Re: secure32.exe
- From: "Scherbina Vladimir" <vladimir.scherbina@xxxxxxxxx>
- Date: Fri, 20 Jan 2006 08:37:08 +0200
Check the following registry keys on the infected machine:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Is there any mention of your file? (Note the registry value can have another
name, but the path should include secure32.)
Why can't you remove it from Task Manager? Seems like the module has its own
protection. Open this process in Far and look at the list of modules it
uses.
Try to find "not-usual" DLLs that are loaded in secure32.exe. More likely,
secure32.exe extracts a DLL from its resources and injects it somewhere;
after being injected, this DLL may monitor the system for occurrences of
secure32.exe and, if it's absent (somebody terminated it), start it. If you
find this "unusual DLL", try to find it in all processes - if there are any
occurrences in other processes, then most likely secure32 uses
SetWindowsHook to map it into all processes.
Try to find that DLL (and remove it) in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify.
In addition to all that I wrote, you may use Process Explorer from
www.sysinternals.com (it's free) to see what mutexes, events and threads
secure32.exe creates, and play with them. Most malware creates protection
threads - a piece of code that monitors OS items to protect (registry,
processes, etc.), so if you terminate the protection thread (if you
find it) you will be able to remove it.
I usually perform these simple steps to remove malware, and if I fail I
take a debugger (SoftIce or OllyDbg, IDA Pro) and begin debugging to make sure
how to remove that stuff from the system.
--
Vladimir
"Michael Blanc" <mblanc@xxxxxxxx> wrote in message
news:fJydnb4gJ-MTgU3enZ2dnUVZ_sidnZ2d@xxxxxxxxxxxxxx
>I want *manual* instructions. Registry Keys, etc.
>
>
>
> David H. Lipman wrote in message ...
>>From: "Michael Blanc" <mblanc@xxxxxxxx>
>>
>>| I suspect that this binary is a parasite. I can't kill it in the Task
>>| Manager and don't know where to find it in the registry.
>>|
>>| I am having problems with the system - the computer keeps sending 100s of
>>| Kbytes upon dial-up connection, and cannot even load a URL because of this
>>| degraded bandwidth.
>>|
>>| Am I right about this binary? If so, I will want to *manually* remove it,
>>| hence need the instructions. (OS = Win2000, browser is IE5). Needless to
>>| say, I am using a different machine to post this.
>>|
>>| Thanks for any help!
>>|
>>| MB
>>|
>>
>>It is a Downloader Trojan so it may have associates that it has installed.
>>
>>Download MULTI_AV.EXE from the URL --
>>http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> <snip>.....
>
>>
>>* * * Please report back your results * * *
>>
>>
>>
>>--
>>Dave
>>http://www.claymania.com/removal-trojan-adware.html
>>http://www.ik-cs.com/got-a-virus.htm
>>
>>
>
>
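An added example, not from the thread or from any of its posters: a PowerShell script that walks the autostart locations Vladimir lists (Run, RunOnce and Winlogon\Notify) and reports any value whose data references the suspect file name, then lists the running processes that have a module of that name loaded, which is the "find that DLL in all processes" check from the post. It assumes an elevated PowerShell session on a Windows version that has PowerShell (the Win2000 box in the thread would not) and takes the name fragment as a parameter.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session;
# the file-name fragment to look for is a parameter (secure32, as in the thread).
param([string]$Needle = 'secure32')

# Autostart locations named in the post.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
)
$pattern = [regex]::Escape($Needle)

$hits = foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    # Run/RunOnce hold one value per entry; Winlogon\Notify holds one subkey per
    # notification package (with a DllName value), so inspect the key and its children.
    $items = @(Get-Item $key) + @(Get-ChildItem $key -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            # Match on the data (the path), not the value name, which can be anything.
            if ($data -match $pattern) {
                [pscustomobject]@{ Key = $item.Name; Value = $name; Data = $data }
            }
        }
    }
}
if ($hits) { $hits | Format-Table -AutoSize }
else       { "No autostart entry referencing '$Needle' found." }

# Second check from the post: which processes have a module with that name loaded?
# One DLL sitting in many unrelated processes is what hook-based injection looks
# like from the outside.
Get-Process | ForEach-Object {
    $proc = $_
    $mods = @()
    try { $mods = $proc.Modules } catch { }   # access denied on some processes
    foreach ($m in $mods) {
        if ($m.FileName -match $pattern) {
            [pscustomobject]@{ Process = $proc.ProcessName; PID = $proc.Id; Module = $m.FileName }
        }
    }
} | Format-Table -AutoSize
```

Winlogon\Notify legitimately holds vendor packages on older Windows, so only the entries that match the name are reported rather than the whole key.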