A New "c:\secure32.html" Problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kenjoy, Apr 20, 2006.

  1. kenjoy

    kenjoy Private E-2

    I've had one or more viruses attack my computer and have only been able to resolve some of the problems. Initially, a virus redirected my IE homepage to a warning page titled "Detected SPYware! System error #384." My browser showed the IE address of that page as "c:\secure32.html". After running Norton Antivirus and Spybot S&D and deleting several files, I've managed to get the homepage to open to where I direct it. But it looks like a registry change has occurred, and even "Killbox" can't fix it.

    Spybot continually comes up with a problem it identifies as "CoolWWWSearch.WCADW" and the detail states there has been a registry change to the IE start page at "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page = about:blank." Similarly, the HijackThis log notes that there have been potentially several changes to the registry, including "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page = c:\secure32.html". However, when I tried to fix that file using HijackThis, it didn't work. And when I tried to kill it using Killbox, I received an error message saying "The file does not seem to exist."

    My HijackThis log is attached. I couldn't figure out how to empty the Norton Protected Recycle Bin (although I did empty the quarantine folders). If this log is too long for you to analyze, please let me know what additional steps to take and I'll be happy to resubmit it.

    Can you tell which files are "bad"? And if some of those files are from the registry, does "bad" mean I can simply use "edit registry" to delete them -- or are they essential files that need to be modified back to where they were? Since Killbox didn't find bad files but they seem to be in the HijackThis log, I'm wondering what else might work.

    Thank you in advance!
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In addition to several other malware problems, I just noticed something very serious in your log that you must address immediately!

    IMPORTANT NOTE: You have been infected with TWO Password Stealing Trojans: Trojan.W32.Torpig and Trojan.w32.FRANLOAD

    See these links for what you have: http://www.liutilities.com/products/wintaskspro/processlibrary/ibm00001/
    http://www.liutilities.com/products/wintaskspro/processlibrary/syshost/

    Since you appear to use this PC for financial related matters, you must take this possible threat seriously.

    You are strongly advised to do the following immediately:
    1. Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned. If you have networked computers, start checking them for problems too.
    2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

    You also have the below:

    • Troj/Cosiam-G is a backdoor Trojan which allows a remote intruder to gain access and control over the computer. This trojan includes functionality to access the internet and communicate with a remote server via HTTP.
    • Downloader.Agent.afl - is a downloader trojan that downloads and executes remote files. Sends system information to remote servers.
     
    Last edited: Apr 20, 2006
  4. kenjoy

    kenjoy Private E-2

    Thank you for that warning. I will take the precautions you suggest. Of course, that still leaves open the question of how I get rid of this damn malware so I again (hopefully) will be able to use my computer safely. I've read many postings on your site, but I still don't have a clue how to address this very "special" set of problems my computer is presenting.

    Since our exchange earlier today, I've followed all the steps outlined in "Read & Run Me First". I'm attaching the logs I ran in Bitdefender, Panda ActiveScan, and HijackThis. I hope they will give you enough information to diagnose the problem and suggest a solution.

    One specific question: Since Killbox seemed to be blocked from deleting registry files, is it safe for me to go into "editreg" and try to delete or modify the registry myself? If so, can you advise how I can do this safely (I know very little about computer code).

    By the way, I think you guys perform a terrific service. I'd be willing to bet dollars to donuts that you're not geeks at all, but "Major Geeks" is certainly a catchy name! If you're ever in the DC area, contact me and I'll buy you lunch!
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The best thing you can do now is to only do whatever we ask you to do and nothing else.

    You need to follow the directions in step 7 of the READ ME and install it as instructed. You have it installed exactly where the directions specify not to install it (i.e., on your Desktop and in a subfolder of Documents and Settings).
     
    Last edited: Apr 21, 2006
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Run Pocket Killbox by double clicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\PROGRAM FILES\INTERNET EXPLORER\update.exe
    C:\WINNT\SYSTEM32\roll.exe
    C:\WINNT\SYSTEM32\senssrv.dll
    C:\WINNT\SYSTEM32\syshost.exe
    C:\WINNT\system32\eventwvr.exe
    C:\WINNT\SYSTEM32\taskdir~.exe
    C:\WINNT\SYSTEM32\oleext.dll
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue.)
    C:\Program Files\Common Files\??crosoft\d?xplore.exe
    C:\PROGRA~1\ASEMBL~1\wowexec.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    O4 - HKLM\..\Run: [roll] roll.exe
    O4 - HKLM\..\RunServices: [eventwvr] C:\WINNT\system32\eventwvr.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows System] syshost.exe
    O4 - HKLM\..\RunOnce: [Panda_cleaner_267358] C:\WINNT\system32\ActiveScan\pavdr.exe 267358
    O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4007/ftp.coupons.com/r3120/cpbrxpie.cab
    O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2) - http://www.trafficland.com/MyRoadsExpress/html/jinstall-1_4_2-windows-i586.cab
    O20 - Winlogon Notify: SensSrv - C:\WINNT\SYSTEM32\senssrv.dll
    O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)

    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    C:\PROGRAM FILES\Aveo <--- the folder
    C:\PROGRAM FILES\INTERNET EXPLORER\update.exe
    C:\WINNT\SYSTEM32\roll.exe
    C:\WINNT\SYSTEM32\senssrv.dll
    C:\WINNT\SYSTEM32\syshost.exe
    C:\WINNT\system32\eventwvr.exe
    C:\WINNT\SYSTEM32\taskdir~.exe
    C:\WINNT\SYSTEM32\oleext.dll
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe <--- look for any files here that begin with ibm00 and end with anything else and delete them.

    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now since you had some real nasties, I want to be safe and have you run another scanning removal tool. Run the below procedure and attach the Ewido log:

    Running Ewido Anti-Malware

    Now also attach a new HJT log

    Also tell me how things are working!
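    As an added illustration (example code, not a MajorGeeks tool or anything from this thread), the Python below mechanically triages HijackThis lines of the kinds quoted above: R0/R1 entries whose IE start or default page points at about:blank or a local file, O4 autorun entries that launch one of the file names named in the Killbox list (or any ibm00* file, or a bare filename resolved via the search path), and an O20 Winlogon Notify entry loading one of those DLLs. The sample log is constructed from the entry types in this thread and is not a real log.

```python
import re

# Constructed sample log, modelled on the HijackThis entries quoted in this thread.
SAMPLE_HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [roll] roll.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] syshost.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [NAV] "C:\Program Files\Norton AntiVirus\navapw32.exe"
O20 - Winlogon Notify: SensSrv - C:\WINNT\SYSTEM32\senssrv.dll
"""
# File names the thread identifies as malicious (the Killbox list in post 6).
BAD_NAMES = {"update.exe", "roll.exe", "senssrv.dll", "syshost.exe",
             "eventwvr.exe", "taskdir~.exe", "oleext.dll"}
LINE_RE = re.compile(r"^(R[01]|O4|O20) - (.+)$")
O4_RE = re.compile(r'^\[[^\]]*\]\s+"?(?P<cmd>[^"]+)"?$')  # [name] "command"

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage_line(line):
    """Return a reason if the entry matches a hijack signature, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    if kind in ("R0", "R1") and "=" in rest:
        value = rest.split("=", 1)[1].strip()
        # Start/default page set to about:blank or a local file is the hijack itself
        if value.lower() == "about:blank" or re.match(r"^[a-z]:\\", value, re.I):
            return f"{kind}: IE page points at local/blank target {value!r}"
    elif kind == "O4" and ": " in rest:
        m4 = O4_RE.match(rest.split(": ", 1)[1])
        if m4:
            cmd, name = m4.group("cmd"), basename(m4.group("cmd"))
            if name in BAD_NAMES or name.startswith("ibm00"):
                return f"O4: autorun launches known-bad file {name}"
            if "\\" not in cmd:  # bare filename is resolved via the search path
                return f"O4: autorun uses bare filename {name!r}"
    elif kind == "O20" and " - " in rest:
        dll = basename(rest.split(" - ", 1)[1].strip())
        if dll in BAD_NAMES:
            return f"O20: Winlogon Notify loads known-bad DLL {dll}"
    return None

def triage_log(text):
    """Map each flagged log line to its reason; clean entries are omitted."""
    return {ln.strip(): r for ln in text.splitlines() if (r := triage_line(ln))}
```

The clean R0 entry and the Norton autorun line in the sample are left unflagged, which is the behaviour a reviewer wants before deciding what to fix.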
     
  7. kenjoy

    kenjoy Private E-2

    I did as you suggested and am attaching the Ewido and HJT logs. Note that I ran Ewido in normal mode rather than safe mode because I couldn't read the Ewido screens in safe mode. The computer seems to be running fine now, but I'm not sure that's dispositive because it was running okay even when I had all the malware on it.

    How do the logs look to you? If okay, do you still think I need to contact banks, etc. to change passwords based on the Trojans I apparently had? Is it safe for me to access accounts from this computer now?

    Also, for my benefit and the benefit of others who may have the same problem and be reading this post in the future, is there a specific name to virus or malware I had?

    Thanks again. You guys rock!
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean now. The fact that your system is clean now does not change the fact that these programs were running on your PC for some length of time before we fixed them. This still means that your security (especially financial) may have been compromised. You need to verify this with all of your banks, credit cards, etc. Remember it is for your security not ours. Better to be safe than sorry. No illegal activity may have occurred and if you find that is the case then you can sleep easier. But you still should change all passwords for all of your accounts (not just banking, for everything). And I would still suggest doing it from another PC. Then afterwards you can start using this PC normally.

    I gave you the names in message number 3. But note that each scanning tool often uses its own names for problems like this. Thus you will find many references to the same problems with different names. Also read the links given in message # 3.


    DO THE BELOW IMMEDIATELY

    Since your log is now clean, if you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  9. kenjoy

    kenjoy Private E-2

    In your last email, you wrote: "If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point."

    I'm not sure whether I mentioned earlier that my computer is running on Windows 2000. From the instructions in Read & Run Me First, it appears that Disable and Enable System Restore applies only to XP and ME. Is there a way I can do Disable and Enable System Restore in 2000, or is that not useful?

    My system now seems to be running fine with one exception. I now need to type "http:\\" at the beginning of most Internet addresses I want to enter. For example, I used to be able to access the NY Times website by typing "www.nytimes.com". But if I type that now, nothing happens. I can only get there by typing "http:\\www.nytimes.com". Do you have any suggestion about how to fix this?

    Finally, since I didn't say this adequately in my last post, I can't thank you enough for the incredible service you perform. You have saved me a ton of time and worry. You clearly enjoy what you do, but I'm curious about your business model. Do you make money from advertising, cross-marketing, or using the knowledge you gain from these exchanges to consult for any of the major antivirus companies? Do you accept/encourage contributions from grateful people like myself? Whatever your revenue stream, I hope it flourishes, because given the central role computers play in our lives and how pitifully little most people (myself included) know about the technology, you're a life saver!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, that message is a boilerplate I use to save some typing, and when I'm as busy as I have been the last few weeks I sometimes forget to edit it for non-WinXP or WinMe users like yourself. Just ignore the System Restore part. I think I will update the boilerplate message to include the "if you are running WinXP or WinMe" remarks.

    I'll give you a fix to try below.

    You're welcome. No, I do not make money off of this. Especially considering how much time it takes. And I'm not an employee of Majorgeeks! If users would like to make a donation to me, I have a Pay Pal account; however, that is up to the user themselves. I do not ask for donations.

    For your problems with http:, try the below:

    Copy the bold text below to Notepad. Save it as fixMe.reg to your desktop (yes, overwrite the previous one). Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
     
  11. kenjoy

    kenjoy Private E-2

    You seemed to have nailed every other aspect of the problem so perfectly that I was expecting your suggested solution would resolve the "http" problem immediately. Alas, I followed the steps you suggested (namely, pasting the code you sent into Notepad to update the registry), yet I still cannot access websites without entering the "http:\\" code that normally precedes, for example, "www.nytimes.com". For what it's worth, the Notepad application exists on my computer under both the WINNT and WINNT\System32 folders. I'm not sure that which app I selected makes any difference, but I thought I'd mention it in case it is significant.

    Any other thoughts?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

