How do I remove secure32.html for free?

  • CGFX
  • Graduate
  • Posts: 161
  • Loc: Chicago, IL.

Post 3+ Months Ago

I went to one of those "Free Serial Numbers" sites. As soon as I opened the site's homepage, I saw that something was downloaded quick and fast. It was a software which was an adware/spyware named "Spy Sheriff". I used Ad-Aware SE to remove it. Sadly it took some stuff I needed for my Windows XP O/S and some needed Javascript files for images. But what won't go away is this "secure32.html". I have searched all over both my internal and external hard drives, and it won't go away. It has my internet default homepage on lockdown. How do I remove this "secure32.html" for FREE, and get back some needed files that the virus remover should not have removed?

Thank you,
cgfX

  • MOC
  • Proficient
  • Posts: 490
  • Loc: Ocean City , Maryland

Post 3+ Months Ago

Download Cleanup from here http://cleanup.stevengould.org/
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Click the Options... button on the right.
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins
Delete Cookies
Cleanup! All Users
Click OK
DO NOT RUN IT YET


* Click Here and download Killbox and save it to your desktop.
http://www.downloads.subratam.org/KillBox.exe

* Click here for info on how to boot to safe mode if you don't already know how.
http://service1.symantec.com/SUPPORT/ts ... 2409420406

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.

* Now download Hijack this: http://www.majorgeeks.com/download3155.html
Run Hijack This and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [MSOffice32] C:\WINDOWS\system32\msjcf.exe

* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it.
Put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time.
Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
c:\secure32.html

c:\Windows\secure32.html

c:\Windows\System32\secure32.html

C:\WINDOWS\system32\msjcf.exe

Note: It is possible that Killbox will tell you that one or more files do not exist.
If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.


* Run Cleanup:
Click on the "Cleanup" button and let it run.
Once it's done, close the program.


* Go to Control Panel > Internet Options.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, have it delete anything that it cannot clean.
- Save the results from the scan!

Post a new HiJackThis log along with the results from the ActiveScan.


After that, if everything looks good, you can (if you have your original XP disk)
go to Start > Run and type in SFC /scannow
After that you will be asked to insert the disk, and repairs will then be made
to the OS.
Then you can either go to Control Panel and click on the Java icon and see if
you have done an update to Java (06), or re-install it all over again.
  • CGFX
  • Graduate
  • Posts: 161
  • Loc: Chicago, IL.

Post 3+ Months Ago

MOC,

Thank you very much, I have never done these steps before, but I am going to copy and paste them. And follow each step slowly as you said. Thanks again and I will keep you updated.

cgfX
  • CGFX
  • Graduate
  • Posts: 161
  • Loc: Chicago, IL.

Post 3+ Months Ago

MOC,

By the way, do you know the name of what got me?

Is it a worm, virus, ad-ware, or spy-ware?

Where does it normally hide?

Is it something that steals account information and/or credit card numbers?

Or is it simply an ad to sell a product and/or software?

Anything you might know would be of major appreciation.

Thank you,
cgfX
  • pramitroy
  • Guru
  • Posts: 1284

Post 3+ Months Ago

secure32 is a kind of browser hijacker. It resides on your C: drive but most probably you won't be able to see it as it is attributed as hidden or system.

If you find any confusion you should post a HijackThis log here and we will check it.
  • CGFX
  • Graduate
  • Posts: 161
  • Loc: Chicago, IL.

Post 3+ Months Ago

Below are the results from ActiveScan. This virus is tough, it is blocking many of the links and URLs that can help me.

ActiveScan:


Incident Status Location

Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\SYSTEM32\PAYTIME.EXE
Spyware:Spyware/MyNetProtector Not disinfected C:\Program Files\MNPAntiPopup\mod_upd.dll
Spyware:Spyware/MyNetProtector Not disinfected C:\Program Files\MNPAntiPopup\mod_kw.dll
Virus:Bck/Haxdoor.GK Not disinfected Operating system
Spyware:spyware/whazit Not disinfected C:\WINDOWS\SYSTEM32\fiz1
Adware:adware/virtualbouncer Not disinfected C:\WINDOWS\SYSTEM32\INNERVBINSTALL.LOG
Adware:adware/exact.bargainbuddy Not disinfected C:\WINDOWS\SYSTEM32\javex80.vxd
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\SYSTEM32\paytime.exe
Adware:adware/keenvalue Not disinfected C:\WINDOWS\SYSTEM32\setup_incred_6.exe
Adware:adware/addestroyer Not disinfected C:\WINDOWS\SYSTEM32\SWRT01.dll
Adware:adware/sahagent Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\sporder_.dll
Adware:adware/savenow Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.dll
Spyware:spyware/betterinet Not disinfected C:\WINDOWS\INF\biini.inf
Adware:adware/dollarrevenue Not disinfected C:\drsmartload1.exe
Adware:adware/spysheriff Not disinfected C:\winstall.exe
Adware:adware/secure32 Not disinfected C:\WINDOWS\country.exe
Adware:adware/ncase Not disinfected C:\WINDOWS\msbb.log
Spyware:spyware/new.net Not disinfected C:\WINDOWS\NDNuninstall5_48.exe
Adware:adware/twain-tech Not disinfected C:\WINDOWS\support.cn
Adware:adware/popupsandbanners Not disinfected C:\WINDOWS\timessquare.exe
Adware:adware/isearch Not disinfected C:\WINDOWS\tool2.exe
Adware:adware/topmoxie Not disinfected C:\PROGRAM FILES\couponsandoffers
Spyware:spyware/apropos Not disinfected C:\PROGRAM FILES\CxtPls
Adware:adware/downloadware Not disinfected C:\PROGRAM FILES\DownloadWare
Adware:adware/sidesearch Not disinfected C:\PROGRAM FILES\Lycos
Adware:adware/wintools Not disinfected C:\PROGRAM FILES\COMMON FILES\BTLINK
Adware:adware/portalscan Not disinfected C:\PROGRAM FILES\COMMON FILES\Slmss
Adware:adware/powerstrip Not disinfected Windows Registry
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\popinstlite.exe
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\Default User\My Documents\Data\popinstlite.exe
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\Diane.DICOMPUTER\My Documents\Data\Data\popinstlite.exe
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\Diane.DICOMPUTER\My Documents\Data\popinstlite.exe
Adware:Adware/DollarRevenue Not disinfected C:\drsmartload1.exe
Virus:Trj/Banker.BTO Not disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
Virus:Trj/Torpig.Y Not disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
Virus:Trj/Banker.BTO Not disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
Spyware:Spyware/BetterInet Not disinfected C:\Program Files\Common Files\updater\data1Attempt.dat
Spyware:Spyware/BetterInet Not disinfected C:\Program Files\Common Files\updater\data2.dat
Spyware:Spyware/Apropos Not disinfected C:\Program Files\CxtPls\CxtPls.dll
Spyware:Spyware/Apropos Not disinfected C:\Program Files\CxtPls\CxtPls.exe
Spyware:Spyware/Apropos Not disinfected C:\Program Files\CxtPls\uninstaller.exe
Spyware:Spyware/Apropos Not disinfected C:\Program Files\CxtPls\WinGenerics.dll
Spyware:Spyware/MyNetProtector Not disinfected C:\Program Files\MNPAntiPopup\mod_kw.dll
Spyware:Spyware/MyNetProtector Not disinfected C:\Program Files\MNPAntiPopup\mod_upd.dll
Virus:Trj/Qhost.M Not disinfected C:\Program Files\Support.com\backup\ho\hosts\808_50e81e8dd_[hosts]
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\Downloaded Program Files\ashton.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\Downloaded Program Files\turbo.inf
Adware:Adware/SaveNow Not disinfected C:\WINDOWS\Downloaded Program Files\WUInst.dll
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\biini.inf
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\INF\biM.inf
Adware:Adware/Transponder Not disinfected C:\WINDOWS\INF\polmx2.inf
  • CGFX
  • Graduate
  • Posts: 161
  • Loc: Chicago, IL.

Post 3+ Months Ago

I was not able to use the link you posted for HijackThis. I found a version on Google, not sure if it is the one you recommended, but below is the log.

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 4:19:43 PM, on 1/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\paytime.exe
C:\Program Files\MNPAntiPopup\MNPAntiPopup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Documents and Settings\Troy\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.premiercreditcard.com/email ... otmail.com
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: File Print FedEx Kinko's - {9566395F-43D2-4c64-B525-B501FFA276E2} - mscoree.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcivgqccaybyo] C:\WINDOWS\System32\nkivtq.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AutoLoaderxs761WWQIRXZ] "C:\WINDOWS\System32\itsxdo.exe" /PC="WB.POP" /UninstallName="SysAI"
O4 - HKLM\..\Run: [securer] C:\WINDOWS\System32\securer\syshost.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [nsdriver] C:\WINDOWS\System32\nssys32.exe
O4 - HKCU\..\Run: [MNPAP] C:\Program Files\MNPAntiPopup\MNPAntiPopup.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [go7mRkH8T] nbiert2.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3717DF57-0396-463D-98B7-647C7DC6898A} - http://delivery.inet-traffic.com/intdel.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2 ... 031120.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
  • LAbrego
  • brego from LA
  • Web Master
  • Posts: 2855

Post 3+ Months Ago

Hi CGFX, your system is really loaded, this is what you have to do:

1.- Run HijackThis and check the following items, don't click fix yet:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
O2 - BHO: File Print FedEx Kinko's - {9566395F-43D2-4c64-B525-B501FFA276E2} - mscoree.dll (file missing)
O3 - Toolbar: File Print FedEx Kinko's - {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [mcivgqccaybyo] C:\WINDOWS\System32\nkivtq.exe
O4 - HKLM\..\Run: [AutoLoaderxs761WWQIRXZ] "C:\WINDOWS\System32\itsxdo.exe" /PC="WB.POP" /UninstallName="SysAI"
O4 - HKLM\..\Run: [securer] C:\WINDOWS\System32\securer\syshost.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [nsdriver] C:\WINDOWS\System32\nssys32.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [go7mRkH8T] nbiert2.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O16 - DPF: {3717DF57-0396-463D-98B7-647C7DC6898A} - http://delivery.inet-traffic.com/intdel.exe
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2 ... 031120.EXE
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

2.- Now close ALL windows & browsers and click FIX CHECKED

3.- Reboot into Safe Mode.
Tap F8 repeatedly when your machine starts to boot up.
Select 'Safe Mode' from the options that appear

4.- Set Windows to 'Show all files & folders'.
Click Start > My Computer> Tools> Folder Options>
On the View tab make sure that you:-
Select 'Show Hidden Files & Folders'
Uncheck 'Hide file extensions for known file types'.
Uncheck 'Hide protected operating system files'.
Click OK.

5.- Delete the following files (don't worry if you can't find all of them):
c:\secure32.html
C:\WINDOWS\System32\nkivtq.exe
C:\WINDOWS\System32\itsxdo.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\nssys32.exe
C:\WINDOWS\SYSTEM32\avpe32.dll
nbiert2.exe (Probably in C:\windows or C:\Windows\System32)

6.- Delete the following folders with all their contents:
C:\WINDOWS\System32\securer\
C:\Program Files\ClockSync\
C:\Program Files\Spyware Cleaner\

7.- Reboot normally

8.- When finished, post a fresh HijackLog here.
  • CGFX
  • Graduate
  • Posts: 161
  • Loc: Chicago, IL.

Post 3+ Months Ago

Labrego,

Thanks, but not only could I not find some of those files and folders, I could not find any of them. Except the 'securer' folder. I did everything you said and I thank you for all of your help. But that dang 'Secure32.HTML' keeps finding ways to remake itself time after time.

Latest HijackThis Results:

Logfile of HijackThis v1.99.1
Scan saved at 9:10:28 PM, on 1/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\MNPAntiPopup\MNPAntiPopup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Troy\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.premiercreditcard.com/email ... otmail.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKCU\..\Run: [MNPAP] C:\Program Files\MNPAntiPopup\MNPAntiPopup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Thank you again,
cgfX
  • pramitroy
  • Guru
  • Guru
  • pramitroy
  • Posts: 1284

Post 3+ Months Ago

OK CGFX,

Go to My Computer>Tools>Folder options>View> check again that "Show hidden files and folders" is selected and then uncheck "Hide Protected operating system files". Click OK.

Now check whether you can find this C:\WINDOWS\SYSTEM32\avpe32.dll

There are most probably no new entries, so repeat as LAbrego instructed.

You may also download Killbox and delete the files

c:\secure32.html
C:\WINDOWS\SYSTEM32\avpe32.dll

Then post a fresh new log.
  • LAbrego
  • brego from LA
  • Web Master
  • User avatar
  • Posts: 2855

Post 3+ Months Ago

That O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll entry is keeping this thing alive. Let's try this also CGFX

1.- Please download Process Explorer by Sysinternals and extract it to your desktop. Do not run this now as we will use it later.

2.- Download KillBox and extract it to your desktop. Do not run this now as we will use it later.

3.- Reboot your computer into Safe Mode

4.- Double-click on procexp.exe which is the Process Explorer that we downloaded earlier.

5.- In the top section of the Process Explorer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

6.- Once you see this screen click on each instance of avpe32.dll and click on the kill button. If you see any files listed that are the same name but end with .bak or .ini or are the name in reverse, you can kill those as well.

7.- After you have killed all of the instances of avpe32.dll under winlogon click on the OK button.

8.- Now double-click on explorer.exe, select the Threads tab, and again click once on each instance of avpe32.dll. Once they are highlighted click on the Kill button like you did in the previous step.

9.- When this is done, click on the OK button again.

10.- Now run HijackThis again, close all windows, and press the Scan button.

11.- Place a check next to each of these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll

12.- Once all the entries are checked, press the Fix button and then exit HijackThis.

13.- Double-click on Killbox.exe that you downloaded and extracted earlier. Select the delete on reboot option. Then enter C:\WINDOWS\SYSTEM32\avpe32.dll into the Full path of file to delete field.

14.- Click the red circle with the white X and select Yes to the delete prompt but NO to reboot now. Then add the c:\secure32.html file too and press the red circle with the white X and select Yes to the delete prompt and then Yes to reboot now.

Hope this gets rid of this thing
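The log triage behind steps 11 to 14 above, as an added example that is not part of the original post: it parses HijackThis log text, flags R0/R1 browser page values that point at a local file, and lists every O20 Winlogon Notify entry for review. The function names `triage` and `paths_to_review` are hypothetical, and the `example.com` start page in the sample is constructed.

```python
import re

# Constructed sample: the c:\secure32.html, O15, O20 and O23 lines are copied from
# the logs in this thread; the example.com start page is made up as a benign value.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O15 - Trusted Zone: http://chat.msn.com
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

R_LINE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\(.+?),(.+?) = (.*)$")
O20_LINE = re.compile(r"^O20 - Winlogon Notify: (.+?) - (.+)$")
LOCAL_PATH = re.compile(r"^(?:file:///)?[A-Za-z]:[\\/]")  # drive-letter path, not a URL


def triage(log_text):
    """Return the log entries worth checking before pressing Fix."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            section, hive, key, value, data = m.groups()
            # A browser page value pointing at a file on disk is the hijack pattern here.
            if LOCAL_PATH.match(data.strip()):
                findings.append({"section": section, "entry": f"{hive}\\{key},{value}",
                                 "path": data.strip()})
            continue
        m = O20_LINE.match(line)
        if m:
            # Winlogon loads each notify DLL at logon, so every entry is listed for review.
            findings.append({"section": "O20", "entry": m.group(1), "path": m.group(2).strip()})
    return findings


def paths_to_review(findings):
    """Unique on-disk paths behind the findings (Windows paths compare case-insensitively)."""
    seen, paths = set(), []
    for f in findings:
        if f["path"].lower() not in seen:
            seen.add(f["path"].lower())
            paths.append(f["path"])
    return paths


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["section"], f["entry"], "->", f["path"])
    print(paths_to_review(triage(SAMPLE)))
```

An O20 entry in the output is a prompt to check the DLL, not proof that it is malicious; legitimate software can register notify packages too.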
  • CGFX
  • Graduate
  • Graduate
  • User avatar
  • Posts: 161
  • Loc: Chicago, IL.

Post 3+ Months Ago

Labrego,

Thank you very much again, I will try this next step tomorrow evening. What is scary is that I have some Photoshop & Illustrator work to turn in to my boss tomorrow and I have to save it in a PDF file format and hand it over to them. I just pray that I don't spread this stuff to them and their company system. I don't believe they will be too happy with me. Thanks again and have a good night and good day tomorrow.

cgfX
  • CGFX
  • Graduate
  • Graduate
  • User avatar
  • Posts: 161
  • Loc: Chicago, IL.

Post 3+ Months Ago

Larz,

I downloaded Process Explorer from your link. But after two tries, it won't run, may it be the software, or a well-written virus. It won't allow me to download ActiveScan, it won't allow me a direct link to majorgeeks.com or to the above link to HijackThis ( http://www.majorgeeks.com/download3155.html ). At first I could not get into ozzu directly. I can no longer find the firewall, and the Norton Antivirus is broken. I thank you very much, but I believe this is just going to cost me money. What I would like to know please, could I transfer this thing by way of simply burning .jpeg and .pdf files and taking them to work? I have some stuff I really need to work on and turn in to my employer.

cgfX
  • grinch2171
  • Moderator
  • Genius
  • User avatar
  • Posts: 6809
  • Loc: Martinsburg, WV

Post 3+ Months Ago

I would burn all important files you need and just format and reload Windows. This you can do for free. I hate recommending that but you seem to be in a real mess.
  • edr
  • Born
  • Born
  • edr
  • Posts: 1

Post 3+ Months Ago

If you did not do anything yet, here is a simple solution to your problem:
Boot your computer in safe mode and search for the file SECURE32.HTML in all the folders and delete it.
Also search the registry (CLICK: START, RUN, REGEDIT) and search for the file and remove the entry; keep searching by pressing F3 and remove until finished.
After this reboot the computer and you should be clean for IE.
  • dhaval
  • Born
  • Born
  • dhaval
  • Posts: 1

Post 3+ Months Ago

I want to remove secure32.html
  • jeffbatt12
  • Born
  • Born
  • jeffbatt12
  • Posts: 1

Post 3+ Months Ago

I had the secure32.html/Spy Sheriff virus, and after downloading both HijackThis and Killbox and whatnot, I was still unable to remove the virus.
However, I remembered that I could system restore to an earlier date, so I simply went to Start>Programs>Accessories>System Tools>System Restore and restored to the day before I got the virus. Then secure32.html was gone!

Post Information

  • Total Posts in this topic: 17 posts
© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.