How to delete Secure32 - Removal tool, fix instructions

Name: Secure32

Aliases: -

Type: Adware

Size: 4,901

First appeared on: 21.10.2005

Damage: Low

Brief Description:

It downloads malware from the Internet and modifies the Start Page, Local Page and Default Page of Internet Explorer. It can be automatically downloaded while accessing several adult sites or pirated software websites.

Secure32 is an adware program that downloads several types of malware to the affected computer, such as other adware, spyware and Trojans.

Additionally, it modifies the Start Page, Local Page and Default Page of Internet Explorer. In their place, it opens Internet Explorer windows containing an image designed to deceive users into believing that their computer is affected by spyware and to entice them into purchasing a rogue antispyware program.

Secure32 can be installed on the affected computer without user consent, as it is automatically downloaded while accessing several adult sites or pirated software websites that use vulnerability exploits in order to affect computers.

Visible Symptoms:

Secure32 is easy to recognize: when the Start Page, Local Page or Default Page is opened, it displays an Internet Explorer window containing the following text instead:

Detected SPYware! System error #384
Your IP address is *.*.*.*. Using this address a remote computer has gained access to your computer and probably is collecting the information about the sites you've visited and the files contained in the folder Temporary Internet Files! Attention! Ask for help or install the software for deleting secret information about the sites you visited.
Your computer is full of evidences!
ISP of transmission:
Your IP address
They know you're using: Mozilla/4.0 (compatible, MSIE 6.0, Windows NT 5.1) Your computer is: Windows XP Risk status: VERY HIGH RISK




Technical description:

Secure32 carries out the following actions:

  • It downloads the following types of malware to the affected computer:
      • Other adware.
      • Spyware.
      • Trojans, especially of the password stealer type, whose aim is to obtain passwords, and of the downloader type, which downloads other malware to the affected system.
  • It modifies the Start Page, Local Page and Default Page.
Secure32 creates the file SECURE32.HTML in the Windows directory. This file corresponds to the image displayed as the Start Page, Local Page and Default Page of Internet Explorer.

Secure32 downloads the following files from the Internet:
  • COUNTRY.EXE, KL1.EXE, MS1.EXE, TOOL2.EXE, TOOL4.EXE, TOOL5.EXE, TOOLBAR.EXE and WINSTALL.EXE, which are saved in the Windows directory.
  • CHILD.DLL, DDHHNKKI.DLL, DPCFFAMF.DLL, FLOOP64.DLL, PAYTIME.EXE, SVWHOST.DLL and SVWHOST.EXE, which are saved in the Windows system directory.
In addition, Secure32 creates a subfolder called HOSTS in the Windows directory, which contains several files belonging to websites from which it downloads malware.

Secure32 creates the following entry in the Windows Registry:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Default_Page_URL = %windir%\secure32.html
    where %windir% is the Windows directory.
Additionally, the downloaded malware creates the following entries in the Windows Registry:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Windows installer = %windir%\wininstall.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    WindowsUpdateNT = %windir%\svwhost.exe
By creating these entries, Secure32 ensures that it is run whenever Windows is started.
Secure32 modifies the following entries of the Windows Registry:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Local Page = %windir%\secure32.html
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Start Page = %windir%\secure32.html
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
    Default_Page_URL = %windir%\secure32.html
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
    Local Page = %windir%\secure32.html
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
    Start Page = %windir%\secure32.html

Propagation:

Secure32 can be installed on the affected computer without user consent, as it is automatically downloaded while accessing several adult sites or pirated software websites that use vulnerability exploits in order to affect computers.

Removal tool and instruction:

This virus can't be removed manually, but there are instructions for restoring the Start Page, Local Page and Default Page of Internet Explorer.

In order to restore the Local Page and Default Page, change the values of the Windows Registry entries listed below to other websites of your choice, as the following ones belong to Secure32:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Local Page = %windir%\secure32.html
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
    Default_Page_URL = %windir%\secure32.html
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
    Local Page = %windir%\secure32.html
    where %windir% is the Windows directory.
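
The registry check and reset described above, as an added PowerShell example (not part of the original write-up and not a vendor tool): it reports the Internet Explorer page values that point at secure32.html and the two Run entries listed earlier, and resets only the page values when run with -Fix. The -Fix switch and the about:blank replacement are assumptions standing in for "a website of your choice".

```powershell
# Added example: report (and optionally reset) the registry values this write-up lists.
param(
    [switch]$Fix,                            # assumption: opt-in; the default is report only
    [string]$ReplacementUrl = 'about:blank'  # assumption: stands in for "a website of your choice"
)

$ieKeys    = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
             'HKLM:\Software\Microsoft\Internet Explorer\Main'
$pageNames = 'Start Page', 'Local Page', 'Default_Page_URL'
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runNames  = 'Windows installer', 'WindowsUpdateNT'

$findings = @(
    foreach ($key in $ieKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $pageNames) {
            $value = if ($props) { $props.$name }
            # Match the file name so %windir% and an expanded path are both caught.
            if ($value -like '*secure32.html*') {
                [pscustomobject]@{ Kind = 'IE page'; Key = $key; Name = $name; Value = $value }
            }
        }
    }
    # Run entries the write-up attributes to the downloaded malware: reported, never edited.
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    foreach ($name in $runNames) {
        if ($run -and $run.$name) {
            [pscustomobject]@{ Kind = 'Run entry'; Key = $runKey; Name = $name; Value = $run.$name }
        }
    }
)

if ($Fix) {
    # Writing under HKLM needs an elevated session.
    foreach ($f in $findings | Where-Object { $_.Kind -eq 'IE page' }) {
        Set-ItemProperty -Path $f.Key -Name $f.Name -Value $ReplacementUrl
    }
}

# The table shows the values as they were found, before any reset.
$findings | Format-Table -AutoSize -Wrap
```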