Re: secure32 is back
- From: "icedteeh" <icedteeh@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 6 Jan 2006 18:12:02 -0800
The trojan creates registry Run keys to load itself at startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"PayTime"=C:\WINDOWS\System32\paytime.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"PayTime"=C:\WINDOWS\System32\paytime.exe

The trojan modifies Internet Explorer settings:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Local Page"=c:\secure32.html
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page"=c:\secure32.html
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Default_Page_URL"=c:\secure32.html
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Local Page"=c:\secure32.html
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Start Page"=c:\secure32.html
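As an added example (not part of this post or its author's tools): a small Python check that parses a `reg export` style text dump and flags the Run and Internet Explorer values listed above. The sample export, including its harmless non-indicator values, is constructed for the demonstration.

```python
# Indicators as reported in the post above; keys are compared case-insensitively.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
IE_MAIN_KEYS = {
    r"hkey_current_user\software\microsoft\internet explorer\main",
    r"hkey_local_machine\software\microsoft\internet explorer\main",
}
IE_VALUE_NAMES = {"Start Page", "Local Page", "Default_Page_URL"}

# Constructed sample of a "reg export" dump (not from any real machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PayTime"="C:\\WINDOWS\\System32\\paytime.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="c:\\secure32.html"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"""


def parse_reg_export(text):
    """Parse .reg text into {lowercased key path: {value name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            # .reg files escape backslashes in string data as "\\".
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def find_secure32_indicators(text):
    """Return (key, value name, data) for every entry matching the post's indicators."""
    findings = []
    for key, values in parse_reg_export(text).items():
        for name, data in values.items():
            if key in RUN_KEYS and (name.lower() == "paytime" or "paytime.exe" in data.lower()):
                findings.append((key, name, data))
            elif key in IE_MAIN_KEYS and name in IE_VALUE_NAMES and "secure32.html" in data.lower():
                findings.append((key, name, data))
    return findings


if __name__ == "__main__":
    for hit in find_secure32_indicators(SAMPLE_EXPORT):
        print("indicator:", *hit)
```

Feed it the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the other three keys) to check a live machine without touching the registry from the script.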
"David H. Lipman" wrote:
> From: "Dave" <Dave@xxxxxxxxxxxxxxxxxxxxxxxxx>
>
> | Hello.
> |
> | I have the secure32 problem. BHODemon is no longer available. Any
> | suggestions?
> |
> | Thanks - Dave
>
>
> * BHODemon
>
> http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d
>
> There may be no new updates but it will still show unidentifiable BHOs.
>
>
>
> Two-part reply.
>
> Perform Part 1 then perform Part 2.
>
> If the first two parts don't work, perform the alternate utility.
>
> It is suggested that you execute each tool in Normal Mode then in Safe Mode.
>
> If you are using any version of Sun Java that is prior to JRE Version 5.0,
> then you are strongly urged to remove any/all versions that are prior to JRE
> Version 5.0. There are vulnerabilities in them and they are actively being exploited.
> It is possible that is how you got infected with malware.
>
> Therefore, it is highly suggested that if there are any prior versions of Sun Java
> to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
> be installed ASAP.
>
> http://www.java.com/en/download/manual.jsp
>
>
>
> Part 1
> -----------
>
> Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
> http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
>
> http://www.bleepingcomputer.com/forums/topic36868.html
>
>
> Part 2
> -----------
>
> Download SmitFraud.exe from the URL --
> http://www.ik-cs.com/programs/virtools/SmitFraud.exe
>
> Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
> Choose; Unzip
> Choose; Close
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
> FireWall to enable WGET.EXE to download the needed McAfee related files.
>
> Execute; c:\mcafee\clean.bat
> { or Double-click on 'Clean Link' in c:\mcafee }
>
> A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
> end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
> It is suggested that you move the report out of c:\mcafee before performing another scan.
>
> ALTERNATE:
>
> Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.
>
> http://secured2k.home.comcast.net/tools/AntiPuper.exe
>
> http://forums.mcafeehelp.com/viewtopic.php?t=65072
>
>
> Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
> reply.
>
> * * * Please report back your results * * *
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>