Solved

Spyware/Malware C:\secure32.html

Posted on 2006-06-06
16
Medium Priority
3,983 Views
Last Modified: 2010-05-19
Hi Guys,

We have a laptop which is believed to be infected by spyware/malware. Every time IE 6 is launched, it opens up a web page with the address c:\secure32.html. Realising that, the user performed a virus/spyware scan using McAfee and deleted the viruses detected (including secure32.html). Now another problem comes: every time IE is opened, an error message pops up saying that it couldn't find c:\secure32.html. I've tried to remove the value C:\secure32.html in the registry but unfortunately it appeared again. Care to help on how to solve this problem? Thanks a million.
0
Question by:rs-250
16 Comments
 
LVL 65

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 450 total points
ID: 16840383
To remove malware and spyware you should run an anti-malware program and not an anti-virus like McAfee or Symantec etc.,
and turn off your System Restore before running any cleaning software, and always run them in Safe Mode.
A good anti-malware tool is Ewido, and after that HijackThis can help you a lot to fix the corrupted registry entries related to IE.

I have written down some instructions on cleaning the system from this junk; you can go through them if you want.

How to clean your system from Malware & Viruses
http://www.alaynah.net/shehar/clean_system.htm

How to use Hijackthis
http://www.alaynah.net/shehar/hijackthis.htm

Anti-Spyware\Adware Tools
http://www.alaynah.net/shehar/anti_spyware.htm
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16840618
Just let us look at your HijackThis log, and we will show you what entries to fix and what tools to run in order to clean your system of malware etc.


Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything.
Notepad will also open; copy its contents and paste it to either of these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.
0
 

Author Comment

by:rs-250
ID: 16840629
Hi there,

I followed your advice, and below is the Hijackthis log file

=================


Logfile of HijackThis v1.99.1
Scan saved at 16:26:17, on 2006/06/06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\SECOM\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\WINNT\system32\TpKmpSVC.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\winscntrl.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\imejpmgr.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINNT\system32\TpShocks.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\system32\ICO.EXE
C:\WINNT\system32\Pelmiced.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\uybtlebc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINNT\system32\netdrvr.exe
C:\Program Files\Network Associates\VirusScan\scncfg32.exe
C:\Program Files\Network Associates\VirusScan\scan32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\owatari.hideo\デスクトップ\owatari\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe                                                                                                    "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O3 - Toolbar: ラジオ(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SysTray] C:\Program Files\uybtlebc.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148229580000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148229533359
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sojitz.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{41959669-4008-4ACE-8ECF-C6D4E9465756}: Domain = sojitz.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{41959669-4008-4ACE-8ECF-C6D4E9465756}: NameServer = 170.100.0.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sojitz.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sojitz.local,nichimen.co.jp,ni000.nisshoiwai.co.jp,nmeks
O17 - HKLM\System\CS1\Services\Tcpip\..\{41959669-4008-4ACE-8ECF-C6D4E9465756}: Domain = sojitz.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{41959669-4008-4ACE-8ECF-C6D4E9465756}: NameServer = 170.100.0.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sojitz.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = sojitz.local,nichimen.co.jp,ni000.nisshoiwai.co.jp,nmeks
O17 - HKLM\System\CS2\Services\Tcpip\..\{41959669-4008-4ACE-8ECF-C6D4E9465756}: Domain = sojitz.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{41959669-4008-4ACE-8ECF-C6D4E9465756}: NameServer = 170.100.0.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sojitz.local,nichimen.co.jp,ni000.nisshoiwai.co.jp,nmeks
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: tphotkey - C:\WINNT\SYSTEM32\tphklock.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O21 - SSODL: oRncoicCuX - {04F7CB08-AE5D-61A2-418A-9C904C11E856} - C:\WINNT\system32\fqb.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SECOM\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Neoteris Setup Service - Juniper Networks - C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16840653
Please do not run HijackThis in Safe Mode; run it in normal mode.
If I were you I would not turn off the System Restore console yet while in the process of cleaning your system, in case something happens and you need those restore points.

System Restore points (if infected) can not harm your system. You can turn it off later on when your system is stable.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16840661
Sorry didn't see your post.
BTW, you have a trojan there that attempts to steal passwords, I'm not sure how much your system is compromised.

I'll be back with the entries for you to fix.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 16840664
> System Restore points (if infected) can not harm your system.
How? :)
0
 
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 1050 total points
ID: 16840758
Some entries are not showing in your log. Did you remove any R's entries?

1. Fix these entries in Hijackthis:

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)  
O21 - SSODL: oRncoicCuX - {04F7CB08-AE5D-61A2-418A-9C904C11E856} - C:\WINNT\system32\fqb.dll

If those O17 lines are unknown to you, or not part of your domain, then fix them also.


2. Download Pocket Killbox.
http://www.atribune.org/downloads/KillBox.exe
*Select the "Delete on Reboot" option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINNT\system32\winscntrl.exe
C:\WINNT\system32\netdrvr.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\secure32.html

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If the computer doesn't restart, just restart manually.


3. Submit this file below to jotti to be scanned and if infected delete it --> C:\Program Files\uybtlebc.exe
http://virusscan.jotti.org/

4. Then scan your PC with antivirus scanners, or Ewido, etc.
Also run MS Removal tool:
MS malicious software removal tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
0
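The accepted solution above picks out the F2 Shell= line, the two O21 SSODL entries and a stray executable sitting directly under Program Files by eye, and separately names two system32 files (winscntrl.exe, netdrvr.exe) that appear in the process list but in no autostart entry. As an added example (not code from the thread, from HijackThis or from any of the posters), the Python script below runs those same structural checks over an excerpt of the posted log: it collapses the whitespace padding in the Shell= value before comparing it to explorer.exe, flags Run entries whose target lives in the Program Files root, flags SSODL entries that point at a missing file or are not in a baseline, and cross-references running system32 processes against every executable named by an autostart entry. The baseline sets of stock SSODL names and core Windows 2000 processes are assumptions to adjust for the build under review, and the output is a list of items to review, not a verdict (the IME process imejpmgr.exe shows up as an orphan too, which is why a human still looks at each line).

```python
"""Triage checks over a HijackThis v1.99.1 log excerpt.
Added example, not code from the thread or from HijackThis: it reports items
to review (Shell= value, Run entries, SSODL entries, unexplained system32
processes), not verdicts."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason detail")

# Excerpt of the log posted in the thread. The run of spaces in the F2 line is
# as logged (shortened here); it hides the appended program in a narrow dialog.
LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\winscntrl.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\imejpmgr.exe
C:\WINNT\system32\tp4serv.exe
C:\Program Files\uybtlebc.exe
C:\WINNT\system32\netdrvr.exe

F2 - REG:system.ini: Shell=explorer.exe                                "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SysTray] C:\Program Files\uybtlebc.exe
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O21 - SSODL: oRncoicCuX - {04F7CB08-AE5D-61A2-418A-9C904C11E856} - C:\WINNT\system32\fqb.dll
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^.*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SSODL_RE = re.compile(r"^SSODL: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
EXE_RE = re.compile(r"[\w.~-]+\.exe", re.I)
PROGFILES_ROOT_EXE = re.compile(r'^"?[A-Za-z]:\\Program Files\\[^\\"]+\.exe', re.I)

# Assumed stock-Windows baselines; adjust to the OS build under review.
SSODL_BASELINE = {"webcheck", "systray", "postbootreminder"}
CORE_SYSTEM32 = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                 "svchost.exe", "spoolsv.exe", "mstask.exe", "winmgmt.exe",
                 "rundll32.exe", "internat.exe"}


def parse_log(text):
    """Split a log into (process paths, [(section, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in (l.rstrip() for l in text.splitlines()):
        if not line:
            in_procs = False          # a blank line ends the process list
        elif line.lower().startswith("running processes:"):
            in_procs = True
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group("sec"), m.group("body")))
    return processes, entries


def triage(text):
    """Return Finding records for the items a reviewer should look at."""
    processes, entries = parse_log(text)
    findings = []
    referenced = set()                # every .exe named by any autostart entry
    for sec, body in entries:
        referenced.update(n.lower() for n in EXE_RE.findall(body))
        if sec == "F2" and "Shell=" in body:
            # Collapse the padding so the whole Shell value is visible, then
            # require it to be exactly explorer.exe.
            value = " ".join(body.split("Shell=", 1)[1].split())
            if value.lower() != "explorer.exe":
                findings.append(Finding(sec, "Shell= loads more than explorer.exe", value))
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m and PROGFILES_ROOT_EXE.match(m.group("cmd")):
                findings.append(Finding(sec, "Run entry executes a file directly under Program Files",
                                        f"[{m.group('name')}] {m.group('cmd')}"))
        elif sec == "O21":
            m = SSODL_RE.match(body)
            if not m:
                continue
            if m.group("path").strip().lower() == "(no file)":
                findings.append(Finding(sec, "SSODL entry points at a missing file", body))
            elif m.group("name").lower() not in SSODL_BASELINE:
                findings.append(Finding(sec, "SSODL entry not in the stock baseline", body))
    for proc in processes:
        folder, _, base = proc.lower().rpartition("\\")
        if folder.endswith("\\system32") and base not in CORE_SYSTEM32 and base not in referenced:
            findings.append(Finding("process", "system32 process with no autostart entry in the log", proc))
    return findings


if __name__ == "__main__":
    for f in triage(LOG):
        print(f"{f.section:8} {f.reason}: {f.detail}")
```

Run it against a full log saved by HijackThis by reading the file into a string and passing it to triage(). The process cross-reference only knows about executables the log itself names, so a legitimate child process (an IME, a hotkey helper) will be listed alongside the real orphans; the point is to shorten the list a human reads, not to replace the reading.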
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16840776
>>How? :)<<
Can you please elaborate on what you mean?
How can an infected System Restore not harm the system, is that what you asked? :)
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 16840783
I may be wrong.... but I have read everywhere that if there are infected files in System Restore points, then even after cleaning the system the infection can come back from the restore points. All websites like Microsoft and Symantec plus McAfee etc. recommend disabling System Restore before cleaning the system..... so that's why I wanna know how an infected System Restore point cannot harm the system? :)
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16840862
Okay, I know Symantec and other antivirus scanners say to turn off System Restore before scanning, mainly because most antivirus programs cannot clean or modify the System Restore files (which is a very good thing); otherwise the integrity of the System Restore files and the purpose of the System Restore console would be useless.

Another reason would be to cut back the length of time to scan and also to minimize the possibility of "hangs". Some scanners can hang/freeze when scanning System Restore files (happens to Spysweeper sometimes).

There is no need to turn off System Restore while in the process of sweeping malware/viruses, because stubborn malware has a tendency to screw up your system when you try to remove it. That's when you need those restore points, and if it's turned off you have no points to go back to; a bad System Restore point is way better than no restore points, unless you're happy to reformat when that happens.

If the System Restore points are infected, those viruses in there are NOT ACTIVE, they can not harm the system.
The only way for those viruses to become active is IF and when you used one of those infected restore points. But while they are in there not being used, they can't do any harm.

Once the system is stable and no longer at risk of being messed up, then that's the perfect time to turn System Restore off, reboot to flush all those viruses away.

>>then even after cleaning the system, the infection can come back from the restore points<<
The files in System Restore will not interact with your system; they are put away like backups and cannot interact with the rest of the files in your system. They will only become active when you roll back and decide to use those points.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 16840877
OK boss.... I will not advise people to disable System Restore from now on :)
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16840983
Hey, I wish I was a boss, lol

Thanks for being nice in disagreeing with me.
That's why I have high regard for you, SheharyaarSaahil: because you are open to other people's opinions. You could have dismissed my opinion, argued and bitten me like some experts do when I speak up to them.
But instead you behaved very professionally :)

You truly are a Great Expert!
0
 
LVL 32

Expert Comment

by:r-k
ID: 16843621
I was just scanning this thread, and I agree with rpggamergirl on this point. Restore Points are inactive unless something is restored from them, so they don't pose any immediate threat. The AV instructions have gotten stuck in this "first disable restores" rut because they don't want to take the risk that something may get restored from there, but in my view that is very rare, and in fact it is just as likely that you may need the Restore Point in some cases because the AV program deleted something important.

As far as I know the System Restore will only restore anything in response to explicit user actions, not automatically, so the better plan is to turn off system restore after the computer is cleaned up, then create a new restore point.

Some useful info is here:

 http://support.microsoft.com/kb/831829/en-us
0
 

Author Comment

by:rs-250
ID: 16866834
Thanks guys for the help. At this moment, I've removed all detected spyware/malware but still couldn't solve the problem. Will give it another try when the user isn't using it. But I'll award the points.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16867033
Thanks for the points, but you need not award the points if your problem is not solved, you can still keep the Question open as long as someone posts before 21 days pass in which the topic is considered abandoned. Or ask for a refund.

Did you remove the "c:\secure32.html" values from the HKCR or HKLM hive? It probably has an entry in the Local Machine hive for global.
Check both hives.

Examples:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Local Page"="c:\secure32.html"
"Default_Page_URL"="c:\secure32.html"


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="c:\secure32.html"
"Default_Search_URL"="c:\secure32.html"
"Search Bar"="http://us.rd.yahoo.com/customize/ycomp_adb/search/ie.html"
"Search Page"="http://us.rd.yahoo.com/customize/ycomp_adb//www.yahoo.com"
"Start Page"="c:\secure32.html"


If all the registry-related values are gone and you are still having problems, try SmitRem.
SmitRem also removes "c:\secure32.html".
Download SmitRem.exe and save the file to the Desktop.
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
Double click on the file to extract it to its own folder on the Desktop.

Now, reboot to Safe Mode:

Next, open the SmitRem folder
-Double click the "RunThis.bat" file to start the tool.
-Follow the prompts on screen.
The Desktop and icons disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while.
When done, the log created by the smitRem tool is located at C:\smitfiles.txt

Restart your computer.
Good luck!
0
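The registry examples above show the same c:\secure32.html value sitting in both the HKLM and the HKCU copy of Internet Explorer\Main, which is why a fix applied to one hive "comes back". As an added example (not from the thread or from any poster), the Python script below reads a regedit export of those keys offline and reports the watched values (Start Page, Default_Page_URL, Local Page, Default_Search_URL, Search Page, Search Bar) that point at a local file outside the Windows folder or use an unexpected URL scheme, then lists the hives that still carry a flagged value. The sample export is constructed from the values quoted in the post, written the way regedit exports them (doubled backslashes), plus one benign Local Page entry (C:\WINNT\system32\blank.htm, IE's default) added to show what passes; the allowed schemes and the Windows-folder rule for Local Page are assumptions.

```python
"""Offline review of an exported Internet Explorer 'Main' key (.reg text).
Added example, not code from the thread."""
import re
from urllib.parse import urlparse

# Values the thread's registry examples touch; compared case-insensitively.
WATCHED_VALUES = {"start page", "default_page_url", "default_search_url",
                  "local page", "search page", "search bar"}
# Assumptions: a local file is normal only for Local Page and only under the
# Windows folder (IE's default blank.htm); URLs are expected to be http/https/about.
WINDOWS_DIRS = ("\\winnt\\", "\\windows\\")
ALLOWED_SCHEMES = {"http", "https", "about"}

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed sample export: the values quoted in the post (as regedit writes
# them, with doubled backslashes) plus one benign Local Page entry.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Local Page"="c:\\secure32.html"
"Default_Page_URL"="c:\\secure32.html"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="c:\\secure32.html"
"Default_Search_URL"="c:\\secure32.html"
"Search Bar"="http://us.rd.yahoo.com/customize/ycomp_adb/search/ie.html"
"Search Page"="http://us.rd.yahoo.com/customize/ycomp_adb//www.yahoo.com"
"Start Page"="c:\\secure32.html"
"Local Page"="C:\\WINNT\\system32\\blank.htm"
"""


def parse_reg(text):
    """Yield (hive, subkey, name, data) for string values, undoing .reg escaping."""
    hive = subkey = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            hive, subkey = key.group(1), key.group(2)
            continue
        val = VALUE_RE.match(line)
        if val and hive:
            data = val.group(2).replace('\\"', '"').replace("\\\\", "\\")
            yield hive, subkey, val.group(1), data


def classify(name, data):
    """Return None when the value looks normal, otherwise a short reason."""
    lower = data.lower()
    if re.match(r"^[a-z]:\\", lower) or lower.startswith("file:"):
        if name.lower() == "local page" and any(d in lower for d in WINDOWS_DIRS):
            return None
        return "points at a local file outside the Windows folder"
    scheme = urlparse(lower).scheme
    if scheme in ALLOWED_SCHEMES:
        return None
    return "unexpected scheme %r" % scheme


def review(text):
    """Findings as (hive, value name, data, reason) for watched IE Main values."""
    findings = []
    for hive, subkey, name, data in parse_reg(text):
        if not subkey.lower().endswith("\\internet explorer\\main"):
            continue
        if name.lower() not in WATCHED_VALUES:
            continue
        reason = classify(name, data)
        if reason:
            findings.append((hive, name, data, reason))
    return findings


def hives_affected(findings):
    """Sorted hives that still carry a flagged value: each one needs cleaning."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    for hive, name, data, reason in review(SAMPLE):
        print(f"{hive}: {name} = {data!r} -> {reason}")
    print("hives to clean:", ", ".join(hives_affected(review(SAMPLE))))
```

Export each Internet Explorer\Main key with regedit's Export function and pass the file contents to review(); exports from Windows XP and later are UTF-16 text, so open those with encoding="utf-16". Reviewing the export rather than the live registry also leaves a record of what the keys looked like before anything was changed.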
 

Author Comment

by:rs-250
ID: 16882678
Thanks for the tip, I'll give it another try :)
0

Question has a verified solution.
