  Help With C:\WINDOWS\secure.html 
 
doby son Feb 29, 2004, 03:54pm EST
>> Re: Help With C:\WINDOWS\secure.html
Hey thx for all the help on the Secure.html thing it really p**sed me off... and especially Ivo Tzvetkov u gave some very quick and clear instructions to get rid of this! Also when in the registry u can press Ctrl+F and it will search the registry for anything that u want. I did have one problem: when I went to Run and typed "msconfig32.exe" it gave me the message that it could not find anything like that. Doesn't matter, I still got rid of the thing. Once again thank you all!

adi tiger Mar 01, 2004, 04:40am EST
I need assistance with the same problem.
1. After Start-->Run-->msconfig32.exe
On clicking search, an error comes up saying that Windows cannot find msconfig32.exe
2. Also I tried deleting the same from the Windows folder on the C drive, but it gives another error, mentioning that the file cannot be deleted as it is in use.
Tx

D@N Mar 05, 2004, 03:11pm EST
Thanks to Tzvetkov I managed to clear secure.html, but now I have an error when entering C:. When I enter, an Explorer error appears, which makes it close, and it must restart. What do I do?

Ivo Tzvetkov Mar 05, 2004, 10:48pm EST
Sorry all. The file msconfig32.exe does not exist! It's called msconfig.exe. My mistake, sorry again!

J G Apr 10, 2004, 08:36pm EDT
Looking for some help.

First, I am also infected with the dreaded C:\secure.html. Only problem is, when I go to delete my reg32.exe file, it's not there. I do have a reg33.exe file.

The second problem I have is every time I go into add/remove programs and try to open, the window appears for an instant and disappears... Any suggestions?


justin k Apr 19, 2004, 09:16pm EDT
I am also looking for help!!

I got the same dumb c:/windows/secure.html problem.....i downloaded the Hijack This! program and here is a copy of the log file from that program:

Logfile of HijackThis v1.97.7
Scan saved at 8:15:20 PM, on 4/19/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\DOCKAPP.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\WINDOWS\REG33.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
C:\PROGRAM FILES\LINKSYS\WIRELESS-G NOTEBOOK ADAPTER\ODHOST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LINKSYS\WIRELESS-G NOTEBOOK ADAPTER\WPC54CFG.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\JUSTINS FOLDER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BayMgr] DockApp.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?3...3809953704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

can someone tell me what problems are in this?
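
An added example, not part of the original post and not HijackThis code: a Python triage of the kind of log posted above. It flags R0/R1 Internet Explorer page settings that point at a local file or at a host outside an expected list, and O4 autostart entries whose name or executable matches file names reported in this thread; the expected-host list and the watch list are assumptions, and the sample lines are copied from the log in this post.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt: lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
"""

# Assumptions for this example: hosts treated as expected, and file names that
# posters in this thread reported (not a vetted indicator list).
EXPECTED_HOSTS = {"www.microsoft.com"}
WATCHED_NAMES = {"reg32", "reg33", "point32", "system"}

R_LINE = re.compile(r"^R[0-3] - (HK\w+)\\(.+?),(.+?) = (.*)$")
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
EXE = re.compile(r"([^\\/]+?)\.exe\b", re.IGNORECASE)

def triage(log_text):
    """Return (hive, setting, target, reason) tuples for lines worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:  # Internet Explorer start/search page settings
            hive, _key, setting, data = m.groups()
            if re.match(r"^[A-Za-z]:\\", data):
                findings.append((hive, setting, data, "local file as IE page"))
            elif (urlparse(data).hostname or "") not in EXPECTED_HOSTS:
                findings.append((hive, setting, data, "unexpected host"))
            continue
        m = O4_RUN.match(line)
        if m:  # registry Run / RunServices autostart entries
            hive, _key, name, command = m.groups()
            exe = EXE.search(command)
            stem = exe.group(1).lower() if exe else ""
            if stem in WATCHED_NAMES or name.lower() in WATCHED_NAMES:
                findings.append((hive, name, command, "watched autostart"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```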

D kelly Jun 18, 2004, 01:18pm EDT
Hello, I've read all your posts. I am running Windows XP. I downloaded the C:/windows/secure.html virus or spyware, whatever. Now my machine is running very very slow and can hardly run apps. I've tried Spybot, Ad-aware and Norton. Any suggestions?

Shadow_Ops_Airman1 Jun 18, 2004, 01:21pm EDT
my brother got attacked by same thing, someone hacked his system and put that crap up along with some trojan horses on his system.

Ivo Tzvetkov Jun 28, 2004, 09:48am EDT
I'll show you some tricks about removing the virus tonight ;-)

Ryan Carey Jun 28, 2004, 04:34pm EDT
It may be unrelated, but I haven't found reg32 anywhere yet. I do keep finding point32.

Tate Eith Jun 30, 2004, 11:55am EDT
I haven't tried this yet but I feel this is the proper solution...
http://securityresponse.symantec.com/avcenter/venc/data/pf/tro...ecure.html

Paul Hopley Jul 02, 2004, 03:22pm EDT
Holy cow, I am so so angry right now. I have a similar problem, even my desktop has been changed and I can't change it back. I've deleted files and all kinds of things but I'm no expert and about ready to give up and cry. Please somebody help me in a language I can understand. I appreciate any help. Many thanks.

Paul Hopley Jul 03, 2004, 04:26am EDT
Ok I seem to have gotten rid of the secure html using the instructions two posts up, but it took over my desktop and now my desktop flashes grey and white (it used to show an advert). I can't seem to locate the program doing it, please can anyone help?

Paul Hopley Jul 03, 2004, 03:11pm EDT
Ok got the thing now and now just have to repair the rest of my machine as it got pretty battered whilst I was trying to find the problem. If anyone needs help removing this then just send me an email and I will detail the instructions in simple terms. paul8977@hotmail.com

isamu dyson Jul 14, 2004, 07:06am EDT
i'm still having much trouble with this virus/spyware
i followed your directions, but i couldn't find the file "reg32.exe" in the windows folder...
i ran a search for the file but it came up empty...
i also tried using msconfig to shut it down manually from startup but the file didn't exist on the start up list either...
i also tried to just delete the "secure.html" file itself, but it just replaces itself after about a second
i noticed it was continually copying over itself so just replacing it with another file wouldn't help... can someone tell me how to fix this?

Paul Hopley Jul 14, 2004, 02:05pm EDT
After receiving tons of emails I have decided to post the solution for you here as I can't keep up.
First of all download the following:
http://www.shinobiresources.com spybot S&D
http://www.lavasoft.com Ad-aware
http://www.merijn.org hijack this and also cw shredder
Make sure you update them too.
Instructions are for XP; modify as necessary.
First things first, you need to disable system restore. To do this you must right click “my computer” and select properties. One of the tabs is system restore, click that and check the box that says turn off system restore, then press “apply” then press “ok”.

Next restart in safe mode and log in as the administrator (if you are the only user just log in as yourself)

Now comes the fun part

Go “start” - “search” – and search for files and folders.

Find : desktop.html

Delete it and all recurrences of it



Now search for hosts

In turn open each one with notepad (ask me if you aren’t sure how) and delete the contents except for 1 line which needs to read

127.0.0.1 localhost

if it isn’t there then write it in yourself and save

now find and see if you can delete the following: (don’t worry if you can’t)
c:\windows\system32 rpcss.dll


now empty the recycle bin

run adaware check all entries and delete them

run spybot s&d
clean all entries

go to control panel>internet settings and change the homepage
also in the same place clear all internet history and cookies etc

run cwshredder

reboot in normal mode
run hijack this and fix anything relating to secure.html

re enable system restore

cross your fingers and open internet explorer
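
An added example, not part of the original post: before a hosts file is cut down to the single "127.0.0.1 localhost" line as the steps above describe, this Python function lists every other mapping in it, so there is a record of what the file contained. The sample file content and the example.test / example.invalid names are constructed.

```python
import ipaddress

# Constructed sample: a hosts file with extra mappings (example.test and
# example.invalid are reserved placeholder names, not taken from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example.test   # added entry
203.0.113.10    search.example.invalid www.example.invalid
not-an-ip       broken.example.test
"""

def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for every mapping other than
    the loopback 'localhost' line the post says should remain."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not entry:
            continue
        address, names = entry[0], entry[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, " ".join(names), "unparseable address"))
            continue
        for name in names:                     # one line may map several names
            if ip.is_loopback and name.lower() == "localhost":
                continue
            reason = "name sinkholed to loopback" if ip.is_loopback else "name redirected"
            findings.append((line_no, address, name, reason))
    return findings

if __name__ == "__main__":
    for line_no, address, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {address} ({reason})")
```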

isamu dyson Jul 14, 2004, 04:43pm EDT
okay now i tried to edit the host files, but they too keep replacing themselves much like the secure.html file... can someone tell me where i can find the source of this problem?

Paul Hopley Jul 15, 2004, 01:05pm EDT
Please follow all of the instructions above and it shouldn't happen. Also check c:\windows\system32; if there is a version of explorer here delete it. You may well find there are two, and they will show up on the hijack this log. To stop the hosts re-entering the code you must disable system restore and follow the rest of the instructions I posted. If you can't do it my email is above so please feel free to use it.
Paul

tgi dkp Jul 27, 2004, 04:19am EDT
because i solved this problem using info from this forum, i am adding this post as a service to others whom are having this problem. i solved the "c:\windows\secure.html" problem using the following tactic.

http://securityresponse.symantec.com/avcenter/venc/data/w32.hl...ot.ao.html

at the website posted above are listed several programs which this particular virus installs to your startup system. i did not find 'reg32' on my system, but i did find 'system.exe'. this file was found in the c:\windows directory. i stopped running it using ctl-alt-del under the processes tab. then i deleted the file with no trouble. upon restart of my computer, i was again able to freely assign the homepage of internet explorer.

DEATH TO THOSE THAT THINK THEY CAN JUST INVADE MY COMPUTER LIKE THIS...DEATH!

tgidkp

