan32.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Documents and Settings\owatari.hideo\デスクトップ\owatari\HijackThis.exe

    F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
    O3 - Toolbar: ラジオ(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [SysTray] C:\Program Files\uybtlebc.exe
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sojitz.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{41959669-4008-4ACE-8ECF-C6D4E9465756}: Domain = sojitz.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{41959669-4008-4ACE-8ECF-C6D4E9465756}: NameServer =
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sojitz.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sojitz.local,,,nmeks
    O17 - HKLM\System\CS1\Services\Tcpip\..\{41959669-4008-4ACE-8ECF-C6D4E9465756}: Domain = sojitz.local
    O17 - HKLM\System\CS1\Services\Tcpip\..\{41959669-4008-4ACE-8ECF-C6D4E9465756}: NameServer =
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sojitz.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = sojitz.local,,,nmeks
    O17 - HKLM\System\CS2\Services\Tcpip\..\{41959669-4008-4ACE-8ECF-C6D4E9465756}: Domain = sojitz.local
    O17 - HKLM\System\CS2\Services\Tcpip\..\{41959669-4008-4ACE-8ECF-C6D4E9465756}: NameServer =
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sojitz.local,,,nmeks
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: tphotkey - C:\WINNT\SYSTEM32\tphklock.dll
    O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
    O21 - SSODL: oRncoicCuX - {04F7CB08-AE5D-61A2-418A-9C904C11E856} - C:\WINNT\system32\fqb.dll
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SECOM\VPN Client\cvpnd.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Neoteris Setup Service - Juniper Networks - C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
    O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

    LVL 47

    Expert Comment

    Please do not run HijackThis in Safe Mode; run it in Normal Mode.
    If I were you I would not turn off the System Restore console yet while in the process of cleaning your system, in case something happens and you need those restore points.

    System Restore points (if infected) can not harm your system. You can turn it off later on when your system is stable.
    LVL 47

    Expert Comment

    Sorry didn't see your post.
    BTW, you have a trojan there that attempts to steal passwords; I'm not sure how far your system is compromised.

    I'll be back with the entries for you to fix.
    LVL 65

    Expert Comment

    > System Restore points (if infected) can not harm your system.
    How? :)
    LVL 47

    Accepted Solution

    Some entries are not showing in your log. Did you remove any R entries?

    1. Fix these entries in Hijackthis:

    F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)  
    O21 - SSODL: oRncoicCuX - {04F7CB08-AE5D-61A2-418A-9C904C11E856} - C:\WINNT\system32\fqb.dll

    If those O17 lines are unknown to you, or not part of your domain, then fix them also.

    2. Download Pocket Killbox.
    *Select the "Delete on Reboot" option.
    *Copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe

    *Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
    *Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If the computer doesn't restart, just restart manually.

    3. Submit the file below to Jotti to be scanned, and if it is infected delete it --> C:\Program Files\uybtlebc.exe

    4. Then scan your PC with antivirus scanners, or Ewido, etc.
    Also run the MS removal tool:
    MS Malicious Software Removal Tool:
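
As an added example (not code from this thread or from the HijackThis authors), the Python script below applies the same reasoning the accepted solution uses to the posted log. It parses HijackThis entries by section and flags the second program chained onto Shell=, an autorun executable dropped directly into C:\Program Files, SSODL entries that are orphaned or are not stock Windows components, a hard-coded DNS server or unexpected domain suffix, and a service whose binary cannot be found. The expected domain (sojitz.local, taken from the log), the allowlist of stock SSODL CLSIDs and the "no vendor installs an autorun binary at the root of Program Files" heuristic are assumptions; the log excerpt is constructed from the lines posted above.

```python
import re

# Constructed excerpt of the HijackThis v1.99.1 log posted earlier in this thread:
# only the sections checked below, plus one benign entry of each kind for contrast.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SysTray] C:\Program Files\uybtlebc.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sojitz.local
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O21 - SSODL: oRncoicCuX - {04F7CB08-AE5D-61A2-418A-9C904C11E856} - C:\WINNT\system32\fqb.dll
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
"""

# Assumption: sojitz.local (seen in the log) is the laptop's legitimate AD domain.
EXPECTED_DOMAINS = {"sojitz.local"}
# Assumption: the only SSODL entry Windows 2000 ships with is WebCheck; anything else is reviewed.
KNOWN_SSODL = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}
# Assumption (heuristic): vendors install under a subfolder, so an autorun binary sitting
# directly in Program Files or the drive root is treated as a dropped file.
SUSPECT_PARENTS = {"c:\\program files", "c:\\"}

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|com|scr|bat|cmd))(?=[\s,]|$)', re.I)


def _first_path(cmd):
    """Return the program path from a Run command; handles quoted and unquoted paths with spaces."""
    m = EXE_RE.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else cmd.strip()


def check_f2(body):
    m = re.match(r"REG:system\.ini: Shell=(.*)$", body, re.I)
    if m and m.group(1).strip().lower() != "explorer.exe":
        return "Shell= chains a second program after explorer.exe; it runs at every logon"


def check_o4(body):
    m = re.match(r".*Run: \[[^\]]+\] (?P<cmd>.+)$", body)
    if not m:
        return None
    path = _first_path(m.group("cmd"))
    parent = path.rsplit("\\", 1)[0] if "\\" in path else ""
    if len(parent) == 2 and parent[1] == ":":
        parent += "\\"
    if parent.lower() in SUSPECT_PARENTS:
        return "autorun executable sits directly in %s rather than a vendor folder" % parent


def check_o17(body):
    m = re.match(r".*:\s*(?P<key>Domain|SearchList|NameServer)\s*=\s*(?P<val>.*)$", body)
    if not m:
        return None
    key, val = m.group("key"), m.group("val").strip()
    if key == "NameServer" and val:
        return "hard-coded DNS server %s; confirm it is the corporate resolver" % val
    if key == "Domain" and val and val.lower() not in EXPECTED_DOMAINS:
        return "unexpected DNS domain suffix %s" % val


def check_o21(body):
    m = re.match(r"SSODL: .+? - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.+)$", body, re.I)
    if not m:
        return None
    if m.group("path").strip() == "(no file)":
        return "SSODL entry points at a missing DLL (orphaned loader; safe to fix)"
    if m.group("clsid").upper() not in KNOWN_SSODL:
        return "SSODL loads %s into explorer.exe at logon; not a stock Windows component" % m.group("path")


def check_o23(body):
    if "(file missing)" in body:
        return "service ImagePath does not resolve to a file; the service cannot start"


CHECKS = {"F2": check_f2, "O4": check_o4, "O17": check_o17, "O21": check_o21, "O23": check_o23}


def triage(log_text):
    """Return the HijackThis entries worth fixing, with the reason, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("sec"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append({"section": m.group("sec"), "entry": raw.strip(), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s: %s\n    %s" % (f["section"], f["reason"], f["entry"]))
```

Replace SAMPLE_LOG with the contents of a saved hijackthis.log to run it on a real machine. The script only picks out candidates; the O23 hit, for instance, is a broken VNC service entry rather than malware, so each finding still needs the kind of judgement the experts apply above before anything is fixed.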
    LVL 47

    Expert Comment

    >>How? :)<<
    Can you please elaborate on what you mean?
    How can an infected System Restore not harm the system, is that what you asked? :)
    LVL 65

    Expert Comment

    I may be wrong.... but I have read everywhere that if there are infected files in System Restore points, then even after cleaning the system the infection can come back from the restore points. All websites like Microsoft and Symantec plus McAfee etc. recommend disabling System Restore before cleaning the system..... so that's why I want to know how an infected System Restore point cannot harm the system? :)
    LVL 47

    Expert Comment

    Okay, I know Symantec and other antivirus vendors say to turn off System Restore before scanning, mainly because most antivirus programs cannot clean or modify the System Restore files (which is a very good thing); otherwise the integrity of the System Restore files and the purpose of the System Restore console would be lost.

    The other reason would be to cut back the length of time to scan and also to minimize the possibility of "hangs". Some scanners can hang/freeze when scanning System Restore files (this happens to Spysweeper sometimes).

    There is no need to turn off System Restore while in the process of sweeping malware/viruses, because stubborn malware tends to screw up your system when you try to remove it. That's when you need those restore points, and if it's turned off you have no points to go back to; a bad System Restore point is way better than no restore points, unless you're happy to reformat when that happens.

    If the System Restore points are infected, those viruses in there are NOT ACTIVE; they cannot harm the system.
    The only way for those viruses to become active is IF and when you use one of those infected restore points. But while they are in there not being used, they can't do any harm.

    Once the system is stable and no longer at risk of being messed up, that's the perfect time to turn System Restore off and reboot to flush all those viruses away.

    >>then even after cleaning the system, the infection can come back from the restore points<<
    The files in System Restore will not interact with your system; they are put away like backups and cannot interact with the rest of the files in your system. They will only become active when you roll back and decide to use those points.
    LVL 65

    Expert Comment

    OK boss.... I will not advise people to disable System Restore from now on :)
    LVL 47

    Expert Comment

    hey, I wish I was a boss, lol

    Thanks for being nice in disagreeing with me.
    That's why I have high regard for you, SheharyaarSaahil, because you are open to other people's opinions; you could have dismissed my opinion, argued and bitten me like some experts do when I speak up to them.
    But instead you behaved very professionally. :)

    You truly are a Great Expert!
    LVL 32

    Expert Comment

    I was just scanning this thread, and I agree with rpggamergirl on this point. Restore Points are inactive unless something is restored from them, so they don't pose any immediate threat. The AV instructions have gotten stuck in this "first disable restores" rut because they don't want to take the risk that something may get restored from there, but in my view that is very rare, and in fact it is just as likely that you may need the Restore Point in some cases because the AV program deleted something important.

    As far as I know the System Restore will only restore anything in response to explicit user actions, not automatically, so the better plan is to turn off system restore after the computer is cleaned up, then create a new restore point.

    Some useful info is here:

    Author Comment

    Thanks guys for the help. At this moment I've removed all the detected spyware/malware but still couldn't solve the problem. I will give it another try when the user isn't using it. But I'll award the points.
    LVL 47

    Expert Comment

    Thanks for the points, but you need not award the points if your problem is not solved; you can still keep the question open as long as someone posts before 21 days pass, after which the topic is considered abandoned. Or ask for a refund.

    Did you remove the "c:\secure32.html" values from the HKCR or HKLM hive? It probably has an entry in the Local Machine hive that applies globally.
    Check both hives.

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
    "Local Page"="c:\secure32.html"

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Search Bar"=""
    "Search Page"=""
    "Start Page"="c:\secure32.html"

    If all the registry-related values are gone and you are still having problems, try SmitRem.
    SmitRem also removes "c:\secure32.html".
    Download SmitRem.exe and save the file to the Desktop.
    Double-click on the file to extract it to its own folder on the Desktop.

    Now, reboot to Safe Mode:

    Next, open the SmitRem folder
    -Double click the "RunThis.bat" file to start the tool.
    -Follow the prompts on screen.
    The Desktop and icons disappear and then reappear again --- this is normal.
    Wait for the tool to complete and Disk Cleanup to finish --- this may take a while.
    When done, the log created by the SmitRem tool is located at C:\smitfiles.txt.

    Restart your computer.
    Good luck!
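
As an added example (not from the thread and not part of SmitRem), the Python helper below reads a `reg export` of the two Internet Explorer "Main" keys named above and reports every home, local or search page value that points at a file instead of a URL, tagged with its hive so that an HKLM value is not missed when only HKCU was cleaned. It also builds a .reg fragment that resets those values. The sample export is constructed from the values shown in the post (a normal Default_Page_URL is added for contrast), and the choice of about:blank as the reset value is an assumption.

```python
import re

# Constructed sample: what `reg export` of the two Internet Explorer "Main" keys named in the
# post produces. The two hijacked values come from the thread; Default_Page_URL is added as a
# benign value for contrast. Note that .reg files double every backslash.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Local Page"="c:\\secure32.html"
"Default_Page_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Bar"=""
"Search Page"=""
"Start Page"="c:\\secure32.html"
"""

# IE "Main" values that start-page hijackers rewrite; compared case-insensitively.
WATCHED = {"start page", "local page", "default_page_url", "search page", "search bar",
           "default_search_url"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s):
    # .reg string syntax: \\ is a backslash, \" is a quote
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text):
    """Yield (key, value name, string data) for every REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key and m.group("data").startswith('"') and m.group("data").endswith('"'):
            yield key, _unescape(m.group("name")), _unescape(m.group("data")[1:-1])


def is_hijacked(data):
    """A home/search value is suspect when it names a local or UNC file instead of a URL."""
    # The stock Local Page (%SystemRoot%\system32\blank.htm) is the one file path IE ships with.
    d = data.strip().lower()
    if not d or d.startswith(("http://", "https://", "about:", "res://")):
        return False
    if d.endswith("\\system32\\blank.htm"):
        return False
    return re.match(r"^([a-z]:\\|file:|\\\\)", d) is not None


def find_ie_hijacks(reg_text):
    """Report every watched IE value that points at a file, tagged with its hive."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        if name.lower() in WATCHED and is_hijacked(data):
            findings.append({"hive": key.split("\\", 1)[0], "key": key, "value": name, "data": data})
    return findings


def repair_reg(findings, reset_to="about:blank"):
    """Build a .reg fragment that resets each flagged value (assumption: about:blank is acceptable)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    escaped = reset_to.replace("\\", "\\\\")
    for key in dict.fromkeys(f["key"] for f in findings):  # one block per key, in order seen
        lines.append("[%s]" % key)
        lines.extend('"%s"="%s"' % (f["value"], escaped) for f in findings if f["key"] == key)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_ie_hijacks(SAMPLE_REG)
    for h in hits:
        print("%s  %s = %s" % (h["hive"], h["value"], h["data"]))
    print(repair_reg(hits))
```

Feed it the output of `reg export "HKLM\Software\Microsoft\Internet Explorer\Main" hklm.reg` and the HKCU equivalent. Import the repair fragment with regedit only after the components that re-create the values (in this log, the program chained onto Shell= and the SSODL DLL) have been removed; a still-running component can simply write them back, which is consistent with the value reappearing as the asker describes.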

    Author Comment

    Thanks for the tip, I'll give it another try :)
